For 40 minutes yesterday, followers of the most feared terrorist organization in the world had free reign of a computer network of the US military. That is the story that many will take away from the hack of CENTCOM’s Twitter and YouTube accounts. And that story will be hyperbole.
First off all, whether the group ad-Dawlah al-Islāmīyah fil ‘Irāq wa ash-Shām, aka “Islamic State” or ISIS, was actually behind the hack of US Central Command’s social media accounts remains to be seen. More importantly, seizing control of those accounts is the equivalent of controlling a social media megaphone, but not the actual networks that matter to military operations. The networks are civilian controlled and hosted, not Pentagon owned or run. No critical command and control networks were touched, nor, for that matter, were any of the military’s internal or external computer networks that are used to move classified or even run-of-the-mill information.
What was posted on the feeds was also not that significant or expert, which is all the more notable when one compares it against ISIS’s previous social media campaigns, which were highly professional with pre-planned hashtag tie-ins, catchy screengrabs, and distribution across language barriers. (ISIS runs social media feeds in at least 23 different languages.) Frankly, given the immense opportunity the hackers had holding such an impressive mic for around 40 minutes, the content itself was rather disappointing. Indeed, that one of the first tweets sent out was a picture of a goat points to this hack being more about shits and giggles than any highly organized campaign of attack linked to the broader ISIS network.
Another indicator was the account cover image being changed to the text “i love you isis.” ISIS is group that tends not to call itself by that acronym (a Western construct that limits it’s scope to two state borders “islamic State of Iraq and Syria,” rather than a wider, borderless caliphate they vision aims for). Nor is ISIS a group that tends to use the verb “love” all that much.
Other messages were posed as as if they were exposing secret US military war plans for China or Korea, but a closer look showed them actually to be PowerPoint slides with MIT’s Lincoln Lab logo on the side. Another message claimed to provide ISIS followers anywhere the ability to hunt down US soldiers at home; “AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK,” one tweet said. But the documents attached turned out to be publicly available information dating back to 2012. For instance, knowing the snail-mail address of the Pentagon or the name of the commander of Fort Bragg is something an attacker could have gotten elsewhere and, of course, is not the same as being able to do something about it in real terms. On the Youtube side, only two supposed ISIS propaganda videos were posted, neither of which drew attention to the group in the manner of its more widely seen videos already online. To put it another way, in seizing the medium, they didn’t do much with the message.
At the end of the day, the result of the hack was lots of chatter, but little change in the real world. In other words, the social media hack was a lot like social media itself.
But don’t take that to mean that the event doesn’t matter. Just as social media plays a role in shaping real wars, politics, and business today, so does a hack like this signify more than bluster. This hack was highly embarrassing for US Central Command, all the more so for taking place at the very moment the President was speaking on the importance of cybersecurity. In addition, the likely low-level way the hackers got in is very embarrassing and likely consequential to whoever had the keys to the CENTCOM accounts (one imagines them now awaiting reassignment to the Arctic).
Incidentally, it’s a good reminder to turn on two-factor authentication for all your accounts. But I digress.
Embarrassing moments on social media happen all the time and may not have the same heft as attacks involving bombs and guns, but they do have importance. The meme of a big organization being shown up by the little guy is powerful, and resonates all the more when that organization is the US military, which has already spent $1.2 billion in the fight against ISIS. Yes this hack was mere “cybervandalism” as a CENTCOM spokesperson after the attack (not via Twitter, notably) and was likely unlinked to ISIS’s central core in its planning, organization or execution. But the hack is still a valuable propaganda moment to the group. At the same time it has suffered a series of setbacks on the physical battlefields of Iraq, the ISIS flag got waved in a medium that more people in the West both notice and care about—the social media environment.
Moreover, the value also matters in a different kind of fight: ISIS’s fight with its competitors in the terrorism game for funding, recruits, and attention. ISIS is a rival to al Qaida and rose to prominence as much due to its savvy use of social media as by its actual operations on the ground. Akin to the Sydney siege or the Paris attacks, even if there turns out not to be an actual ISIS role in the planning and organization of the event, the group’s cause still will get credit for it. It further stakes ISIS’s claim to prominence among the next generation of jihadis.
Like most hacks and terrorism writ large, the takeaway lessons here are the same as those that came before. We need to be better about security on all aspects, but we usually won’t until something goes wrong. Social media matters immensely, but also doesn’t. The threats are real, but can be weathered.
And, letting goats into your office is never a good idea.
No comments:
Post a Comment