Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.
—National Research Council, Computers at Risk (1991)
Some years ago, in a television interview, I compared the threat of cyberterrorism to a dark cloud on the horizon: it is there, it is dark, it is coming, and yet we do not know when it will arrive. Today, I know that the dark cloud is already here. As this chapter will reveal, there is no doubt that terrorists today are considering the use of cyberattacks—by attempting to recruit the personnel and develop the know-how to do so—and some have already launched such attacks. Yet even though the dark cloud of cyberterrorism is already here, its full dreadful capacities are not. The September 11 attacks present a tough challenge for any terrorists who would like to surpass the magnitude and impact of that day’s events. Cyberterrorism, from the terrorist perspective, is one of the most promising weapons to respond to this challenge.
What Is Cyberterrorism (and What Is Not)?
Cyberterrorism is commonly defined as the use of computer network devices to sabotage critical national infrastructures such as energy, transportation, or government operations. The premise of cyberterrorism is that as modern infrastructure systems have become more dependent on computerized networks for their operation, new vulnerabilities have emerged—“a massive electronic Achilles’ heel” (Lewis 2002, 1).
The roots of the notion of cyberterrorism can be traced back to the early 1990s, when the rapid growth in Internet use and the debate on the emerging “information society” sparked several studies on the potential risks faced by the highly networked, high-tech-dependent societies. As early as 1990, the prototypical term “electronic Pearl Harbor” was coined, linking the threat of a computer attack to an American historical trauma. The term itself was first used in the 1980s by Barry Collin, who discussed this dynamic of terrorism as transcendence from the physical to the virtual realm and “the intersection, the convergence of these two worlds” (Collin 1997, 15). Although cyberterrorism combines the terms “cyber” and “terror,” the full term “cyberterrorism” is an even more opaque and broadly defined term than “terrorism,” adding another layer to an already contentious concept.
Cyber events in general are often misunderstood by the public and erroneously reported by the media. Several difficulties have prevented the creation of a clear and consistent definition of the term “cyberterrorism.” First, much of the discussion has been conducted in the popular media, where journalists typically prefer drama and sensation to good operational definitions of new terms. Second, it has been especially common when dealing with computers to coin new words simply by placing variants of terms such as “cyber,” “computer,” or “information” before another word. Thus, a slew of terms—“cybercrime,” “infowar,” “netwar,” “cyberterrorism,” “cyberharassment,” “virtual warfare,” “digital terrorism,” “cybertactics,” “computer warfare,” “cyberattack,” and “cyber-break-ins”—is used to describe what some military and political strategists call “new terrorism” of our times.
Some efforts have been made to introduce greater semantic precision. Dorothy Denning, a professor of computer science, put forward an unambiguous definition in numerous articles and in her testimony on the subject before the House Armed Services Committee in 2000:
Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not (Denning 2000, 1).
The National Conference of State Legislatures, an organization of legislators created to help policymakers with issues such as economy and homeland security, gives the following definition for cyberterrorism:
The use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. (Quoted in Gorge 2007)
It is important to distinguish the terms cyberterrorism, hacking, and “hacktivism.” Hacking is understood here to mean activities conducted online and covertly that seek to reveal, manipulate, or otherwise exploit vulnerabilities in computer operating systems and other software. Most hackers tend not to have political agendas, and concentrate on writing programs that expose security flaws in computer software. Their efforts in this direction have sometimes embarrassed corporations but have also been responsible for alerting the public and security professionals to major software security flaws. Moreover, although hackers have been known to damage systems, disrupt e-commerce, and force websites offline, the vast majority of hackers do not have the necessary skills and knowledge to inflict serious harm, and the ones who have those skills generally do not seek to do so (Denning 2001).
Hacktivism is a related term coined by scholars to describe hacking with a political activism component. Although hacktivism is politically motivated, it does not constitute cyberterrorism. Hacktivists want to protest and disrupt; they do not want to kill, maim, or terrorize. However, hacktivism does highlight the threat of cyberterrorism: individuals with no moral restraint may use methods similar to those developed by hackers to wreak havoc. The line between cyberterrorism and hacking or hacktivism may blur, especially if terrorist groups recruit or hire computer-savvy hacktivists or if hacktivists decide to escalate their actions by attacking the systems that operate critical elements of the national infrastructure, such as electric power networks and emergency services (Weimann 2005a, 136–37).
Michael Vatis (2001) has classified potential cyberattackers in four categories:
• Terrorists: Although only few terrorist groups have used cyberterrorism, many have shown interest in using it and are attempting to master it.
• Nation-states: Several nation-states, including supporters of terrorism (Syria, North Korea, Iran, Sudan, and Libya), have developed cyber-warfare capabilities and even employ them.
• Terrorist sympathizers: Various hacker groups have the ability to launch cyberattacks to show their support for a terrorist group or its cause. Vatis finds that these groups are the likeliest to engage in cyberterrorism.
• Thrill-seekers (or “cyber-joyriders”): According to Vatis (2001, 14), these hackers and “script kiddies” (a derogatory term used to describe individuals who attempt to break the security on computer systems without understanding the exploits they are using) simply want to gain notoriety through high-profile attacks. However, such individuals can and have had significant disruptive impact through their destructive attacks.
Vatis’s list provides a basis for classifying potential cyberattackers, though it does not include other categories of cyberattackers, including criminals who engage in extortion, identity theft, credit card and bank fraud, and corporate espionage; and “insiders” who engage in sabotage, fraud, and so on in systems to which they already have access.
The Appeal of Cyberterrorism
Cyberterrorism is an attractive option for modern terrorists for several reasons:
• Minimal resources required: Cyberterrorism is cheaper than traditional terrorist methods. All that the terrorist needs is a personal computer and an online connection. Terrorists do not need to buy weapons such as guns and explosives; instead, they can launch digital attacks through a telephone line, a cable, or a wireless connection. The minimal resources that are needed for such an attack—one person in front of a computer connected to the Internet—help groups that have limited funds.
• Anonymity: Cyberterrorism is more anonymous than traditional terrorist methods. Like many Internet surfers, terrorists use online nicknames—“screen names”—or log on to a website as an unidentified “guest user,” which makes it harder for security agencies and police forces to track down their real identity. Cyberspace also has no physical barriers to overcome, such as checkpoints to navigate, borders to cross, or customs agents to outsmart.
• Remote attacks: Cyberterrorism can be conducted remotely, a feature that is especially appealing to terrorists. In fact, a terrorist at a computer on one side of the world can launch an attack, route it through dozens of different countries, cover his tracks so that it is nearly untraceable, and cause great damage to a society or nation on the other side of the globe.
• Vulnerabilities: The variety and number of targets are enormous. Cyberterrorists can target the computers and computer networks of governments, individuals, public utilities, private airlines, and so forth. The sheer number and complexity of potential targets guarantee that terrorists can find weaknesses and vulnerabilities to exploit. Several studies have shown that critical infrastructures such as electric power grids and emergency services are vulnerable to a cyberterrorist attack because both the infrastructures and the computer systems that run them are highly complex, making it effectively impossible to eliminate all weaknesses.
• Scope of damage: The potential scope of damage is another attractive feature of cyberterrorism. Consider the following comparative scenario: A suicide bomber can enter a bus, and if successful can manage to kill all the passengers on the bus and possibly harm bystanders and others in the immediate area. With cyberattacks, a terrorist can take control of traffic lights in a certain area, the air traffic control systems of a busy airport, or the computers controlling the underground transport system in a major city—and could cause hundreds or even thousands of fatalities over a much wider area.
• Greater “fear factor”: Cyberterrorism fits with terrorists’ goals of infusing fear into the lives of their enemies. Cyberterrorism can come without any warning, and there is not much that ordinary civilians can do to protect themselves against such attacks. This uncertainty and lack of control over one’s own world make the prospect of this form of terrorism such a dreadful option.
These factors are all reasons why cyberterrorism is a much more appealing form of attack. Terrorists are indeed getting interested in cyberwarfare. In his March 2012 testimony before a US House of Representatives appropriations subcommittee, Federal Bureau of Investigation (FBI) director Robert Mueller said that terrorists may seek to train their own recruits or hire outsiders with an eye toward pursuing cyberattacks on the United States. “Terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent,” Mueller said. He also stated that terrorists have shown interest in developing hacking skills, and that the evolving nature of the problem makes the FBI’s counterterrorism mission more difficult (quoted in Associated Press 2012).
The Forms of Cyberterrorism
Even now, we are under cyberattack. Using statistics from the online community hackerwatch.org, in one week of March 2014, more than three million serious computer attacks were reported, with 443,552 such attacks taking place in one 24-hour period—a rate of more than 300 attacks per minute. Though most of these attacks are not committed by terrorists, there is a growing share in the part that terrorism plays in cyberattack patterns.
Cyberattacks have various forms and categorizations. One such classification relies on the objectives of the attackers, which include the following four areas:
1. Loss of integrity, such that information could be modified improperly;
2. Loss of availability, where mission-critical information systems are rendered unavailable to authorized users;
3. Loss of confidentiality, where critical information is disclosed to unauthorized users; and
4. Physical destruction, where information systems create actual physical harm through commands that cause deliberate malfunctions. (Rollins and Wilson 2007, 3)
A fifth objective often mentioned is publicity, where even a marginally successful cyberattack directed at a major facility or service is sufficient to garner considerable publicity and consequently increases public anxiety and distrust.
The cyberattack on Estonia may illustrate the potential of a well-orchestrated cyberattack directed at a specific nation (Landler and Markoff 2007). In May 2007, several key Estonian government and business computer systems were subjected to a mass cyberattack following the controversial removal of a Soviet-era World War II war memorial from downtown Tallinn. The attack was a distributed denial-of-service (DDoS) attack in which selected sites were bombarded with traffic in order to force them offline. The cyberattack affected nearly all Estonian government ministry networks as well as two major Estonian bank networks, all of which were knocked offline. Despite speculation that the attack had been coordinated by the Russian government, Estonia’s defense minister admitted that he had no evidence linking the cyberattacks to the Russian authorities. NATO and the United States sent computer security experts to Estonia to help the nation recover from these cyberattacks, and to analyze the methods used and determine the source of the attacks. Some security experts suspect the involvement of cybercriminals, possibly using a large network of infected personal computers (called a “botnet”), to help disrupt the Estonian government’s computer systems.
An attack against computers may disrupt equipment and hardware reliability, change processing logic, or steal or corrupt data (Wilson 2007; Wilson 2008). Various methods can be used for such attacks:
• Conventional kinetic weapons (e.g., firearms, explosives) can be directed against computer equipment, a computer facility, or transmission lines in a physical attack that disrupts the reliability of the equipment.
• Electromagnetic energy, most commonly in the form of an electromagnetic pulse, can be used to create an electronic attack directed against computer equipment or data transmissions. By overheating circuitry or jamming communications, electronic attacks disrupt equipment reliability and data integrity.
• A computer network attack (CNA), directed against computer processing code, instruction logic, or data, can generate a stream of malicious network packets intended to disrupt data or logic by exploiting vulnerabilities in computer software, or weaknesses in an organization’s computer security practices.
Cyberterrorism is often equated with the last method, the use of malicious code. The 2007 Estonian case is one such example. However, a cyberterrorism event may also depend on the use of other measures. Thus, it is possible that if certain computer facilities were deliberately attacked for political purposes, all three methods described above (physical attack, electronic attack, and cyberattack) might contribute to or be labeled as “cyberterrorism.” Where do vulnerabilities lie, and what technological tools will terrorists use? The following sections discuss some of the types of “cyber weapons” that terrorists have at their disposal.
Botnets
Botnets, or “bot networks,” are made up of vast numbers of compromised computers that have been infected with malicious code and can be remotely controlled through commands sent via the Internet. Hundreds or thousands of these infected computers can operate in concert to disrupt or block Internet traffic for targeted victims. Once the botnet is in place, it can be used in DDoS attacks, proxy and spam services, malware distribution, and other organized criminal or terrorist activity. Botnets can also be used for covert intelligence collection or to attack Internet-based critical infrastructure. Additionally, botnets can be used as weapons in propaganda or psychological campaigns against their targets to instigate fear, intimidation, or public embarrassment. Botnets are becoming a major threat for future cyberterrorism, partly because they can be designed to disrupt targeted computer systems in different and effective ways, and because even terrorists that do not have strong enough technical skills to develop their own botnets can apply these disruptive measures in cyberspace simply by renting botnet services from a cybercriminal. According to a June 2013 FBI report, the use of botnets is on the rise, and it estimated that “botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major U.S. businesses. They’ve also affected universities, hospitals, defense contractors, law enforcement, and all levels of government” (Federal Bureau of Investigation 2013).
Botnet codes for infecting computers were originally distributed as infected email attachments, but additional methods can be used to acquire more computers for the system. A website may be unknowingly infected with malicious code in the form of an ordinary-looking advertisement banner, or the site may include a link to an infected website. Clicking on the banner or following the link may install botnet code. Botnet codes can also be silently uploaded to a user’s computer simply by exploiting an unpatched security vulnerability in the user’s Internet browser—even if the user takes no action while viewing the website. Some bot software can even disable the user’s antivirus security before infecting the computer. Once infected, the malicious software establishes a secret communications link to a remote “botmaster” in preparation to receive new commands to attack a specific target (Wilson 2008).
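The paragraph above ends with the infected machine opening a communications link to a remote botmaster and waiting for commands. From the defender's side, that link is the most observable part of the infection: a bot typically checks in with its controller on a fixed schedule, and scheduled check-ins look different from the bursty, irregular connections a person generates. The example below is added here for illustration; it is not code from the chapter or from any product it cites. It runs over constructed connection records (documentation-range addresses, not real hosts) and flags source/destination pairs whose inter-connection gaps are too regular. The thresholds (`min_connections`, `max_cv`) are assumed illustrative values, not tuned ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_connections():
    """Constructed outbound-connection records (timestamp, source, destination).

    192.0.2.20 browses irregularly; 192.0.2.21 contacts one address about
    every 60 seconds, the shape of a bot polling its controller for commands.
    Addresses are documentation ranges, not real hosts.
    """
    base = datetime(2014, 3, 10, 9, 0, 0)
    rows = []
    for off in (0, 7, 19, 43, 88, 95, 140, 221, 300, 340):
        rows.append((base + timedelta(seconds=off), "192.0.2.20", "203.0.113.50"))
    for i, jitter in enumerate((0, 1, -1, 2, 0, -2, 1, 0, 1, -1)):
        rows.append((base + timedelta(seconds=60 * i + jitter), "192.0.2.21", "198.51.100.99"))
    return rows


def detect_beacons(rows, min_connections=8, max_cv=0.1):
    """Flag (source, destination) pairs whose connection timing is too regular.

    For each pair, compute the gaps between successive connections and their
    coefficient of variation (stdev / mean).  Human-driven traffic is bursty
    (high CV); scheduled check-ins cluster tightly around one period (low CV).
    Thresholds are illustrative assumptions.  Returns dicts sorted by source.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in rows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(times),
                         "period_seconds": round(avg, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["src"])


if __name__ == "__main__":
    for hit in detect_beacons(build_sample_connections()):
        print(hit)
```

A flagged pair is a lead, not a verdict: legitimate software updaters and monitoring agents also poll on a schedule, so the next step is to check what process owns the connection and whether the destination is known. Bots that randomize their check-in interval will push the CV above the threshold, which is why this check is usually paired with destination reputation and payload inspection rather than used alone.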
Attacks on SCADA Systems
SCADA (supervisory control and data acquisition) is a type of computer-controlled system that monitors and controls systems such as industrial, infrastructure, and facility-based processes. SCADA is one part of the broader category of industrial control systems, which include programmable logic controllers, remote terminal units, and other monitoring and automation devices used in all types of industrial, infrastructure, and facility processes and systems. Industrial processes that use SCADA systems include manufacturing, production, power generation, fabrication, and refining. Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems. Facility processes involve monitoring and controlling heating, ventilation, and air conditioning systems and energy consumption in buildings, airports, ships, and space stations.
SCADA systems have existed since the 1960s. In the early days, they were stand-alone, and few were networked. Today, virtually all are accessed via the Internet. This technological development has helped to cut costs, but from an information security perspective it introduces vulnerabilities. SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, and water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure. Alarmingly, in 1997 the President’s Commission on Critical Infrastructure Protection said of SCADA systems:
From the cyber perspective, SCADA systems offer some of the most attractive targets to disgruntled insiders and saboteurs intent on triggering a catastrophic event. With the exponential growth of information system networks that interconnect the businesses, administrative and operational systems, significant disruption would result if an intruder were able to access a SCADA system and modify the data used for operational decisions, or modify programs that control critical industry equipment or the data reported to control centers. (President’s Commission on Critical Infrastructure Protection 1997, A-27)
Advancements in the availability and sophistication of malicious software tools have increased the cyber threat to these systems, as new technologies raise new security issues that cannot always be addressed prior to adoption. The increasing automation of critical infrastructures provides more cyber access points for terrorists to exploit. As was described in the October 2005 joint hearing before the Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity:
Securing SCADA systems is similar to securing all of our cyber infrastructure; however, the consequences are potentially very different. Minimally, adversaries could target SCADA systems through cyber networks, utilizing common cyber attack methods to render the SCADA systems unusable. This could slow down, stop, or endanger the functions of the facility. This would result in not only serious problems at that facility but potential cascading effects on other facilities or processes that are dependent on the attacked facility. Even worse, terrorists could utilize SCADA systems for their own sinister motives—causing a pipeline to burst, opening flood gates on dams, or shutting down our electric supply, all without ever gaining access to the facility. (“SCADA Systems and the Terrorist Threat” 2005, 2)
All of our infrastructure systems rely on computers. Most of those computers may be especially vulnerable, and their importance for controlling the critical infrastructure may make them an attractive target for cyberterrorists. SCADA systems, once connected to isolated networks using only proprietary computer software, now operate using more vulnerable commercial off-the-shelf software and are increasingly being linked directly to corporate office networks via the Internet. Many experts believe that most SCADA systems are inadequately protected against a cyberattack and remain persistently vulnerable because many organizations that operate them have not paid proper attention to their unique computer security needs (Wilson 2005, 10).
Denial-of-Service Attacks
Cyberterrorists may also use denial-of-service attack methods to overburden the computers of a government and its agencies. Denial-of-service (DoS) attacks are designed to make a computer or network of computers unavailable to its users. One common method of attack involves saturating the target machine with external communications requests, to the point that it cannot respond to legitimate traffic or responds so slowly as to be rendered essentially unavailable. On a networked computer, such attacks usually overload the server and affect all of its users.
If an attacker uses a single host to launch the attack, this approach is classified as a DoS attack. However, if an attacker uses the capabilities of many systems (such as botnets) to launch simultaneous attacks against another host, this is classified as a DDoS attack. For this purpose, the attack can use viruses or other malware to infect several unprotected computers and then take control of them. Once control is obtained, the terrorists can manipulate these infected computers to initiate the attack, such as by using botnets to send information or demand information in such large numbers that the victim’s server effectively collapses under the strain of processing the information. A stronger version of this attack, known as permanent denial-of-service (PDoS), can even damage a system so badly that the system’s hardware must be reinstalled or even replaced. Unlike a DDoS attack, which attempts to overload a system, a PDoS attack exploits security flaws that enable the attacker to gain control over the victim’s hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to modify, corrupt, or install defective firmware on the victim’s system—a process which, when done legitimately (such as to upgrade the device), is known as flashing. The corrupted firmware “bricks” the device, rendering it unusable for its original purpose and requiring the victim to repair or replace it, often at great expense.
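The two paragraphs above distinguish a DoS attack (one host saturating the target) from a DDoS attack (many hosts, typically a botnet, doing so together). The distinction matters to the defender because the response differs: a single flooding address can be blocked, while a distributed flood has to be absorbed or filtered upstream. The example below, added here and not taken from the chapter, shows how the two shapes can be told apart in a server's access log. It parses constructed log lines in an assumed `<ISO time> <client ip> <path>` format, buckets requests into fixed time windows, and labels each window by its request volume and by how that volume is spread across client addresses. The thresholds (`flood_threshold`, `min_sources_for_ddos`, `dominant_share`) are illustrative assumptions, not measured values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Verdict labels returned by analyze(); constants so callers can compare them.
NORMAL = "normal"
SINGLE_SOURCE = "single-source flood (DoS pattern)"
DISTRIBUTED = "distributed flood (DDoS pattern)"
MIXED = "flood, mixed sources"


def build_sample_log():
    """Constructed access-log lines ('<ISO time> <client ip> <path>'); not real traffic.

    Three 10-second windows: ordinary browsing, then one client hammering /login,
    then 40 clients in 203.0.113.0/24 each sending a few requests to /search.
    """
    base = datetime(2014, 3, 10, 12, 0, 0)
    lines = []
    for i in range(5):  # window 0: five clients, two requests each
        for j in range(2):
            t = base + timedelta(seconds=2 * i + j)
            lines.append(f"{t.isoformat()} 192.0.2.{10 + i} /index.html")
    for k in range(120):  # window 1: 120 requests from a single address
        t = base + timedelta(seconds=10 + k % 10)
        lines.append(f"{t.isoformat()} 198.51.100.7 /login")
    for s in range(40):  # window 2: 40 addresses, three requests each
        for j in range(3):
            t = base + timedelta(seconds=20 + (s + j) % 10)
            lines.append(f"{t.isoformat()} 203.0.113.{s + 1} /search")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client_ip, path)."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def analyze(lines, window_seconds=10, flood_threshold=60,
            min_sources_for_ddos=20, dominant_share=0.8):
    """Bucket requests into fixed windows and label each window.

    A window is a flood when its request count reaches flood_threshold.  If one
    client sent dominant_share or more of it, that is the single-host (DoS)
    shape; if at least min_sources_for_ddos distinct clients took part, it is
    the many-host (DDoS) shape.  Thresholds are illustrative, not tuned values.
    """
    records = [parse_line(line) for line in lines]
    if not records:
        return []
    origin = min(ts for ts, _, _ in records)
    per_window = defaultdict(Counter)
    for ts, ip, _ in records:
        idx = int((ts - origin).total_seconds() // window_seconds)
        per_window[idx][ip] += 1

    findings = []
    for idx in sorted(per_window):
        sources = per_window[idx]
        total = sum(sources.values())
        top_ip, top_count = sources.most_common(1)[0]
        share = top_count / total
        if total < flood_threshold:
            verdict, action = NORMAL, "none"
        elif share >= dominant_share:
            verdict, action = SINGLE_SOURCE, f"block or rate-limit {top_ip}"
        elif len(sources) >= min_sources_for_ddos:
            verdict, action = DISTRIBUTED, "per-client rate limit; engage upstream filtering"
        else:
            verdict, action = MIXED, "inspect manually"
        findings.append({
            "window": idx, "requests": total, "sources": len(sources),
            "top_source": top_ip, "top_share": round(share, 3),
            "verdict": verdict, "action": action,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The same volume (120 requests) produces two different verdicts: in window 1 one address accounts for everything, so a block on that address ends it; in window 2 each of the 40 addresses sends only three requests, so no per-address rule helps and the mitigation has to happen at the rate-limiting or upstream-filtering layer. In practice the per-address counts in a distributed flood are often indistinguishable from a legitimate client, which is exactly why the text calls such attacks hard to block.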
DDoS attacks became more commonly known in early 2000, when attackers managed successful strikes against popular websites such as CNN, Yahoo!, and Amazon. Although many years have passed since they first appeared in the mainstream, DDoS attacks are still difficult to block. Indeed, some DDoS attacks can be impossible to stop if they have sufficient resources behind them. It is estimated that at least 50 percent of Fortune 500 companies have been compromised by such attacks, and the potential financial damage to these organizations is almost impossible to quantify, but it is probably in the trillions of US dollars (Armerding 2012). In September 2012, DDoS attacks shut down the websites of Bank of America and JPMorgan Chase and crippled those of Wells Fargo, U.S. Bank, and PNC Bank. The Hamas-affiliated Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called “Operation Ababil.” The group has launched attacks in the past, albeit ones that were far less coordinated than their 2012 success. As a report on these attacks concluded: “No matter who is behind the attacks, if a terror group can so easily crash a major banking website, what’s next? Government systems like air traffic control? Or, critical infrastructure targets such as power grids? The prospects are mind-numbing, and frankly, scary” (Rothman 2012).
In April 2013, a jihadist who went by the name “Abu Obeida al-Masri” posted a videotaped tutorial for a program he developed to facilitate DDoS attacks against “Zionist-Crusader” websites, and invited fellow al-Qaeda supporters to join the “Electronic Islamic Army.” Al-Masri asked members to join the Electronic Islamic Army’s Facebook page and download the DDoS program, explaining that while such attacks are old-fashioned and simple, they are effective and difficult to stop. On the forum, Al-Masri gave detailed instructions, with pictures, on how to use the program, and on April 21 he uploaded a video tutorial to YouTube in which he used Facebook as an example of a targeted site. He told supporters: “I pray to Allah that this work be for Allah’s countenance and to benefit us all, and to make you and I a reason for the removal of the nation of disbelief, and to make us and you a thorn in the throat of the disbelievers and their helpers from among the tyrannical apostates. I remind you: Determination, determination, words for actions, and you are only responsible for yourself. Choose for yourself a field so that Allah will make you one of the knights. Don’t neglect action, but neglect discouragement and sitting down. Wait for everyone to react to the action. We don’t want slogans; instead, our slogan is action” (SITE Monitoring Service 2014b).
Cyber 9/11? The Likelihood of Cyberterrorism
The cyber terrorism threat is real, and it is rapidly expanding.
—FBI Director Robert S. Mueller III, Cyber Security Conference, March 4, 2010
On January 29, 2014, Director of National Intelligence James R. Clapper Jr. presented the 2014 annual US intelligence community worldwide threat assessment in congressional testimony. In the published report, Clapper provided a thorough review of the status of possible threats from a wide variety of nations and terror groups. The report highlighted that critical cyber threats are converging:
In the past several years, many aspects of life have migrated to the Internet and digital networks. These include essential government functions, industry and commerce, health care, social communication, and personal information.… We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue. Further, we assess that the likelihood of a destructive attack that deletes information or renders systems inoperable will increase as malware and attack tradecraft proliferate. (Clapper 2014 [emphasis in original])
In the past, it was assumed that although terrorists were adept at spreading propaganda and attack instructions on the Internet, their capacity for offensive computer network operations was limited. Thus, in 2009 the FBI reported that cyberattacks attributed to terrorists were largely limited to unsophisticated efforts such as email bombing of ideological foes, DoS attacks, or defacing of websites. However, the FBI report also noted that terrorists’ increasing technical competency could result in an emerging capability for network-based attacks. The FBI predicted that terrorists will either develop or hire hackers to complement future large conventional attacks with cyberattacks: “As shocking as 9/11 was to the nation, it was only a small breach compared to the systemic threats we face today,” said former National Security Agency director Michael McConnell in a 2009 interview. “When the terrorists get smarter, they won’t even need to come to our shores to create the kind of havoc and turmoil they did by flying planes into the Twin Towers. They will be able to do it from their laptops from overseas” (Gardels 2009). Clapper’s 2014 remarks highlight the shift in thinking since the FBI’s report five years earlier.
Continuing publicity about computer security vulnerabilities may encourage terrorists’ interest in attempting cyberattacks. Take, for example, the case of Stuxnet. The threat of terrorist cyberattack became more plausible after the 2009 discovery of Stuxnet, a powerful computer worm used to attack Iran’s nuclear program. The worm damaged Iran’s nuclear centrifuges by causing them to spin too fast while feeding false readings to the plant operators. The worm’s creator has not been officially identified, though reports have alleged that the United States and Israel were behind the attack. Stuxnet could have a similar effect on other targets, and US officials expressed concern that the worm could be used by terrorists and their supporters. The US Department of Homeland Security (DHS) told Congress that it feared that the same attack could now be used against critical infrastructures in the United States and that the DHS “is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems. Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now” (Zetter 2011).
The Iranian nuclear program has not been the only victim of malicious computer code. In April 2012, cyberterrorists used a deadly computer virus to attack the information network of Aramco, the Saudi oil company. The virus, which annihilated all of the data on 35,000 desktop computers, also displayed the image of a burning American flag on the screens of the infected computers. A group called the Cutting Sword of Justice claimed credit for the attack (Dorgan 2013). In 2012 alone, NATO suffered around 2,500 cyberattacks on its networks, according to the alliance’s secretary general (Farmer 2013). In March 2013, American Express customers trying to gain access to their online accounts were met with blank screens or an “ominous ancient type face” (Perlroth and Sanger 2013). The company confirmed that its website had been attacked. The assault was the latest in an intensifying campaign of unusually powerful attacks on American financial institutions that have taken dozens of them offline intermittently, costing millions of dollars. Similar attacks took JPMorgan Chase offline and incapacitated 32,000 computers at South Korea’s banks and television networks (Perlroth and Sanger 2013).
Some terrorist hackers have moved beyond attacks on government and corporate targets and set their sights on online media. In May 2013, computer hackers hijacked the Twitter account of the Associated Press and sent a tweet stating that there had been two explosions at the White House and that President Barack Obama was injured. Within two minutes, the stock market dropped by 143 points. The Syrian Electronic Army later claimed credit for the attack. In August 2013, media companies including Twitter, the New York Times, and the Huffington Post lost control of some of their websites after hackers supporting the Syrian government breached the Australian Internet company that manages many major site addresses. Tweets from the Syrian Electronic Army claimed credit for the Twitter and Huffington Post attacks, and electronic records showed that NYTimes.com, the only site with an hours-long outage, redirected visitors to a server controlled by the Syrian group before it went down (Shih and Menn 2013).
Recent considerations of cyberterrorism have stressed the seriousness of the problem. As Meg King, the national security adviser to Jane Harman, director, president, and CEO of the Woodrow Wilson International Center for Scholars, argued:
Many information technology experts suggest that terror groups aren’t now—and might never be—capable of carrying out an act of cyberterror.… But recent plots and propaganda suggest that the motive exists and the know-how is growing. Cyberterror is just around the corner: It could be a physical attack on the Internet’s infrastructure, as attempted in London in 2007, that could halt important financial traffic. Or it might be an attack on a system controlling critical infrastructure—from oil refineries and nuclear plants to transportation networks. And we aren’t prepared. (King 2014)
If terrorists want to surpass the magnitude and impact of 9/11, it seems that a catastrophic cyberattack may be their only option. Are they aware of it, and are they interested in launching such an attack?
The Growing Interest of Terrorists in Cyberattack
“Hacking on the Internet is one of the key pathways to Jihad, and we advise the Muslims who possess the expertise in the field to target the websites and the information networks of big companies and government agencies of the countries that attack Muslims, and to focus on the websites and networks that are managed by the media centers that fight Islam, Jihad, and mujahideen.”
—Al-Qaeda video, “You Are Held Responsible Only for Thyself—Part 2,” posted online on June 3, 2011
It is difficult to determine whether or which terrorist groups are capable of launching an effective cyberattack. However, there is growing evidence that modern terrorists are seriously considering adding cyberterrorism to their arsenal, as indicated by the widely cited statement by Frank Cilluffo of the Office of Homeland Security: “While bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse.” Cyberterrorism expert Dan Verton, for example, argues that “al-Qaeda has shown itself to have an incessant appetite for modern technology” (Verton 2003, 93) and provides numerous citations from Osama bin Laden and other al-Qaeda leaders that show their recognition of this new cyberweapon. In the wake of the September 11 attacks, bin Laden reportedly gave a statement to Hamid Mir of the Pakistan newspaper Ausaf indicating that “hundreds of Muslim scientists were with him who would use their knowledge … ranging from computers to electronics against the infidels” (quoted in Verton 2003, 108). Captured literature indicates that many al-Qaeda members are well educated and familiar with engineering and other technical areas (Spring 2004). In November 2001, when al-Qaeda fighters fled from a US attack on their base in Kabul, Afghanistan, they left behind documents and other information that exposed the degree to which some al-Qaeda operatives had been educated and trained in the use of computer systems (Davis 2002). One captured al-Qaeda computer contained engineering and structural architecture features of a dam, which had been downloaded from the Internet and would enable al-Qaeda engineers and planners to simulate catastrophic failures. US investigators also found evidence on other captured computers showing that al-Qaeda operators had spent time on sites that offer software and programming instructions for the digital switches that run power, water, transportation, and communications grids (Weimann 2008f).
Extremist groups that use and operate online platforms have also shown a significant increase in the level of their technical sophistication. In 2002, the Central Intelligence Agency (CIA) stated in a letter to the US Senate Select Committee on Intelligence that cyberwarfare attacks against the US critical infrastructure would become a viable option for terrorists as they became more familiar with the technology required for the attacks. Also according to the CIA, various groups (including al-Qaeda and Hezbollah) are becoming more adept at using the Internet and computer technologies, and these groups could possibly develop the skills necessary for a cyberattack (Verton 2003, 87). Later, FBI director Robert Mueller testified before the Senate Select Committee on Intelligence that terrorists show a growing understanding of the critical role of information technology in the US economy and have expanded their recruitment to include people studying math, computer science, and engineering.
This technological familiarity encompasses more than simple computer know-how. A 2006 study of more than 200,000 multimedia documents on 86 sample websites concluded that extremists exhibited similar levels of web knowledge to US government agencies, and that the terrorist websites employed significantly more sophisticated multimedia technologies than US government websites (Qin et al. 2007). In 2010, “The Brigades of Tariq ibn Ziyad,” a jihadist group with the stated goal of using cyber capabilities to penetrate US Army networks, launched a massive malware attack designed to impact businesses and government agencies. This particular attack was ideologically based, reinforced by the official video comment, “Listen to me about my reasons for the 9 September virus that affected NASA, Coca-Cola, Google, and most American [names]. What I wanted to say is that the United States doesn’t have the right to invade our people and steal the oil under the name of nuclear weapons.” Ominously, the creator of the video noted that the virus “wasn’t as harmful as it could have been” (Greenberg 2010).
The monitoring and analysis of terrorist online chatter certainly reveal a growing interest in cyberattacks. In November 2011, a British government report on cybersecurity indicated that British intelligence had picked up “talk” from terrorists planning an Internet-based attack against the United Kingdom’s national infrastructure. Indeed, the terrorist chatter reveals such interest: for example, a prominent jihadist not only suggested cyberattacks but also expressed interest in organizing a center for jihadists who have expertise in hacking, networking, and programming languages. The jihadist, “Yaman Mukhdhab,” posted his call for establishing an e-jihad center on the Shumukh al-Islam forum on June 11, 2011. Concerning cyberattacks, the posting highlights such attacks as a way to inflict massive damage on the economy of an enemy country, and notes that the United States is ill-prepared for an attack on its electrical grid, for example. Mukhdhab outlined the mission and requirements for the e-jihad center and stressed that only the “masters of disbelief”—France, the United Kingdom, and the United States—are to be targeted. He gave a priority list of targets in these countries, noting that SCADA systems that monitor industrial and infrastructure processes are at the top of the list, followed by systems that manage financial sites and companies, and sites in general that are connected with the “daily activities of the ordinary citizen.” Mukhdhab provided forum members with a list of 19 categories for further study, including understanding SCADA systems, having fluency in machine and assembly languages, and having knowledge of websites frequented by hackers. He asked that they volunteer for only those categories in which they have expertise (Macdonald 2011).
The self-proclaimed Izz ad-Din al-Qassam Cyber Fighters, which successfully hit numerous major financial targets with DDoS attacks in September 2012, declared its future plans to continue its cyberterrorism campaign. In December 2012, the group announced that it will launch “phase 2” of its campaign to hack banking and financial websites, and named Bank of America, JPMorgan Chase, PNC, SunTrust, and US Bancorp as targets. The Cyber Fighters stated: “In [this] new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks” (SITE Monitoring Service 2012a). Later, in a message posted on its Pastebin.com account on January 1, 2013, the Cyber Fighters reported that in the past few weeks of the second phase of its “Operation Ababil,” it had attacked the websites of JPMorgan Chase & Co, Bank of America Corp, Citigroup Citibank, Wells Fargo & Company, US Bancorp, PNC Financial Services Group, BB&T Corporation, SunTrust Banks, and Regions Financial Corporation. The Cyber Fighters stated: “We, like most people in the United States, are banks’ customers and we do not desire to disrupt the banks’ financial transactions. But the American profiteer rulers’ insistence and persistence in disregarding this reasonable demand of all Muslims of the world and not taking an action to remove this offensive film shows these tyrants insist that continue to insult Muslim saints.… So due to this irrational insistence on continuing the insults, it seems we should accustom ourselves to disruption in banking” (Kovacs 2013b).
In April 2013, a hacking group calling itself the “al-Qaeda Electronic Army” released a video threatening to attack America’s “vital sectors” if the US government did not withdraw its soldiers from Muslim lands. The video, titled “Message from Ahmad bin Laden to the White House,” was uploaded to YouTube (SITE Monitoring Service 2013a). A fellow hacking group, the “Tunisian Cyber Army,” posted the video on its Facebook and Twitter pages and notified users that the threat is part of an upcoming operation dubbed “Black Summer” (Kovacs 2013a).
Terrorist Capabilities for Cyberattacks
The capability to launch cyberattacks against critical infrastructure using cyber resources is demonstrable and observable by looking at numerous past attempts and even successes. But do terrorists have the capabilities and the intent to apply the digital weaponry? As this chapter has revealed, terrorist organizations are realizing the value of the Internet both as a means of accomplishing their goals and as an objective in itself. In other words, the Internet can be seen as both a weapon and a target for cyberwarfare. In his analysis of existing jihadist cyberattack capabilities, Christopher Heffelfinger (2013, 1) argues that:
The current pool of jihadist hackers is youthful, ambitious in its goals, and largely lagging in terms of its technical capabilities. This is best illustrated by the fact that these hackers have carried out few effective large-scale attacks to date. Jihadist hacktivists remain a loosely to [sic] disorganized set of individual hackers who form and disband hacking groups they create, and frequently enter into counterproductive rivalries with fellow hackers. Perhaps as a result, despite more than seven years of efforts to construct and recruit for jihadist hacking attacks via online forums, they have yet to form a jihadist hacking group that can demonstrably perform effective cyber attacks.
However, as Heffelfinger notes, jihadist-inspired hackers have a range of skillsets, leadership abilities, and hacking experience, and some of them have carried out small- to medium-scale cyberattacks against US government and private sector targets, with moderate impact in terms of data loss and exposure. Compared with hackers sponsored or controlled by state actors, jihadi hackers are clearly behind in terms of the impact of their attacks, their technical skillset, and their overall organizational and recruitment abilities. Their hacking activities frequently include website defacements, wherein the attackers leave antagonistic imagery and comments on the victimized websites. However, the activities of some jihadist hackers indicate a gradual sophistication of attack modes and intended attack impacts, occurring alongside a growing contingent of young jihadist enthusiasts who see cyberattacks as an increasingly effective and relatively easy way to fight the West. As Heffelfinger (2013, 2) concludes,
While jihadist-themed cyber attacks have been modest and often rudimentary over the past decade, the advancement and ambitions of certain jihadist hacking groups, individual hacktivists and proponents of cyber jihad over the past one to two years give some cause for concern in this area, particularly as those adversaries are growing more adept at identifying vulnerabilities in U.S. and other government targets, as well as those in the private sector.… The continuance of vulnerable attack targets and the likely increase in Islamist hacking activity in the near term combine to form a potentially challenging security environment for U.S. and other Western governments and private companies.
Many terrorist groups are reportedly building a massive and dynamic online library of training materials, many of which are supported by subject-matter experts who answer questions on message boards or in chatrooms. This online library covers many areas, including cyberterrorism. One online forum popular with supporters of terrorism (called Qalah, or “Fortress”) has a discussion area called “electronic jihad” in which potential al-Qaeda recruits can find links to the latest computer-hacking techniques. Imam Samudra, who was convicted and sentenced to death for taking part in the 2002 bombings of two Bali nightclubs, wrote a book titled Aku Melawan Teroris (I Fight the Terrorists). In this 2004 book, Samudra advocated that Muslim youth actively develop hacking skills “to attack U.S. computer networks.” Samudra names several websites and chat rooms as sources for increasing hacking skills (Rollins and Wilson 2007, 15).
The real threat appears to come from hackers linked with state sponsors of terrorism. In April 2004, the US Department of State listed seven designated state sponsors of terrorism: Cuba, Iran, Iraq, Libya, North Korea, Syria, and Sudan (Perl 2004). Some of these countries may be involved in sponsoring and promoting cyberterrorism, and others already are. There are cyberterrorists linked with Iran, Iraq, North Korea, and Syria. Today, Iran is one of the world’s most notorious sponsors of terror groups like Hezbollah, Hamas, Palestinian Islamic Jihad, the al-Aqsa Martyrs’ Brigades, and various militant groups in Iraq. As cyberterrorist efforts begin to look more fruitful, Iran is working to develop the virtual capacities of its proxies. This currently means sending computer and network equipment, security packages, and relevant software, but it also could mean in-person training of cyberterrorists in Iran or by skilled Iranian cyberteams.
The Syrian government, for example, is certainly behind a series of cyberattacks launched by the Syrian Electronic Army hackers’ group. According to the group’s website, the Syrian Electronic Army was created in 2011 “when the Arab media and Western [media] started bias in favor of terrorist groups that have killed civilians [and] the Syrian Arab Army, and [destroyed] private and public property” (Syrian Electronic Army 2014). The attacks it has carried out since the start of its operation demonstrate that its mission is to advance Syrian interests through the use of cyberattacks. It is not involved in protecting Syrian websites or computer systems, but rather chooses to execute attacks against those it considers to be domestic and foreign enemies of Syria. The group’s various activities attest to its central targets: government officials in countries throughout the region, Western and Arab media outlets, and recently even Internet media applications. In addition to its hacks on the Associated Press Twitter account and the CNN, Time, and Washington Post websites, in 2013 the Syrian Electronic Army hacked numerous high-profile social media accounts and websites associated with major news and human rights organizations: on January 9, the Saudi Defense Ministry and other Saudi government websites; on March 17, Human Rights Watch; on March 21, the BBC; on April 16, NPR; on April 21, CBS; on April 23, AP, as mentioned above; on April 29, the Guardian; on May 17, the Financial Times; on May 26, Sky’s Android apps and Twitter account; and in July, @Thomsonreuters, Truecaller, Tango, and Viber, and the Twitter accounts of several White House staffers (Stalinsky and Sosnow 2013b).
Though there is no explicit known connection between the Syrian Electronic Army and the Syrian regime, the regime is believed to be behind the group’s activities and has recognized its legitimacy. The Syrian Computer Society, which was headed by Bashar al-Assad before he became president in 2000 (and which is Syria’s domain registration authority), is also believed to be connected to Syria’s state security apparatus. In a June 2011 speech at Damascus University, President Assad compared online warriors to his military: “The army consists of the brothers of every Syrian citizen.… Young people have an important role to play at this stage, because they have proven themselves to be an active power.” He added, “There is the electronic army, which has been a real army in virtual reality” (“Syria: Speech by Bashar al-Assad” 2011).
The link between terrorists and hackers presents another alarming scenario. As Eric Schmidt and Jared Cohen (2013, 39) predict regarding the rise of terrorist-hackers,
Sudden access to technology does not in and of itself enable radicalized individuals to become cyber terrorists. There is a technical skills barrier that, to date, has forestalled an explosion of terrorist-hackers. But we anticipate that this barrier will become less significant as the spread of connectivity and low-cost devices reaches remote places.… Hackers in developed countries are typically self-taught, and because we can assume that the distribution of young people with technical aptitude is equivalent everywhere, this means that with time and connectivity, potential hackers will acquire the necessary information to hone their skills. One outcome will be an emergent class of virtual soldiers ripe for recruitment. Whereas today we hear of middle-class Muslims living in Europe going to Afghanistan for terror-camp training, we may see the reverse in the future. Afghans and Pakistanis will go to Europe to learn how to be cyber terrorists.
Terrorist groups, as well as governments and security agencies, are trying to recruit cybersavvy specialists and hackers to fight for their side. Recognizing how a cadre of technically skilled programmers enhances their destructive capacities, terrorists will increasingly target engineers, students, programmers, and computer scientists at universities and companies, building out the next generation of cyberwarriors. Such attempts have been recorded in the past and are only becoming more serious. In April 2012, FBI director Robert S. Mueller warned that “[t]errorists have shown interest in pursuing hacking skills and they may seek to train their own recruits or hire outsiders, with an eye toward pursuing cyberattacks. These adaptations of the terrorist threat make the F.B.I.’s counterterrorism mission that much more difficult and challenging” (quoted in Schmidt 2012). Indeed, it is hard to persuade someone to become a cyberterrorist, given the legal consequences, but money, ideology, religion, and blackmail will continue to play a large role in the recruitment process. As Schmidt and Cohen (2013, 162) noted, “Unlike governments, terrorist groups can play the antiestablishment card, which may strengthen their case among some young and disaffected hacker types. Of course, the decision to become a cyber-terrorist is almost always less consequential to one’s personal health than signing up for suicide martyrdom.”
Finally, the most threatening combination may be the emerging combination of state-terrorists-hackers. This triangle is not just viable, but in fact is already functional. Iran, for example, has produced a number of well-known hacker groups since the Internet was first introduced to the public in 2000 (Wheeler 2013). Today, Iran’s Cyber Force is one of the most powerful in the world. Its cyberwarriors have executed a number of crippling attacks and belong to an extensive and secretive network of hackers, some of which cannot be traced to any one particular group. The majority of attacks stemming from Iran are DDoS attacks targeted at US banking institutions, including Wells Fargo, Bank of America, PNC, and Citigroup Citibank. The Iranian Revolutionary Guard first proposed the establishment of the Iranian Cyber Army (ICA) in 2005, but its implementation was accelerated as media attacks against the Ahmadinejad administration grew. Because of the ICA’s development, Iran’s cyber capabilities increased dramatically in a short number of years. The ICA began to make its presence known in late 2009, after the Stuxnet virus attack on Iranian nuclear facilities. In response to these attacks, Iranian officials focused on developing cyberdefensive measures, but also have explored more offensive measures. In 2009, the American security and military institute Defense Tech included Iran among the top five in its list of the most powerful countries in terms of cyber force. Defense Tech also stated that the ICA was a subdivision of Iran’s Revolutionary Guard cyber team, with an annual budget of $76 million and more than a billion-dollar investment in infrastructure. The ICA also enjoys access to a large pool of talented hackers (Wheeler 2013).
Since its creation, the ICA has launched numerous cyberattacks. In December 2009, the ICA attacked Twitter, making it inaccessible in some countries and redirecting the users to an English-language webpage, which contained the following message: “This site has been hacked by the Iranian Cyber Army.… The USA thinks they control and manage Internet access, but they don’t. We control and manage the internet with our power …” (Beaumont 2009). In February 2011, the ICA attacked the Voice of America’s website, replacing its Internet home page with a banner bearing an Iranian flag and an image of an AK-47 assault rifle. It left a message on the Voice of America sites that stated, “We have proven that we can.” It also called on the United States to stop interfering in Islamic countries. Later, an Iranian government official announced that the Iranian Revolutionary Guard Corps was behind a recent computer attack that disrupted Voice of America Internet programming (Gertz 2011). In 2011, the ICA reportedly hacked into 500 Internet security certificates and then used them to attack around 300,000 Iranian Internet users. According to the Dutch government, attackers stole the certificates from DigiNotar, a Dutch web security firm. The Dutch Justice Ministry published a list of the users of fake certificates that were sent to sites operated by Yahoo!, Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress, and intelligence agencies (Associated Press 2011).
In June 2013, Israeli prime minister Benjamin Netanyahu told a conference on cyberwarfare that Israel’s computer systems are subject to nonstop cyberattacks from Iran. He claimed that critical infrastructure, including that in the power, water, and banking sectors, has all come under cyberattack. He added, “In the past few months, we have identified a significant increase in the scope of cyber-attacks on Israel by Iran. These attacks are carried out directly by Iran and through its proxies, Hamas and Hezbollah” (quoted in Heller 2013).
In an escalation of Iranian cyberintrusions targeting the US military and critical infrastructure, in September 2013, US officials reported that Iran hacked unclassified Navy computers. The officials said that the attacks were carried out by hackers working for Iran’s government or by a group acting with the approval of Iranian leaders. Later, in February 2014, it was reported that the attacks were more extensive than first thought: the cyberattack targeted the Navy Marine Corps Intranet, which is used by the Navy Department to host websites; store nonsensitive information; and handle voice, video, and data communications. The Wall Street Journal reported that the hackers were able to remain in the network until November 2013. Thus, it took the Navy about four months to finally purge the hackers from its biggest unclassified computer network (Gorman and Barnes 2014). Also in 2013, it was reported that Iranian hackers were able to gain access to control-system software that could allow them to manipulate American oil or gas pipelines (Kumar 2012). Control systems run the operations of critical infrastructure, regulating the flow of oil and gas or electricity, turning systems on and off, and controlling key functions. The hacking campaign, which the United States believes has direct backing from the Iranian government, focused on the control systems that run oil and gas companies and, more recently, power companies, current and former officials said (Gorman and Yadron 2013).
The threat of cyberterrorism is certainly alarming and dreadful. However, in the virtual war between terrorists and counterterrorism forces and agencies, the actions that the terrorists themselves have taken can suggest possible countermeasures. These countermeasures, both technological and psychological, are the subject of the following chapters.