Cyber Terrorism is a Strategy

Summary:  Much as defense experts in 1913 thought more about cavalry than airplanes, today’s experts think more about the aircraft carriers and 5th generation fighters (e.g., F-35) than cyberwar and cyberterrorism. But that’s changing. To help you stay current about these developments, here’s the first chapter in another series about cyberterrorism.  (1st of 2 posts today)

Cyber Terrorism as a Strategy

By Edwin Covert

From DarkMatters

19 November 2014

References appear at the end.

Posted with the author’s gracious permission

The Internet has fundamentally altered the world in which we live and interact. As former Secretary of Defense Leon Panetta (2012) remarked in a speech before the Business Executives for National Security, “Cyberspace has fundamentally transformed the global economy. It’s transformed our way of life, providing two billion people across the world with instant access to information, to communication, to economic opportunities” (Panetta, 2012).

Examples of the changes he spoke of include using video applications instead of placing a call to another country, instant messaging and text messaging in lieu of writing a letter or even the growing ‘Internet of Things’ (IOT) where physical objects linked through IP-based connections are networked together (Weber, 2013) or what Hildebrandt (2011) calls “proactive technology infrastructure” (p. 224) that begins to anticipate our needs as consumers.

For all the vast opportunities the Internet provides, it exposes potential vulnerabilities that can be exploited by adversaries. Recent news reports indicate the level of sophistication and the costs of dealing with these vulnerabilities are increasing substantially (Corrin, 2013).

Presidential Decision Directive (PDD 63) documented the industries we rely on to preserve life and property and economic functions: information and communications, banking and finance, water, transportation, law enforcement, public health, and power (US Government, 1998).

With our reliance on the Internet connecting these infrastructures, terrorism via computer is thought to be an imminent concern. Unfortunately, cyberterrorism is a strategy that has been overstated to the public and policy makers leading to public fear and questionable public policy.

Framework of Cyberterrorism

DEFINING THE STRATEGY

When one thinks of terrorism, the 2001 attacks on the Pentagon and the World Trade Center immediately come to mind as well as the subway bombings in London and Madrid by Al Qaeda that same decade. Other examples include the Achille Lauro hijacking in 1985 or the Black September attack in Munich at the Olympics in 1972 by the Palestinian Liberation Organization.

However, many posit that our reliance on computers makes us vulnerable to cyberterrorist attacks. As former Secretary Panetta (2012) said, “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive attack could virtually paralyze the nation” (Panetta, 2012). Therefore, it would be a mistake to not consider it under the banner of ‘The Art of the Possible’.

Former Director of the Federal Bureau of Investigation (FBI) Robert Mueller, in a 2012 speech before an auditorium of cybersecurity professionals asserted modern terrorists are increasing their technological acumen. Specifically, he said, “much like every other multi-national organization, [terrorists] are using the Internet to grow their business and connect with like-minded individuals. And they are not hiding in the shadows of cyber space” (Mueller, 2012).

He goes on to say that terrorists themselves believe that cyber-warfare is the way of the future. As important as understanding the weapons or threat actors involved is, it is equally as important to properly define the strategy those actors might employ. This has proven unfortunately elusive.

The US Department of State defines orthodox terrorism as “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience” (US Department of State, 2012). Others have provided variations on this theme.

For the sake of simplicity, this paper defines it as the calculated use of violence or its threatened use to force a political change by non-state actors (Hoffman, 2006, p. 40). Unfortunately, simply taking the term cyber and adding it to terrorism as Collins did does not make it any easier to comprehend (Conway, What is Cyberterrorism?, 2002).

Saying that (from the State Department definition) cyberterrorism is the calculated use of violence or its threatened use to force a political change by non-state actors using computers is not accurate. Simply using the Internet or cyberspace “to grow their business and connect with like-minded individuals,” as Mueller (2012) noted, is not cyberterrorism. Nor is cyberterrorism using the Internet to increase pressure on a government as Saint-Claire (2011) says the Zapatista rebels did in the mid-1990s (p. 85).

Simply “being” in cyberspace does not satisfy the definition of terrorism. It is necessary to denote the function cyberspace plays in the terrorist act in order to consider it cyberterrorism (Conway, What is Cyberterrorism?, 2002).

In her paper “What is Cyberterrorism?” Conway (2002) runs through a litany of potential definitions of the strategy of cyberterrorism all centering around the idea of non-state entities causing politically motivated damage or destruction to information, computer systems and/or computer programs through a computer or information system that could result in violence or the threat of violence against innocent people (Conway, What is Cyberterrorism?, 2002).

This definition allows for the information system as a weapon (damage to an information system connected to a physical system such as a supervisory control and data acquisition (SCADA) system using a virus or worm) but not the physical destruction of a large network communications hub with conventional explosives, such as the Metropolitan Area Exchange, East (MAE-East) location in Reston, Virginia where a significant number of major Internet service providers provide connectivity (Cryptome, 2006).

This is an important distinction. Allowing a cyberterrorist attack to include the physical destruction of a facility like MAE-East blurs the definition of cyberterrorism with traditional terrorism and therefore hinders the discussion from making forward progress by rendering cyberterrorism indistinguishable as a tactic.

Another critical distinction is that this definition does not include those organizations conducting state-sponsored acts of cyberterrorism. Receiving funding and/or technical assistance from a sovereign country should negate any proposed example since it would not be consistent with the “non-state” portion of the definition.

Ahmad and Yunos (2012) have also described five critical components of cyberterrorism that align with Conway’s decade-old definition (p. 151):

  1. An attack must be politically-motivated in nature and lead to death or injury
  2. An attack must cause fear and/or physical harm through cyber techniques
  3. An attack must be against critical information infrastructures such as financial, energy, transportation, and government
  4. An attack against non-essential services is not cyberterrorism
  5. An attack for financial gain as its primary motive is not cyberterrorism

Ahmad and Yunos (2012) have developed a framework around these components to determine if something is actually cyberterrorism. This framework “provides a baseline when establishing and defining cyber terrorism” (p. 154).

Figure 1 outlines the key elements of the framework: Who is the target of the attack (target); why is the target being attacked (motivation); how is the target being attacked (method of attack); where is the attack happening (domain); what specific actions are the attackers performing (action by perpetrator); and what impact is the attack having to the target (impact)? Applying this framework is straightforward.

For example, Verton (2003) lays out a fictional scenario in his book Black Ice: The Invisible Threat of Cyber-Terrorism where traditional terrorist tactics such as using stolen fuel trucks as mobile bombs are combined with attacks from paid Russian computer hackers to start “a simultaneous cyber-onslaught against remaining utility control centers that penetrated critical Supervisory Control and Data Acquisitions (SCADA) systems – the digital brains of the electric grid and natural gas pipelines” (p. 8).

From the framework, we see the target is focused on a more dispersed audience than the organization that runs the grid; it is aimed at the public who relies on the grid (Ahmad & Yunos, 2012, p. 154). The attack is trying to generate fear.

The motivation in this scenario is religious ideology (Verton, 2003, p. 3). The method of attack (unleashing network-based attacks) is the Internet-as-weapon model Conway (2002) postulates. The domain of the attack is self-evident.

In this imaginary operation, the specific actions taken by the terrorists related to cyber were effects-based in that they were designed to, once undertaken, generate an emotional response (fear) on the part of the public that relies on the targeted service (Ahmad & Yunos, 2012, p. 156).

The final component of the framework involves impact. As cyberterrorism involves generating the emotion from the previous element across the wider audience in addition to the initial target, it has a larger impact than, say, a bank robbery (Ahmad & Yunos, 2012, p. 156).

It is clear from this example the proposed framework correctly identified the scenario as true cyberterrorism. However, when examined in more detail, Verton’s (2003) scenario remains fictional.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those of Norse Corporation.

References

————————————————–

Edwin Covert

About the Author

Mr. Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP®) designation from (ISC)²® . He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.

Posts in this Series

  1. Cyber Terrorism as a Strategy
  2. Selling Fear: How Cyber Terrorism is Being Portrayed
  3. Unraveling the Complexities of Cyber Terrorism
  4. Consequences of Overstating the Cyber Terrorism Threat

For More Information

See all posts about Information & disinformation, in the new media & the old.

Posts by Marcus Ranum about cyber-espionage and cyberwar:

  1. Obama knows how to lead America by exploiting our fears,  5 June 2009 — About cyberwar
  2. Cyberwar: a Whole New Quagmire.  Part 1: The Pentagon Cyberstrategy, 2 September 2011
  3. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  4. Conflating Threats, 14 September 2011
  5. About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  6. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  7. About Attribution (identifying your attacker), 21 October 2011
  8. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
  9. Parsing Cyberwar – Part 1: The Battlefield, 9 August 2012
  10. Parsing Cyberwar – Part 2: The Logistical Train, 10 August 2012
  11. Parsing Cyberwar – Part 3: Synergies and Interference, 13 August 2012
  12. Parsing Cyberwar – Part 4: The Best Defense is a Good Defense, 20 August 2012
  13. Cyberwar, the Power of Nightmares, 31 August 2012
