Sometimes I consider the threats to our information security as all sitting along a nearly endless continuum. There are so many degrees of issues, maybe as many as there are positive outcomes from our technological progress during the past 50 years since the internet came to be. Last week, for example, I discussed how modern-day bullying moved from the playground into our various social media platforms and online communications. It’s a nasty activity, this cyberbullying. It’s created real anguish and pain in families all over America. It resonates with its victims for years. Online bullying is also still new enough that my sense is that we don’t even realize all the problems that the cowardly act of anonymously harassing others online brings into reality. Sadly, more victims’ stories and heartbreaks, and their pains and even deaths, will need to be studied to ferret out its full implications.
Along the range of cybersecurity threats sits cyberbullying, as well as more conventional hacks where criminals steal identities or information. There is the newish type of threat known as ransomware. There’s an entire realm of obscenity that pervades the internet, much of which is criminal and all of which is questionable. Beyond all of these, problematic as they are, is another section of the continuum though that doesn’t seem to get much ink, to put it in almost old-timey parlance when morning and evening newspapers were your news source. That area of nefarious online conduct is way up the line, and may become more prevalent, while always newsworthy, and is known as cyberterrorism. Give me yet another chance to lament the prefix “cyber-” as I’m apt to do. No matter, cyberterrorism is real, it could be devastating, and it needs more attention.
We are, sorry to remind, familiar with terrorism. The 9/11 attacks should come front and center in your mind when you read the term. Oklahoma City’s federal building attack by Timothy McVeigh may be part of your understanding of terrorism. For decades the Irish Republican Army engaged in terrorism across the Atlantic. Those are blatant examples of terrorism, and they illustrate the scope and the disastrous ends that terrorists propagate. So, what is the mode of terrorism in the digital age? What is cyberterrorism?
Some components of it fit the old mold. Terrorists ply their trade because of criminal motivations, or just as commonly they are ideologists with political or religious agendas, for example. Such underlying motivations still drive the 21st century terrorists. Now though they deploy technological tools. They use online channels of communications. They are savvy with cryptography so encrypt their messages to be unreadable lest one possesses the decrypt key to decipher them. Like most updated definitions of conventional words that earned a “cyber” in front of them, the definition and description of cyberterror has to embrace the many ways that an organization utilizes our technologies before we understand the concept.
Some of the common language used in the ways that experts discuss cyberterrorism includes “the premeditated, ideologically motivated dissemination of information.” Okay. Aside from the trigger word “premeditated” so far a cyberterrorist sounds much like a believer who’s spreading the word about their faith. Then, the description becomes more familiar with our old notion of terrorists who are now “attacking physical targets, digital information, or computer systems” and by doing so intend to cause “social, financial, physical, or psychological harm.” The use of cyberterrorism techniques relies on “utilization of digital communications directly or indirectly” toward the harmful ends, whatever they may be.
Maybe if you take a moment to think about cyberterrorism, you conjure up the truly big players, the nation-state actors who have expansive resources, terroristic tendencies already, and the ideologies that lead to activating their plots. North Korea comes to mind, yes? Maybe Russia. But there are ample examples of non-nation-state cyberterrorists. Some of the U.S.’s leading banks were attacked by such a private group in 2013 after a YouTube video allegedly critiqued the Prophet Mohammed. The group known as Anonymous frequently creates digital havoc, sometimes earning the badge of “hacktivist,” though many in the security community perceive them as less noble, more destructive cyberterrorists.
The reason that cyberterrorism lands so far up the line of security threats, far from the still treacherous cyberbullying from last week’s piece, is that we’re in a territory that can cause truly apocalyptic danger to society. Everything runs with help from or reliance upon computers. Let’s get beyond our newfangled flat screen TVs, smart refrigerators, and Alexas for a moment here. Think more along the lines of nuclear power plants, or dams, or water treatment facilities After 9/11, when I happened to have been working in security systems in Chicago, many governmental and private actors convened to help understand this level of threat. It was the White House Critical Infrastructure Protection Board, and its Chicago breakout group examined such critical systems. I quickly understood the power and wrath of a cyberterrorist by trying to protect the internet trunk lines, the water systems, the electrical grid, and other critical systems and their vulnerabilities. Sometimes I’m personally amazed that a large-scale cyberterrorism event has not debilitated large or small populations of civilians in America.
It’s not that cyberterrorists haven’t tried. The Mexican government was attacked about 10 years ago by terrorists who used hacking tools to take down its president’s website; they later went after Clinton’s website as well. Jihadist groups created the Electronic Jihad hacking software to bring down Western cultures. Great Britain’s been hit. Turkey’s been taken offline, who then attacked Russia with cyberterrorism tools.
These examples, the many that have been thwarted, and sad to report the countless others that were so sophisticated and successful that we don’t even realize their occurrences are all part of the inordinately broad spectrum of online threats. What’s beyond cyberterrorism? I’ll save “cyberwarfare” for another day.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.