Wednesday, September 02, 2015

Yes, they just droned a hacker

Many are disputing the story about a recent story about a drone strike that targeted the hacker TriCk from Anonymous group TeaMp0isoN. They claim instead that the guy, Junaid Hussain, was targeted because he was a major recruiter for ISIS/Daesh. There is some truth to this criticism, but at the same time, the hacker angle cannot be removed from this story.

The Pentagon has confirmed that one reason they targeted Junaid Hussain was his hacking activities. The AP story quotes the Central Command as saying:
"This individual was very dangerous. He had significant technical skills."
The truth of the matter is more complicated. It's unlikely Junaid Hussain actually had "significant technical skills". He was probably a "script kiddy", one of the many low-skilled hackers that form the bulk of Anonymous-style hacking groups. The actual hacks were minor. He may have hacked the CENTCOM Twitter accounts, but it's unlikely he actually hacked anything of military consequence.

Like many in Anonymous, his primary skills were propaganda and mastery of social media. He was in contact with one of the "Mohamed Cartoon" killers in Texas, for example. According to news reports, it was his use of social media in "inspiring" others to join ISIS/Daesh that put him as #3 on the kill list (after the leader of the terrorist group, and the guy in charge of beheadings), not his hacking.

But at the same time, his hacking may have been an essential element.

Lots of ISIS/Daesh supporters are active on social media like Twitter and Facebook. What make Junaid Hussain stand out was the notoriety of his hacks. It's like describing Donald Trump purely as a candidate for president while ignoring that it's his status as a billionaire that enabled his candidacy. While Junaid Hussain was #3 on the ISIS/Dasesh target list for his recruitment activities, it's his hacking that made those activities possible.

More importantly, it may have been an essential legal element. The military can't just drone strike anybody it wants. It must follow rules. Jeffrey Carr has an good post about the legality of drone striking somebody like Junaid. Carr finds that his membership in ISIS/Daesh was a sufficient legal basis for assassinating him.

I'm not convinced Carr's analysis is complete, though, and would love for a military lawyer who specializes in such things to weigh in. When it's a citizen of an ally (or our country), I suspect that some sort of overt act may also be required. Hacking the Pentagon qualifies as an overt act. Carr has a great start, but what I'd really like to see is a decision tree about precisely what sorts of hacking activities can get someone drone striked. Likewise, I'd like to see precisely what sort of activities on Twitter and Facebook can put one in danger. The United States already has a legal doctrine of being able to declare citizens "enemy combatants" bypassing due process of law. I'd like to know more about what that entails, at least for hackers.

This year has seen an unprecedented "War on Hackers" by the Obama administration. The U.S. took action against North Korea based on what it claims where that country's hacks against our country. The U.S. has proposed sweeping changes in the law that threaten civil liberties and anybody that looks like a hacker, such as security researchers. The President has declared the threat of hackers a "state of emergency" that gives it sweeping powers to either arrest people suspected of hacking, or confiscate their property. The administration is working on export controls, whose side effect is to make it easy to convict somebody of a felony for simply talking about hacking. Finally, the administration has drone striked a hacker. Sure, it was for more than simply hacking, but at the same time, that hacking was essential to the story cannot be ignored.

No comments: