Like the 2007 cyber attacks on Estonia, the October 2010 Stuxnet botnet attack on Iranian nuclear facilities made cyber-based attacks global news. The Estonian attacks were largely labeled a cyberwar by journalists, although some did invoke the concept of cyberterrorism. The Stuxnet attack, on the other hand, has been very widely described as cyberterrorism, including by the Iranian government.
Cyberterrorism is a concept that appears recurrently in contemporary media. It is not just reported upon in newspapers and on television, but is also the subject of movies (such as 1990's Die Hard II and 2007's Die Hard IV: Live Free or Die Hard) and popular fiction books (for example, Winn Schwartau's 2002 novel Pearl Harbor Dot Com). This coverage is particularly interesting if one believes, as I do, that no act of cyberterrorism has ever yet occurred and is unlikely to at any time in the near future. Having said that, it is almost always portrayed in the press as either having already occurred or being just around the corner. As an academic, I'm not alone in arguing that no act of cyberterrorism has yet occurred and, indeed, some journalists agree; most, however, seem convinced as to the salience of this threat. Why?
I can only surmise that, just as a large amount of social psychological research has shown, the uncertain and the unknown generally produce fear and anxiety. This is the psychological basis of an effective movie thriller: the fear is greatest when you suspect something, but you're not certain what it is. The term "cyberterrorism" unites two significant modern fears: fear of technology and fear of terrorism. Fear of terrorism, though the likelihood of any one of us being the victim of terrorism is statistically insignificant, has become perhaps normalized; but fear of technology? In fact, for those unfamiliar with the workings of complex technologies, these are perceived as arcane, unknowable, abstract, and yet increasingly powerful and ubiquitous. Many people therefore fear that technology will become the master and humankind the servant. Couple this relatively new anxiety with age-old fears associated with apparently random violence and the result is a truly heightened state of alarm. Many journalists (although fewer technology journalists than others) have succumbed, like members of the general population, to these fears, to which the journalists have then added further fuel with their reporting.
The second stumbling block for journalists is that just as the definition of terrorism is fraught, so too is the definition of cyberterrorism. My preference is to distinguish between cyberterrorism and terrorist use of the Net. This is the distinction FBI Director Robert Mueller seemed implicitly to be drawing in a March 2010 speech in which he stated that "the Internet is not only used to plan and execute attacks; it is a target in and of itself...We in the FBI, with our partners in the intelligence community, believe the cyber terrorism threat is real, and it is rapidly expanding."[a] Where the FBI Director and I diverge is in the efficacy of the cyberterrorist threat as opposed to that of everyday terrorist use of the Net (that is, for radicalization, researching and planning, financing, and other purposes).
Dorothy Denning's definitions of cyberterrorism are probably the most well known and respected. Her most recent attempt at defining cyberterrorism is: "...[H]ighly damaging computer-based attacks or threats of attack by non-state actors against information systems when conducted to intimidate or coerce governments or societies in pursuit of goals that are political or social. It is the convergence of terrorism with cyberspace, where cyberspace becomes the means of conducting the terrorist act. Rather than committing acts of violence against persons or physical property, the cyberterrorist commits acts of destruction or disruption against digital property."[2]
Analyses of cyberterrorism can be divided into two broad categories on the basis of where the producers stand on the definition issue: those who agree broadly with Denning versus those who wish to incorporate not just use, but a host of other activities into the definition. The literature can also be divided on the basis of where the authors stand on the magnitude of the cyberterrorism threat. Dunn-Cavelty uses the term "Hypers" to describe those who believe a cyberterrorist attack is not just likely, but imminent,[b] and the term "De-Hypers" to describe those who believe such an attack is unlikely.[1] Most journalists are hypers; I, on the other hand, am emphatically a de-hyper. In this column, I lay out the three major reasons why.
In my opinion, the three most compelling arguments against cyberterrorism are:
The first argument is treated in the academic literature; the second and third arguments are not, but ought to be. None of these are angles to which journalists appear to have devoted a lot of thought or given adequate consideration.
In the speech mentioned earlier, FBI Director Mueller observed "Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks." That may very well be true, but the argument from Technological Complexity underlines that 'wanting' to do something is quite different from having the ability to do the same. Here's why:
Violent jihadis' IT knowledge is not superior. For example, in research carried out in 2007, it was found that of a random sampling of 404 members of violent Islamist groups, 196 (48.5%) had a higher education, with information about subject areas available for 178 individuals. Of these 178, some 8 (4.5%) had trained in computing, which means that out of the entire sample, less than 2% of the jihadis came from a computing background.[3] And not even these few could be assumed to have mastery of the complex systems necessary to carry out a successful cyberterrorist attack.
Real-world attacks are difficult enough. What are often viewed as relatively unsophisticated real-world attacks undertaken by highly educated individuals are routinely unsuccessful. One only has to consider the failed car bomb attacks planned and carried out by medical doctors in central London and at Glasgow airport in June 2007.
Hiring hackers would compromise operational security. The only remaining option is to retain "outsiders" to undertake such an attack. This is very operationally risky. It would force the terrorists to operate outside their own circles and thus leave them ripe for infiltration. Even if they successfully got in contact with "real" hackers, they would be in no position to gauge their competency accurately; they would simply have to trust in same. This would be very risky.
So on the basis of technical know-how alone, a cyberterror attack is not imminent, but this is not the only factor one must take into account. The events of Sept. 11, 2001 underscore that for a true terrorist event, spectacular moving images are crucial. The attacks on the World Trade Center were a fantastic piece of performance violence; look back on any recent roundup of the decade and mention of 9/11 will not just be prominent, but pictures will always be provided.
The problem with respect to cyber-terrorism is that many of the attack scenarios put forward, from shutting down the electric power grid to contaminating a major water supply, fail on this account: they are unlikely to have easily captured, spectacular (live, moving) images associated with them, something we, as an audience, have been primed for by the attack on the World Trade Center on 9/11.
The only cyberterrorism scenario that would fall into this category is interfering with air traffic control systems to crash planes, but haven't we seen that planes can much more easily be employed in spectacular "real-world" terrorism? And besides, aren't all the infrastructures just mentioned much easier and more spectacular to simply blow up? It doesn't end there, however. For me, the third argument against cyberterrorism is perhaps the most compelling; yet it is very rarely mentioned.
In 2004, Howard Schmidt, former White House Cybersecurity Coordinator, remarked to the U.S. Senate Committee on the Judiciary regarding Nimda and Code Red that "we to this day don't know the source of that. It could have very easily been a terrorist."[4] This observation betrays a fundamental misunderstanding of the nature and purposes of terrorism, particularly its attention-getting and communicative functions.
A terrorist attack with the potential to be hidden, portrayed as an accident, or otherwise remain unknown is unlikely to be viewed positively by any terrorist group. In fact, one of the most important aspects of the 9/11 attacks in New York from the perpetrators' viewpoint was surely the fact that while the first plane to crash into the World Trade Center could have been accidental, the appearance of the second plane confirmed the incident as a terrorist attack in real time. Moreover, the crash of the first plane ensured a large audience for the second plane as it hit the second tower.
Alternatively, think about the massive electric failure that took place in the northeastern U.S. in August 2003: if it was a terrorist attack (and I'm not suggesting that it was, but if it was), it would have been a spectacular failure.
Given the high cost (not just in terms of money, but also time, commitment, and effort) and the high possibility of failure on the basis of manpower issues, timing, and complexity of a potential cyberterrorist attack, the costs appear to me to still very largely outweigh the potential publicity benefits. The publicity aspect is crucial for potential perpetrators of terrorism and so the possibility that an attack may be apprehended or portrayed as an accident, which would be highly likely with regard to cyberterrorism, is detrimental. Add the lack of spectacular moving images and it is my belief that cyberterrorism, regardless of what you may read in newspapers, see on television, or obtain via other media sources, is not in our near future.
So why then the persistent treatment of cyberterrorism on the part of journalists? Well, in this instance, science fiction-type fears appear to trump rational calculation almost every time. And I haven't even begun to discuss how the media discourse has clearly influenced the pronouncements of policymakers.[c]
3. Gambetta, D. and Hertog, S. Engineers of Jihad. Sociology Working Papers, No. 2007-10, Department of Sociology, University of Oxford, (2007), 8-12; http://www.nuff.ox.ac.uk/users/gambetta/Engineers%20of%20Jihad.pdf.
4. Virtual Threat, Real Terror: Cyberterrorism in the 21st Century (Serial No. J-108-58), hearing before the Subcommittee on Terrorism, Technology and Homeland Security of the Committee on the Judiciary, United States Senate, 108th Congress, Second Session, (Feb. 4, 2004), http://cip.gmu.edu/archive/157_S108VirtualThreathearings.pdf.
a. The text of Director Mueller's March 2010 speech at a cyber security conference in San Francisco is available at http://www.fbi.gov/pressrel/speeches/mueller030410.htm.
c. For more on the issues relating to media coverage of cyberterrorism raised in this column, including analysis of the pronouncements of policymakers in this regard, see "Media, Fear and the Hyperreal: The Construction of Cyberterrorism as the Ultimate Threat to Critical Infrastructures." In M.D. Cavelty and K.S. Kristensen, Eds., Securing "The Homeland": Critical Infrastructure, Risk and (In)Security (Ashgate, London, 2008), 109-129.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2011 ACM, Inc.
Nicely written article, but I disagree. Ultimately, we're trying to judge the likelihood of "black swans". While one doesn't happen, you're right. Once it does, you will have been retroactively and "obviously" wrong. It's worth discussing, though.
First of all, considering the ease with which large-scale Internet phenomena ("epidemics") and events affecting SCADA systems (Stuxnet, the purported Brazilian power blackout, and even the dumping of sewage into water reservoirs in Australia a few years ago), it is a very dangerous and largely baseless assumption that terrorists will not be able to acquire the know-how. Also keep in mind that several nation states consistently (and others periodically) engage with and patronize terrorist groups; weapons, training and other support is routinely passed along. How difficult would it be for expertise or at least tools to flow through the same channels? Furthermore, keep in mind the various analyses showing that a disproportionate number of terrorists have engineering backgrounds; these folks aren't (all) dummies.
On the second point: failed physical attacks don't seem to deter further physical attacks. Trial-and-error as well as radical changes in approach seem to be within the practice of terrorists, whether operating in cells or in isolation. Why not keep trying? There are a lot of attack tools out there that can be purchased (or even acquired for free) in the underground market. All that's necessary is a suitably vulnerable target and a bit of luck. (Consider the purported failed(?) attack on the City of London stock exchange last year, which recently surfaced in the news. What would the impact of that have been if successful, and at what risk/cost to the attackers?)
On the third point, I will simply refer you to the various analyses of the underground cyber-insecurity market. Anything (including zero-day exploits) can be had for the right price. There are even software-as-a-service attack tools that can be used with no downloads and very little expertise; and, the sellers will be happy to customize a tool. These transactions occur over largely anonymous online channels, with very little risk to the participants. The risk to operational security just isn't there.
As a side note, how would you classify the Estonia and Georgia cyber-attacks? Supposedly, they were launched and managed by non-state-actors. Arguably, they weren't terribly catastrophic, therefore one might be inclined to dismiss them; but, that would be analogous to arguing that the failed bombing attempt of the Northwest flight to Detroit in 2009 was not an act of terrorism.
Having said all that, do I believe we're likely to experience a catastrophic cyber-terrorism attack imminently? No, mostly because of the lack of "imminent" *and* "catastrophic" consequences of such attacks. On the other hand, we're close to a point (if we haven't already crossed it) where such attacks are possible simply because a lot of our physical infrastructure is instrumented and remotely controllable. (Until not-too-many years ago, it would have been possible to purposely and remotely cause an oil-spill event such as the BP disaster remotely, since the drill heads had no safeguards whatsoever. One of the big if silent successes of DHS.)
The article is well-written and brings interesting arguments to light. However, while I agree with the author that cyberattacks are unlikely to be perpetrated by terrorist groups for the reasons mentioned, these arguments do not apply for attacks that can be started by non-terrorist groups, such as governments. In this case, the exact opposite applies: 1) governments need to trust cyber-mercenaries no more than they already trust the real-world spies and soldiers that work for them; 2) the lack of high-impact media images is precisely the kind of covert action required by intelligence operations.
It has often been said that inter-state wars of the future will inflict losses on a "cyber battleground", and recent rumors about the origin of StuxNet are consistent with that belief.
Thanks for the comments. In response:
Angelos, you're doubtless correct to point out the inadvisability of predicting that something won't happen. I have, in past writings on this subject, tended to cover myself in this respect by arguing not that cyberterrorism cannot happen or will not happen, but that, contrary to popular perception, it has not happened yet. Given the reignited fear of cyberterrorism that I have noticed in the media and amongst policymakers in recent times, however, I decided to more unambiguously nail my colours to the mast in this particular opinion piece!
On your first substantive point, I'm not sure that we can describe the Stuxnet attack as easy and I understand that many observers now believe it was the work of a state or states, which suggests a significant investment of personnel, know-how, time, and money. As for the dumping of sewage into water reservoirs in Australia a few years ago, that was carried out by a disgruntled former employee (i.e. it was an inside job). The latter sort of attack has always presented and, indeed, continues to present a far greater threat to such infrastructure than a cyberterrorist attack, in my opinion.
While it's true that numerous states have been known to supply weapons, training, and other support to an assortment of terrorist groups, supplying the same groups with a high-level cyber weapon or the expertise to develop same would, I think, be a different matter. Why? Because the fungible nature of such a weapon or such expertise and the borderless nature of the Internet means that it might double back on the same state and its cyber infrastructures in short order.
I'm familiar with the various analyses showing that a disproportionate number of violent jihadis rather than terrorists in general have engineering backgrounds. My point was that relatively few have advanced IT education, which is surely necessary to carry out a significant cyberterrorist attack. Basically, I'm tired of hearing media commentators elevating script-kiddies to potential cyberterrorists and insinuating that just because X or Y group has the capacity to build a website or distribute content online, the next step is a major attack by them using the Internet.
These folks, you say, aren't (all) dummies. I never suggested that they were. Almost half of the random sampling of violent Islamists I mentioned in my column had a higher education, which is significantly higher than amongst the general population of most countries, including the US (at c.35%). Two points are worth making in this respect: 1.) there is a difference between having a university degree and having the expertise necessary to carry out some specific task. Thence my mention of the failed car bomb attacks carried out by medical doctors in London and Glasgow in 2007. On the other hand, 2.) terrorist groups composed of persons with very little formal education, such as the IRA, showed that technological savvy is not limited to those with university degrees. (The latter example is much more akin to the situation obtaining for violent jihadis with respect to, for example, the development of IEDs, in the Iraq and Afghan conflicts than it is to the situation in the contemporary cyber realm however).
Moving on to your second point, which was that failed physical attacks don't seem to deter further physical attacks. No, but then terrorists of all stripes have a long history of successful terrorist attacks, the means of which are still available to them and as effective as ever. Why carry out a cyber attack on the London stock exchange when one could just engage in a conventional attack with a much higher likelihood of success and immediate blanket media coverage? In fact, your assertion that radical changes in approach seem to be within the practice of terrorists is off the mark and means that the latter is much more likely than the former. There are a relatively small number of types of attacks that feature in terrorists' arsenals and are repeated across different time periods, ideological groupings, geographies, etc. A list of such types of attacks would include car bombings, airline hijackings, and suicide bombings, or some combination of these. (The events of 9/11 do not negate this assertion as individually airplanes and suicide attacks have a long history of use amongst terrorists).
On your third point: if this is as easy as described, why hasn't anybody done it yet?
But, hey, I'm not a techie, I study terrorism and so the larger part of my comments was with respect to the calculations likely to be made by terrorist groups in weighing the costs and benefits of cyberterrorism versus other methods available to them. You don't address these issues, which in my opinion are at least as important, if not more so, than the technological aspects of cyberterrorism. What I wanted to bring to light in my column was that journalists tend to think about, and privilege, the technology and not the terrorists. As, so it seems, do many techies! The technology is less than half the story though.
A brief follow-up:
Angelos, you mention, as a side note, the Estonia and Georgia cyber attacks and ask how I would classify these: if a state had a significant hand in these, I would consider whether they might fall into the domain of cyberwar, if not I would tend to place them into some other category of cyber activism. I do not consider them to fall into the realm of cyberterrorism for a number of reasons, including my belief, which I share with Dorothy Denning and others, that cyber attacks that do not directly result in loss of life should not be termed cyberterrorism unless the effects are otherwise massively catastrophic.
Finally, Sylvain mentions cyber attacks perpetrated by states/governments and points out that my arguments do not apply in respect of these: absolutely correct! Cyberwar and cyberterrorism, like war and terrorism, are different things and not (generally) engaged in for the same purposes.
I think your piece in ACM 02-2011 is an excellent and important article for a host of reasons.
All of which I explained in a lengthy thrice-edited response on the site, hoping I would offer another perspective to your ever-so-serious correspondents who, in a nutshell, seem to be saying, "well OK, maybe it not like totally likely but that doesn't mean it can't happen and therefore..."
Sadly I hit a wrong button while posting, of course just on the final few lines of the edit, and the words are but a memory.
Trying to train people on understanding relative risk has always proved far less satisfying than just telling them what they want to be hearing anyway. I try, for pure sport, to raise some of the ill-defined concerns that inform our determination to act with the same salutary effects as found when carefully sorting newsprint from "other print" and "yummy mulch." My mother used to wash it all very carefully as well: she was doing her part, she was.
Having been deputized lo these many years to watch for suspicious bags in the airport and bus terminal, and to stare at fellow passengers' shoes on overseas flights (and now also on the lookout for passengers who set fire to their undies), I assume that we've got a bunch of able volunteers available to thwart cyberterrorism. Heck, if they could just clamp down once and for all on a few spammers; they can display their little deputy badges proudly.
But who will see them?
I'm sorry to allow a defeatist note in my content when I conclude that, "Daddy's [Already] Gone to War."
This is an interesting contribution from an expert on the subject; surely, it would soothe our nerves, ever fearing a cyber terrorist attack!
I would agree with the theme of the Author. My intention is to present a bit different perspective of the notion "terrorism" and so by implication that of "Cyber Terrorism". I must confess I do not have the benefit of accessing the rich References cited by the Author nor could read the Literature extensively on the Subject: in far away India, our resources are very limited. As such, I may be excused if my Ideas have already been echoed.
Citing Ref (3) of the Author, the probability of an Internet-savvy "jihadi" attack is indeed small. But a realistic view points out to surreptitious "state sponsored (terrorist) attacks" which would cause hopeless havoc to the Community and Resources of the Victim (State).
While Terrorism is for attention grabbing, I wish to submit that the "lurking lone terrorist" with appropriate technology competence, is the one to be most feared (however small the probability of such attack may be) because the consequences of such an attack would be devastating to the victim (state).
"Cyber Terrorism" is beyond the ambit of the "Criminal Laws" of a Land. So States must be vigilant to protect themselves from such attacks; much more so, to harness a capability for restoration of the 'damaged installations' through 'Computer Emergency Response Teams' and such tech-savvy defenders.