Unraveling the Complexities of Cyber Terrorism

Summary: In chapter 3 of Edwin Covert’s series about cyberterrorism, he explains how it requires more than a hacker and a PC. Like most forms of conflict, attacks on a large scale require preparation and a complex structure. (1st of 2 posts today)


Unraveling the Complexities of Cyber Terrorism

By Edwin Covert

From DarkMatters

8 December 2014

References appear at the end.

Posted with the author’s gracious permission


In the first installment in this series we examined the concepts behind cyberterrorism as a strategy, and the second article dove deeper into how cyberterrorism is being portrayed by interests ranging from the media to government and academia. This third part of the series looks at why cyberterrorism is actually much more complex than it is being portrayed.

While a terrorist using the Internet to bring down the critical infrastructures the United States relies on makes an outstanding Hollywood plot, there are flaws in the execution of this storyline as an actual terrorist strategy. Conway (2011) calls out three limitations on using cyber-related activities for terrorists (Against Cyberterrorism, 2011, p. 27):

  1. Technological complexity,
  2. image, and
  3. accident.

Each is important to consider. While critical infrastructures may make a tempting target and threat actor capabilities are certainly increasing (Nyugan, 2013), it is a complicated process to attack something of that magnitude. It is precisely the interconnectedness of these two disparate parts that makes them a target, however.

Nyugan (2013) calls them cyber-physical systems (CPS): “A physical system monitored or controlled by computers. Such systems include, for example, electrical grids, antilock brake systems, or a network of nuclear centrifuges” (p. 1084).

In Verton’s (2003) imaginary narrative, the target of the Russian hackers, the SCADA system, is a CPS. However, Lewis (2002) argues the relationship between vulnerabilities in critical infrastructures (such as MAE-East) and computer network attacks is not as clear cut as first thought (p. 1). It is not simply a matter of having a computer attached to a SCADA system so that the system can now be turned off and society goes into a free fall of panic, explosions and mass chaos.


The first idea Conway (2011) posits reduces to the notion that information technology is difficult in most cases. There are reasons it takes veritable armies of engineers and analysts to make these complex systems interact and function as intended. However, there are a limited number of terrorists with the necessary computer skills to conduct a successful attack (pp. 27-28).

Immediately the argument turns to hiring external assistance from actual computer hackers (as most journalists and Hollywood scriptwriters do). Conway (2011) dismisses that idea, correctly, as a significant compromise of operational security (p. 28). The US Department of Defense defines operational security, or OPSEC, as:

A process of identifying critical information and analyzing friendly actions attendant to military operations and other activities to: identify those actions that can be observed by adversary intelligence systems; determine indicators and vulnerabilities that adversary intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries, and determine which of these represent an unacceptable risk; then select and execute countermeasures that eliminate the risk to friendly actions and operations or reduce it to an acceptable level (US Department of Defense, 2012).

In the context of this paper, letting outside profit-motivated technicians into the planning and execution phase of a terrorist plot would be risky for conservative-minded individuals such as religious terrorists (Hoffman, 2006). As the number of people who are aware of a plot increases, the potential number of people who can leak operational details of the plot increases exponentially.

It is for this reason Verton’s (2003) scenario is most improbable.


The second concern Conway (2011) notes is one of audience. Recalling the definition of terrorist put forth by Hoffman (2006), terrorists need to generate publicity to achieve their goals: they need to create a climate of fear through violence or the threat of violence. Simply attacking something and having no one notice it is not an operational success for a terrorist. Terrorists need to have their grievances known (Nacos, 2000, p. 176).

The terrorist act needs to be witnessed, such as the planes crashing into the World Trade Center or the hostage taking in Munich, in order to generate the necessary level of discourse to affect the goals the terrorist has in mind. Unfortunately, injecting code into a DNS server or shutting down Amazon.com does not generate the required intensity of chaos modern terrorists require (Conway, Against Cyberterrorism, 2011, p. 28).

This leads to Conway’s (2011) third point: the accident. The United States relies heavily on computer and information systems. However, if a system goes offline in today’s world, users are just as likely to suspect a system failure or accident as anything else (p. 28).

As stated previously, this would be unacceptable to the terrorist organization. In order to generate a sufficient amount of concern on the part of the population, a series of cascading cyber-attacks would have to occur. Recalling Conway’s (2011) first concern about complexity, multiple system attacks of the necessary intensity and frequency are unlikely.

While this might appear as merely an academic exercise, a review of the Global Terrorism Database maintained by the National Consortium for the Study of Terrorism and Responses to Terrorism at the University of Maryland shows only two incidents under the search term “cyber” (Global Terrorism Database Search Results).

The first involved two men in Morocco who got into an argument at an Internet café with the café owner about viewing bomb-making materials. During the altercation, an actual bomb strapped to one of the men accidentally exploded killing the would-be bomber and wounding three others.

The second involved a pay phone in Hong Kong that was wired with explosives and detonated.

A search of telecommunications facilities as targets in the database showed similar results: explosions or arson, not the use of computers as a weapon system.

The opinions expressed in this and other contributors’ articles are solely those of the author and do not necessarily reflect those of Norse Corporation.

References

————————————————–

Edwin Covert

About the Author

Mr. Covert is a cybersecurity professional with over 20 years of cybersecurity and intelligence experience. He works for Booz Allen Hamilton in the Washington, DC metro area. He works with both government and commercial organizations and is an author on a diverse array of cybersecurity topics.

He holds the Certified Information Systems Security Professional (CISSP®) designation from (ISC)²®. He is also a certified Project Management Professional (PMP). He holds two designations from ISACA (previously known as the Information Systems Audit and Control Association): the Certified Information Security Manager (CISM), and the Certified in Risk and Information Systems Controls (CRISC). Additionally, he also has held the GIAC Certified Incident Handler designation from the SANS Institute. He is a member of the Order of the Sword & Shield, a national honor society for homeland security, intelligence, emergency management and other protective security disciplines.

From the Norse Corp website.

Posts in this Series

  1. Cyber Terrorism as a Strategy
  2. Selling Fear: How Cyber Terrorism is Being Portrayed
  3. Unraveling the Complexities of Cyber Terrorism
  4. Consequences of Overstating the Cyber Terrorism Threat

For More Information

See all posts about Information & disinformation, in the new media & the old.

Posts by Marcus Ranum about cyber-espionage and cyberwar:

  1. Obama knows how to lead America by exploiting our fears, 5 June 2009 — About cyberwar
  2. Cyberwar: a Whole New Quagmire. Part 1: The Pentagon Cyberstrategy, 2 September 2011
  3. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  4. Conflating Threats, 14 September 2011
  5. About Stuxnet, the next generation of warfare?, 29 September 2011 – Introducing Stuxnet and some of the issues surrounding practical malware-based warfare.
  6. Cyberwar: a Whole New Quagmire – When the Drones Come To Roost, 8 October 2011
  7. About Attribution (identifying your attacker), 21 October 2011
  8. You must Be >this< Tall To Play Cyberwar (has DoD grown enough yet?), 16 December 2011
  9. Parsing Cyberwar – Part 1: The Battlefield, 9 August 2012
  10. Parsing Cyberwar – Part 2: The Logistical Train, 10 August 2012
  11. Parsing Cyberwar – Part 3: Synergies and Interference, 13 August 2012
  12. Parsing Cyberwar – Part 4: The Best Defense is a Good Defense, 20 August 2012
  13. Cyberwar, the Power of Nightmares, 31 August 2012
