By Sebastian J. Bae
Abstract:
Cyber-terrorism has been touted as the new imminent threat to security. Doomsday scenarios of apocalyptic cyber-terrorism have captured the popular imagination from politicians to mainstream media. However, how real is the threat of cyber-terrorism? This essay argues there undoubtedly exists vulnerabilities within cyber space. A myriad of factors from the Heartbleed bug to military exercises have shown security gaps exist, which can potentially be used by terrorist organizations. However, vulnerability does not equate to disaster or even cyber-terrorism. Despite popular preconceptions, there has never been a recorded incident of cyber-terrorism. There exist significant barriers to the advent of cyber-terrorism from a skill gap to organizational motivation. Ultimately, cyber-terrorism remains more a product of fear mongering than concrete reality –– at least for the moment.
Introduction:
Recently, there have been no shortage of cyber security headlines. In their July 12th issue, The Economist presented a special briefing on cyber security. Eye-catching titles like "Hackers Inc" and "Defending the Digital Frontier" painted the Internet as the new wild, wild West –– rampant with virus slinging hackers. Similarly, on July 10th, the cover story of Times magazine was "World War Z: How Hackers Fight to Steal Your Secrets." Compounded by the seemingly endless revelations of electronic surveillance and misconduct of the NSA by Edward Snowden, cyber security has become the new hot button topic. However, among the chatter and fear mongering of hackers and cyber wars between states, where does cyber-terrorism fit in the new digital world of rising threats?
Since the Global War on Terror, cyber-terrorism has become the new encompassing threat. In 2008, the World Cyber Security Summit or WCSS gathered in Malaysia to discuss future steps against the potential disastrous consequences of cyber intrusions. The meeting represented “the largest ministerial-level gathering ever organized about cyber-terrorism” drawing representatives from all over the world (Salek, 2008). Meanwhile, mainstream media has warned the public of doomsday scenarios where terrorists hijack critical infrastructures like the water supply and electrical grid with deadly consequences. Consequently, cyber-terrorism has become the new obsession of the security community as cyber-security centres have emerged one after another. The United States like many other Western states has established various cyber-security orientated agencies like newly established US Cyber Command to combat the threat of cyber-terrorism and cyberwar. meanwhile, existing agencies like the FBI, CIA, and NSA have expanded their purviews into the cyber realm as well. Reacting to the new digital threat of terrorism, the International Multilateral Partnership Against Cyber-Terrorism or IMPACT has even boldly announced, “cyber-terrorism is real” (Salek, 2008). However, the line between cyber criminals and cyber terrorist is a slippery slope. For years, academics and policy makers alike have spilled an ocean of ink over the definition of terrorism and who qualifies as an terrorist -- and there still is no definitive answer. Thus, we must begin with the basics: Does cyber-terrorism even exist?
For the confines of this essay, cyber-terrorism is “the pre-meditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by subnational groups or clandestine agents” (Verton, 2003, 27). The definition does not restrict cyber-terrorism to the narrow confines of cyber space. For instance, a computer virus or an explosive device targeting critical computer systems are both equally acts of cyber-terrorism within this context. The wider definitional berth is given due to the multi-faceted nature of terrorist operations –– involving multiple tactics and tools simultaneously. In essence, cyber-terrorism can be understood as the convergence of virtual space and politics of terrorism. Within cyber-terrorism, the capability of computers and the reach of the Internet supplement or replace the traditional methods of physical damage through explosives and small arms (Weimann, 2006, 154).
The vulnerabilities in cyber security are significant, and should not be underestimated. Maintaining security in the constantly evolving digital age remains a daunting challenge. Physical society and the digital world are colliding and converging at a frightening speed from smart houses to our dependence on automation. However, the hysteria surrounding cyber-terrorism is more myth than reality. The hyper–securitized post-9/11 world has found imagined enemies everywhere including cyber space. For the moment, cyber-terrorism remains more a product of our own fears and imaginations than rooted in reality. In the end, the threat of cyber-attacks is very real, but the reality of cyber-terrorism has not yet materialized.
Vulnerable, But Not Doomed:
In the modern era, interconnectedness and interdependency of systems has become a given, a fact of life. For instance, electrical grids are largely computerized which support sectors ranging from commercial banking to first responders. Technology has become the bloodline of modern states. The danger of cyber-terrorism lies in underestimating our “overwhelming dependency upon IT-related resources to continue business operations and execute recovery plans” (Verton, 2003, 23). The fear of cyber-terrorism exists in the potential ability of a terrorist group to obtain access to critical infrastructure systems with devastating consequences. For instance, trillions of dollars rely on electronic transactions and payment systems on a daily basis. Hence, a terrorist organization could potentially create an electrical blackout with subsequent denial of services of key industries, throwing a digital economy into turmoil. A national economy could potentially be crippled instantaneously with millions lost in moments (Verton, 2003, 47-48). These scenarios represent the core fears rooted in cyber-terrorism, a combination of the fear of terrorism and the pervasiveness of technology.
Although such apocalyptic scenarios are unlikely, computerized systems do inherently have three key risk factors –– access, integrity, and confidentiality. Computer systems fundamentally depend on the system’s ability to access information and programs to operate. Networking various systems together has enabled greater speed and productivity. At the same time, networking computer systems together has inherently increased the collective vulnerability. Computerized systems must remain accessible to proper authorities, while maintaining system integrity from outside forces simultaneously (Pollitt, 1998, 9). The demand to balance free flowing information and cutting-edge speed, while maintaining secure servers remains a constant challenge. According to recent studies, “power and energy companies averaged 12.5 severe or critical attacks requiring immediate intervention per company” (Verton, 2003, 39). The cyber incursions reflect the dynamic nature of cyber space, constantly demanding attention and adaptation to new threats. Thus, many pundits of the cyber-terrorism threat camp argue supervisory control and data acquisitions systems or SCADA systems inherently possess vulnerabilities to cyber-terrorism. SCADA systems control a myriad of critical infrastructure systems ranging from nuclear plants, water supplies, and the electrical grid. Many argue that a determined enemy could gain access and orchestrate devastating consequences ranging from flooding communities through dams or instigate rolling blackouts. Although companies claim their security measures are sufficient, critics like Dan Verton argues, “If you talk to state and local governments and local utilities, they’ll tell you they have great response plans. The problem is, they write them in isolation” (Verton, 2003, 20). The challenge is not whether one company is secure or not, but whether the entire network of individual companies and systems remains secure.
Computer vulnerabilities remain a grim reality of digital age. In April 2014, security researches announced a critical security flaw known as the Heartbleed bug in the popular data encryption standard, OpenSSL. The Heartbleed bug is the unforeseen vulnerability in the system’s verification method. In OpenSSL, a computer will send a ‘heartbeat’ or a small packet of data to verify another computer is on the other end of the secure line. However, the Heartbleed bug reveals a systemic vulnerability where hackers can extract massive data from servers, which are supposedly ‘secure,’ by creating a false ‘heartbeat’ (Russell, 2014). In essence, the Heartbleed bug renders the popular encryption program critically fallible. According to a recent survey, “959,000,000 websites, 66% of sites are powered by technology built around SSL” are vulnerable (Russell, 2014). Thus, the Heartbleed bug, the latest cyber threat, demonstrates cyber vulnerability is not a myth, but very real. At the same time, cyber-attacks “against the Internet increase at an annual rate above 60% (Weimann, 2006, 153). The ever-increasing number of attacks reflects both the vulnerabilities of computer systems, but also the decreasing skill gap among states and sub-state actors. As with any new technology, “the cost and other barriers to developing an advanced cyber offensive are declining each year” (Knake, 2010).
Similarly, the public sector remains equally vulnerable to cyber-attacks. In 1997, the US Joint Chiefs of Staff organized an exercise to assess the Pentagon’s ability to defend against a coordinated cyber incursion code named Eligible Receiver. The operational NSA Red Team were allowed to use any software freely available on the Internet, but were not allowed to break any laws. During the exercise, the NSA Red Team effectively mapped Pentagon networks, acquired passwords, created false administrator accounts, and gained almost unfettered access to particular servers (Verton, 2003, 31-33). The operation proved far more successful than any of the Joint Chiefs imagined possible. Nonetheless, Eligible Receiver provides a poignant reflection of the current cyber-terrorism landscape –– one of concrete vulnerability and imagined threat. The operation doubtlessly revealed gaps in security at the Pentagon in regards to cyber threats. However, at the same time, the NSA Red Team was comprised of elites in the computer science field who had intimate knowledge of the government systems. The collective operational skills of the NSA Red Team arguably surpass most terrorist organizations. The inherent technical bias of the operators playing the Red Team adds a dimension of skepticism to the ability of terrorists to gain the same level of access.
However, there is no doubt vulnerabilities will only increase “as societies move to a ubiquitous computing environment” where more daily activities rely on remote computer automation (Lewis, 2002, 11). However, complete security is a myth whether in the physical world or in cyber space. Vulnerabilities will always exist, as total security often is synonymous with complete isolation. Thus, within a society where information and goods can move relatively freely, impregnable security is an unachievable standard. Vulnerability does not necessarily equate to disaster. For instance, banks are far from impregnable, as the history of bank robberies has clearly demonstrated. Nevertheless, despite their continual vulnerability, banks continue to adapt and function as an integral aspect of the economy. Similarly, computer systems may possess vulnerabilities that require constant evolution, but it does not doom a society to a ‘Digital Pearl Harbour’. The 1998 attack by the Internet Black Tigers, a branch of the LTTE, remains the closest act to cyber-terrorism ever recorded. The Internet Black Tigers initiated an email bombardment of the Sri Lankan embassies creating a temporary denial-of-service (Denning, 2001, 281). However, the coordinated denial-of-service operation is far from the ‘doomsday scenarios’ often perpetuated in the security community. Moreover, the cyber-attack by the LTTE barely compares to their deadly campaigns of suicide bombings in 1990 against Indian peacekeeping forces in Sri Lanka (Pedahzur, 2005, 76-77). Ultimately, vulnerability does not necessarily equate to disaster.
The Imagined Spectre of cyber-terrorism:
Terrorist organizations have turned to the Internet as a powerful tool in regards to logistics, propaganda, and communication. For instance, Hezbollah independently operates three different website domains for specific purposes –– one for the central press office, one dedicated to attacks on Israel, and one for news and information (Denning, 2001, 252). Furthermore, a 1998 report by US News & World Report indicated 12 of the 30 groups on the US State Department terrorist list were featured on the Internet (Denning, 2001, 252). The number has only increased since the advent of the Global War of Terror and the rise of radical Islam. The Internet has become a digital frontier where militias, freedom fighters, mercenaries, propagandists, and terrorists find both refuge and support. However, the use of computers and technology by terrorist organizations “as facilitators of activities, whether for propaganda, communication, or other purposes is simply that: use” –– not cyber-terrorism (Weimann, 2006, 154). For instance, the use of computers to create travel plans, communicate, and purchase tickets by a group of terrorists in Delray Beach, Florida, in 2001, does not constitute cyber-terrorism, merely use (Gordon & Ford, 2002, 637). For the moment, terrorist organizations have not ventured into the realm of cyber-terrorism.
Despite theories and rampant fears surrounding cyber-terrorism, “interest does not equal capability” (Knake, 2010). Although cyber-terrorism holds destructive potential, the ability to execute a complicated and deadly cyber-attack requires a sophisticated knowledge and skill set. In 2007, a research survey indicated roughly 48.5% of a sample of 404 members of violent Islamist groups possessed higher education (Conway, 2011, 27). The study disproves the popular notion that most terrorists are uneducated fanatics of the developing world. However, the study also concluded “less than 2% of the jihadis came from a computing background” (Conway, 2011, 28). Furthermore, merely possessing a computing background does not necessarily translate to the technical ability to execute a complex cyber-attack. The Centre for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School (NPS) reported, “terrorists generally lack the wherewithal and human capital needed to mount attacks that involve more than annoying but relatively harmless hacks” (Weimann, 2004, 10). Essentially, terrorist organizations have not nurtured or acquired the capability to match their interest in cyber-terrorism.
In 2002, the US government hosted a joint war exercise, code named Digital Pearl Harbour, to further assess the validity of doomsday cyber-terrorism scenarios. The results of the war exercise were far from the widespread fears surrounding cyber-terrorism. Although the opposition was able to cause sporadic damage, their primary objective to crash the Internet failed. The subsequent report by CNet concluded that a high profile cyber terrorist attack “would require a syndicate with significant resources, including $200 million, country-level intelligence and five years of preparation time” (Weimann, 2004, 10). The exercise demonstrated vulnerabilities could potentially be exploited to cause temporary disruptions. The prevalence of cybercrime and hackers has clearly demonstrated the potential for criminal elements to exploit weaknesses for personal or political motives. However, the crippling cyber-terrorism of our imaginations was abruptly debunked by operation Digital Pearl Harbour. Despite the political paranoia, “no single instance of cyber-terrorism has yet been recorded” (Weimann, 2006, 149). The fact remains the threat of cyber-terrorism has not yet truly materialized. According to the Centre of Strategic & International Studies, “electronic intrusion represents an emerging, but still relatively minor threat” (Lewis, 2002, 5). Terrorists have not joined the ranks of hackers, activists, and cyber criminals who comprise the large majority of cyber-attacks.
Since 9/11, discourses in security and terrorism have become a mixture of politics, reality, and fear mongering. As a result, statistics and research have often been skewed and manipulated to fit within particular political agendas of individuals and administrations. For instance, in December 2001, the Potomac Institute, a think tank with intimate ties with the Pentagon, announced the existence of an ‘Iraq Net.’ According to the think tank, Iraq established a network of over one hundred websites globally to launch denial-of-services or DoS attacks against American companies. However, similar to reports of weapons of mass destruction in Iraq, the Iraq Net has proven to be more fiction than truth (Weimann, 2004, 3). Similarly, cyber-terrorism has become the new galvanizing term in the Global War on Terror –– attracting both funding and influence. Since the 9/11 attacks, the US government has dedicated roughly $4.5 billion USD to infrastructure protection, while the FBI “boasts more than one thousand cyber-investigators” (Weimann, 2005, 134). Thus, the domestic dimension of cyber-terrorism cannot be ignored in the perpetuation of the fear mongering plaguing cyber-terrorism. Jim Harper, director of information policy studies at the CATO Institute, states, “we’re convincing ourselves that cyberspace is an endless sea of vulnerabilities that leave us weak and exposed. It’s not” (“The Underwhelming”, 2011). The perceived threat of cyber-terrorism has created an entire industry, both public and private. From IT companies to intelligence agencies, cyber-terrorism has launched a flurry of new cyber security centres and programs. Director Harper adeptly states, “cyber-terrorism is ‘cyber–snake oil’” (“The Underwhelming”, 2011). Tragically, the snake oil of cyber-terrorism does not come cheap.
Additionally, there exist doubts on the assumed success of a singular cyber-attack by terrorist organizations. During WWII, strategic bombing had entered the war’s arsenal with unfettered restraint. Similar to cyber-terrorism, strategic bombing targeted critical infrastructure to destroy the enemy’s ability in regards to economic and military production with the added dimension of social fear. The parallels between strategic bombing and cyber-terrorism are striking. Allied Forces bombarded entire cities including Berlin, Dresden, and Tokyo. Regardless of one’s moral judgment on the merits of strategic bombing, the Strategic Bombing Survey concluded, “The German experience showed that, whatever the target system, no indispensable industry was permanently put out of commission by a single attack. Persistent re-attack was necessary” (Lewis, 2002, 3). Thus, strategic bombing provides a critical insight into the nature of cyber-terrorism. A singular act of cyber-terrorism will not destroy a nation or an economy. Like strategic bombing, truly effective cyber-terrorism will require persistent, unrelenting cyber incursions to fully cripple a nation. In essence, “the sky is not falling, and cyber weapons seem to be of limited value in attacking national power or intimidating citizens” (Lewis, 2002, 10).
Furthermore, unlike physical attacks, cyber operations introduce new operational challenges to terrorist organizations. Computer systems are complex and involve a high level of operational coordination and control. Nurturing new innovative skills sets prove challenging for any organization including terrorist groups. The capacity building around cyber-terrorism has stalled similar to maritime terrorism. At the moment, the current generation of terrorist organization lacks the technical prowess for cyber-terrorism. However, this may not always be the case. Frank Cilluffo, the Associate Vice President for Homeland Security at George Washington University, warned, “While bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse” (Weimann, 2005, 146). Terrorist organizations like al-Qaeda have proven themselves to be startlingly innovative and adaptive. Nevertheless, even a successful cyber-attack upon critical infrastructure may not conjure the same level of trauma, drama, and damage as traditional terrorist methods (Denning, 2001, 282). For instance, when Enron and El Paso Corps orchestrated power outages and rolling blackouts through California in 2002, there was no cataclysmic fallout in death and destruction (Thurm, Gavin, & Benson, 2002). The blackouts affected the 32 million residents of California and virtually stalled its 32 trillion dollar economy overnight –– similar to the feared consequences of cyber-terrorism. However, the incident did not embody the panic of any Digital Pearl Harbour scenario, but demonstrated the resiliency of critical infrastructure to recover relatively quickly. In the end, the fact remains “no human death has been clearly linked to cyber-attacks whether they were terrorism or criminal act” (Gorge, 2007, 12).
Conclusion:
James Lewis of the Centre for Strategic and International Security emphatically stated, “Digital Pearl Harbours are unlikely” (Lewis, 2002, 11). The fact remains the cyber-terrorism touted in official reports and mainstream media has not materialized. For the moment, cyber-terrorism remains more a product of fear and imagination than concrete reality. Nonetheless, in the new globalized digital world, the lines between foreign and domestic, private and public, and the virtual and physical worlds are rapidly blurring. Similarly, security challenges are progressively growing amorphous –– actions in cyber space possess growing physical consequences. Yet currently, the threat of cyber-terrorism remains largely exaggerated. Nevertheless, the potential cannot be completely ignored either. As the world becomes more intertwined with the digital world, cyber-terrorism may not remain a ghost of our fears, but a stark reality of the times. Terrorist organizations have proven to innovative, unconventional, and wholly determined. Hence, we must equally be innovative and adaptive, while maintaining our clarity of thought and resisting the easy answers of fear mongering. Yet for the moment, states and policy makers have a more pressing issues concerning cyber security –– the foremost being the precarious balance between cyber security and personal privacy. Before we can tackle the invisible enemies beyond our walls we must make sure we do not allow the guards to become the threat from within. Who will watch the watchers? Who reads their emails?
Sgt. Sebastian J. Bae is currently a masters student at Georgetown's Security Studies Program, specializing in international security. He served six years in the Marine Corps infantry as a Sergeant, and deployed to Iraq in 2008. He previously studied at UC Berkeley for his undergraduate degree, and did academic exchanges and fellowships at the University of Hong Kong as an undergraduate and a the University fo St. Andrews as a graduate student.