Unraveling the Complexities of Cyber Terrorism

Summary: In chapter 3 of Edwin Covert’s series about the cyberterrorism he explains how it requires more than a hacker and a PC. Like most forms of conflict, attacks on a large scale require preparation and a complex structure. (1st of 2 posts today)

By Edwin Covert

From DarkMatters

8 December 2014

References appear at the end.

Posted with the author’s gracious permission

In the first installment in this series we examined the concepts behind cyberterrorism as a strategy, and the second article dove deeper into how cyberterrorism is being portrayed by interests ranging from the media to government and academia. This third part of the series looks at why cyberterrorism is actually much more complex than it is being portrayed.

While a terrorist using the Internet to bring down the critical infrastructures the United States relies on makes an outstanding Hollywood plot, there are flaws in the execution of this storyline as an actual terrorist strategy. Conway (2011) calls out three limitations on using cyber-related activities for terrorists (Against Cyberterrorism, 2011, p. 27):

Technological complexity,
image, and
accident.

Each is important to consider. While critical infrastructures may make a tempting target and threat actor capabilities are certainly increasing (Nyugan, 2013), it is a complicated process to attack something of that magnitude. It is precisely the interconnectedness of these two disparate parts that make them a target, however.

Nyugan (2013) calls them cyber-physical systems (CPS): “A physical system monitored or controlled by computers. Such systems include, for example, electrical grids, antilock brake systems, or a network of nuclear centrifuges” (p. 1084).

In Verton’s (2003) imaginary narrative, the target of the Russian hackers, the SCADA system, is a CPS. However, Lewis (2002) argues the relationship between vulnerabilities in critical infrastructures (such as MAE-East) and computer network attacks is not a clear cut as first thought (p. 1). It is not simply a matter of having a computer attached to a SCADA system and thus the system is can now be turned off and society goes in a free fall of panic and explosions and mass chaos.

The first idea Conway (2011) posits reduces to the notion that information technology is difficult in most cases. There are reasons it takes veritable armies of engineers and analysts to make these complex systems interact and function as intended. However, there are a limited number of terrorists with the necessary computer skills to conduct a successful attack (pp. 27-28).

Immediately the argument turns to hiring external assistance from actual computer hackers (as most journalists and Hollywood scriptwriters do). Conway (2011) dismisses that idea, correctly, as a significant compromise of operational security (p. 28). The US Department of Defense as defines operational security, or OPSEC:

A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level (US Department of Defense, 2012).

In the context of this paper, letting outside profit-motivated technicians into the planning and execution phase of a terrorist plot would be risky for conservative-minded individuals such a religious terrorists (Hoffman, 2006). As the number of people who are aware of a plot increases, the potential number of people who can leak operational details of the plot increases exponentially.

It is for this reason Verton’s (2003) scenario is most improbable.

The second concern Conway (2011) notes is one of audience. Recalling the definition of terrorist put forth by Hoffman (2006), terrorists need to generate publicity to achieve their goals: they need to create a climate of fear through violence or the threat of violence. Simply attacking something and having no one notice it is not an operational success for a terrorist. Terrorists need to have their grievances known (Nacos, 2000, p. 176).

The terrorist act needs to be witnessed, such as the planes crashing into the World Trade Center or the hostage taking in Munich. in order to generate the necessary level of discourse to affect the goals the terrorist has in mind. Unfortunately, injecting code into a DNS server or shutting down Amazon.com does not generate the required intensity of chaos modern terrorists require (Conway, Against Cyberterrorism, 2011, p. 28).

This leads to Conway’s (2011) third point: the accident. The United States relies heavily on computer and information systems. However, if a system goes offline in today’s world, users are just as likely to suspect a system failure or accident as anything else is (p. 28).

As stated previously, this would be unacceptable to the terrorist organization. In order to generate a sufficient amount of concern on the part of the population, a series of cascading cyber-attacks would have to occur. Recalling Conway’s (2011) first concern about complexity, multiple system attacks of the necessary intensity and frequency are unlikely.

While this might appear as merely an academic exercise, a review of the Global Terrorism Database maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism at the University of Maryland shows only two incidents under the search term “cyber” (Global Terrorism Database Search Results).

The first involved two men in Morocco who got into an argument at an Internet café with the café owner about viewing bomb-making materials. During the altercation, an actual bomb strapped to one of the men accidentally exploded killing the would-be bomber and wounding three others.

The second involved a pay phone in Hong Kong that was wired with explosives and detonated.

A search of telecommunications facilities as targets in the database showed similar results: explosions or arson, not the use of computers as a weapon system.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those Norse Corporation.

References

Ahmad, R., & Yunos, Z. “A Dynamic Cyber Terrorism Framework“, International Journal of Computer Science and Information Security, 2012, 149-158
Berner, S. “Cyber-terrorism: reality or paranoia?” South African Journal of Information Management, March 2003
Conway, M. “What is Cyberterrorism?” Current History, 2002, 436-442. Gated.
Conway, M. (2007). Cyberterrorism: Hype and Reality. In L. Armistead, Information Warfare: Separating Hype from Reality (pp. 72-94). Potomac Books
Conway, M. “Against Cyberterrorism“, Communications of the ACM, 2011, 26-28. Gated.
Corrin, A. “Frequency, costs of cyberattacks on the rise“, Federal Computer Week, 8 October 2013
MAE East Colocation Birdseye. Cryptome. 13 February 2006
Gable, K. A. Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent. Vanderbilt Journal of Transnational Law, 6 July 2012
Hildebrandt, M. “Legal Protections by Design: Objections and Refutations”, Legisprudence, 5(2) – 2011, 223-248
Hoffman, B. (2006). Inside Terrorism. Columbia University Press
Jones, G. Cyber terror threat is growing, says Reid. The Telegraph, 26 April 2007
Lenzner, R., & Vardi, N. The Next Threat. Forbes, 20 September 2004
Lewis, J. A. “Assessing the Risk of Cyber Terrorism Cyber War and Other Cyber Threats“, Center for Strategic and International Studies, December 2002
Malone, M. S. “Silicon Insider: Fighting Cyberterror“, ABC News, 18 August 2005
Mueller, R. (Director of the FBI), Prepared Remarks at RSA Cyber Security Conference. San Francisco, 1 March 2012
Nacos, B. “Accomplice or Witness? The Media’s Role in Terrorism“, Current History, 2000, 174-178. Gated.
Global Terrorism Database of the National Consortium for the Study of Terrorism and Responses to Terrorism. (2012). University of Maryland
Nyugan, R. “Navigating Jus Ad Bellum in the Age of Cyber Warfare“, California Law Review, 104 #4 (2013), 1079-1129
Panetta, L “Defending the Nation from Cyber Attack“, speech to the Business Executives for National Security, NYC, 11 October 2012
Saint-Claire, S. Overview and Analysis of Cyber Terrorism. School of Doctoral Studies (European Union) Journal, 2011, 85-98
Shiryaev, Y. “Cyberterrorism in the Context of Contemporary International Law“, San Diego International Law Journal, Fall 2012, 139-192
Two arrested for cyber terror support. UPI, 24 August 2006
DoD Operations Security (OPSEC) Program. Defense Technical Information Center, 20 June 2012
Country Reports on Terrorism. Bureau of Counterterrorism, US Department of State, 30 May 2012
Critical Infrastructure Protection, Presidential Decision Directive 63, 22, May 1998
USA Patriot Act. US Government. 26 October 2001
Verton, D. (2003). Black Ice: The Invisible Threat of Cyber-Terrorism. McGraw-Hill/Osbourne
Weber, R. H. “Internet of things – Governance quo vadis?“, Computer Law and Security Review, August 2013, 341-347. Gated.
Witty, D. M. “Attacking al Qaeda’s Operational Centers of Gravity“, Joint Forces Quarterly, Q1 2008, 98-103

————————————————–

About the Author

Mr. Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP^®) designation from (ISC)²^® . He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.