ISIS is “waking up” to the idea of using sophisticated malware to cyberattack critical infrastructure in the U.S., FBI Director James Comey said Wednesday.
“Logic tells me it’s coming,” Comey said at the Cybersecurity Law Institute at Georgetown University, adding that the terror group is “looking into” whether it is capable of pulling off such attacks.
Comey said that over the last two years there has been more attention paid to potential cyberattacks against the U.S., and although he hasn’t seen them yet, “it just makes too much sense” for destructive malware to end up in the hands of terrorists.
Comey pointed to a “layer cake” of threats, with nation-states at the top and common criminals at the bottom. The threat of terror groups adopting cyber tactics usually carried out by China or North Korea is most concerning, he said.
“Destructive malware is a bomb. And terrorists want bombs,” Comey said. And while it may be difficult for a terrorist to physically enter the U.S., they can do so online in an instant.
Comey also discussed the struggle of curbing the influence of ISIS on the Internet, calling social media “the intersection where cyber and counterterrorism merge.” Last week, Admiral Mike Rogers, the head of U.S. Cyber Command, commented that a shift by ISIS toward using cyber capabilities not just for recruitment but as a weapons system is a “great concern” to the National Security Agency.
The FBI is also seeing an increase in the encryption of operational communications between terrorists and potential recruits online. Despite a court order that would allow investigators to obtain devices and view communications, many of those communications have moved to encrypted platforms that hinder investigators from reading them.
While Comey feels that there are societal benefits when it comes to encryption and the privacy of citizens online, the costs can leave intelligence communities with less information to stop a potential terror plot, or what is referred to by the FBI as “going dark.” This has led to a “collision,” according to Comey, where authorities have to balance the “important interest in privacy and important interest in public safety.”