A few years ago, the FBI Director at the time stated that ISIS was “waking up” to the idea of initiating a cyberattack against critical US infrastructure with sophisticated malware. “Logic tells me it's coming,” he said, adding that ISIS is “looking into” whether it would be capable of perpetrating such attacks. Over the last two years, he said, there has been more attention paid to potential cyberattacks against the US, and although he has not seen them yet, “it just makes too much sense” that destructive malware would end up in the hands of terrorists. “Destructive malware is a bomb, and terrorists want bombs.”
It is indeed likely that cyberattacks are not only here to stay, but given the increasing reliance on the internet, they are likely to increase significantly. Further work is needed to better understand and assess the risks associated with cyber terrorism – the threats, vulnerabilities, and consequences. Cyber security experts routinely expose vulnerabilities, but there is a relative paucity of research on specific cyber terrorism threats and potential consequences. This is problematic, as vulnerability does not equal risk.
Stuxnet, discovered in June 2010 and nicknamed the “world’s first digital weapon”, marked a significant change from earlier cyberattacks. Stuxnet had moved beyond the virtual world and was capable of causing physical destruction, and it was perpetrated by nation states against another nation state – an example of cyber warfare. Cyber terrorism seems to have found a different “niche”, whereby the target of destruction or disruption of service does not necessarily have to be a military or state target, but could also be a commercial entity or service.
The challenges in categorizing attacks as cyberattacks, and even more so as cyber terrorism, can be effectively illustrated through the following “real life” case: There was a mysterious explosion on the Baku-Tbilisi-Ceyhan (BTC) pipeline in Erzincan, Turkey, just before the Russia-Georgia war began in 2008. The Turkish government claimed mechanical failure. Another explanation at the time was a bombing by the Kurdish PKK terrorist group, and the PKK even claimed responsibility. A pipeline bombing of this sort could indeed fit the attack profile of the PKK, which specializes, among other things, in assaults on critical infrastructure. There was widespread speculation that the attack could have been a cyberattack. But the PKK does not have advanced cyberattack capabilities, nor is that its modus operandi. US intelligence officials believed the PKK – which according to leaked US State Department cables has received arms and intelligence from Russia – may have arranged in advance with the Russian cyber attackers to take credit. Years later, BP, one of the pipeline construction companies, claimed in documents filed in a legal dispute that it was not able to meet shipping contracts after the attack due to “an act of terrorism.”
It subsequently emerged that according to US intelligence officials, the chief suspect was Russia: the attack on the BTC pipeline – which follows a route through the former Soviet Union that the US government mapped out over Russian objections – would mark another chapter in the aggressive energy politics of Eurasia. The attack, according to this theory, was the result of a cyberattack on the computers managing the pipeline. Software planted in the pipeline system shut down alarms and raised the pressure in the pipeline to such a high level that it exploded. However, later, a leaked internal official inspection report concluded that the explosion was not caused by a cyber operation after all. Rather, it was a case of “traditional” terrorism using explosives. The assumed cyberattack simply could not have taken place, for various technical reasons.
Cyber terrorism is certainly an attractive option for “modern” terrorists, who might value its anonymity, potential to inflict massive damage, psychological impact, and media appeal. However, fears of cyber terrorism have frequently been exaggerated. Cyberattacks on critical components of the national (energy) infrastructure are not uncommon, but they have not yet been conducted by terrorist groups and have not sought to inflict the kind of damage that would qualify as cyber terrorism. For the case of cyber terrorism, we must consider the use of cyberattacks in the context of the political goals and motivations of terrorist groups, and whether cyberattacks are likely to achieve these goals. On a national level, where hundreds of different systems provide critical infrastructure services, failure is a fairly routine occurrence at the system or regional level. Cyber terrorists would need to attack multiple targets simultaneously for long periods of time to create “real” terror or achieve strategic goals. For much of the critical (energy) infrastructure, multiple sustained, effective attacks are not a very likely scenario for terrorist groups – at least at this point. But although the fear of cyber terrorism may sometimes be manipulated and exaggerated by vested interests, we should, of course, neither deny nor ignore it.
Paradoxically, success in the “fight against terrorism” is likely to make terrorist groups turn increasingly to unconventional weapons, such as cyberattacks. For terrorist groups, cyber-based attacks have some distinct advantages over physical attacks as they can be conducted remotely, anonymously, and relatively cheaply. The effects can be widespread and profound. Thus, incidents of cyber terrorism are likely to increase in the future. They might be conducted through denial-of-service attacks, malware, and other methods that are difficult to envision today. In an article about cyberattacks by Iran and North Korea, the New York Times’ leading “cyber reporters” once observed, “The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field.” The same rationale would perfectly fit the cost-benefit analysis and modus operandi of terrorist groups.