Lethal Cyberterrorism: A Capability Acquisition Model

In 1991, the US National Research Council concluded: ‘Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb.’ Yet, a generation later, we are still asking ourselves whether lethal cyberterrorism is possible.

What is lethal cyberterrorism? Without going into academic definitions, I consider it the ability of terrorists to cause fatalities through computer networks, for instance by manipulating train line controls to cause a deadly collision.

For the last 18 months I've been researching cyberterrorism for a book I'm writing on the topic. Whilst scholars have explored whether cyberterrorism is possible, there has been less focus on how terrorists could gain lethal capabilities. I've created a model to help us explore that question.

Lethal cyberterrorism would most likely require the targeting of cyber-physical systems, that is, those digital systems that interact with physical entities, for example, military platforms, manufacturing plants, or traffic management. Such attacks commonly fall within what is known as ‘Offensive Cyber Operations’ (OCO), whose objective is the disruption, denial, degradation, or destruction of digital assets.

Max Smeets created the very useful PETIO (people, exploits, tools, infrastructure, organisation) framework to explain the components required for successful OCOs:

  • People represents the skills needed for OCO. This includes technical specialists, such as developers, operators, and vulnerability analysts, as well as supporting staff, such as linguists and strategists.
  • Exploits are code that takes advantage of system vulnerabilities to achieve specific ends (e.g., provide privileged access).
  • Tools are software to achieve specific objectives.
  • Infrastructure encompasses assets used for attack testing and execution. This can include digital command and control (C2), such as domain names and computer servers, as well as test infrastructure for target emulation.
  • Organisation: Smeets states that ‘organizational characteristics and processes can severely impede (or enable)’ OCO. Smeets highlights the requirement for ‘effective organizational integration’ and ‘coordination of intelligence and military activities’ as variables that can stimulate knowledge circulation, increase resources for specialisation, and enable code and infrastructure sharing.

Smeets developed the PETIO model for nation-states. Terrorists would likely discard some of its components, such as lawyers. Not all OCOs require all PETIO elements. The framework describes the requirements for a sustained capability complete with force integration and national strategy alignment. To enact a single OCO, a terrorist group may require less capability (for instance, organisational components such as knowledge sharing may be superfluous).

Now that we have an OCO model, we need an acquisition framework. This new framework I have created comprises six acquisition paths: indigenous, recruited, learned, purchased, gifted, and stolen (IRLPGS) (I have no ability to create Marvel-like acronyms!).

  • Indigenous refers to a pre-existing OCO capability. For instance, an organisation may identify members possessing OCO skills. Alternatively, capability could be inadvertently recruited.
  • Recruited capability involves a targeted recruitment of individual(s) with OCO skills.
  • Learned refers to capability acquisition through study.
  • Purchased is when capabilities are paid (or traded) for on legal or illegal markets.
  • Gifted capabilities are bestowed by a third party, almost certainly a nation-state.
  • Stolen capabilities may be accessed via illegal markets, or by commissioning a theft. These capabilities may be available due to unauthorised disclosures (leaks), or terrorists may themselves steal capabilities.

Now we can cross the PETIO and IRLPGS frameworks into a grid for risk assessment, with each capability component scored against each acquisition path:

[Image: PETIO (rows) × IRLPGS (columns) risk assessment grid]

Now, we need a probability yardstick.

[Image: probability yardstick]

This allows us to start making some judgements about the chance of each capability being acquired through each path.

Note that the judgements below are ILLUSTRATIVE ONLY and do not represent my views; they are there solely to demonstrate the model.

[Image: PETIO × IRLPGS grid populated with illustrative probability judgements]

We can then isolate the most likely acquisition paths for each capability component:

[Image: most likely acquisition path highlighted for each PETIO component]

This framework will provide a common lexicon for how we talk about cyberterrorism capability acquisition risk, and a structure for mapping countermeasures and identifying priorities and gaps.

I have this framework written up as an academic article that I will try to publish later in the year. It may change between now and then as I take on board comments and suggestions from friends and colleagues.

I also have the framework in a slide deck, so if any corporate friends need an event speaker on cyberterrorism please let me know!

I do have some views on what the risk levels should be, but I think it will be more impactful and comprehensive if the risks represent a view from a number of experts. Therefore, I will be approaching around 25 people shortly to survey their views and create a community assessment. I will be sure to publish the findings when complete.

Max Smeets

Researcher & Director

1 year

Really fascinating to see how you're building on the PETIO framework to develop these insights! An excellent pairing with the acquisition framework.

More articles by Dr Craig Jarvis

  • Lecturing Portfolio
  • Cyberterrorism: Myth & Reality - Provisional Outline
  • A Framework for Ending the Crypto Wars
  • A New Crypto Wars Chronology (II)
  • The Cypherpunks - Digital Insurgents
  • A New Crypto Wars Chronology (I)
