General security

Cyber Terrorism: Complexities and Consequences

Edwin Covert
January 13, 2015 by
Edwin Covert

While a terrorist using the Internet to bring down the critical infrastructures the United States relies on makes an outstanding Hollywood plot, there are flaws in the execution of this storyline as an actual terrorist strategy. Conway (2011) calls out three limitations on using cyber-related activities for terrorists: Technological complexity, image, and accident (Against Cyberterrorism, 2011, p. 27).

Each is important to consider. While critical infrastructures may make a tempting target and threat actor capabilities are certainly increasing (Nyugan, 2013), it is a complicated process to attack something of that magnitude. It is precisely the interconnectedness of these two disparate parts that make them a target, however.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Nyugan (2013) calls them cyber-physical systems (CPS): "A physical system monitored or controlled by computers. Such systems include, for example, electrical grids, antilock brake systems, or a network of nuclear centrifuges" (p. 1084).

In Verton's (2003) imaginary narrative, the target of the Russian hackers, the SCADA system, is a CPS. However, Lewis (2002) argues the relationship between vulnerabilities in critical infrastructures (such as MAE-East) and computer network attacks is not a clear cut as first thought (p. 1). It is not simply a matter of having a computer attached to a SCADA system and thus the system is can now be turned off and society goes in a free fall of panic and explosions and mass chaos.

The first idea Conway (2011) posits reduces to the notion that information technology is difficult in most cases. There are reasons it takes veritable armies of engineers and analysts to make these complex systems interact and function as intended. However, there are a limited number of terrorists with the necessary computer skills to conduct a successful attack (pp. 27-28).

Immediately the argument turns to hiring external assistance from actual computer hackers (as most journalists and Hollywood scriptwriters do). Conway (2011) dismisses that idea, correctly, as a significant compromise of operational security (p. 28).

The US Department of Defense as defines operational security, or OPSEC:

A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level (US Department of Defense, 2012).

In the context of this paper, letting outside profit-motivated technicians into the planning and execution phase of a terrorist plot would be risky for conservative-minded individuals such a religious terrorists (Hoffman, 2006). As the number of people who are aware of a plot increases, the potential number of people who can leak operational details of the plot increases exponentially.

It is for this reason Verton's (2003) scenario is most improbable.

The second concern Conway (2011) notes is one of audience. Recalling the definition of terrorist put forth by Hoffman (2006), terrorists need to generate publicity to achieve their goals: they need to create a climate of fear through violence or the threat of violence. Simply attacking something and having no one notice it is not an operational success for a terrorist. Terrorists need to have their grievances known (Nacos, 2000, p. 176).

The terrorist act needs to be witnessed, such as the planes crashing into the World Trade Center or the hostage taking in Munich. in order to generate the necessary level of discourse to affect the goals the terrorist has in mind. Unfortunately, injecting code into a DNS server or shutting down Amazon.com does not generate the required intensity of chaos modern terrorists require (Conway, Against Cyberterrorism, 2011, p. 28).

This leads to Conway's (2011) third point: the accident. The United States relies heavily on computer and information systems. However, if a system goes offline in today's world, users are just as likely to suspect a system failure or accident as anything else is (p. 28).

As stated previously, this would be unacceptable to the terrorist organization. In order to generate a sufficient amount of concern on the part of the population, a series of cascading cyber-attacks would have to occur. Recalling Conway's (2011) first concern about complexity, multiple system attacks of the necessary intensity and frequency are unlikely.

While this might appear as merely an academic exercise, a review of the Global Terrorism Database maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism at the University of Maryland shows only two incidents under the search term "cyber" (Global Terrorism Database Search Results).

The first involved two men in Morocco who got into an argument at an Internet café with the café owner about viewing bomb-making materials. During the altercation, an actual bomb strapped to one of the men accidentally exploded killing the would-be bomber and wounding three others.

The second involved a pay phone in Hong Kong that was wired with explosives and detonated. A search of telecommunications facilities as targets in the database showed similar results: Explosions or arson, not the use of computers as a weapon system.

There are side effects of the mischaracterization of cyberterrorism by the media and popular culture. In the United States, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001, or PATRIOT Act, was passed in the immediate aftermath of the September 11, 2001 attacks.

It has two key provisions designed to counter potential cyberterrorist activity and increase the punishment for computer crimes (US Government, 2001). Section 814 of the PATRIOT Act enumerated specifically the goals of deterring and preventing cyberterrorism.

It increased the minimum prison terms for unauthorized access to a computer system, regardless of activity once in the system i.e. mixing criminal activity and cyberterrorism under a cyberterrorism section heading (§ 814.a.4).

Additionally, the law amended "the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030 of title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment" (§ 814.f).

In other words, simply being convicted of unauthorized access to a computer system allowed a federal judge (who most likely was not familiar with the nuances of cyber threats and threat + actors) to assume the worst and lock someone up for a very long time. Outside of the United States, others have made similar decisions regarding cyber threats and the law.

In the United Kingdom, Parliament changed its Terrorism Act so that using a computer system or threatening to use a computer system that interferes or disrupts another computer system is now considered terrorism (Conway, Cyberterrorism: Hype and Reality, 2007, p. 91).

Of concern of course is who makes the determination as to what constitutes disruption. Right now, that falls to Scotland Yard. That leaves a sour taste and no small amount of anxiety for human rights workers and other civil libertarians (p. 91).

Since the advent of the Internet, life has changed remarkable for citizens of the United States and the world. Unfortunately, this pace of change brings fear.

When the legitimate danger terrorists create is married to our dependence on technology, it is understandable how people become concerned. This new sense of panic is the fear of terrorists using the computer systems we depend on against us.

Fortunately, the evidence of cyberterrorism very limited thus far. Of course, an assumption is made that cyberterrorism is properly defined as a non-state organization that creates politically motivated destruction to information, computer systems and/or computer programs leading to violence or the threat of violence (Conway, What is Cyberterrorism?, 2002).

Any implication of state-sponsorship of cyber-attacks is outside the scope of this paper and could constitute an act of war (Shiryaev, 2012, p. 150). An analysis of the issue has demonstrated that cyberterrorism as a strategy for actual terrorists has been over-hyped through the media, academia, and popular literature.

This exaggeration of capabilities has led to several instances of questionable law made by people who do not understand the intricacies involved in launching a cyberterrorist attack. Rather, they acted out of fear and doubt.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

More cybersecurity professionals need to counter such sentiments by public and public officials to ensure actual threats are mitigated and unsubstantiated ones are given less priority and fewer resources. Only then can the more important threats be dealt with.

Edwin Covert
Edwin Covert

Edwin Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area.