Australia's Leading Computer Emergency Response Team

Putting cyberterrorism into context
Date: 24 October 2003
Original URL: http://www.auscert.org.au/render.html?cid=2997&it=3552


by Kathryn Kerr

With the growth of the Internet in both its size and functionality from the 1970s through to the present, we have seen a massive change in both the nature of the threats and the level of malicious attack activity directed against Internet-connected systems.

During the last decade, broad sections of government and industry have embraced the Internet as a generally reliable and cost-effective platform for business critical communication and services. During the same period, with increased exposure to and dependence on Internet connectivity and dependent services, government, media and the public have also increasingly given more attention to the potential threat of cyberterrorism to these Internet-connected systems, particularly for the critical information infrastructures of nation states. In this regard, Australia is no different from most affluent and technology dependent nations.

For some time now (even dating back to the Gulf War in 1991) there has been a heightened level of interest in the potential threat of cyberterrorism, coupled with an unhelpful amount of hype and misinformation surrounding the use of the term.

Part of the problem is one of definition - there are broadly different definitions as to what actually constitutes 'cyberterrorism'. There are a number of well-accepted definitions which share common elements and are outlined below. But increasingly, there are a number of loose definitions which are promulgated to encourage the purchase of particular computer security products or services, or to generate interest in a media story. If these definitions are not clearly articulated, an uninformed reader or viewer may rely on their own, possibly misinformed, understanding of the nature of the threat of cyberterrorism. As long as the term 'cyberterrorism' continues to be used loosely and inconsistently, misinformation and hype associated with the threat will remain.

The purpose of this article is to present a legitimate definition of 'cyberterrorism' and identify some common misuses of the term. Once we are clear about accepted uses of the term, we will then provide an assessment of the threat of cyberterrorism for Australian networks and compare this threat with other existing cyber threats.

Definition

Before defining 'cyberterrorism' it is necessary to define and understand what we mean by 'terrorism' - after all, there should be similarities between the usage of the two terms. The United States' State Department defines terrorism as politically motivated acts of violence against non-combatants. [3]

In Australia, the recently enacted Security Legislation Amendment (Terrorism) Act 2002 defines a terrorist act to mean:

an action or threat of action where:

(a) the action falls within subsection (2) and does not fall within subsection (2A); and
(b) the action is done or the threat is made with the intention of advancing a political, religious or ideological cause; and
(c) the action is done or the threat is made with the intention of:

(i) coercing, or influencing by intimidation, the government of the Commonwealth or a State, Territory or foreign country, or of part of a State, Territory or foreign country; or
(ii) intimidating the public or a section of the public.
(2) Action falls within this subsection if it:
(a) causes serious harm that is physical harm to a person; or
(b) causes serious damage to property; or
(c) causes a person's death; or
(d) endangers a person's life, other than the life of the person taking the action; or
(e) creates a serious risk to the health or safety of the public or a section of the public; or
(f) seriously interferes with, seriously disrupts, or destroys, an electronic system including, but not limited to:
(i) an information system; or
(ii) a telecommunications system; or
(iii) a financial system; or
(iv) a system used for the delivery of essential government services; or
(v) a system used for, or by, an essential public utility; or
(vi) a system used for, or by, a transport system.
(2A) Action falls within this subsection if it:
(a) is advocacy, protest, dissent or industrial action; and
(b) is not intended:
(i) to cause serious harm that is physical harm to a person; or
(ii) to cause a person's death; or
(iii) to endanger the life of a person, other than the person taking the action; or
(iv) to create a serious risk to the health or safety of the public or a section of the public.
[4]
In a study of 109 academic and official definitions of terrorism, three common elements were identified:
  • the use of violence
  • political objectives
  • the purpose of sowing fear within a target population [5]

For cyberterrorism to apply, these same elements should also exist as they do in the following definitions:

  1. According to the US Federal Bureau of Investigation:
    Cyberterrorism is any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents. [6]

  2. A definition of cyberterrorism proposed by the US National Infrastructure Protection Center is
    a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda. [7]

  3. Dorothy Denning defines cyberterrorism as
    unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. [8]

  4. James A. Lewis, Center for Strategic and International Studies (2002), defined cyberterrorism as
    the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population. [9]

Interestingly, two of the definitions (2 and 4) specify that computer systems or telecommunication capabilities are used to conduct cyberterrorist attacks. The other two definitions (1 and 3) only specify that computer and information systems are the targets of cyberterrorist attacks. Arguably both elements should apply. While an information system can be attacked in any number of ways (eg, conventional methods involving bombing, arson, etc), for an act to be classed as cyberterrorism, the attacker must use information systems or other electronic means to launch the attack (just as the term 'bioterrorism' applies where the method of attack is a toxic biological agent).

Cyberterrorism is but one form of cyber attack. Too often the terms cyberterrorism and cyber attack are used interchangeably, which may result in a misunderstanding of the cyber threat in general and the threat of cyberterrorism in particular. These definitions demonstrate that for cyberterrorism to be perpetrated there are at least three elements which must be satisfied in order to distinguish a cyberterrorist attack from an ordinary cyber attack. Denning notes that politically motivated cyber attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples of cyberterrorism. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not. [12] Most cyber attacks in Australia, even 'serious' ones, will be offences under the Commonwealth Cybercrime Act 2001 or similar State legislation rather than offences under the Security Legislation Amendment (Terrorism) Act 2002.

To date, there is no known publicly reported incident of cyberterrorism in the world that meets the first three definitions outlined above. The fourth definition has been met, but only in so far as there have been several serious cyber attacks against critical information infrastructures; these are not assessed to be politically motivated [13].

What cyberterrorism is not

In contrast to the above definitions, cyberterrorism has been used improperly to refer to the use of:
  • encryption technologies for secure electronic storage of data and communication by and between supporters/members of known terrorist groups;
  • various forms of electronic communications (web sites, email etc) for the purposes of recruiting supporters, organising and communicating the messages (propaganda) of known terrorist groups;
  • the occasional use by known terrorist groups of cyber attack techniques which are incapable of causing bodily harm, fear or serious economic damage; and
  • the occurrence of port scans from countries considered to sponsor terrorism or which harbour known terrorist groups.

What is the threat of cyberterrorism?

Assessments of the threat of cyberterrorism require an assessment of the intent and capability of attackers to cause fear and/or physical harm through cyber attack techniques. Except perhaps for national security agencies which are tasked with collecting and analysing intelligence about terrorist threats, there are few who are able to comment authoritatively on the intent or capability of known terrorist groups to conduct acts of cyberterrorism.

Notwithstanding this, there are, however, some factors which are relevant to an assessment of the threat.

  1. Terrorists by and large are not innovators

    Despite a relatively long history of terrorism, to date terrorists' modus operandi mostly has involved the threat of physical harm; actual maiming or killing of people; and damage to property. In the vast majority of cases, terrorists have used conventional methods which involve the use of affordable, accessible and volatile substances, eg improvised explosive devices or weaponry. Less often non-conventional methods have been used such as the Aum Shinrikyo sarin gas attack on the Tokyo subway in 1995. [14] But through the use of a chemical weapon, Aum Shinrikyo still sought to cause physical harm to a large group of people - necessary for instilling fear within a target population.

  2. Terrorist attacks on critical infrastructures have used conventional methods of attack

    Terrorists have frequently targeted critical infrastructure, and sometimes this has been to cause disruption only. For example, during the 1990s, some of the operations planned and conducted by the Provisional Irish Republican Army were assessed to have the primary goal of causing damage and disruption to critical infrastructures while minimising harm to people. Two examples are the October 1992 weekend bombing of the Square Mile financial district of London [16] and the planned bombing of six substations of the London power grid in 1997. [15]

    At other times terrorists have targeted critical infrastructures, including critical information infrastructures, to maximise disruption in addition to generating fear through deliberate attacks on human life (as occurred with the World Trade Center attacks). World-wide there have been numerous cases of conventional methods used to attack critical information and other infrastructures. [17]

  3. Cyber attack as a tool for terrorism has limitations and would not be regarded as the tool of choice by most terrorists

    • Uncertainty of attack impact

      A computer network attack on a critical information system such as a Supervisory Control and Data Acquisition (SCADA) system that controls devices which provide essential services such as power or gas may potentially cause a harmful and unwanted incident that could seriously damage property or endanger lives. This is the essential concern associated with a cyberterrorist attack. While this is a possibility, unless the attacker has an intimate knowledge of the system being targeted, the best an attacker can expect is that the impact will be unknown or unreliable. Add to this the ability of network operators to manually override critical systems in the event of a malfunction, or for fail-safe mechanisms to be triggered, and it is more difficult for an attacker to be certain his actions will achieve the desired result. By contrast, the impact of a conventional attack, on a critical information system or other target, is immediate and unequivocal and would require significantly less knowledge of the inner workings of the system itself [19].

    • Recovery from a cyber attack is likely to be quicker and easier

      A computer network or electronic attack on critical computer control systems, such as SCADA systems, requires the attacker to manipulate data within that system to affect the way the systems controlled by the attacked system function. Once a computer network attack has been detected and diagnosed, corrections can usually be made to prevent further damage and compromise to the system itself and to the systems it controls. Recovery from a computer network attack on a critical information system can occur more quickly than from a conventional attack - perhaps requiring a reinstall of the operating system or other critical applications, restoration from back-up files, or additional network hardening. By contrast, a conventional attack will usually involve serious physical damage and require the rebuilding of complex pieces of equipment and facilities, which is likely to take considerably more time and resources than would be needed to recover from the system changes due to a cyber attack. If recovery is able to occur quickly then, from a terrorist perspective, the attack may be less effective as a means of instilling fear or causing serious damage [18].

    • Plausible deniability

      "Plausible deniability" in the context of cyber attacks generally refers to the ability of an attacker to conceal the true source of the attack, ie to plausibly deny they did it [20]. But 'plausible deniability' may also extend to the attacked site. In the event a critical service disruption or malfunction occurs due to a cyber attack, without evidence of clear physical damage, operators may plausibly deny that the cause of the disruption or malfunction was a cyber attack. The detection and correct diagnosis of a cyber attack relies on the examination and analysis of largely hidden computer forensic evidence (assuming it is collected and retained for examination). By contrast, conventional attacks exhibit clear observable physical evidence that an attack took place; denying it would be more difficult, if not infeasible. Regardless of how successful a cyber attack may prove to be in causing serious disruption to critical services or serious economic damage, without the targeted population being aware that the disruption was the result of a terrorist operation, the incident loses its ability to generate fear and be an effective tool of terror, and becomes indistinguishable from other prolonged disruptions to essential services that have occurred in Australia and elsewhere.

  4. Vulnerability of critical information systems to cyber attack

    Finally, an assessment of the threat of cyberterrorism depends on the extent to which critical information systems are vulnerable to cyber attack. The greater their perceived and actual vulnerability, the more likely a terrorist may consider or experiment with cyber attack and the easier an attack will be. In theory, if the systems are recognised as being critical then the owners and operators of these systems should seek to mitigate the risk by protecting against cyber attacks to these systems - not only from cyber terrorists, but from others who may hold greater intent and capability to conduct attacks, including disgruntled employees or contractors, competitors, or ordinary hackers (attackers), or possibly nation states with identified information warfare programs during times of war.

    If critical information infrastructures are being protected to the extent required of a critical system, ie commensurate with the risk, then the opportunities for targeting these systems by terrorists or others should theoretically be low. (Admittedly, "should be" and "will be" are not the same, and this assumption may not apply to all critical systems. There have been an increasing number of reports claiming that some SCADA and other critical information systems are vulnerable to cyber attack [21], but this, while relevant, is beyond the scope of the current paper.)

What is the threat of other forms of politically-motivated cyber attacks?

During recent international conflicts or events and particularly since the emergence of the world wide web in the early 90s, politically motivated cyber attack activity or 'hacktivism' has been used as a form of protest around the world. But in comparison to other cyber attacks, it occurs less often. Politically motivated cyber attacks were launched during the Balkans conflict, during globalisation talks and in response to the Bali bombings, to name just a few examples [22].

Politically motivated cyber attacks, as a form of protest, usually involve web site defacements (with a political message) or some types of denial of service (DoS) attack, and are usually conducted by loosely organised hacker groups or individuals with hacker skills who are sympathetic to a particular cause or who align themselves with a particular side in a conflict. For example, the downing of a US spy plane in Chinese airspace resulted in an increase in attacks from both Chinese and US hackers (mostly web site defacements) who were apparently displeased with 'the other side' [23]. Another example occurred in 1997, when a group aligned with the Liberation Tigers of Tamil Eelam (LTTE) reportedly swamped Sri Lankan embassies with 800 e-mails a day over a two-week period. The messages read "We are the Internet Black Tigers and we're doing this to disrupt your communications." [10] While the cyber attack was politically motivated, from the outset the attack was incapable of harming people or property or instilling fear into the target population. Its impact was primarily designed to cause disruption to the Sri Lankan embassies' email operations, but with alternative forms of electronic communications available to the embassies, in all likelihood the attack did not have a serious impact on critical lines of communication.

While DoS attacks have been used as a form of political protest, they are most effective when the attacker publicly advertises the reason for the attack, eg through virtual sit-ins which invite participation from ordinary Internet users as a form of political protest [24]. Such attacks are usually symbolic expressions of protest and, while they may be illegal, are not intended to cause, or are incapable of causing, damage or disruption sufficient to endanger life or cause serious economic damage. Such attacks are likely to continue on an opportunistic basis in response to international and global conflict.

What is the threat of common forms of cyber attack?

Any organisation with an Internet connection faces a significant threat of cyber attack. The rate of malicious scanning that occurs against networks, the rate of new information about serious computer vulnerabilities and the frequency of reports of serious computer crime demonstrate that the opportunities for attack are numerous, as are the number of attackers willing to launch such attacks. The motives for other forms of cyber attack also vary and may range from illicit financial gain, personal use of resources and competitor advantage to malicious damage. Additionally, many attacks are indiscriminate, as attackers are less concerned with who they are attacking than with launching the attack itself.

Conclusion

The threat of cyber attack for organisations with Internet connections is high. For the most part this threat has little to do with the occurrence of conventional terrorist attacks, increased international tensions or nation state conflicts. Certainly, these events may increase the threat of politically motivated web site defacements or other forms of politically motivated low impact cyber attack, but only slightly. These forms of attack still occur relatively infrequently, despite tumultuous events over the last few years, and require a system to be vulnerable in order for a compromise to succeed. Cyberterrorism, while possible, is assessed to be very unlikely - and indeed, as far as we and others are aware, there have been no reported cases of it which match the above definitions. At present, terrorists seem to prefer the mileage to be gained from conventional methods of attack.

Misuse of the term, or a pre-occupation with cyberterrorism as the seeming greatest source of threat, may divert attention from addressing other forms of cyber attack which are capable of causing serious harm to organisations and infrastructures and which have occurred far more often and will continue to do so. Our focus should be on preventing serious and harmful cyber attacks regardless of who conducts them or what their motives may be. If organisations are taking steps to protect themselves from ordinary cyber attacks of the type that are reported in the media and the 2003 Australian Computer Crime and Security Survey, then they will be well placed to protect against all forms of cyber attack.

As a final footnote, the Canberra bushfires earlier this year illustrated how a natural disaster, assessed to be a one in a hundred year event, was able to disrupt and damage critical telecommunications, power, gas, water and sewerage infrastructures for an extended period of time, affecting individuals, businesses, government and organisations that depended on these services. Organisations and businesses should therefore ensure they focus on managing all threats - deliberate, accidental or natural, logical or physical - and implement appropriate security measures to manage that risk. This includes having in place sound disaster recovery or business continuity plans and computer incident response plans.

Endnotes

First published in AusCERT Member Newsletter, Vol. 7, No. 2 in July 2003

3. Pollitt, M.M., Cyberterrorism Fact or Fantasy? http://www.cs.georgetown.edu/~denning/infosec/pollitt.html

4. http://www.comlaw.gov.au/comlaw/Legislation/ActCompilation1.nsf/0/18BFD93E176C8F0ACA256F7100572147/$file/SecLegAmTerrorism2002.pdf

This definition of terrorism also appears in the amended Criminal Code Act 1995, s. 100.1, http://www.austlii.edu.au/au/legis/cth/consol_act/cca1995115/sch1.html.

5. Merari, A., (1993) Terrorism as a Strategy of Insurgency, Terrorism and Political Violence, Volume 5, No. 4, http://www.st-andrews.ac.uk/academic/intrel/research/cstpv/pdffiles/Terrorism%20as%20a%20Strategy.pdf

6. http://searchcrm.techtarget.com/gDefinition/0,294236,sid11_gci771061,00.html

7. Garrison, L and Grand, M. (ed) (2001) Cyberterrorism: An evolving concept, NIPC Highlights, http://www.nipc.gov/publications/highlights/2001/highlight-01-06.htm

8. Denning, D. (2000), Cyberterrorism, http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc

9. Lewis, J.A., (2002) Assessing the risk of cyber terrorism, cyber war and other cyber threats, Center for Strategic and International Studies, http://www.csis.org/tech/0211_lewis.pdf

10. http://www.worldpaper.com/2000/April00/vittachi.html

11. Denning, D.E. (nd) Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, http://www.nautilus.org/info-policy/workshop/papers/denning.html

12. Denning, D.E. (2000) Cyberterrorism, http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc

13. Denning, D., (1999) Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, http://www.nautilus.org/info-policy/workshop/papers/denning.html

14. http://www.terrorismfiles.org/organisations/aum_supreme_truth.html

15. Devost, M.G., Houghton, B.K. and Pollard, N.A., Information Terrorism, http://www.geocities.com/CapitolHill/2468/itpaper.html

16. http://www.geocities.com/CapitolHill/2468/itpaper.html

17. http://www.geocities.com/CapitolHill/2468/itpaper.html

18. Denning, D.E., (1999) Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy, http://www.nautilus.org/info-policy/workshop/papers/denning.html

19. Denning, D.E., (2000) Cyberterrorism, http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc

20. Littleton, M.J. (1995) Information Age Terrorism: Toward Cyberterror, http://www.fas.org/irp/threat/cyber/docs/npgs/ch5.htm

21. Green, J. (2002), The Myth of Cyberterrorism, http://www.washingtonmonthly.com/features/2001/0211.green.html

22. Denning, D.E., (2001) Is Cyber Terror Next? http://www.ssrc.org/sept11/essays/denning.htm

23. eCommerce Times (2001), US, Chinese Hackers Wage Quiet War http://www.ecommercetimes.com/perl/story/9203.html

24. Denning, D.E., (1999) Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy http://www.nautilus.org/info-policy/workshop/papers/denning.html.