Al-Qaeda’s new cyber strategy and the outlook for cyber terrorism
In June 2020, al-Qaeda (AQ) released the second issue of its new English-language magazine One Ummah. The publication’s diverse contents included a lengthy article on the United States economy, specifically how it might be harmed in furtherance of the group’s global agenda. Amongst the usual menacing assertions was a call for the AQ faithful to engage in ‘e-jihad’, to conduct cyber attacks against a range of US critical national and commercial infrastructure.
Renewed calls for cyber terrorism
While AQ has called for cyber attacks on the West for roughly a decade, the One Ummah article was notable for several reasons. In contrast to the typically bombastic tone of AQ publications, the author gave a relatively mature appreciation of the complexities of network operations, recognising such activities require significant technical capabilities and teams of professional hackers, along with the necessary infrastructure.
Rather than positing cyber attacks as a simple or cost-effective alternative to conventional attacks, the article acknowledges that successfully carrying out such operations requires considerable time, resources and manpower. Beyond proffering suggestions on how the group might develop the necessary capabilities (recruiting software engineers, training young recruits in IT), it also advises cooperation, where possible, with unaligned malicious actors (presumably cyber criminals of one variety or another).
Finally, the author appears to be familiar with the literature on cyber war. As well as invoking the prospect of a cyber 9/11, the article recounts statements made by senior Western policymakers on the potential vulnerability of critical infrastructure, urging followers to exploit this.
In all, the piece was more sober and pragmatic than earlier Islamist extremist material on the subject. The extent to which this reflects a new, more sophisticated approach to the cyber domain on the part of AQ remains to be seen. However, the magazine seems to have been published with the blessing of the group's leadership, and therefore probably carries more weight than the hyperbole periodically issued by technically minded sympathisers.
The limited capabilities of terrorists
Despite this, the evidence for AQ or other Islamist extremist groups possessing the capability to mount more than rudimentary network operations is nonexistent. More sophisticated actors, such as Hamas and Hezbollah, have employed malware for intelligence gathering alongside more quotidian disinformation and propaganda activities. However, there is nothing to suggest that even those groups are remotely close to having any kind of capability to disrupt the operation of Western critical national infrastructure (CNI), let alone deliver destructive effects digitally. Indeed, such capabilities are believed to remain the preserve of a handful of nation states.
Disruptive cyber attacks on the increase
Nonetheless, disruptive attacks on CNI and industrial targets are increasing in frequency. While these incidents might not have the psychological impact of conventional attacks, they can cause significant financial losses to those directly affected, as well as significant inconvenience to consumers.
In February, a US gas compression facility was shut down after ransomware was deployed against the operator's information and operational technology networks. While no programmable logic controllers (PLCs), which directly control physical processes, were affected, the entire pipeline had to be shut down for 48 hours owing to transmission dependencies. Less impactful ransomware attacks have also been reported in Europe, including against Elexon, the company responsible for the balancing and settlement of the UK's power system, in May.
There is nothing to suggest that any of these attacks have links to terrorist groups. But while such attacks are unlikely to garner significant attention outside the InfoSec and national security community, they do accord with AQ’s recently restated attritional strategy of economic warfare, even when conducted for financial gain.
Perhaps more alarming is the potential for nation states to use non-state actors to conduct deniable network operations against adversaries. In April, several Israeli water facilities were targeted in a coordinated attack. In this case PLCs were compromised in an attempt to alter chlorine levels in the water. The attack was detected, and no damage was caused. However, the incident demonstrated the potential to cause significant physical disruption and, in an extreme scenario, threat to life. The attack was claimed by the Jerusalem Electronic Army but was widely believed to have been orchestrated by Iran.
While groups such as AQ are unlikely to readily find nation-state backers, the normalisation of offensive cyber operations increases the probability of such capabilities proliferating. However, in the near term, it is more likely that AQ and its peers will attempt to acquire more modest capabilities that allow them to conduct disruptive rather than destructive cyber attacks. While a disquieting prospect, this will not materially change the threat landscape, as a range of threat actors, from cyber criminals to hacktivists, are already doing so.