The distinctiveness of cyber terrorism in relation to other cybersecurity threats
An introduction to Terrorism
To contextualise and explore the distinctiveness of cyber terrorism in relation to other cyber security threats, it is first necessary to understand the more general concept of terrorism.
Terrorism is politically, ideologically or religiously motivated violence used to communicate a message of change and intimidation to individuals and groups beyond its immediate victims[1]. Terrorism is often interlinked with revolt and oppression and best understood as violence used as a form of political communication, designed to force the enemy into submission through killing and intimidation[2].
The use of terror and fear to effect change within a population is not a new phenomenon. There are examples of terrorism dating back almost 2000 years, to when the Jewish resistance was undertaking terror campaigns against Romans within Judea. These Sicarii-Zealots of AD 66–72 employed terror techniques that included the random stabbings of Roman soldiers and their Jewish collaborators, in addition to kidnappings and large-scale poisonings. The purpose of this reign of terror was to instil fear within the Jewish community and destroy the collaboration between the local population and their Roman occupiers[3].
The day of the Sicarii-Zealot is long gone. Nevertheless, despite the many changes to political structures, societies and technology that have followed, the use of violence to achieve politically or ideologically motivated change remains with us today. The modern terrorists of today also utilise public acts of violence, often using the appearance of randomness, to create public anxiety, fear and behavioural change. The terrorism of today has followed the emergence of modern mass politics and mass media, and whilst the victims of terrorism appear to be random – in the wrong place at the wrong time – the selection of targets is anything but, with a deliberate selection of targets with symbolic, economic or public value[4]. The attacks on the United States on September 11, 2001, demonstrated the enormous impact that a well-organised terrorist group could achieve, with the deaths of 3000 people striking fear into the US population and throughout the world[5].
Although terrorist violence has “been used as a political tactic since time immemorial”[6], there remains no current international agreement regarding its legal definition, leaving many nation-states to approach the subject at a domestic level[7].
What is Cyber Terrorism?
Throughout history, terrorist groups have employed various methods to create fear and cause harm to progress their agendas. The emergence of the cyber domain at the tail end of the last century and the continued interconnectedness of the world provides an alternate means for terrorist organisations to cause disruption and communicate their message. In a conversation primarily centred around existing (and pre-cyber) international law, nation-states and the wider international communities are struggling to contend with the question of what constitutes cyber terrorism:
As the nations of the world wade through the semantics, cyber-attacks are increasing in impact and frequency, as is the fear that the cyber domain will increasingly be used as the theatre for terrorists to pursue their ideological goals. If cyber terrorism is ‘the convergence of terrorism and cyberspace’[8], it should be possible to determine what qualifies as an act of terror using existing legal frameworks as a base.
The domestic legislation of Australia, Canada, New Zealand and the United Kingdom does not define cyber terrorism specifically. However, it does define and focus on the more general concept of terrorism; and from there, it is possible to construct the narrower definition of cyber terrorism.
Australia has defined a terrorist act as an action or threat of action intended to advance a cause that will or is likely to result in harm or severe disruption and interference to persons, property, or electronic systems[9]. Figure 1 provides a visual representation of this relationship.
Figure 1: Terrorists Cyber Activities
There are three prerequisites required for classification as an act of terrorism[10].
1. Intent: the act intends to coerce or influence the public or Government through violence and intimidation; and
2. Motive: the act is motivated for purposes of advancement of a political, religious or ideological cause; and
3. Harm: the act causes harm or severe disruption and interference to persons, property or electronic systems.
The prerequisite of harm implies that not all cyber activity undertaken by terrorists can be considered cyber terrorism. The implication of this is that general misuse of cyber infrastructure and systems to aid an act of terror or to support the operation of a terrorist organisation does not necessarily equate to cyber terrorism.
Accurate classification of cyber terrorism requires a focus on the consequences of the cyber attack, as opposed to the threat actor themselves. Rid[11] proposes four categories of cyber attack:
Figure 2 provides a visual representation of these cyber attack categories in conjunction with the domestic terrorism legislation of Australia.
Figure 2: Prerequisite for Terrorism / Cyber Attack Categories
Figure 2 serves as a visual definition of cyber terrorism, which when written, proposes cyber terrorism as “conduct involving a computer or Internet technology that:
The value proposition of Cyberspace to Terrorists
There is an increase in the targeting of critical infrastructure providers; however, this is not necessarily considered terrorism. The Australian Government has stated that terrorist groups pose “a relatively low cyber threat” and that it is other nation-states and their sponsored groups who are most prevalent in targeting governments and critical infrastructure providers worldwide[13].
The Irish Republican Army was known to have the technical ability to attack critical infrastructure remotely but preferred to utilise traditional methods of attack with kinetic weapons due to their preference and trust in them[14]. The US also discovered Al-Qaeda’s plans for attacking digital systems and technical training plans for their recruits[15].
So why have we not seen cyber attacks utilised by terrorists?
In many cases, a cyber attack will not generate the same amount of panic and fear as a traditional attack method, and this equates to a lower return on investment for the terrorist. A comparison of the Stuxnet cyber attack with the Boston Marathon bombing supports this notion. Figure 3 compares the return on investment and operational risk of these different attacks.
Figure 3 - Cyber Attack (Stuxnet) vs Traditional Attack (Boston Marathon) (adapted from Chen et al. 2014; Geisen 2013; Weimann 2015)
Cyber attacks tend to cost more, generate less fear and have an increased risk of failure when compared with traditional methods of terrorism using kinetic weapons. Cyber attacks can increase the anonymity of the attacker; yet, most terrorists are seeking the opposite and welcome publicity as a promotion of their cause. Terrorists are reliant on public attention as it enables the propagation of fear to achieve the result they desire[16].
Attack methods will continue to change as technology advances; however, the motivation and intent of the terrorist will remain constant – all terrorists seek to utilise fear and intimidation to advance their cause.
Terrorism, Warfare & Cyber
Cyberspace is now referred to as “the fifth dimension of warfare” after land, water, air and space[18]. This fifth dimension on which cyber warfare plays out diverges from traditional warfare on several fronts, most significantly:
Differences emerge when comparing highly advanced malware such as to conventional weaponry such as missiles and bombs. Utilising a cyber weapon to disable an enemy capability can occur with greater anonymity and reduced risk of loss of life and injury to all parties. There is also the possibility to reverse a cyber attack if the political situation changes. The destruction of a building cannot be undone; whereas a cyber weapon can have a deactivation capability built into its design.
Another challenge for both aggressors and defenders operating in the cyber domain is the dynamic nature of cyber targets. A building has coordinates that do not change, making it vulnerable to a variety of weapons and attack methods; whereas a system can be patched or upgraded, rendering the cyber weapon ineffective at any point in time[19]. This dynamic nature of cyber targets, where knowledge provides both the weapon and the defence, results in many cyber vulnerabilities being kept secret for as long as possible. This is to lower the likelihood of remediation activities that would reduce the impact of cyber weaponry designed to exploit the vulnerability or render it completely obsolete.
The advantage of a cyber weapon is that it can be deployed against a particular target and is designed to avoid causing damage to anything else. The precision of Stuxnet meant that damage beyond the targeted centrifuges could not occur[20], as its code was such that the damaging payload would only deploy if a specific model of Siemens PLC had been detected within the environment. This level of precision would be almost impossible to achieve through a traditional attack using kinetic weaponry; and it is this targeted design and the intended damage and destruction to a physical object that qualifies Stuxnet as a weapon under International Humanitarian Law[21].
The Stuxnet infection statistics show that 60% of initial infections occurred within Iran with the next most infected country, a distant second[22]. The sophistication of the designs also meant that Stuxnet would sit dormant in other nations, never to activate as the launch conditions had not been met. Weapon accuracy is of great significance when nation states are building their military capabilities. Article 51 of the UN Charter cites an obligation for nations to develop acc for innocent parties to be kept away from hostilities and the avoidance of civilian casualties; with advice that development of high accuracy weapons as a method to achieve this[23].
Cyber Sabotage
Cyber sabotage refers to the targeting of cyber infrastructure through computer code and would meet the “harm” requirement for classification as terrorism. This category of attack is particularly concerning when considering critical infrastructure as cyber-attacks on industrial control systems (ICS) are continuing to increase every year. IBM research indicates that ICS attacks increased by 110% in 2016 compared to 2015, and ICS attacks increased by 636% between 2014 and 2016[24]. A more recent study by the SANS Institute found that the “percentage of control systems that experienced three or more incidents in the previous 12 months increased from 35.3% in 2017 to 57.7% in 2019”[25]. The continued growth in ICS incidents is being attributed to “foreign nation-states and organized crime where disruption or destruction is the main objective”[26].
ICSs are an integral component of many of the essential services and utilities on which the population is reliant. A loss of supply of clean drinking water combined with contamination and pollution of an environment could result in serious health issues and even death for residents of the targeted area. A large-scale attack of this nature by a terrorist organisation could result in the political destabilisation of a region.
An act of cyber sabotage has the potential to cause harm to persons or property, and when undertaken with the prerequisite motive and intent required to be categorised as terrorism, should be considered an act of cyber terrorism.
Other Misuse of Cyber Infrastructure and Systems by Terrorists
Due to the harm prerequisite required for the categorisation of an attack as terrorism, it can be proposed that “cyber sabotage” is the only attack category that could be considered an act of terror in cyberspace. The other three categories of attack – cyber crime, cyber espionage and cyber subversion (including hacktivism) – do not meet the required harm prerequisite; as such, attacks within these categories cannot be considered acts of terror. This does not preclude terrorists from utilising cyberspace as a platform for influence and as a tool to support the planning of their cyber operations.
Cyber Crime
“Cybercrime will continue to be an attractive option for criminals due to its ability to generate large profits with a low risk of identification and interdiction”[27]. The use of criminal activities by terrorists to finance politically motivated activities is not a new phenomenon specific to the cyber domain. In the past, Hezbollah generated income via smuggling cigarettes and methamphetamine; Al-Qaeda’s illegal income streams included credit card fraud and diamond smuggling operations; and long before the Internet, the Irish Republican Army was reliant on criminal gangs smuggling livestock and cars throughout the United Kingdom[28].
The opportunities for criminal activity within cyberspace are vast, with reports indicating that cyber attacks have been growing at a rate of two hundred percent each year. In 2015, cyberattacks were reported as the cause of $400 billion in losses to organisations and individuals. In 2016, McAfee Labs reported a 165% increase in ransomware attacks over a single quarter as hackers realised the potential financial windfall available through demanding cash to set the data free[29]. More recently, criminals have shifted from targeting individuals toward the specific targeting of enterprise systems of governments and organisations as a more lucrative target[30]. This shift in targeting aligns with one of the central tenets of terrorism, as terrorism does not seek specific victims, but instead seeks specific targets to achieve an outcome[31].
The illegal activities undertaken by terrorist organisations may be considered cyber crime; however, these activities cannot be classified as acts of terror without also meeting the required harm prerequisite. Denning’s[32] definition notes that an act of terror “should result in violence” or “at least cause enough harm to generate fear” and in the absence of this, the act cannot be considered cyber terrorism.
Cyber Espionage
Cyber espionage refers to the “malicious activity designed to covertly collect information from an adversary’s computer systems for intelligence purposes without causing damage to those systems”[33].
Although “cyber-enabled” espionage has been occurring for decades, the unprecedented proliferation and interconnection of technology has resulted in an explosion of its utilisation. Cyber espionage has become “the favoured method for both state and non-state actors, for gathering information”[34].
Breaches of this nature can negatively impact the reputation of the targeted government or organisation once they are made public, but of more concern is the potential for compromise of intellectual property[35]. Considering it is the knowledge of cyber vulnerabilities that is being stockpiled to develop the cyber weapons of the future, a non-destructive breach as a result of a cyber espionage operation could have significant security implications for a nation state.
While it is generally accepted that cyber espionage does not violate international law, the way it is carried out could be unlawful[36]. Legalities aside, cyber operations of this nature do not meet the harm prerequisite to be classified as an act of terror.
Cyber Subversion (Hacktivism)
Subversion refers to actions and tactics that undermine the legitimacy and authority of the state to achieve strategic outcomes[37].
The dissemination of propaganda via social media during the 2016 US presidential campaign is a recent example of the impact of subversion techniques. This alleged Russian subversion “created an ongoing political crisis at the highest levels of the US government”[38].
Cyber subversion operations involve the use of tools and techniques that fall below the threshold of an armed attack[39]. They therefore do not meet the required harm prerequisite for classification as an act of terror.
Although this form of cyber operation does not result in physical harm to persons or property, it provides an opportunity for adversaries, including terrorists, to threaten the foundation of the state from within. The cyber subversion operation targeting the 2016 US presidential campaign may have been orchestrated by a state; however, it was “implemented by and targeted actors beyond conventional state based structures and agencies”[40].
Conclusion
The strength of the terrorist is built on a bedrock of fear and spread through the available communication channel of the day. The Sicarii-Zealots understood this almost 2000 years ago, deliberately undertaking their attacks in public places with many witnesses. It was not the victims of the attack that gave them power; it was the stories of witnesses that propagated fear and created anxiety amongst the Roman collaborators.
The terrorism of 50 AD intended to enact change through fear; the same intent we see with the modern terrorism of today. The distinctive feature of terrorism that separates it from acts of war or guerrilla warfare is “the desired effect of the use of terror, namely, installation of fear in the desired audience to cause behaviour change or change in policy”[41].
The emergence of the cyber domain and the growing dependence of society on information technology and cyberspace has not changed the motivation or intent of the terrorist. Instead, it has created new forms of vulnerability for the terrorists to exploit[42] whilst also providing a global platform on which they can communicate their message[43].
________________
Footnotes
[1] Fridlund, 2019
[2] Halliday, 2004
[3] Garrison, 2003, p.44
[4] Fridlund, 2019; Garrison, 2003
[5] Garrison 2003, p.39
[6] Fridlund, 2019
[7] UNODC, 2018
[8] Denning, 2000
[9] Australian Government, 2020b
[10] Hardy & Williams, 2014
[11] Rid, 2013
[12] Hardy & Williams, 2014
[13] Australian Government, 2020a, p.13
[14] Conway, 2003
[15] Weimann, 2005
[16] Conway, 2003
[17] Akhgar et al. 2014
[18] Orlend 2014; Eilstrup-Sangiovanni, 2018, p. 382; Gjelten, 2010
[19] Halpern 2019
[20] Knapp & Langill, 2015, p.42
[21] Schmitt, 2017, p.452
[22] Schmitt, 2017, p.337
[23] ICRC, 1987; Robertson, 1997; Dörmann, 2004
[24] Sayfayn & Madnick 2017, p.2
[25] SANS ICS 2019
[26] SANS ICS 2019
[27] ACSC 2017, p. 15
[28] Shelley et al. 2005, 36; Dishman 2001, p.48
[29] Astani & Ready 2016, p. 211
[30] Zimba & Chishimba 2019, p.28
[31] Garrison 2003, p.43
[32] Denning, 2000
[33] ACSC, 2020
[34] Paterson & Hanley, 2020
[35] Torten et al. 2018, p. 69
[36] CCDCOE, 2020
[37] Paterson & Hanley, 2020
[38] Burton, 2018, p.3
[39] Breitenbauch & Byrjalsen, 2019
[40] Burton, 2018, pp. 24 –25
[41] Garrison, 2003, p.40
[42] Ariely 2014
[43] Emery et al. 2004, p.24
________________
References
Akhgar, B., Staniforth, A. & Bosco, F. (2014). Cyber Crime and Cyber Terrorism Investigator's Handbook. 1st Edition. Rockland, USA: Elsevier Science & Technology Books. Retrieved from https://www-sciencedirect-com.wwwproxy1.library.unsw.edu.au/book/9780128007433/cyber-crime-and-cyber-terrorism-investigators-handbook.
Ariely, G. (2014). Adaptive Responses to Cyberterrorism. In: Chen, T., Jarvis, L. & Macdonald, S. (eds) Cyberterrorism: understanding, assessment, and response. New York, USA: Springer.
Astani, M. & Ready, K. (2016). Trends and Preventative Strategies for Mitigating Cybersecurity Breaches in Organisations. Issues in Information Systems 17(2). pp. 208-214. Retrieved from https://www.iacis.org/iis/2016/2_iis_2016_208-214.pdf.
Australian Cyber Security Centre (2020). Cyber espionage. Australian Government. Retrieved from https://www.cyber.gov.au/acsc/view-all-content/glossary/cyber-espionage.
Australian Government (2020a). Australia Cyber Security Strategy 2020. Department of Home Affairs. Retrieved from https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf.
Australian Government (2020b, July 01). Criminal Code Act 1995. Compilation No. 133. amended 01 Jul 2020, viewed 24 Jul 2020, <https://www.legislation.gov.au/Details/C2020C00217>.
Breitenbauch, H. & Byrjalsen, N. (2019) Subversion, Statecraft and Liberal Democracy. Survival, 61(4). 31-41. Retrieved from https://doi-org.wwwproxy1.library.unsw.edu.au/10.1080/00396338.2019.1637118.
Burton, J. (2018, April). Cyber Deterrence: A Comprehensive Approach? NATO Cooperative Cyber Defence Centre of Excellence [CCDCOE]. Retrieved from https://ccdcoe.org/uploads/2018/10/BURTON_Cyber_Deterrence_paper_April2018.pdf.
Chen, T., Jarvis, L. & Macdonald, S. (2014). Cyberterrorism – Understanding, Assessment, and Response. New York, USA: Springer.
Conway, M. (2003). Hackers as terrorists? why it doesn’t compute. Computer Fraud & Security 2003(12). pp. 10–13. Retrieved from https://doi-org.wwwproxy1.library.unsw.edu.au/10.1016/S1361-3723(03)00007-1.
CCDCOE (2020). Tallinn Manual 2.0: Cyber Espionage Generally Not Unlawful. Retrieved from https://ccdcoe.org/news/2017/tallinn-manual-2-0-cyber-espionage-generally-not-unlawful/.
Denning, D. (2000, May 23). CYBERTERRORISM. Special Oversight Panel on Terrorism Committee on Armed Services. U.S. House of Representatives. Retrieved from https://faculty.nps.edu/dedennin/publications/Testimony-Cyberterrorism2000.htm.
Dishman, C. (2006, August 09). The Leaderless Nexus: When Crime and Terror Converge. Studies in Conflict & Terrorism 28(3). Retrieved from https://www-tandfonline-com.wwwproxy1.library.unsw.edu.au/doi/full/10.1080/10576100590928124.
Dörmann, K. (2004, November 19). Applicability of the Additional Protocols to Computer Network Attacks. International Committee of the Red Cross. Retrieved from https://www.icrc.org/en/doc/assets/files/other/applicabilityofihltocna.pdf.
Eilstrup-Sangiovanni, M. (2018). Why the World Needs an International Cyberwar Convention. Philosophy & Technology 31. pp. 379-407.
Emery, N., Earl, R. & Beuttner, R. (2004). Terrorist Use of Information Operations. Journal of Information Warfare, 3(2). 14–26. Retrieved from https://www-jinfowar-com.wwwproxy1.library.unsw.edu.au/sites/default/files/JIW3.2.pdf.
Fridlund, M. (2019, March 08). Terrorism: a very brief history. The Conversation. Retrieved from https://theconversation.com/terrorism-a-very-brief-history-107538.
Garrison, A. (2003). Terrorism: The Nature of its History. Criminal Justice Studies 16(1), pp. 39– 52. Retrieved from https://doi.org/10.1080/08884310309608.
Giesen, K. (2013). Towards a Theory of Just Cyberwar. Journal of Information Warfare, 12(1). pp. 22–31. Retrieved from https://www.jstor.org/stable/26486996.
Gjelten, T., (2010). 'SHADOW WARS: Debating Cyber Disarmament'. World Affairs, 173(4). pp. 33-42.
Halliday, F. (2004, April 22). Terrorism in Historical Perspective. transnational institute [tni]. Retrieved from https://www.tni.org/my/node/7793.
Halpern, S. (2019). How cyber weapons are changing the landscape of modern warfare. The New Yorker. Retrieved from https://www.newyorker.com/tech/annals-of-technology/how-cyber-weapons-are-changing-the-landscape-of-modern-warfare.
Hardy, K. & Williams, G. (2014). What is ‘Cyberterrorism’? Computer and Internet Technology in Legal Definitions of Terrorism. pp1-23. In: Chen, T., Jarvis, L. & Macdonald, S. (eds) Cyberterrorism: understanding, assessment, and response. New York, USA: Springer.
International Committee of the Red Cross [ICRC] (1987). Commentary of 1987 Protection of the Civilian Population. Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977. Retrieved from https://ihl-databases.icrc.org/applic/ihl/ihl.nsf/1a13044f3bbb5b8ec12563fb0066f226/5e5142b6ba102b45c12563cd00434741.
Knapp, E. & Langill, J. (2015). Industrial Cyber Security History and Trends. Industrial Network Security (2nd Edition). pp.41 – 57. Retrieved from https://doi.org/10.1016/B978-0-12-420114-9.00003-4.
Orlend B. (2014). Fog in the Fifth Dimension: The Ethics of Cyber-War. In: Floridi L., Taddeo M. (eds) The Ethics of Information Warfare, Law, Governance and Technology Series 14. Retrieved from https://doi.org/10.1007/978-3-319-04135-3_1.
Paterson, T. & Hanley, L. (2020). Political warfare in the digital age: cyber subversion, information operations and ‘deep fakes’. Australian Journal of International Affairs, 74(4). 439-454, DOI: 10.1080/10357718.2020.1734772
Pollitt M. (1997). Cyberterrorism—Fact or Fancy? 20th National Information Systems Security Conference. Baltimore, USA. Retrieved from https://www.cs.georgetown.edu/~denning/infosec/pollitt.html.
Rid, T. (2013, December 09). What is cyberterrorism? The International Centre for the Study of Radicalisation and Political Violence [ICSR]. London, United Kingdom: Kings College. Viewed at https://youtu.be/cPTPpb8Ldz8.
Robertson, H. (1997). The Principle of the Military Objective in the Law of Armed Conflict. United States Air Force Academy Journal of Legal Studies 8. pp. 35-70. Retrieved from https://scholarship.law.duke.edu/faculty_scholarship/102/.
SANS ICS (2019, July 09). The Risks of an IT Versus OT Paradigm. SANS Industrial Control Systems Security Blog. SANS Institute. Retrieved from https://ics.sans.org/blog/2019/07/09/risks-of-it-versus-ot-paradigm.
Sayfayn, N. & Madnick, S. (2017). Cybersafety Analysis of the Maroochy Shire Sewage Spill. Cambridge, USA: Cybersecurity Interdisciplinary Systems Laboratory, Massachusetts Institute of Technology. Retrieved from https://web.mit.edu/smadnick/www/wp/2017-09.pdf.
Schmitt, M. (2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. 2nd ed. Cambridge, UK: Cambridge University Press. Retrieved from https://doi.org/10.1017/9781316822524.
Shelley, L., Picarelli, J., Irby, A., Hart, D., Craig-Hart, P., Williams, P., Simon, S., Abdullaev, N., Stanislawski, B. & Covill, L. (2005, June 23). Methods and Motives: Exploring Links between Transnational Organized Crime & International Terrorism. Research Report. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/grants/211207.pdf.
Torten, R., Reaiche, C. & Boyle S. (2018, November). The impact of security awareness on information technology professionals’ behaviour. Computers & Security 79. pp. 68-79. Retrieved from https://doi.org/10.1016/j.cose.2018.08.007.
United Nations Office on Drugs & Crime [UNODC] (2018, July). Defining Terrorism. E4J University Module Series: Counter-Terrorism. Retrieved from https://www.unodc.org/e4j/en/terrorism/module-4/key-issues/defining-terrorism.html.
Weimann, G. (2005). Cyberterrorism: The Sum of All Fears. Studies in Conflict & Terrorism 28(2). pp. 129–149. Retrieved from https://doi.org/10.1080/10576100590905110.
Zimba, A. & Chishimba, M. (2019). Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures. International Journal of Computer Network and Information Security 2019(1). pp.26-39. Retrieved from https://www.mecs-press.org/ijcnis/ijcnis-v11-n1/IJCNIS-V11-N1-3.pdf.