Politicians and the media constantly talk about the dangers of a “cybergeddon” and a “cyber 9/11”, yet we lack a clear understanding of what type of activities are covered by this label. At this point activities including election meddling, the dissemination of propaganda through social media, hacktivism, and the targeting of critical infrastructures, amongst others, are all being considered acts of cyberterrorism. Whilst it is clear that cyberterrorism is a threat that cannot be ignored or underplayed, we must be careful when assigning this label to different incidents. Overusing the term can lead to unwarranted hysteria that can oversimplify cyberattacks. It can also unnecessarily shift our focus onto an area of research that might not be as deserving as other more pressing issues in the realm of cybersecurity. To avoid the issues just mentioned, this article will try to answer the following questions: what could cyberterrorism look like? And is there such a thing?
What is Cyberterrorism? Definitions and Misconceptions
To this day there are no clear examples of cyberterrorism; instead, we see a tendency for people to conflate cyberterrorism with other malicious cyber activities. This is seen at the highest levels of politics, with figures such as the former presidential candidate, Hillary Clinton, calling the 2016 Russian election meddling “Cyber 9/11”. Linking a disinformation campaign to a terrorist attack that resulted in the deaths of almost 3,000 people is a clear example of how we lack a unifying definition for cyberterrorism. The problem of finding a common definition stems from the fact that the term “terrorism” is highly contested in itself. This means that calling events “acts of terrorism” and labelling groups as “terrorists” is often very ambiguous. For instance, insurgencies and terrorists may employ the exact same tactics of terrorism, yet we tend to distinguish between insurgencies and terrorists. The same is true when these events cross into the realm of cyber.
For the purposes of this article, the focus will mostly be on terrorism as a tactic as opposed to a term used to label the groups that employ this tactic. The classification of what groups should or should not be called terrorists goes beyond the scope of the article. Instead, the article looks at the activities or events that fall under the category of terrorism.
One of the most quoted definitions for terrorism is that of the academic Bruce Hoffman, who defines terrorism as:
“…the deliberate creation and exploitation of fear through violence or the threat of violence in the pursuit of political change. All terrorist acts involve violence or the threat of violence…”
By this definition, many cyberattacks, if not all, fall outside this category. Yet, once the word “cyber” is attached to terrorism, we struggle to classify which cyberattacks fall outside the cyberterrorism label. In the simplest of terms, cyberterrorism is the “convergence of cyberspace and terrorism”, but this definition is too vague, as it could include the use of social media by terrorist groups to spread their ideology. Without the “cyber”, this activity would more likely be labelled propaganda, and thus we ought to still see it as propaganda once it makes its way into cyberspace. Some academics have created new terms to describe this phenomenon. For instance, Martin Rudner calls this “Electronic Jihad”, and thus leaves the term cyberterrorism for a very distinctive set of activities: those that involve the use or threat of violence.
Hacktivism is another activity that is being conflated with cyberterrorism. In 2015, Jeremy Hammond, an Anonymous hacktivist, was placed on a terrorism watch list. Civil liberties groups protested this decision, and expressed their concern “that a hacker with no apparent history of terrorist behaviour or affiliations should be classified this way”. Whilst hacktivism is politically motivated, there are some differences to terrorism. Gabriel Weimann explains that most hacktivists will protest and disrupt, but to cross the threshold into terrorism, they would have to “kill or maim or terrify”. This highlights the importance of violence as an identifying aspect of cyberterrorism. This is further exemplified by the information security researcher, Dorothy Denning, who defines cyberterrorism as:
“Unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear”.
Is there such a thing?
From the definition provided above, it can be concluded that no acts of cyberterrorism have occurred to date. This is because cyberattacks must express all of the following characteristics: fear, violence, and a political motivation. Whilst the definitions of these aspects may be quite broad, it is essential for an incident to present all three aspects to be considered cyberterrorism. Most cyberattacks these days will have one or two of these elements, but not all three.
In a 2002 article on cyberterrorism, Susan Brenner describes a scenario where a cyberattack shuts down the subway system in New York. Brenner details how people would panic with fear as they learn that they are “caught up in an international shut down of the entire system” that was “perpetrated by unknown persons whose identities and goals would remain unknown”. Whilst there would certainly be a high level of confusion and distress, the level of fear cannot be compared to that of a conventional terrorist attack. A scenario like the one Brenner proposes would require a lot more to create the same level of fear as an event such as the November 2015 attacks in Paris, or the London Bridge attack in 2017. Terrorists want to instil fear in the civilian population, and whilst a shutdown of a train system may be a nuisance, it will not invoke the same type of fear as when there are deaths or physical destruction involved. For now, there are no instances where a cyberattack has successfully created the same level of fear as a conventional terrorist attack.
To create fear, a level of physical violence is needed, or at least the threat of it. Stuxnet is one of the very few examples of a cyberattack that had a destructive, physical effect. However, this case also showed that the resources and knowledge required to build such a cyber weapon are not as easily accessible as is often believed, and that such weapons are in fact quite costly to build. Cyberattacks are often thought of as being the weapons of the weak, but as Jon R. Lindsay argues, this is quite misleading. He explains that “weaker actors face steep barriers to weaponization for causing meaningful damage” and that the level of sophistication required for something like Stuxnet is beyond the capacity of a weaker actor. This is because the same distance that makes it attractive for an individual to conduct a cyberattack will limit the “intelligence preparation and operational control” needed for a targeted destructive cyberattack. He therefore concludes that terrorists are more likely to use cheaper and more reliable ways of causing damage. Indeed, the increasing frequency of attacks involving a car or van mowing down civilians indicates that terrorists are more likely to choose a cheaper and more primitive mode of attack.
Finally, fear and violence by themselves cannot be considered cyberterrorism if there is no political motivation. That is why it is absurd to think that anonymity is what attracts terrorists the most to cyberattacks. Terrorist groups want to be heard, want people to fear them, and want to spark an overreaction; otherwise their political aims become irrelevant. If the perpetrator does not want to be known, it is more likely that the cyberattack is an act of criminality and not of terrorism.
That it hasn’t happened doesn’t mean that it won’t
Some cyberterrorism scenarios may seem far-fetched when they are discussed. But some are becoming a real possibility as our society becomes more dependent on the internet. The Cambridge Centre for Risk Studies reported that whilst it is unlikely for a cyberattack to “inflict severe physical destruction through digital means before 2020”, there is “evidence to suggest the risk of cyberterrorism” will increase and “intensify in the mid to long-term”. Terrorist groups have certainly expressed an interest in using cyber capabilities for their attacks. In February 2011, the leader of Al Qaeda, Ayman al-Zawahiri, released a video where he urged his followers to find new innovative ways of attacking the West to “sabotage their complex economic and industrial systems and drain their powers”. Additionally, a study from the University of Oxford on Islamic Radicals shows that “computer engineers are highly over-represented among members of militant jihadist groups” across the world.
Whilst being overly pessimistic is not always good, it is important to at least conceive what the worst-case scenario may be. The failure to predict and prevent the terrorist attacks of September the 11th is often linked to a failure of imagination. Very few would have imagined that the planes were going to be hijacked for those purposes. Only with hindsight can we see the clues of what was going to happen. The events of 9/11 highlight important lessons for intelligence agencies, one of which is to keep an open mind for the worst-case scenarios. Whilst it would take a lot of resources and effort to pull off a successful act of cyberterrorism, if done, it could be catastrophic. Intelligence agencies must therefore think outside the box about how terrorists could potentially use cyber capabilities to harm society, and hopefully in doing so be prepared to be resilient if it ever does happen.
That being said, we are unlikely to witness catastrophic cyberattacks in the near future, as terrorists have found more conventional methods to be more effective. Instead, what we are more likely to see are terrorist attacks accompanied by cyberattacks that serve to amplify the destructive and chaotic nature of the attack. In his argument as to why an act of cyberwar could exist, the academic John Stone explains that cyberattacks can be seen as force multipliers. This same logic can be applied to cyberterrorism, in that a cyberattack can magnify the effects of a conventional terrorist attack. The academic Christopher Cox lays out a scenario where terrorists are able to “interfere with emergency responses to a planned explosion”. Whilst the cyberattack itself may not be enough to cross the threshold into the label of cyberterrorism, if used along with a conventional terrorist attack it may warrant the label.
Should we care about cyberterrorism?
Yes and no. Cyberterrorism, like every other subject under cybersecurity, is not a clear-cut case. We have seen that not all cyberattacks can or should be labelled acts of cyberterrorism. Doing so creates unnecessary panic, but more importantly overusing the term would dilute its meaning, making it harder for us to understand what we are dealing with. As it is an interesting topic, it could also divert researchers’ focus from more pressing issues in the cybersecurity field. Yet, we cannot simply forget about it completely. Whilst the chances of a devastating cyberterrorism attack that brings death and destruction in the same way as a conventional attack are quite slim, we need to be aware and prepared for that “worst-case” scenario. In short, we need to care enough to be aware of the potential danger, but not enough that we see it as the major threat facing our security.
 Bruce Hoffman, Inside Terrorism, (New York: Columbia University Press, 1998), 63.
 Gabriel Weimann, “Cyberterrorism: The Sum of All Fears?”, Studies in Conflict and Terrorism, 28:2, 129–149 (2005): 132.
 Weimann, “The Sum of all Fears”, 135.
 Martin Rudner, “’Electronic Jihad’: The Internet as Al Qaeda’s catalyst for Global Terror”, Studies in Conflict and Terrorism, 40:1, 10–23 (2017): 11.
 Rudner, “Electronic Jihad”, 18.
 Susan Brenner, “Cyberterrorism”, Media Asia, 29:3, 149–154 (2002): 151.
 Brenner, “Cyberterrorism”, 151.
 Michael Gross, Daphna Canetti, Dana Vashdi, “The Psychological Effects of Cyber Terrorism”, Bulletin of the Atomic Scientists, 72:5, 284–291 (2016): 285.
 Gross, Canetti, Vashdi, “Psychological Effects”, 284.
 Jon R. Lindsay, “Stuxnet and the Limits of Cyber Warfare”, Security Studies, 22:3, 365–404 (2013): 389.
 Lindsay, “Stuxnet”, 389.
 Ibid, 389.
 Rudner, “Electronic Jihad”, 19.
 John Stone, “Cyber War Will Take Place!”, Journal of Strategic Studies, 36:1, 101–108 (2013): 106.
 Gross, Canetti, Vashdi, “Psychological Effects”, 289.
 Christopher Cox, “Cyber Capabilities and Intent of Terrorist Forces”, Information Security Journal: A Global Perspective, 24:1–3, 31–38 (2015): 32.