Is the Islamic State planning a cyber terrorist attack on American companies or American critical infrastructure? Let's face it—probably not. Why? Because, well, has there ever been a horrifying, evocative, or even remotely "terrifying" cyberattack on the West? Does "cyberterrorism" even really fit with a jihadist organization's goals?
Not to nitpick, but, just because a hack or an attack comes from a terrorist organization does not necessarily make it terrifying.
That didn't stop the FBI from issuing a notice late last week to companies noting that "extremist hackers and hacktivists groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria." The FBI noted that it has "no information at this time to indicate specific cyber threats to US networks or infrastructure."
Cyberterrorism has been a buzzword on Capitol Hill for well over a decade now and, while cybersecurity is certainly and has been a serious issue for the US government and American companies, cyberterrorism—that is, hacks or attacks pulled off by strictly jihadist or terror-aligned have been few and far between and haven't exactly captured the public's consciousness in a way that an actual terrorist attack would.
In fact, former NSA director Michael Hayden said earlier this year is that cyber terrorism isn't even a thing (yet): "I don't have a single example of cyber terrorism. Not one incident," he said.
These are not, for instance, Chinese hackers looking to steal American intellectual property. These are people who want to kill or hurt the West (at least, according to everything they've suggested so far).
Lots of people have come to this conclusion: In 2009, the UN Security Council said that "there is not yet an obvious terrorist threat in the [cybersecurity] area."
Last week, a paper by the Bipartisan Policy Center asked what should be two very obvious questions: "When it comes to assessing whether terrorists are a likely cyber threat, two critical questions are worth raising. First, under which scenarios could a cyber attack cause the kind of terror among the population that terrorists hope to achieve?" the paper suggested. "Second, is a cyber attack actually the easiest way for terrorists to achieve that goal or are traditional methods cheaper and more effective?"
The most apparent answer to the first question is that groups like ISIS and al-Qaeda are looking to kill or otherwise harm western citizens.
A cyberattack that causes physical harm is certainly not outside the realm of possibility: An attack on the power grid, or on a wastewater management system, or hell, even on a traffic light could hurt or kill people. But the most sophisticated and destructive cyberattack ever, Stuxnet, was (we think) a clandestine operation undertaken by the best hackers the United States and Israel had (and even that didn't kill anyone and wasn't particularly "terrifying").
There's no doubt that ISIS is tech saavy. But cutting a video using Final Cut Pro and engineering a cyberattack that's sophisticated enough to cause serious physical harm are two completely different skill sets.
More likely, the kind of cyberattack that ISIS could pull off would be one similar to those we've seen from the Syrian Electronic Army in recent years. While those attacks have garnered plenty of attention for the group, the attention that temporarily defacing a website or co-opting The Onion's Twitter feed for a few minutes got them pales in comparison to the attention and fear ISIS created when it beheaded journalist James Foley.
Even the FBI admits in its warning that the most likely attacks would be "website defacements" that would contain messages supporting ISIS or, perhaps, pictures or video of one of ISIS's decapitations. It cites only "probably aspirational threats" from social media accounts as the impetus for issuing the warning.
That brings us to the second question raised in the Bipartisan Policy Center paper: Is a cyber attack easier to pull off and more evocative than, say, a plot to decapitate a random person in Australia? Is it even more evocative than taking a photo of the ISIS flag in front of the White House (even on an iPhone)? Is any cyber attack even remotely likely to conjure up the images we saw or the terror we felt on 9/11? Of course not. At least not anytime soon.