Cyberterrorism

Zero. That is the number of people that have been hurt or killed by cyber terrorism at the time this went to press.

Peter W. Singer, "The Cyber Terror Bogeyman" (Nov. 2012) (full-text).

Definitions

Various definitions exist for the term cyberterrorism (also spelled cyber-terrorism), just as various definitions exist for the term “terrorism.”^[1]

Security expert Dorothy E. Denning defines cyberterrorism as "politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage.^[2]

The Congressional Research Service defines cyberterrorism as

“

the politically motivated use of computers as weapons or as targets, by sub-national groups or clandestine agents intent on violence, to influence an audience or cause a government to change its policies.[3]

”

The FBI defines cyber terrorism as a

“

premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.

”

The Federal Emergency Management Agency (FEMA) defines cyberterrorism as

“

unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.[4]

”

The ITU has defined cyberterrorism as

“

unlawful attacks and threats of attack against computers, networks, and stored information to intimidate or coerce a government or its people in furtherance of specific political or social objectives.[5]

”

The Office of the Comptroller of the Currency defines it as

“

[t]he use of computing resources against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.[6]

”

Others indicate that a physical attack that destroys computerized nodes for critical infrastructures, such as the Internet, telecommunications, or the electric power grid, without ever touching a keyboard, can also contribute to, or be labeled as cyberterrorism.^[7]

At least two views exist for defining the term "cyberterrorism":

• Effects-based: Cyberterrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals.
• Intent-based: Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage.

United States

Threats to the U.S. cyber and telecommunications infrastructure are constantly increasing^[8] and evolving as are the entities that show interest in using a cyber-based capability to harm the nation’s security interests.^[9] Concerns have been raised since the 1990s regarding the use of the internet and telecommunications components to cause harm to the nation’s security interests.

Activities producing undesirable results include unauthorized intrusion to gain access and view protected data, stealing or manipulating information contained in various databases, and attacks on telecommunications devices to corrupt data or cause infrastructure components to operate in an irregular manner. Of paramount concern to the national and homeland security communities is the threat of a cyber-related attack against the nation’s critical government infrastructures — "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."^[10] Early concerns noted attacks on components of the energy grid, infrastructure control systems, and military equipment as examples of telecommunications-based threats to physical infrastructures.^[11]

In response, the Department of Energy (DOE) conducted an experiment in 2007 in which the control system of an unconnected generator, containing similar components as that of larger generators connected to many power grids in the nation supplying electricity, was damaged and became inoperable.^[12] While data from federal agencies demonstrate that the majority of attempted and successful cyberattacks to date have targeted virtual information resources rather than physical infrastructures,^[13] many security experts are concerned that the natural progression of those wishing to harm U.S. security interests will transition from stealing or manipulating data to undertaking action that temporarily or permanently disables or destroys the telecommunications network or affects infrastructure components.

Many security observers agree that the United States currently faces a multi-faceted, technologically-based vulnerability in that “our information systems are being exploited on an unprecedented scale by state and non-state actors [resulting in] a dangerous combination of known and unknown vulnerabilities, strong adversary capabilities, and weak situational awareness.”^[14] This, coupled with security observers’ contention that the United States lacks the capability to definitively ascertain perpetrators who might unlawfully access a database or cause harm to a network, leaves the nation increasingly at risk. It also causes acts or discussions related to deterring cyberattacks to be ignored or negated by entities exploiting known or newly found vulnerabilities.

Prominent national security experts have emphasized the vulnerability of U.S. infrastructures. As recently as January 2009, former Director of National Intelligence (DNI) Mike McConnell equated "cyber weapons" with weapons of mass destruction when he expressed concern about terrorists’ use of technology to degrade the nation’s infrastructure. In distinguishing between individuals gaining access to U.S. national security systems or corporate data for purposes of exploitation for purposes of competitive advantage, former Director McConnell noted that terrorists aim to damage infrastructure and that the "time is not too far off when the level of sophistication reaches a point that there could be strategic damage to the United States."^[15]

Similarly, in elaborating on the potential consequences of a cyber attack, newly confirmed DNI Dennis Blair offered the following statement during the Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence:

“

Growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures. Over the past several years we have seen cyber attacks against critical infrastructure abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts. A successful attack against a major financial service provider could severely impact the national economy, while cyber attacks against physical infrastructure computer systems such as [those] that control power grids or oil refineries have the potential to disrupt services for hours to weeks.[16] Also describing the evolving threat to U.S. security interests from a cyber-facilitated incident, Melissa Hathaway, Senior Advisor to the DNI and Chair of the National Cyber Study Group and President Obama’s appointee to lead the 60-day interagency Cyberspace Policy Review, wrote that "both state and non-state adversaries are targeting our information systems and infrastructure for exploitation and potential disruption or destruction."[17]

”

During the question and answer period of the most recent DNI Annual Threat Assessment of the Intelligence Community, Director Blair stated that a

“

cyber capability is not one in which I feel [terrorists] have the skills for the greatest destruction. I think that they have other terrible things they can do to us that they are working on harder, they’re better able to do, and they seem to be more motivated to do. So [a cyber terrorist attack is] possible, but I don’t think the combination of terror and cyber is the nexus that we are most worried about.[18]

”

However, threats could originate from foreign military or intelligence operatives rather than from terrorist groups.

In response to reports of the increasing pace and volume of cyber intrusions and a recognition that recent cyber-based threats have compelled the U.S. government to take security related actions that may negatively affect an agency's ability to perform its national security duties,^[19] legislators and analysts have expressed concerns that the current statutory framework inadequately addresses modern cybersecurity threats. One prominent voice is the Center for Strategic and International Studies's (CSIS) Commission on Cybersecurity for the 44th President, whose members testified before House and Senate committees and released its formal recommendations in fall 2008. The Commission recommended that federal cyber-crime provisions should be reexamined and that the "President should propose legislation that eliminates the current legal distinction between technical standards for national security systems and civilian agency systems and adopt a risk-based approach to federal computer security."^[20] In addition, it characterized the current statutory framework, particularly the Federal Information Security Management Act, enacted in 2002 to establish agency-level defenses against cyberthreats, as too weak to effectively prevent cyberintrusions.^[21]

Legislators made some attempts during the 110th Congress to strengthen or "modernize" the existing statutory framework. For instance, a bill introduced by Senator Carper, the Federal Information Security Management Act of 2008,^[22] would have added a “Chief Information Security Officer” position to supplement the Chief Information Officer position required in each federal agency under the Federal Information Security Management Act of 2002 and the Clinger-Cohen Act of 1996.^[23] However, analysts have argued that ultimately, no change to the existing statutory scheme will adequately equip executive agencies to prevent infiltrations into U.S. cyberspace. They argue that "only the White House has the necessary authority and oversight for cybersecurity."^[24]

Current state of cyberterrorism

There is reasonable evidence available that terrorist organizations use cyberspace to conduct the business of terrorism. Terrorists use the Internet and the World Wide Web to communicate with each other, recruit members, gather intelligence, raise money legally and illegally, organize and coordinate activities, obtain illegal passports and visas, and distribute propaganda. For instance:

• Some Afghan-based terrorists, such as Osama bin-Laden, reportedly have computers, communications equipment, and large data storage disks for their operations.^[25]
• Hamas, a Middle Eastern terrorist organization, reportedly uses Internet chat rooms and e-mail to plan and coordinate operations in Gaza, the West Bank, and Lebanon.^[26]
• Hizballah, another Middle Eastern group, manages several Internet websites for propaganda purposes ([7]), to describe attacks against Israel ([8]), and one for news and information.[9]
• Government computers reportedly were crashed by terrorist groups during elections in Indonesia, Sri Lanka, and Mexico.
• Irish Republican Army (IRA) supporters reportedly leaked sensitive details on British army bases in Northern Ireland on the Internet. Sinn Fein also maintains a web site.[10]

Labeling a computer attack as "cyberterrorism" is problematic because of the difficulty determining the identity, intent, or the political motivations of an attacker with certainty. Under 22 U.S.C. §2656, "terrorism" is defined as premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents, usually intended to influence an audience.

Criticism

Some observers feel that the term "cyberterrorism" is inappropriate, because a widespread cyberattack may simply produce annoyances, not terror, as would a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon. However, others believe that the effects of a widespread computer network attack would be unpredictable and might cause enough economic disruption, fear, and civilian deaths, to qualify as terrorism.

References

1. Under 22 U.S.C. §2656, "terrorism" is defined as premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or clandestine agents, usually intended to influence an audience. The United States has employed this definition of terrorism for statistical and analytical purposes since 1983. U.S. Department of State, 2002, Patterns of Global Terrorism, 2003.[1].
2. Activism, Hactivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, at 241; Dorothy E. Denning, "Is Cyber War Next?," Social Science Research Council (Nov. 2001) (full-text).
3. Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress, at CRS-5.
4. FEMA Toolkit.
5. Global Strategic Report, at 24.
6. Office of the Comptroller of the Currency, Infrastructure Threats from Cyber-Terrorists 2 (Mar. 19, 1999).
7. Dan Verton, "A Definition of Cyber-terrorism," Computerworld, Aug. 11, 2003.[2]
8. Peter Eisler, Reported Raids on Federal Computer Data Soar, USA Today (Feb. 17, 2009).[3] Based on data reportedly provided to USA Today, the U.S. Computer Emergency Readiness Team (US-CERT), a Department of Homeland Security entity, found that known cyberattacks on U.S. government networks rose 40% in 2008 compared to 2007. While this survey focused on U.S. government computer systems, telecommunications networks are maintained by private industry, and any degradation to these services or components would necessarily have negative implications for both public and private cyber activities.
9. See Terrorist Capabilities for Cyberattack: Overview and Policy Issues.
10. 42 U.S.C. §5195c(e). See also Critical Infrastructures: Background, Policy, and Implementation.
11. Of note, many of the cyber-related incidences that were found to have negatively affected control systems connected to physical infrastructure components were resolved as being the work of current or former employees who had access to and knowledge of the architecture of the affected network.
12. Jeanne Meserve, "Staged Cyber Attack Reveals Vulnerability in Power Grid," CNN online (Sept. 26, 2007).[4] A video of the experiment, named Project Aurora, and the resulting damage to the generator is available on the CNN website.
13. See Securing Cyberspace for the 44th Presidency, at 12 ("we expected damage from cyber attacks to be physical (opened floodgates, crashing airplanes) when it was actually informational").
14. House Permanent Select Committee on Intelligence, Cyber Security: Hearing on the Nation’s Cyber Security Risks, 110th Cong., 1st Sess. (Sept. 18, 2008) (statement of Paul Kurtz, Former Senior Director, Critical Infrastructure Protection, White House Homeland Security Council).
15. The Charlie Rose Show, "Interview of Mr. Mike McConnell, Director of National Intelligence," PBS (Jan. 8, 2009.
16. U.S. Congress, Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community: Hearing on the Threats to the Nation, 111th Cong., 1st Sess. (Feb. 12, 2009).
17. Melissa Hathaway, Cyber Security — "An Economic and National Security Crisis," Intelligencer: Journal of U.S. Intelligence Studies 31-36 (Fall 2008).
18. U.S. Congress, Senate Select Committee on Intelligence, Annual Threat Assessment of the Intelligence Community: Hearing on the Threats to the Nation, 111th Cong., 1st Sess. (Feb. 12, 2009).
19. In November 2008, it was reported that the Department of Defense notified all organizations to stop using portable storage devices as it has become "apparent that over time, our posture to protect networks and associated information infrastructure has not kept pace with adversary efforts to penetrate, disrupt, interrupt, exploit or destroy critical elements of the global information grid." Noah Shachtman, "Military USB Ban Meant to Stop Adversary Attacks," Wired Blog Network (Nov. 20, 2008).[5] Also, it has been reported that some U.S. military units have resorted to disconnecting computer networks from the internet for fear of cyber-related risks and a concern that the affected organization may not be managing its network properly thus "making everyone else vulnerable" to an attack. Noah Shachtman, "Air Force Unplugs Bases' Internet Connections," Wired Blog Network (Feb. 18, 2000).[6]
20. See Securing Cyberspace for the 44th Presidency. at 12, 67.
21. See, e.g., id. at 69 (stating that the Act "has become a paperwork exercise rather than an effective measure of network security"). The Federal Information Security Management Act is Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899 (codified at 44 U.S.C. §3541 et seq.). Among other things, it created a position of Chief Information Officer within each federal agency.
22. Federal Information Security Management Act of 2008, S. 3474, 110th Cong. (2008). The bill was favorably reported by the Senate Homeland Security and Government Affairs Committee and was placed on the Senate calendar. It has not been reintroduced during the 111th Congress.
23. 44 U.S.C. §3506 (requiring Chief Information Officer positions). The Clinger-Cohen Act is the name given to the Federal Acquisition Reform Act of 1996 and the Information Technology Management Reform Act of 1996, which passed as Sections D and E, respectively, of the National Defense Authorization Act for Fiscal Year 1996, Pub. L. No. 104-106, 110 Stat. 642, 679 (1996).
24. House Homeland Sec. Comm., Cybersecurity Recommendations for the Next Administration: Hearing Before the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, 110th Cong. (Sept. 16, 2008) (statement of James A. Lewis, Director and Senior Fellow, Center for Strategic and International Studies).
25. "Afghanistan, Saudi Arabia: Editor's Journey to Meet Bin-Laden Described," London al-Quds al-‘Arabi, FBIS-TOT-97-003-L (Nov. 27, 1996) at 4.
26. "Israel: U.S. Hamas Activists Use Internet to Send Attack Threats," Tel Aviv IDF Radio, FBIS-TOT-97-001-L (Oct. 13, 1996).

See also

• Cyberterrorist

Source

• Terrorist Use of the Internet: Information Operations in Cyberspace.