By now, most readers of this blog are well aware that, for a brief period of time yesterday, ISIS cyber warriors (going under the hashtag #CyberCaliphate) took control of the CENTCOM Twitter and YouTube accounts. Twitter and YouTube are, of course, public-facing PR sites, not operational ones, but still, the image is jarring.
So, what are we to think of this? Is it a “major problem” or is it reflective of nothing more than a minor prank? Should we be concerned or not? Herewith a few thoughts:
First, and foremost, this demonstrates a truism of the cyber-realm — there is no place that is absolutely safe. We can do a great deal in risk reduction but no silver bullet exists to eliminate risk. All systems are vulnerable.
Second, it is unsurprising that the Twitter and YouTube accounts were vulnerable. If I had to guess, I would speculate that both of the accounts were “open” accounts — ones that CENTCOM was hoping that many of its public relations staff would post to. As such, I am going to guess that the password protection on the sites was relatively weak — and therefore pretty easy to crack.
At least, I’m hoping that is how ISIS got in. Because if they compromised the web sites through a phishing attack against a CENTCOM IT administrator, then the possibility of greater compromise exists. For if they were able to access the Twitter account through an IT administrator, then, of course, the other systems that administrator manages are also potentially vulnerable.
Third, on the merits this hack is meaningless. Attacking a public-facing account that has no operational significance is … well, not terribly significant. One of my favorite expositions on the subject is a cartoon from XKCD (which, if you have not found it, is the perfect source for geek cyber humor!). Here is how they would view this “assault.”
On the other hand (there is always an “other hand” in cyber) my (our?) understanding of the minor nature of the intrusion is not reflective of how the world will look at it. Many who are not tech-savvy will not understand that this intrusion was insignificant. To them it will look like “ISIS beat CENTCOM” and that is a narrative that ISIS will gladly advance. So even though the substantive problem is minor, I would assess this as a reasonably significant success for ISIS as an Information Operation.
Finally, this does raise the question of whether and to what extent the Federal government is effective at cyber defense. To be sure, as I said, the Twitter accounts are not high-value targets. But it is nonetheless somewhat concerning that the accounts were so readily penetrated. I am always reminded of Federal vulnerability when I hear officials of the government assert that “all will be well” if only the Feds took a greater role in cybersecurity. I continue to be skeptical that the Federal government is any better (or worse!) than the private sector.