Photo credit: www.usnews.com
While ISIL’s cyber exploits have slipped from recent headlines, ISIL has already made significant headway in cyberspace in 2015. The group gained access to and defaced US government social networking sites about a half year ago. In April, ISIL was able to gain control of a French television station, only three short months after the horrific shooting assault at media outlet Charlie Hebdo. Most concerning for the US, the group “doxed” or exposed personal identification information (PII), including addresses, of approximately one hundred US military personnel. The doxing was not unaccompanied: messages included with the list said to “kill them wherever you find them” and to attack doxed individuals in their homes.
While these cyber attacks were significant in their fallout, through these attacks we have learned of at least three solid lines of effort for ISIL’s “Cyber Caliphate:”
While the responsibility for countering lines of effort one and two reside within the managerial IT infrastructure of targeted organizations, line of effort three falls upon users and their training. Protecting against ISIL’s third line of effort in cyberspace seems to have received a relatively minimal amount of attention from the US Department of
Defense’s force protection efforts. While there has not been any reported attack of a US servicemember to date as a result of ISIL’s exposed “kill list,” all members of the DoD, simply by virtue of having a record of their existence, are now at risk of a terror attack. Self-affiliated jihadists have already taken it upon themselves to attack members of the NYPD and, more recently, a group holding a contest for depictions of Muhammad. The DoD has made numerous statements indicating its resolve to protect its members, but this action cannot stop at designated cyber network defenders.
Every modern network operations center and information assurance directorate uses firewalls and controls for its network, yet also understands the importance of securing end points through Host-Based Security Systems (HBSS) - in other words, ensuring not only that a base is secure, but ensuring the servicemembers within are capable of defending themselves as well.
Photo credit: The Associated Press
Despite ISIL’s “doxing” and “kill list” publishing, the DoD has yet to implement a comprehensive, corporate, user-empowering training program to provide servicemembers and their families with step-by-step training and tools to prevent a personalized terror attack as a result of the exposure of their personal information. While the DoD has issued various tips to educate its members in cyber security, it has yet to underline the gravity of tying cyber security to protection against a terrorist attack.
The DoD also implements a Force Protection Condition (FPCON) that ranges from Alpha (least security) to Delta (highest security). It recently elevated its FPCON level to Bravo in early May of this year. The DoD’s FPCON standards include anti-terrorism measures to be taken on post, but makes no mention of what measures DoD individuals should take to protect themselves when not on a military installation. Similarly, the DoD maintains Information Operations Condition (INFOCON) levels to address cyber attacks, but these guidelines address corporate networks, not individual servicemember protection. There has not been any discussion to bridge the gap between these two alert methods to address the inherent dangers that now span the cyber and physical worlds our servicemembers now face.
The most important principles of protecting one’s self on social media (e.g. using a long and complex password, removing cell phone numbers and addresses, refraining from providing layouts of one’s house, avoiding posting information as to whereabouts for time periods, and tailoring security settings to allow things like restricted viewing of posts) are well known practices. Diligent members within the DoD community have developed and published smart cards that instruct members on how to best protect themselves. But in the same way the DoD trains its servicemembers to protect themselves in combat, so too must it train its servicemembers in cyber awareness. Providing mock social media sites servicemembers and their families to provide hands-on training on how to secure their social media accounts and more routine, command messaging on the dangers presented by “oversharing,” would help provide this security.
Beyond the control of individuals are personal information aggregators. Sites such as Arivify, Spokeo, or PeopleFinder employ automatic “crawlers” that aggregate personal information based on publicly available records. While what they do is legal, the risks of such conduct are readily apparent. These sites take information that once would have required a malicious actor to go through the effort of acquiring a phone book of a certain locale and put it in Google-searchable format. Now all it takes for an aspiring jihadi to find out where someone lives is some Google searching and a bit of cross verification through these sites. There aren’t many options for safeguarding your privacy here, but simply doing a Google search for your name will reveal the sites on which your information is most readily found. After that, you can find FAQs or contact information on these websites in order to request removal, which is mandatory according to revisions of the Freedom of Information Act. You can also opt to pay about $130 to use services that will automatically find such websites and take care of the deletion for you, as outlined in this article from CNET.
While cyber mythology tells tales of “halt and catch fire” commands that can launch code which send a computer into a frenzied state and induce actual fire, there has been little evidence of cyberspace directly affecting the physical world - but ISIL is trying. Through “doxing” efforts, ISIL is providing high-value target lists to members and sympathizers and lowering the barrier of entry to terrorism. It is imperative our current servicemembers and veterans become equipped to make themselves less accessible through cyberspace so that they may protect their livelihoods, their families, and themselves.
About the Author: Matt Lembright
Lembright is an Analytic Consultant supporting Army Cyber Command with Cyber Mission Forces integration. He previously commanded a company in the 780th Military Intelligence Brigade, helping create the Cyber Mission Forces, served as a Cyber OPFOR (opposing force) Team Leader, and is the J2 Intelligence Officer for the Military Cyber Professionals Association.