Cyberterrorism: An Interim Assessment

This is behind a subscription firewall but you should be able to get a free subscription to Infosecurity magazine here [web-ready version now available here].

‘Cyberterrorism: A Look Into the Future’, Infosecurity, September/October 2009, pp.35-37:

Cyberterrorism might mean different things to different people, but one thing is certain – it needs to be taken incredibly seriously. What are we dealing with? How can we defend our nation? How will cyberterrorists of the future look to attack? The (ISC)² US Government Advisory Board Executive Writers Bureau answers these questions.

It’s not a bad little article, actually, and addresses upfront the problem of defining ‘cyberterrorism’. I wrote an op-ed recently that asked me to adopt the Dorothy Denning definition, which they cite here: cyberterrorism is,

the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political and social objectives.

The emphasis is mine, as this phrase is broadly in line with the general modern understanding of terrorism as acts that do not necessarily have to involve the loss of human life. This, of course, is sometimes taken to mean that non-casualty cyberterrorism is not terrorism at all, by those for whom terrorism must entail human casualties. I guess it depends which side of this particular fence you sit. I’m much more in the camp that suggests that the spectacular and demonstrative effects of terrorist acts are usually more important than the physical human harm they cause. Before anyone gets humpy about that, remember that 9/11 would have been construed as an act of terrorism even if the twin towers had been empty and no lives lost.

This leaves us unavoidably having to consider terrorism itself, and its objectives – we then assume that it must apply only to non-state actors (NSAs). Terrorists are non-state actors, even if sponsored by a state. Terrorism, though, is not so defined, as it is a tactic harnessed to strategic vision, even if the latter is weak.  I am not therefore so sure that cyberterrorism is purely a non-state act. Cyberterrorists might not necessarily commit cyberterrorism either. There is an ontological problem here.

Can cyberterrorism be committed by a state? Yes, I would suggest. This implies that the effects are more important than the intent, terminologically speaking. This is why terrorists have to publicise their actions. It’s also why uncritically calling everything ‘terrorism’, as has been the wont of the West in recent years, does more  harm than good in all manner of ways I won’t go into here. Cyberterrorism is perhaps best defined by its effects – or intended effects – rather than by the state/non-state character of its proponents. Terrorism reveals itself in being brought into the world, not by what we call those conspiring to commit it.

This article doesn’t flag up this particular equation, i.e. cyberterrorism ≠ (cyber)terrorists, but does the make the entirely valid point that I make more and more often that a successful counter-cyberterrorism/cyberdefensive strategy relies on an understanding that defence is more important than offence: vulnerabilities are more important than arms. Plugging those gaps and preventing exploits is the path to developing pre-event deterrence by denial, in strategic terms. In this sense, the cybersecurity wonks, military and academics could learn a lot from looking at work done in deterring terrorist CBRN.

Note: the article mentions an incident involving a Romanian hacker and an Antartica research station that I was unaware of. More from an old Register article here, including who called it ‘cyberterrorism’ and who did not.