海角大神

Modern field guide to security and privacy

Opinion: The shocking mediocrity of Islamic State 'hacker' Junaid Hussain

The Islamic State militant Junaid Hussain killed in a British drone strike displayed little technical knowhow. But even though an unskilled coder, he was more effective at spreading the militants' message over social media and ultimately proved to be an effective role model.

Reuters
An unidentified Islamic State member in Iraq in June 2014.

Hiring tech talent is hard. Drawing talent to a warzone shadowed by drones is harder.

On Aug. 25, a US airstrike killed Junaid Hussain, a British national considered the Islamic State's most capable hacker – though that may not have been a high bar to clear.

While The Wall Street Journal reported that jihadists called him their "secret weapon," J.M. Berger, author of "ISIS: The State of Terror," described him as "a Twitter noisemaker and a hack hacker." Many online labeled him a – more plagiarist than innovator – and they probably got him right.

By most accounts, the kinds of malicious action you could call "cyberattacks" were a small portion of his portfolio and impact; he was also a recruiter, a propagandist, and apparently an adviser on operations security. In other words, he was best known for effective information sharing. He was that guy in your office who encourages you all to give Slack a try – authoring any kind of "cyber 9/11" was hardly in the cards.

So why was Hussain targeted with a Hellfire missile? Understanding why he made the coalition's kill list goes a long way toward clarifying the threat posed by terror-affiliated hackers.

Even at the expert level, opinions differ widely about what the spread of digital arms means for international security. As Frank Cilluffo and Joseph Clark put it in a recent for Lawfare, "Cyber changes everything, cyber changes nothing." In Hussain's case, everything he did made the Islamic State's network a bit more effective; almost nothing he did was so novel that it couldn't have been done otherwise. Recruiting by Twitter is more efficient than recruiting by fax, but propaganda has always been with us. Targeting service members is easier if they've been doxxed, but lone wolves are an old threat. Encrypted chat is more secure than unencrypted; Hussain was still located and killed.

But his example is sobering because he was trivial, not exceptional. Anyone can learn to do what Hussain could do. Going forward, given his celebrity, more jihadists likely will.

For would-be hacktivists or cybercriminals, barriers to entry are low today. If you have your heart set on doing some of the work yourself, many streamlined tools are cheap or free and – because they have legitimate applications in security research – available on the open web (Metasploit is as popular with the FBI as it is with Dutch organized crime). The menu of options broadens if you know your way around the Deep Web's underground markets, especially if you have cash to spare. But why even buy an exploit or a vulnerability – some of which remain very pricey – when you can just commission the data breach you want, or buy up stolen personal data in the aftermath of one?

Just this month, the FBI announced the arrest of a 20-year-old Kosovar hacker who went by the handle Th3Dir3ctorY. According to the criminal complaint, he provided Hussain with stolen personal information on thousands of federal employees. Hussain then shared the data dump with social media followers, along with a call to action: "We are extracting confidential data and passing on your personal information to the soldiers of the khilafah, who soon with the permission of Allah will strike at your necks in your own lands!"

Th3Dir3ctorY stands charged with providing material support to the Islamic State. Assistant Attorney General John Carlin called the case "a first of its kind," but it's unlikely to be the last.

The capacity to do modest harm online is well within the Islamic State's reach – low-hanging fruit that the group, for the most part, has yet to pick. Its sympathizers could cost-effectively scale efforts to deface websites for propaganda value, defraud targets for financial benefit, or give kinetic plots a boost with intelligence gathered online. The missing ingredient has been either will or interest – and Hussain's prominence marked a definite growth in both. Developing talent is harder, but talent is less necessary than ever.

That said, the group's capacity will almost certainly grow over time. While jihadists are a long way from a Stuxnet-style attack with kinetic impact – that weapon cost some $100 million to develop – it remains imaginable that the group will attract followers capable of significant economic disruption, something after the fashion of the Sony compromise. While its time, money, and talent are strained by war, that pressure may eventually lapse. If the Islamic State develops stable borders, continues to draw foreign recruits from technical professions, and preserves significant revenue streams like oil and antiquity sales, jihadist "state-sponsorship" of hacktivism will be a growing concern.

Already, law enforcement officials say, sympathizers have probed the American energy grid. FBI Cyber Division Section Chief John Riggi said the attacks showed "strong intent. Thankfully, low capability. But the concern is that they'll buy that capability."

For now, the challenge is to guard against script kiddies, not the kind of outrageously talented "10x developers" Silicon Valley competes for. Better – and basic – cybersecurity practices would harden Western targets that are gratuitously soft today. And the lesson to take from the life, work, and death of Junaid Hussain is that he was a mediocre hacker – and he was a threat because, as a mediocre hacker, he offered the Islamic State an effective role model.

"I don't recognize the law or its enforcers," he told years ago. "I don't fear 'prison' – at least I'd be blocked from the mad world outside. I'd also be able to focus on myself and practice my religion more. I don't fear no one except God."

His example will outlive him. Drone strikes don't stamp out inspiration.

Meg King is the Director of the Digital Futures Project at the Wilson Center.

Grayson Clary is a Research Associate for the Digital Futures Project. Follow him on Twitter.
