"ISIS" Hacking the Military Is Embarrassing But Not Worth a Freakout
There are two sure-fire ways to get yourself immediate mainstream media attention: Allude to terrorism, and do it on Twitter. Someone purporting to represent the dread Islamic State did both Monday, proving the U.S. military's public affairs business is a trainwreck but accomplishing little else.
When ISIS, or an ISIS acolyte, or a disgruntled soldier, or some lunatic rando with WiFi, commandeered U.S. Central Command's Twitter and YouTube accounts Monday, the act could be seen by outsiders as a devastating deed of derring-do for the brutal militant group. Critics have long underestimated the Islamist syndicate at their peril, as it rolled back America's "gains" in Iraq and established a quasi-state in the fog of regional civil war. Its mostly millennial coreligionists have long been obsessed with tech and media—although its social media capabilities and achievements have long been overblown by reporters, too.
The most recent hack seems to have exploited that nervous sensitivity in the media, causing a lunchtime sensation by using CENTCOM's accounts to post pro-ISIS propaganda videos and images purporting (falsely) to show sensitive U.S. military info. "You'll see no mercy infidels," the hacker wrote on Pastebin. "ISIS is already here, we are in your PCs, in each military base. With Allah's permission we are in CENTCOM now."
This will likely be the jolt of horror leading evening news reports tonight and occupying Fox News screamers for days to come. Don't believe it. The hackers have nothing of value so far, and they've proven nothing—except, perhaps, the absurd futility of soldiers running social media accounts.
First, despite the hacker's "Pentagon Networks Hacked!" insistence, it was dumping nothing classified or sensational in its tweets from the CENTCOM account, and it offered no reason to believe it had anything important in its possession, other than a few old military and academic presentation talking points.
As my colleague Sam Biddle points out, the hacker did tweet out some contact info for soldiers and retired generals, along with stock threats to their families, which deserve to be taken a little seriously, owing to their specificity. But none of that info is secret, or even difficult to obtain.
"[T]here's no evidence that any DoD system, computer or network has in any way been compromised," Pentagon spokesman Col. Steve Warren said Monday.
Sure, but... still. Of course Uncle Sam would say that. Could the hacker have gotten something else juicy from its incursion into CENTCOM? Nah. Most military work computers that contain sensitive non-classified information don't even run Facebook, Twitter, and other "timewaster" websites; in Iraq, we needed to requisition a special "clean" console to run social media, and that web-surfing console could do very little else. And all of these systems were very separate from SIPRNET, the secure intranet the military uses to share secret data. This means that you simply can't access sensitive military information by cracking a weak Twitter password.
And that's all this was: a banal takeover of weak social media accounts. How easy is it? Speaking as someone who helped set up the Army's first social media accounts in Iraq in 2008 and 2009, it's really, really easy.
I knew someone who once went to a conference at the Naval Academy and guessed their wifi password because it was B34t4rmy #CyberWar
— Kelsey D. Atherton (@AthertonKD) January 12, 2015
Typically, social media is a low-order priority for military public-affairs outfits, a place to stash "grip and grin" photos of soldiers getting medals or doing hometown howdies that only their families would probably care about. The accounts are often run by junior service members or contractors, and security is light.
Thus Monday's attack was not a hugely impressive one, embarrassing and bold as it was. It seemed a one-off crime of opportunity. CENTCOM's Facebook, Flickr, and Pinterest pages were all unmolested Monday, for example. (Though why the hell the theater-level headquarters for military operations across 20 countries needs a Pinterest page flummoxes even me, a former military public affairs flack.)
This sort of thing is not uncommon—LulzSec, an offshoot of Anonymous, once hacked the CIA's external home page, leading to this XKCD comic (h/t to Paul Jones):
Finally, it's unclear who even did the CENTCOM hack. The hacker's rhetoric certainly claims some strong affinity with ISIS, but some observers have pointed out that ISIS rarely refers to itself as ISIS; that the MO sounds an awful lot like that of the anti-ISIS, pro-Assad Syrian Electronic Army; and that it's always possible that a bored or disillusioned soldier decided to screw his bosses over for the lulz.
Does all this mean we shouldn't take ISIS seriously? Of course not; it's a confederation of bloodthirsty psychotic assholes who have long threatened to kill Westerners in their homes, as they've killed thousands of innocents in Iraq and Syria. But neither should we overstate the threat they pose and perpetuate the ever-spinning myth of ISIS's cyber-savvy. Perhaps instead, we could focus on the incompetence and pointlessness of military-sponsored social media accounts.
[Illustration by Jim Cooke]