Bloomberg is reporting the United Kingdom publicly announced its first major government-backed cyber attack, conducted in 2017, targeted Islamic State:

Jeremy Fleming, the director of GCHQ, which is better known for its communications interception work, said his agency had worked with the Ministry of Defence to make “a significant contribution to coalition efforts” against the al-Qaeda splinter group. He said that as well as making it “almost impossible” for the group to spread its message, the attack had protected forces on the battlefield.

“This is the first time the U.K. has systematically and persistently degraded an
adversary’s online efforts as part of a wider military campaign,” Fleming told a cybersecurity conference in Manchester, England, “Did it work? I think it did.”

He said other operations might “look to deny service, disrupt a specific online activity, deter an individual or a group, or perhaps destroy equipment and networks.”

Notice the qualifying “as part of a wider military campaign” added to the statement? What this likely means is this attack against Islamic State is not the first time the UK has conducted cyber attacks, but one in which a cyber attack was only one aspect of a multi-faceted, multi-domain operation.

There is no doubt the UK has conducted previous cyber attacks. Although the nation has never publicly proclaimed so, the country is one of the stronger purveyors of cyber capabilities, and absolutely leverages them when necessary. Since the inception of the UK NCSC, which is part of the GCHQ, this operation was likely the first time the organization worked in tandem with the Ministry of Defence for this strategic opportunity.

In the aftermath of the Paris terror attacks it is important to recognize a few important points as the media bombards the world with comments from scared politicians, especially in the United States more than anywhere. Like with any form of security, the primary operating foundation is risk management. This is in stark contrast to what the average citizen believes – the ability to prevent every terrorist attack.

Like in the ephemeral world of cyber security, it is impossible to stop every single attack, every day, from now through eternity. In cyber, attacks happen constantly – not a minute passes without some cyber weaponry being fired. Malicious actors continuously launch operations designed to disrupt or compromise their targets.

The differentiators in cyber are the low threshold to arm oneself, and the ability to attack without causing any form of physical harm. This makes it easy to constantly pull a so-called cyber trigger without ever needing to stop. People almost never face actual bodily harm.

The type of terrorism experienced in Paris causes actual physical harm, as we can all witness on the 24-hour news cycle. However, although one form of terrorism is kinetic and the other is not, they both are identical in one aspect: the ability to prevent every form of both malicious acts is unattainable. While the goal is lofty, it is impractical to believe security professionals are capable of thwarting every act of terrorism, no matter the form it takes.

We need to recognize the goal of terrorism is to scare people. However, by giving in to the terror by enacting laws and policies designed to drastically modify the American way of life, we allow the terrorists to win. This is what they want to happen – they want us to change. If we become more personally vigilant through education, rather than expecting our government to save us from future cowardly acts of murder, we win.

Do not let the media sway us from the truth: terrorism will continue no matter the loose or strict our laws we pass. Whether America – or other countries throughout the world – take additional steps towards the inevitable police state or not, there will be future acts of terrorism. They will happen in the United States or somewhere else in the world. It is inevitable. Why?

We cannot stop every act of terrorism. Nobody can. It is an impossible task, and something we should not expect of law enforcement and our intelligence agencies. Hindsight is absolutely 20/20, so it is easy to look back on an incident and theorize how it could have been prevented. In some cases that may be true, but mostly it is a false assumption.

The best thing we can do now is to continue living our lives as we always have – be the consummate American, but grow and learn from these terrorists. As in cyber security, our goal in fighting terrorism is to assume compromise but minimize the damage the malicious actors can inflict. There is a delicate balance between security and liberty; we should err on the side of liberty otherwise we lose and allow the terrorists to dictate the message.

That can never happen. We can, and will, overcome these trying times thanks to our resilience, so long as we keep our eye on what is important.

US allies have pledged to fight ISIS in cyberspace as part of collective response agreements (emphasis added):

In a 31-point list India and the UAE issued outlining a plan to counter terrorists in the region, the two countries said they would, “promote cooperation in cybersecurity, including prevention on use of cyber for terrorism, radicalization and disturbing social harmony.”
Authorities have been concerned about ISIS’s savvy use of social media services and online communications channels to recruit foreigners.

Hacking groups claiming affiliation with ISIS have also taken credit for a growing number of hacks across Europe and the U.S. in recent months.

To help combat this threat, the U.S. negotiated new deals with India and the Gulf states in recent months. The agreements pledge to share more data on cybersecurity threats in the region and to swap tactics on pursuing terrorists online.

Last week, top U.S. officials hosted an Indian delegation to discuss combating cyber crime.

ZDNet on a new report stipulating how ISIS has the “best cyber offense” of any terrorist group today:

“ISIS [also known as Islamic State] came onto the scene very quickly, but they already have arguably the best cyber offensive capability of any extremist movement out there, and it’s still early days,” Mikko Hypponen, chief research officer at F-Secure said.

“We still haven’t seen real physical damage being done by any extremist group, and it’s probably going to take a while until we see it. But these guys are the first ones that actually have some existing hackers who have joined them and moved in from the West,” Hypponen told the AusCERT Information Security Conference on Australia’s Gold Coast in his keynote address on Friday morning.

“It’s not yet really a big problem, but obviously this isn’t getting better, this is getting worse,” he said.

One such hacker is Abu Hussain Al Britani, a British citizen that F-Secure had been tracking as a traditional hacker three years ago. They lost track of him two years ago, but found him again last summer in Syria.

Dan Lohrmann of Emergency Management wonders about cyber terrorism and just how dangerous is the ISIS cyber caliphate threat to the United States:

But how serious of an online threat is ISIS and those who claim to work with or for the Islamic State? Could these groups unleash cyber terrorism and successfully bring down critical infrastructure in the U.S. and/or around the world? Where do these cyberthreats rank, if we compare them to other cyberattacks from cyber criminals or cyberattacks originating from Russia or China?

There is no doubt that ISIS has learned to use the Internet successfully to attract new recruits through the use of social media. Stories of men and women who travel to the Middle East from all over the world has been major topic of global discussion in 2014 and 2015.

So could more dangerous cyberterrorism be coming from the self-proclaimed “cyber caliphate?”

ISIS appears to be much more organized and cyber savvy than their predecessor Al Qaeda. While they may have demonstrated some rudimentary tradecraft, expect their capabilities to grow as they being to attract more potential jihadists with cyber skills towards those fabled virgins.

Cory Bennett and Elise Viebeck of The Hill on ISIS prepping for cyber war against the United States even though they have only demonstrated rudimentary cyber operations capabilities thus far:

“It’s only really a matter of time till we start seeing terrorist organizations using cyberattack techniques in a more expanded way,” said John Cohen, a former counterterrorism coordinator at the Department of Homeland Security.

“The concern is that as an organization like ISIS acquires more resources financially they will be able to hire the talent they need or outsource to criminal organizations,” Cohen added. “I think they’re probably moving in that direction anyway.”

Military officials agree. NSA Director Adm. Michael Rogers this week called the pending shift “a great concern and something that we pay lots of attention to.”

“At what point do they decide they need to move from viewing the Internet as a source of recruitment … [to] viewing it as a potential weapon system?” Rogers asked.

Startup costs for a cyber attack organization are nominal when compared to obtaining actual physical, kinetic attack weapons. ISIS will likely end up recruiting some would-be jihadists with decent cyber attack skillsets. American industry better to be prepared for such cyber terrorism ahead of time.

To get their point across ISIS would probably target something high profile, like a U.S. government web site or a much more important US commercial internet business. I am not saying ISIS will have the means to carry out a successful cyber attack operation, but they will end up launching an attack aimed at the US at some point in the future.

It really is only a matter of time.