By Lee Roberts, February 16, 2018
Cyber-based terrorist operations number among the threats named in the U.S. Intelligence Community’s recently released 2018 Worldwide Threat Assessment. Does that mean our intelligence agencies believe that terrorists might deliver a spectacular attack via cyberspace?
In June of 1982, a Soviet gas pipeline in Siberia exploded with such spectacular force that the flash and ensuing flames were clearly visible from space. While no accident, the explosion was not the result of a controlled detonation or any sort of conventional physical sabotage. Instead, it is now widely considered to be the first recorded case of physical infrastructure damage as a result of intentionally malicious computer code. By some accounts, the CIA engineered the Soviet purchase of gas pipeline control software manipulated to “go haywire”; in other words, weaponized code.
Nearly four decades later, an attack that hinged on getting someone to purchase physical media carrying the weaponized software seems crude and clunky. Additionally, subsequent alleged successful uses of code to achieve physical destruction have only ever been attributed to state actors. But what if inspiring fear is a sufficient goal for a non-state cyber attacker? Doesn’t terrorism seek simply to inspire terror? Researchers at the University of Haifa found evidence to suggest that the psychological effects of cyberterrorism were similar to those experienced in the wake of more conventional terrorist attacks, yet even they struggle to pinpoint just what cyberterrorism actually is. To try and tackle this definition, it might be useful to start with what cyberterrorism isn’t.
Okay, I’ll play along – what isn’t cyberterrorism?
Cyberterrorism isn’t simply the use of the Internet or digital technology to facilitate the planning, funding, or execution of more conventional terrorist attacks. While it’s true that the advent of the Internet presents both terrorists and counterterror agencies with an ever-growing variety of tools and methods, simply using the Internet in the pursuit of terrorism doesn’t automatically make you a cyberterrorist.
In the same vein, cyberterrorism isn’t simply terrorist information warfare. This can get very confusing, since successful modern terrorist organizations are proficient in the use of the Internet to spread propaganda and recruit. Information warfare has been around for millennia, whereas “cyber-” anything necessarily involves software. Information warfare is often mistakenly referred to as occupying the “fifth domain” of warfare, when in fact that designation officially belongs to cyberspace (after the four domains of land, air, sea, and space).
Even cyber warfare isn’t synonymous with cyberterrorism. It’s true that cyber warfare consists of using code to sabotage or spy, as we worry terrorists may do. However, the term refers to ALL uses of software to damage or collect information on strategic or tactical resources, including by governments or sub-national organizations for conventional military purposes. So while both cyber warfare and cyberterrorism include the employment of cyber attacks, the primary purposes differ.
Cyberterrorism is also distinct from hacktivism, or the use of the Internet to further social or political goals in a manner that is transgressive (or not within accepted social boundaries) and civilly disobedient rather than violent. This is an important distinction; because hacktivism is politically motivated, typically anti-establishment, and can employ some of the methods employed by cyber warriors and cyber terrorists, hacktivists run a high risk of being confused with cyber terrorists.
Finally, cyberterrorism is distinct from what is usually labeled “cyber crime”. To be sure, all terrorism is a form of crime, but the prevailing usage of the term “cyber crime” is typically understood to be crime undertaken for purely or predominantly financial reasons that lacks the motivation of seeking political or social change.
That’s a long list. So what is cyberterrorism?
Like terrorism itself, cyberterrorism doesn’t have a universally accepted definition, but rather exists as a consensus topic. We’ll use a modified version of the United States Department of Defense definition of terrorism proposed by noted cybersecurity engineer Irving Lachow:
“…a computer based attack or threat of attack intended to intimidate or coerce governments or societies in pursuit of goals that are political, religious, or ideological. The attack should be sufficiently destructive or disruptive to generate fear comparable to that from physical acts of terrorism.”
This definition should help crystallize the reasons that cyberterrorism is distinct from logistical uses of the internet in support of conventional terrorism, cyber warfare, information warfare, hacktivism, and cyber crime. The key components are: 1) a computer-based attack or threat; 2) having intimidation, coercion, and/or fear as a primary goal; 3) in pursuit of political or ideological goals; and 4) of a magnitude to inspire as much fear as a conventional terrorist act.
What would a cyberterrorist attack consist of? How would we know when one occurs?
Cyberterrorists avail themselves of the same basic tools as are sometimes employed by cyber criminals, hacktivists, and cyber warriors; however, while those other groups may make use of only some of these methods and/or impose limits on their use, cyberterrorists could see all manner of techniques and any magnitude of employment justifiable to inspire fear.
|Denial of Service (DOS)||DoS attacks use code designed to overwhelm or impair networks or applications, typically by reconfiguring network settings or generating more traffic than a network can handle.|
|Malicious software, or “malware”, damages or compromises a computer system without the knowledge or approval of the administrator or owner. Once a system is compromised, malware may reconfigure its functions or give control of the system to the attacker.|
|Once a number of computers are compromised while connected to a network, attackers can use them to host automated software programs or “bots” to carry out further attacks or malicious actions en masse. The use of a botnet to execute a large- scale DoS attack is known as DDOS (Distributed Denial of Service).|
|Social Engineering is not an exclusive term to cyber attack, but in this context it means using misleading digital communication to gain information about or access to networks, systems, or users in order to compromise, attack, or exploit them. Phishing is a particularly prolific social engineering technique where attackers pose as legitimate institutions or companies via e-mail or phone and trick targets into giving up sensitive information.|
The main methods of cyber attack
While the table above should enable us to imagine any number of nefarious aims for the detailed techniques, would-be cyberterrorists’ incentive for employing them are on the rise thanks to rapidly increasing reliance on supervisory control and data acquisition, or SCADA. Successful anti-SCADA attacks present the most realistic chance for weaponized code to achieve a directly physically destructive effect (as in the pipeline example) due to SCADA’s central importance to many extremely hazardous military and industrial systems and resources. A successful disruptive attack on the control software of a nuclear power plant is just one of many catastrophic examples.
That’s a little unsettling. Who would do that stuff and why?
As we discussed, cyberterrorism is fundamentally terrorism executed in the domain of cyberspace – so cyberterrorists would be terrorists who possess the motives and expertise to employ the methods detailed above in order to instill fear in support of their political or ideological goals. However, just as in conventional warfare, the reality of cyber warfare is that the vast majority of destructive capacity resides with state actors and their clients.
How prevalent could cyberterrorism become, and how soon?
Essentially, any network-connected computer system is vulnerable to attack to some degree, particularly from motivated, skilled attackers who use penetrations as the basis for more damaging attacks (rather than bragging). Power infrastructure is particularly susceptible to cyber attack, and the combination of physical damage and widespread fear and panic that a power grid compromise would yield places it squarely in the realm of the desired effects of terrorism. A number of terrorist groups already display proficiency in social engineering, though they mainly use this to position operatives or obtain financial resources in support of conventional attacks. That extant capacity and a range of clear incentives imply that the advent of the “pure” cyberterrorist attack is close.
Yikes! So what do we do about it?
There is some good news: while the Global War on Terror and its reliance on monitoring terrorist communications have led terrorist groups to decentralize and avoid electronic coordination, cyber attacks would require terrorists to assume a highly elevated risk of their activity being detected by electronic surveillance. Additionally, disciplined conventional practices of cyber security and information assurance designed to counter cyber crime are largely effective against all but the most sophisticated cyber attacks.
State actors’ possession of the vast majority of cyber capability worldwide could mean good news, bad news, or both for those seeking to prevent the rise of truly destructive cyberterrorism. States’ near-monopoly on cyber capabilities could help to buy enough time and space to prevent successful cyberterrorist attacks while pursuing a comprehensive strategy to reduce the underlying regional and local causes of terrorism. Alternately or concurrently, as the IC Threat Assessment fears, the states who already enjoy some success in the pursuit of unscrupulous cyber activities could see sponsorship of cyberterrorists as a convenient way to advance their own agendas.
Lee Roberts is an Adjunct Professor with the Schar School of Policy and Government at George Mason University. A U.S. Army Strategic Intelligence Officer in his 11th year of active duty service, Lee currently also serves as a Research Associate with the National Intelligence University’s College of Strategic Intelligence. He is a graduate of the United States Military Academy at West Point and holds a Master’s Degree in International Security from the Schar School of Policy and Government. The views or opinions expressed in this post are strictly those of the author and do not represent the position of the National Intelligence University, the Defense Intelligence Agency, the Department of Defense, or any agency or office of the United States Government.
The articles and other content which appear on the Center for Security Policy Studies website and social media posts are unofficial expressions of opinion. The views expressed are those of the authors, and do not reflect the positions of the Schar School of Policy and Government or of George Mason University.
The Center for Security Policy Studies does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. The Center for Security Policy Studies merely provides a forum for scholars and professionals to share perspectives and cultivate ideas. Comments on any digital outlet of the Center for Security Policy Studies will be moderated to ensure logical, professional, and courteous application to intellectual content.