As evidenced by the recent cyberattack against Sony Pictures, acts of cyberterrorism are increasingly being committed by state actors.
From mid-2012 to early 2013, a group called the Izz ad-Din al-Qassam Cyber Fighters launched more than 200 distributed-denial-of-service (DDoS) attacks against PNC, JP Morgan Chase, Bank of America, and other financial institutions. DDoS attacks overwhelm websites with traffic, such as external communications requests, in order to overwhelm and create a bottleneck within the server’s operations, making the site unreachable.
The U.S. accused Iran and its Quds Force, the Islamic Republic’s expeditionary terrorist arm, of orchestrating the attacks.
The Syrian Electronic Army (SEA), loyal to Syrian President Bashar Assad, claimed responsibility for a number of cyberattacks in 2013. It hacked into the Associated Press’ Twitter account and released a tweet saying that President Obama had been wounded in a White House bombing. As a result, the Dow Jones average plunged 140 points. The SEA hacked the U.S. Marines’ website, posting a message accusing President Obama of siding with al-Qaeda in Syria. It also targeted Qatar’s domain name system, compromising government websites, including state-sponsored Al Jazeera.
One component of a comprehensive defense against terrorism is heightened public awareness of the threat. The same is true for cyberterrorism. Coincidentally, the Sony attacks occurred at a time when the U.S. was attempting to do just that. October was National Cyber Security Awareness Month and November was Critical Infrastructure Security and Resilience Month.
There are challenges to raising awareness of the threat from cyberterrorism, not the least of which is the lack of consensus on even a definition of the term.
NATO, for example, defines cyberterrorism as “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal.”
The FBI defines it as the “premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub-national groups or clandestine agents.”
In her book, Computer Forensics: Cybercriminals, laws and evidence, cybercrime expert Dr. Marie-Helen Maras defines it as:
“The politically, religiously, or ideologically motivated use of computers (or related technology) by an individual, group, or state targeting critical infrastructure with the intention of harming persons and/or damaging property in order to influence the population (or segment of the population) or cause a government to change its policies.”
To appropriately respond to cyberterrorism, authorities first need to reach consensus on how to define it. Until there is a standard definition, there cannot be effective laws and regulations aimed at preventing or curtailing this criminal activity. Also, differing country to country standards make transnational cooperation and enforcement needlessly complex. This gap was highlighted by the government’s debate over whether the recent attack on Sony was cyberterrorism or cybervandalism.
CEP has opened its own front in the cyberspace battle with the #Digital Disruption Campaign, designed to identify and expose extremists who are misusing social media platforms like Twitter to radicalize and recruit new members, and to plan violent attacks against innocent people. Through this rigorous research and crowdsourcing campaign, CEP has monitored hundreds of accounts and exposed violent calls to action and instances of direct threats against individuals that jihadis are propagating on Twitter.
On Jan. 27, CEP CEO Ambassador Mark Wallace, in testimony before the House Foreign Affairs Subcommittee on Terrorism, Nonproliferation and Trade, highlighted the need for more aggressive actions for identifying and removing extremists from social media platforms. Wallace outlined a number of mechanisms by which social media companies can be proactive in preventing the hijacking and weaponization of Twitter and other platforms. He reiterated CEP’s calls for Twitter, in particular, to significantly strengthen its policies along the lines of new guidelines it developed to prevent bullying and harassment of women.
Fighting cyberterrorism will also require strengthened public-private partnerships. The Pentagon spends about $3 billion a year on cyberdefenses. A 2013 Executive Order called for increased information sharing to protect critical infrastructure. It largely focused on what the government provides to the private sector and not what the private sector provides to the government. To be effective, information sharing must be a two-way street.
In July 2013, 50 financial institutions simulated a cyberattack to test their responses. A key finding was that information sharing between the public and private sectors is essential to protecting critical infrastructure from cyberterrorism. Former Senator Judd Gregg, CEO of the Securities Industry and Financial Markets Association, which led the exercise, said he hoped the test would encourage Congress to pass legislation promoting information-sharing.
Hopefully, an intensified awareness to the many dangers of cyberterrorism of all kinds, and greater cooperation between public and private entities can give this issue the exposure it deserves and boost the effectiveness of our efforts to prevent it.