Cyber Terrorism is a Strategy

Summary: Much as defense experts in 1913 thought more about cavalry than airplanes, today’s experts think more about the aircraft carriers and 5th generation fighters (e.g., F-35) than cyberwar and cyberterrorism. But that’s changing. To help you stay current about these developments, here’s the first chapter in another series about cyberterrorism. (1st of 2 posts today)

Cyber Terrorism as a Strategy

By Edwin Covert

From DarkMatters

19 November 2014

References appear at the end.

Posted with the author’s gracious permission

The Internet has fundamentally altered the world we live in and interact. As former Secretary of Defense Leon Panetta (2012) remarked in a speech before the Business Executives for National Security, “Cyberspace has fundamentally transformed the global economy. It’s transformed our way of live, providing two billion people across the world with instant access to information, to communication, to economic opportunities” (Panetta, 2012).

Examples of the changes he spoke of include using video applications instead of placing a call to another country, instant messaging and text messaging in lieu of writing a letter or even the growing ‘Internet of Things’ (IOT) where physical objects linked through IP-based connections are networked together (Weber, 2013) or what Hildebrandt (2011) calls “proactive technology infrastructure” (p. 224) that begins to anticipate our needs as consumers.

For all the vast opportunities the Internet provides, it exposes potential vulnerabilities that can be exploited by adversaries. Recent news reports indicate the level of sophistication and the costs of dealing with these vulnerabilities are increasing substantially (Corrin, 2013).

Presidential Decision Directive (PDD 63) documented the industries we rely on to preserve life and property and economic functions: information and communications, banking and finance, water, transportation, law enforcement, public health, and power (US Government, 1998).

With our reliance on the Internet connecting these infrastructures, terrorism via computer is thought to be an imminent concern. Unfortunately, cyberterrorism is a strategy that has been overstated to the public and policy makers leading to public fear and questionable public policy.

DEFINING THE STRATEGY

When one thinks of terrorism, the 2001 attacks on the Pentagon and the World Trade Center immediately come to mind as well as the subway bombings in London and Madrid by Al Qaeda that same decade. Other examples include the Achille Lauro hijacking in 1985 or the Black September attack in Munich at the Olympics in 1972 by the Palestinian Liberation Organization.

However, many posit that our reliance on computers makes us vulnerable to cyberterrorist attacks. As former Secretary Panetta (2012) said, “A cyber-attack perpetuated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive attack could virtually paralyze the nation” (Panetta, 2012). Therefore, it would a mistake to not consider it under the banner of ‘The Art of the Possible’.

Former Director of the Federal Bureau of Investigation (FBI) Robert Mueller, in a 2012 speech before an auditorium of cybersecurity professionals asserted modern terrorists are increasing their technological acumen. Specifically, he said, “much like every other multi-national organization, [terrorists] are using the Internet to grow their business and connect with like-minded individuals. And they are not hiding in the shadows of cyber space” (Mueller, 2012).

He goes on to say that terrorists themselves believe that cyber-warfare is the way of the future. As important as understanding the weapons or threat actors involved is, it is equally as important to properly define the strategy those actors might employ. This has proven unfortunately elusive.

The US Department of State defines orthodox terrorism as “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to in?uence an audience” (US Department of State, 2012). Others have provided variations on this theme.

For the sake of simplicity, this paper defines it as the calculated use of violence or its threatened use to force a political change by non-state actors (Hoffman, 2006, p. 40). Unfortunately, simply taking the term cyber and adding it to terrorism as Collins did does not make it any easier to comprehend (Conway, What is Cyberterrorism?, 2002).

Saying that (from the State Department definition) cyberterrorism is the calculated use of violence or its threatened use to force a political change by non-state actors using computers is not accurate. Simply using the Internet or cyberspace to “to grow their business and connect with like-minded individuals,” as Mueller (2012) noted, is not cyberterrorism. Nor is cyberterrorism using the Internet to increase pressure on a government as Saint-Claire (2011) says the Zapatista rebels did in the mid 1990’s (p. 85).

Simply “being” in cyberspace does not satisfy the definition of terrorism. It is necessary to denote the function cyberspace plays in the terrorist act in order to consider it cyberterrorism (Conway, What is Cyberterrorism?, 2002).

In her paper “What is Cyberterrorism?” Conway (2002) runs through a litany of potential definitions of the strategy of cyberterrorism all centering around the idea of non-state entities causing politically motivated damage or destruction to information, computer systems and/or computer programs through a computer or information system that could result in violence or the threat of violence against innocent people (Conway, What is Cyberterrorism?, 2002).

This definition allows for the information system as a weapon (damage to an information system connected to a physical system such as a supervisory control and data acquisition (SCADA) system using a virus or worm) but not the physical destruction of a large network communications hub with conventional explosives, such as the Metropolitan Area Exchange, East (MAE-East) location in Reston, Virginia where a significant number of major Internet service providers provide connectivity (Cryptome, 2006).

This is an important distinction. Allowing a cyberterrorist attack to include the physical destruction of a facility like MAE-East blurs the definition of cyberterrorism with traditional terrorism and therefore hinders the discussion from making forward progress by rendering cyberterrorism as indistinguishable as a tactic.

Another critical distinction is that this definition does not include those organizations conducting state-sponsored acts of cyberterrorism. Receiving funding and/or technical assistance from a sovereign country should negate any proposed example since it would not be consistent with the “non-state” portion of the definition.

Ahmad and Yunos (2012) have also described five critical components of cyberterrorism that align with Conway’s decade-old definition (p. 151):

An attack must be politically-motivated in nature and lead to death or injury
An attack must cause fear and/or physical harm through cyber techniques
An attack must be against critical information infrastructures such as financial, energy, transportation, and government
An attack against non-essential services is not cyberterrorism
An attack for financial gain as its primary motive is not cyberterrorism

Ahmad and Yunos (2012) have developed a framework around these components to determine if something is actually cyberterrorism. This framework “provides a baseline when establishing and defining cyber terrorism” (p. 154).

Figure 1 outlines the key elements of the framework: Who is the target of the attack (target); why is the target being attacked (motivation); how is the target being attacked (method of attack); where is the attack happening (domain); what specific actions are the attackers performing (action by perpetrator); and what impact is the attack having to the target (impact)? Applying this framework is straightforward.

For example, Verton (2003) lays out a fictional scenario in his book Black Ice: The Invisible Threat of Cyber-Terrorism where traditional terrorist tactics such as using stolen fuel trucks as mobile bombs is combined with attacks from paid Russian computer hackers to start “a simultaneous cyber-onslaught against remaining utility control centers that penetrated critical Supervisory Control and Data Acquisitions (SCADA) systems – the digital brains of the electric grid and natural gas pipelines” (p. 8).

From the framework, we see the target is focused on a more dispersed audience than the organization that runs the grid; it is aimed at the public who relies on the grid (Ahmad & Yunos, 2012, p. 154). The attack is trying to generate fear.

The motivation in this scenario is religious ideology (Verton, 2003, p. 3). The method of attack (unleashing network-based attacks) is the Internet-as-weapon model Conway (2002) postulates. The domain of the attack is self-evident.

In this imaginary operation, the specific actions taken by the terrorists related to cyber were effects-based in that they were designed to, once undertaken, generate an emotional response (fear) on the part of the public that relies on the targeted service (Ahmad & Yunos, 2012, p. 156).

The final component of the framework involves impact. As cyberterrorism involves generating the emotion from the previous element across the wider audience in addition to the initial target, it has a larger impact than say a bank robbery (Ahmad & Yunos, 2012, p. 156).

It is clear from this example the proposed framework correctly identified the scenario as true cyberterrorism. However, when examined in more detail, Verton’s (2003) scenario remains fictional.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those Norse Corporation.

References

Ahmad, R., & Yunos, Z. “A Dynamic Cyber Terrorism Framework“, International Journal of Computer Science and Information Security, 2012, 149-158
Berner, S. “Cyber-terrorism: reality or paranoia?” South African Journal of Information Management, March 2003
Conway, M. “What is Cyberterrorism?” Current History, 2002, 436-442. Gated.
Conway, M. (2007). Cyberterrorism: Hype and Reality. In L. Armistead, Information Warfare: Separating Hype from Reality (pp. 72-94). Potomac Books
Conway, M. “Against Cyberterrorism“, Communications of the ACM, 2011, 26-28. Gated.
Corrin, A. “Frequency, costs of cyberattacks on the rise“, Federal Computer Week, 8 October 2013
MAE East Colocation Birdseye. Cryptome. 13 February 2006
Gable, K. A. Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent. Vanderbilt Journal of Transnational Law, 6 July 2012
Hildebrandt, M. “Legal Protections by Design: Objections and Refutations”, Legisprudence, 5(2) – 2011, 223-248
Hoffman, B. (2006). Inside Terrorism. Columbia University Press
Jones, G. Cyber terror threat is growing, says Reid. The Telegraph, 26 April 2007
Lenzner, R., & Vardi, N. The Next Threat. Forbes, 20 September 2004
Lewis, J. A. “Assessing the Risk of Cyber Terrorism Cyber War and Other Cyber Threats“, Center for Strategic and International Studies, December 2002
Malone, M. S. “Silicon Insider: Fighting Cyberterror“, ABC News, 18 August 2005
Mueller, R. (Director of the FBI), Prepared Remarks at RSA Cyber Security Conference. San Francisco, 1 March 2012
Nacos, B. “Accomplice or Witness? The Media’s Role in Terrorism“, Current History, 2000, 174-178. Gated.
Global Terrorism Database of the National Consortium for the Study of Terrorism and Responses to Terrorism. (2012). University of Maryland
Nyugan, R. “Navigating Jus Ad Bellum in the Age of Cyber Warfare“, California Law Review, 104 #4 (2013), 1079-1129
Panetta, L “Defending the Nation from Cyber Attack“, speech to the Business Executives for National Security, NYC, 11 October 2012
Saint-Claire, S. Overview and Analysis of Cyber Terrorism. School of Doctoral Studies (European Union) Journal, 2011, 85-98
Shiryaev, Y. “Cyberterrorism in the Context of Contemporary International Law“, San Diego International Law Journal, Fall 2012, 139-192
Two arrested for cyber terror support. UPI, 24 August 2006
DoD Operations Security (OPSEC) Program. Defense Technical Information Center, 20 June 2012
Country Reports on Terrorism. Bureau of Counterterrorism, US Department of State, 30 May 2012
Critical Infrastructure Protection, Presidential Decision Directive 63, 22, May 1998
USA Patriot Act. US Government. 26 October 2001
Verton, D. (2003). Black Ice: The Invisible Threat of Cyber-Terrorism. McGraw-Hill/Osbourne
Weber, R. H. “Internet of things – Governance quo vadis?“, Computer Law and Security Review, August 2013, 341-347. Gated.
Witty, D. M. “Attacking al Qaeda’s Operational Centers of Gravity“, Joint Forces Quarterly, Q1 2008, 98-103

————————————————–

About the Author

Mr. Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP^®) designation from (ISC)²^® . He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.