Islamic State plans deadly cyber attacks, says Britain - but how real is the threat?

The UK today warned of terrorists targeting hospitals, power stations and air-traffic control systems. But for the moment a number of factors may stand in the way of those deadly ambitions.

Chancellor George Osborne speaks out about the danger of cyber attacks. Image: HM Treasury
Terrorists from the so-called Islamic State want to launch deadly cyber attacks against targets such as power stations, hospitals and air-traffic control systems in the UK, Chancellor George Osborne has said.

"The stakes could hardly be higher -- if our electricity supply, or our air-traffic control, or our hospitals were successfully attacked online, the impact could be measured not just in terms of economic damage but of lives lost," the Chancellor said in a speech at the headquarters of surveillance agency GCHQ.

Osborne said IS does not yet have the capability to kill by attacking the UK's critical infrastructure but added: "We know they want it and are doing their best to build it. So when we talk about tackling ISIL, that means tackling their cyberthreat as well as the threat of their guns, bombs and knives."

As a result of this danger and other threats, Osborne said the UK is almost doubling its cybersecurity spending to £1.9bn over five years.

But how likely is it that IS -- or any terrorist group -- could launch a deadly cyber attack?

Breaking into the industrial-control systems of a power station or chemical factory to cause damage is theoretically possible, especially because these systems are now being connected to the internet to help with, for example, remote monitoring.

And because these industrial-control systems were often built decades ago, they lack the security of more modern systems, making them potentially vulnerable to hackers. However, they also tend to be bespoke, so that attacking any system is likely to take significant reconnaissance, research and hard-to-find technical skills.

Those factors help explain why such attacks have until now only been thought of as an option for the largest nation states with significant resources and long-term planning. And so far no digital attack of this kind has led to loss of life.


When US director of national intelligence James Clapper gave his assessment of worldwide cyber threats in September, he noted the "likelihood of a catastrophic attack from any particular actor is remote at this time".

Much of his focus was on the states with significant cyber espionage and attack capabilities: Russia, China, Iran and North Korea. But he said terrorist groups will continue to experiment with hacking, which could serve as the foundation for developing more advanced capabilities.

"Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors," he said.

IS was mentioned -- but the focus was on its "highly-strategic social-media campaign," its well-documented use of social networks to communicate with its supporters around the world -- rather than any cyber attack capability.

"The group quickly builds expertise in the platforms it uses and often leverages multiple tools within each platform. ISIL and its adherents' adept use of social media allows the group to maximize the spread of its propaganda and reach out to potential recruits," he said.

There have, however, been some indications that IS is taking an interest in US power-station systems, though with little success.

"Strong intent. Thankfully, low capability," said John Riggi, a section chief at the FBI's cyber division quoted by CNN in October when describing IS skills. "But the concern is that they'll buy that capability."

Similarly, US assistant attorney general John Carlin told USA Today in June that IS lacked the technical skills to launch any serious attack but noted: "I don't think there is any doubt that if they are able to obtain that capability, they are going to use it."

One factor that does potentially set IS apart from other terrorist groups is its level of funding. Last year oil production controlled by IS was estimated to be worth $800m a year -- more than $2m per day, although that figure has probably declined as a result of airstrikes over the past year.
