Communications of the ACM

Cyberterrorism is a concept that appears recurrently in contemporary media. This coverage is particularly interesting if one believes, as I do, that no act of cyberterrorism has ever yet occurred and is unlikely to at any time in the near future.

Angelos Keromytis

Nicely written article, but I disagree. Ultimately, we're trying to judge the likelihood of "black swans". While one doesn't happen, you're right. Once it does, you will have been retroactively and "obviously" wrong. It's worth discussing, though.

First of all, considering the ease with which large-scale Internet phenomena ("epidemics") and events affecting SCADA systems (Stuxnet, the purported Brazilian power blackout, and even the dumping of sewage into water reservoirs in Australia a few years ago), it is a very dangerous and largely baseless assumption that terrorists will not be able to acquire the know-how. Also keep in mind that several nation states consistently (and others periodically) engage with and patronize terrorist groups; weapons, training and other support is routinely passed along. How difficult would it be for expertise or at least tools to flow through the same channels? Furthermore, keep in mind the various analyses showing that a disproportionate number of terrorists have engineering backgrounds; these folks aren't (all) dummies.

On the second point: failed physical attacks don't seem to deter further physical attacks. Trial-and-error as well as radical changes in approach seem to be within the practice of terrorists, whether operating in cells or in isolation. Why not keep trying? There are a lot of attack tools out there that can be purchased (or even acquired for free) in the underground market. All that's necessary is a suitably vulnerable target and a bit of luck. (Consider the purported failed(?) attack on the City of London stock exchange last year, which recently surfaced in the news. What would the impact of that have been if successful, and at what risk/cost to the attackers?)

On the third point, I will simply refer you to the various analyses of the underground cyber-insecurity market. Anything (including zero-day exploits) can be had for the right price. There are even software-as-a-service attack tools that can be used with no downloads and very little expertise; and, the sellers will be happy to customize a tool. These transactions occur over largely anonymous online channels, with very little risk to the participants. The risk to operational security just isn't there.

As a side note, how would you classify the Estonia and Georgia cyber-attacks? Supposedly, they were launched and managed by non-state-actors. Arguably, they weren't terribly catastrophic, therefore one might be inclined to dismiss them; but, that would be analogous to arguing that the failed bombing attempt of the Northwest flight to Detroit in 2009 was not an act of terrorism.

Having said all that, do I believe we're likely to experience a catastrophic cyber-terrorism attack imminently? No, mostly because of the lack of "imminent" *and* "catastrophic" consequences of such attacks. On the other hand, we're close to a point (if we haven't already crossed it) where such attacks are possible simply because a lot of our physical infrastructure is instrumented and remotely controllable. (Until not-too-many years ago, it would have been possible to purposely and remotely cause an oil-spill event such as the BP disaster remotely, since the drill heads had no safeguards whatsoever. One of the big if silent successes of DHS.)

Anonymous

The article is well-written and brings interesting arguments to light. However, while I agree with the author that cyberattacks are unlikely to be perpetrated by terrorist groups for the reasons mentioned, these arguments do not apply for attacks that can be started by non-terrorist groups, such as governments. In this case, the exact opposite applies: 1) governments need to trust cyber-mercenaries no more than they already trust the real-world spies and soldiers that work for them; 2) the lack of high-impact media images is precisely the kind of covert action required by intelligence operations.

It has often been said that inter-state wars of the future will inflict losses on a "cyber battleground", and recent rumors about the origin of StuxNet are consistent with that belief.

--Sylvain Hall

Maura Conway

Thanks for the comments. In response:

Angelos, youre doubtless correct to point out the inadvisability of predicting that something wont happen. I have, in past writings on this subject, tended to cover myself in this respect by arguing not that cyberterrorism cannot happen or will not happen, but that, contrary to popular perception, it has not happened yet. Given the reignited fear of cyberterrorism that I have noticed in the media and amongst policymakers in recent times, however, I decided to more unambiguously nail my colours to the mast in this particular opinion piece!

On your first substantive point, Im not sure that we can describe the Stuxnet attack as easy and I understand that many observers now believe it was the work of a state or states, which suggests a significant investment of personnel, know-how, time, and money. As for the dumping of sewage into water reservoirs in Australia a few years ago, that was carried out by a disgruntled former employee (i.e. it was an inside job). The latter sort of attack has always presented and, indeed, continues to present a far greater threat to such infrastructure than a cyberterrorist attack, in my opinion.

While its true that numerous states have been known to supply weapons, training, and other support to an assortment of terrorist groups, supplying the same groups with a high-level cyber weapon or the expertise to develop same would, I think, be a different matter. Why? Because the fungible nature of such a weapon or such expertise and the borderless nature of the Internet means that it might double back on the same state and its cyber infrastructures in short order.

Im familiar with the various analyses showing that a disproportionate number of violent jihadis rather than terrorists in general have engineering backgrounds. My point was that relatively few have advanced IT education, which is surely necessary to carry out a significant cyberterrorist attack. Basically, Im tired of hearing media commentators elevating script-kiddies to potential cyberterrorists and insinuating that just because X or Y group has the capacity to build a website or distribute content online, the next step is a major attack by them using the Internet.

These folks, you say, aren't (all) dummies. I never suggested that they were. Almost half of the random sampling of violent Islamists I mentioned in my column had a higher education, which is significantly higher than amongst the general population of most countries, including the US (at c.35%). Two points are worth making in this respect: 1.) there is a difference between having a university degree and having the expertise necessary to carry out some specific task. Thence my mention of the failed car bomb attacks carried out by medical doctors in London and Glasgow in 2007. On the other hand, 2.) terrorists groups composed of persons with very little formal education, such as the IRA, showed that technological savvy is not limited to those with university degrees. (The latter example is much more akin to the situation obtaining for violent jihadis with respect to, for example, the development of IEDs, in the Iraq and Afghan conflicts than it is to the situation in the contemporary cyber realm however).

Moving on to your second point, which was that failed physical attacks don't seem to deter further physical attacks. No, but then terrorists of all stripes have a long history of successful terrorist attacks, the means of which are still available to them and as effective as ever. Why carry out a cyber attack on the London stock exchange when one could just engage in a conventional attack with a much higher likelihood of success and immediate blanket media coverage? In fact, your assertion that radical changes in approach seem to be within the practice of terrorists is off the mark and means that the latter is much more likely than the former. There are a relatively small number of types of attacks that feature in terrorists arsenals and are repeated across different time periods, ideological groupings, geographies, etc. A list of such types of attacks would include car bombings, airline hijackings, and suicide bombings, or some combination of these. (The events of 9/11 do not negate this assertion as individually airplanes and suicide attacks have a long history of use amongst terrorists).

On your third point: if this is as easy as described, why hasnt anybody done it yet?
But, hey, Im not a techie, I study terrorism and so the larger part of my comments was with respect to the calculations likely to be made by terrorist groups in weighing the costs and benefits of cyberterrorism versus other methods available to them. You dont address these issues, which in my opinion are at least as important, if not more so, than the technological aspects of cyberterrorism. What I wanted to bring to light in my column was that journalists tend to think about, and privilege, the technology and not the terrorists. As, so it seems, do many techies! The technology is less than half the story though.

Maura Conway

A brief follow-up:

Angelos, you mention, as a side note, the Estonia and Georgia cyber attacks and ask how I would classify these: if a state had a significant hand in these, I would consider whether they might fall into the domain of cyberwar, if not I would tend to place them into some other category of cyber activism. I do not consider them to fall into the realm of cyberterrorism for a number of reasons, including my belief, which I share with Dorothy Denning and others, that cyber attacks that do not directly result in loss of life should not be termed cyberterrorism unless the effects are otherwise massively catastrophic.

Finally, Sylvain mentions cyber attacks perpetrated by states/governments and points out that my arguments do not apply in respect of these: absolutely correct! Cyberwar and cyberterrorismlike war and terrorismare different things and not (generally) engaged in for the same purposes.

Thad McIlroy

Hi Maura,

I think your piece in ACM 02-2011 is an excellent and important article for a host of reasons.

All of which I explained in a lengthy thrice-edited response on the site, hoping I would offer another perspective to your ever-so-serious correspondents who, in a nutshell, seem to be saying, "well OK, maybe it not like totally likely but that doesn't mean it can't happen and therefore..."

Sadly I hit a wrong button while posting, of course just on the final few lines of the edit, and the words are but a memory.

Trying to train people on understanding relatively risk has always proved far less satisfying that just telling them what they want to be hearing anyway. I try, for pure sport, to raise some of the ill-defined concerns that inform our determination to act with the same salutary effects as found when carefully sorting newsprint from "other print" and "yummy mulch." My mother used to wash it all very carefully as well: she was doing her part, she was.

Having been deputized lo these many years to watch for suspicious bags in the airport and bus terminal, and to stare at fellow passengers' shoes on overseas flight (and now also on the lookout for passenger who set fire to their undies), I assume that we've got a bunch of able volunteers available to thwart cyberterrorism. Heck, if they could just clamp down once and for all on a few spammers; they can display their little deputy badges proudly.

But who will see them?

I'm sorry to allow a defeatist note in my content when I conclude that,"Daddy's [Already] Gone to War."

Dr Jayadev Gyani

This is an interesting Contribution from an expert on the subject, surely, it would sooth our nerves, ever fearing a Cyber Terrorist attack !

I would agree with the theme of the Author. my intention is to present a bit different perspective of the notion "terrorism" and so by implication that of "Cyber Terrorism". I must confess I do not have the benefit of accessing the rich References cited by the Author nor could read the Literature extensively on the Subject: in far away India, our resources are very limited. As such, I may be excused if my Ideas have already been echoed.

Citing Ref (3) of the Author, the probability of a Internet-savvy "jihadi" attack is indeed small. But a realistic view points out to surreptitious "state sponsored (terrorist) attacks" which would cause hopeless havoc to the Community and Resources of the Victim (State)

While Terrorism is for attention grabbing, I wish to submit that the "lurking lone terrorist" with appropriate technology competence, is the one to be most feared (however small the probability of such attack may be) because the consequences of such an attack would be devastating to the victim (state).

"Cyber Terrorism" is beyond the ambit of the "Criminal Laws" of a Land. So States must be vigilant to protect themselves from such attacks; much more so, to harness a capability for restoration of the 'damaged installations' through 'Computer Emergency Response Teams' and such tech-savvy defenders.