2 October 2012
Defining Cyberterrorism: Capturing a Broad Range of Activities in Cyberspace
While the term 'cyberterrorism' was first coined in the 1980s, agreeing on a universally accepted definition remains a challenge. The CTC's Jonalan Brickey analyzes the origin of the term and provides definitions that better reflect today’s realities.
By Jonalan Brickey for Combating Terrorism Center (CTC)
A 1999 study prepared for the Defense Intelligence Agency and produced at the Naval Postgraduate School began with a disclaimer stating, "cyberterror is not a threat. At least not yet, and not for a while." Nevertheless, the authors warned, "cyberterror is indeed coming." Around the same time, Richard Clarke, who at that time was the White House special adviser for cyberspace security, preferred use of the term "infowarfare" instead of cyberterrorism. More than a decade later, he still rejected the word cyberterrorism on the basis that it is a red herring that "conjure[s] up images of Bin Ladin waging war from his cave"; he did, however, caution that there may be such a term as cyberterrorism in the future.
Barry Collin first introduced the term cyberterrorism in the 1980s, yet just as experts have not formed a consensus definition of terrorism, there is still no unifying definition of cyberterrorism. Cyberterrorism is an even more opaque term than terrorism, adding another layer to an already contentious concept. Cyber events in general are often misunderstood by the public and erroneously reported by the media. People tend to use the terms cyberwar, cyberterrorism, cybercrime, and hacktivism interchangeably, although there are important, sometimes subtle, differences.
The purpose of this article is to propose a comprehensive definition of cyberterrorism that captures the full range of how terrorists have used the internet in the past and how they will likely use more robust cyber capabilities in the future. This article will first look at clusters of cyberterrorism graphed according to methods and targets; it will then describe the clusters in more detail and provide examples. Finally, the article will offer a new definition of cyberterrorism incorporating these clusters.
Three Clusters of Cyberterrorism
Figure 1 [see PDF version] depicts the activities associated with the various cyberterrorism terms as described in the literature: online jihad, virtual jihad, electronic jihad, and pure cyberterrorism. While the chart is not a quantitative plotting of the activities, it is a qualitative approximation based on an understanding of the concepts along the x (targets) and y (methods) axes. Also, since terrorists are motivated by the pursuit of political goals, this two-dimensional graph intersects a "motivation" plane characterized by the pursuit of political goals. Some of these same activities may be carried out by other actors with different motivations, but they would appear in a different plane.
The x-axis represents the targets of cyberspace operations, spanning the cognitive, virtual, and physical domains. Cognitive targets are human minds—the cognitive faculties that enable thinking, reasoning, and judgment. Virtual targets are cyber manifestations of physical objects, such as organizations or people. This includes individual and organizational websites, which allow virtual interactions. Finally, the physical domain consists of what exists in the natural, physical world (as opposed to the man-made, virtual world).
The y-axis in Figure 1 [see PDF version] represents the methods of cyber activity: enabling, disruptive, and destructive. The range of the methods variable is similarly described by General Keith Alexander, National Security Agency director and commander of U.S. Cyber Command, who remarked that cyber attacks against U.S. information networks started as exploitative before becoming disruptive, but now such attacks are moving into the realm of destructive.
The activities in Figure 1 [see PDF version] form three clusters that represent different types of cyber militancy at the intersection of cyberspace and terrorism.
Enabling Cyber Militancy
The bottom-left grouping represents activities that are not directly associated with operational acts of traditional terrorism; however, they play a key supporting role in facilitating attacks in the cognitive and virtual domains. Enabling cyber militancy (ECM) activities include recruiting, inciting, radicalizing, financing, training, planning, and communicating. Research on terrorist use of the internet, often described as online jihad or virtual jihad, has revealed the many (similar) benefits that al-Qa`ida and other terrorists seek to achieve through the virtual world, including recruiting, radicalizing, financing, targeting, operational planning, and communicating.
There are several definitions in the literature that broadly include these activities as acts of cyberterrorism, and some courts agree with this characterization. A key operative associated with al-Qa`ida in the Islamic Maghreb (AQIM) conducted ECM-like activities in France in 2008 and 2009, leading to his conviction in 2012. Court documents described how Adlene Hicheur provided intellectual and logistical support to AQIM through the internet. His support included uploading pro-jihadist materials online, distributing encryption software to facilitate covert electronic communications, moderating a pro-jihadist website, and establishing virtual payment processes to finance AQIM operations.
Actors committing ECM do not have to be motivated by religious ideals, although to fit in this category they must seek political change. ECM activities may enable terrorists to achieve their goals via traditional means—knives, guns, and bombs—or through cyber means, although they are not themselves disruptive or destructive acts that leverage the full potential of the cyberspace domain.
Disruptive Cyber Militancy
The center cluster includes exposing, defacing, and denying. Disruptive cyber militancy (DiCM) is similar to electronic jihad, a cyberterrorism term described as jihadist hacking designed to take down websites and disrupt the normal (cyber-dependent) lifestyle of Westerners, which relies on critical infrastructure supporting medical, utility, transportation, and especially financial systems. Like ECM, electronic jihad also includes less nefarious, more nuisance-minded activities such as web defacement, denial of service attacks, and unauthorized access and disclosure of confidential (and oftentimes embarrassing) information.
At the outbreak of Syrian unrest in early 2012, Abu Hafs al-Sunni al-Sunni, a senior writer for jihadist websites and supporter of al-Qa`ida and mujahidin everywhere, proposed DiCM acts against the Syrian regime. In a detailed article posted online in February, al-Sunni enumerated several ways the mujahidin could attack the Bashar al-Assad regime. He called on "skilled hackers like Red Virus, Omar OX, and other jihadi hackers" to conduct electronic jihad against the Syrian regime. These hackers have also been active in cyber attacks between Palestinian and Israeli supporters that have disrupted financial, transportation, and other business websites.
Destructive Cyber Militancy
The goal of terrorists using destructive cyber militancy (DeCM) is to manipulate computer code and corrupt information system functions to damage or destroy virtual and physical assets. Manipulating or corrupting information may, at a minimum, provide misinformation and induce confusion and loss of confidence in critical systems. In the worst case, DeCM may cause catastrophic effects on critical infrastructure, possibly resulting in death and destruction. DeCM activities are often described in the literature as pure cyberterrorism, which is the direct use of cyber hardware, software, and networks to create kinetic effects on par with traditional acts of terrorism, as opposed to merely using information communication technology in support of organizational communication and traditional terrorism. Most experts in the field narrowly define cyberterrorism to include only the direct use of cyber capabilities, as opposed to ECM-like activities in support of terrorism.
Although there have been no destructive cyberterrorism attacks to date, terrorists may engage in DeCM to cause massive physical damage and economic disruption to critical infrastructure such as the power grid, fuel distribution and storage systems, public water sanitation systems, air traffic control systems, and financial systems (especially ATM networks). Many of these critical systems are either directly connected to the internet or indirectly accessible via removable media and out-of-band channels. A 2011 al-Qa`ida video called upon cyber-savvy mujahidin to attack U.S. critical information systems by conducting an "information raid in the manner of the raids of September 11." The video included translated interviews of cyber experts in the United States discussing how DeCM-like attacks may cause extensive damage to life-sustaining critical infrastructure. One example of a possible DeCM event would be the destruction of a key natural gas pipeline, the flow of which is regulated by electronic industrial control systems (ICS). These systems are vulnerable to hacking exploits, which could allow the manipulation of ICS functions such as a sudden increase in pipeline pressure, resulting in a large kinetic explosion.
A New Definition of Cyberterrorism
Bruce Hoffman defines terrorism as "the deliberate creation and exploitation of fear through violence or the threat of violence in the pursuit of political change." If one assumes for a moment that this was the accepted definition of terrorism, then the addition of cyber to this term results in a simple, though circular definition: cyberterrorism is the use of cyber to commit terrorism. Given the range of cyberterrorism activities described in the literature and depicted in the clusters shown in Figure 1 [see PDF version], this simple definition can be expanded to: cyberterrorism is the use of cyber capabilities to conduct enabling, disruptive, and destructive militant operations in cyberspace to create and exploit fear through violence or the threat of violence in the pursuit of political change.
Current definitions for cyberterrorism range from narrow to broad, although most experts subscribe to the narrow definition of pure cyberterrorism. The definition proposed here includes three shades of cyberterrorism to capture the full range of cyber activities terrorists use or wish to employ in the pursuit of political goals. Such a definition in the hands of practitioners and academics may engender more granular research, debate, and potentially strategies to counter the threat stemming from the three different shades of cyberterrorism.
More work is needed to understand and assess the risk associated with cyberterrorism—threats, vulnerabilities, and consequences. Computer security experts routinely expose vulnerabilities in cyberspace; however, there is a paucity of research on cyberterrorism threats and potential consequences. The cyberterrorism definition proposed here is broad enough to give researchers a wider lens to study the cyber capabilities of terrorists across the full spectrum of cyberspace.
Lieutenant Colonel Jon Brickey is the Army Cyber Command Fellow at the Combating Terrorism Center, West Point, NY.