Studies in Conflict & Terrorism, 28:129–149, 2005
Copyright Taylor & Francis Inc.
ISSN: 1057-610X print / 1521-0731 online
DOI: 10.1080/10576100590905110

Cyberterrorism: The Sum of All Fears?

GABRIEL WEIMANN
United States Institute of Peace, Washington, DC, USA
and
Department of Communication, University of Haifa, Haifa, Israel

Cyberterrorism conjures up images of vicious terrorists unleashing catastrophic attacks against computer networks, wreaking havoc, and paralyzing nations. This is a frightening scenario, but how likely is it to occur? Could terrorists cripple critical military, financial, and service computer systems? This article charts the rise of cyberangst and examines the evidence cited by those who predict imminent catastrophe. Psychological, political, and economic forces have combined to promote the fear of cyberterrorism. From a psychological perspective, two of the greatest fears of modern time are combined in the term “cyberterrorism.” The fear of random, violent victimization segues well with the distrust and outright fear of computer technology. Many of these fears, the report contends, are exaggerated: not a single case of cyberterrorism has yet been recorded, hackers are regularly mistaken for terrorists, and cyberdefenses are more robust than is commonly supposed. Even so, the potential threat is undeniable and seems likely to increase, making it all the more important to address the danger without inflating or manipulating it.

Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.
—National Research Council1

For the foreseeable future, acts of cyberterrorism, such as the ones usually imagined, will be very difficult to perform, unreliable in their impact, and easy to respond to in relatively short periods of time.
—Douglas Thomas, statement to the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations2

Received 14 June 2004; accepted 19 August 2004.
This article is an updated and detailed version of a previous special report, Cyberterrorism: How Real Is the Threat?, issued in May 2004 by USIP. Address correspondence to Gabriel Weimann, University of Haifa, Haifa 32905, Israel. Email: weimann@soc.haifa.ac.il

Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks.
—Carnegie Mellon University computer scientist Roy Maxion in a letter to President G. Bush co-signed by 50 computer scientists

Terrorists are interested in creating bloodshed and terror. The Internet doesn’t rise to this level of impact in a way that a truck bomb does.
—George Smith, Co-editor, vmyths.com

Introduction

Cyberterrorism is the use of computer network tools to harm or shut down critical national infrastructures (such as energy, transportation, government operations). The premise of cyberterrorism is that as nations and critical infrastructure became more dependent on computer networks for their operation, new vulnerabilities are created—“a massive electronic Achilles’ heel.”3 Cyberterrorism is an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal. The threat posed by cyberterrorism has grabbed the attention of the mass media, the security community, and the information technology (IT) industry. Journalists, politicians, and experts in a variety of fields have popularized a scenario in which sophisticated cyber-terrorists electronically break into computers that control dams or air traffic control systems, wreaking havoc and endangering not only millions of lives but national security itself. And yet, despite all the gloomy predictions of a cyber-generated doomsday, no single instance of real cyberterrorism has been recorded. Just how real is the threat that cyberterrorism poses?
Because most critical infrastructure in Western societies is networked through computers, the potential threat from cyberterrorism is, to be sure, very alarming. Hackers, although not motivated by the same goals that inspire terrorists, have demonstrated that individuals can gain access to sensitive information and to the operation of crucial services. Terrorists, at least in theory, could thus follow the hackers’ lead, and then, having broken into government and private computer systems, could cripple or at least disable the military, financial, and service sectors of advanced economies. The growing dependence of our societies on information technology has created a new form of vulnerability, giving terrorists the chance to approach targets that would otherwise be utterly unassailable, such as national defense systems and air traffic control systems. The more technologically developed a country is, the more vulnerable it becomes to cyberattacks against its infrastructure. Concern about the potential danger posed by cyberterrorism is thus well founded. That does not mean, however, that all the fears that have been voiced in the media, in Congress, and in other public forums are rational and reasonable. Some fears are simply unjustified, whereas others are highly exaggerated. In addition, the distinction between the potential and the actual damage inflicted by cyberterrorists has too often been ignored, and the relatively benign activities of most hackers have been conflated with the specter of pure cyberterrorism. This article examines the reality of the cyberterrorism threat, both present and future. It begins by outlining why cyberterrorism angst has gripped so many people, defines what qualifies as “cyberterrorism” and what does not, and charts cyberterrorism’s appeal for terrorists. 
The report then looks at the evidence both for and against Western society’s vulnerability to cyberattacks, drawing on a variety of recent studies and publications to illustrate the kinds of fears that have been expressed in order to assess whether there is a need to be so concerned. The conclusion looks to the future and argues that we must remain alert to real dangers while not becoming victims of overblown fears.

Cyberterrorism Angst

The roots of the notion of cyberterrorism can be traced back to the early 1990s, when the rapid growth in Internet use and the debate on the emerging “information society” sparked several studies on the potential risks faced by the highly networked, high-tech dependent United States. As early as 1990, the National Academy of Sciences began a report on computer security with the words, “We are at risk. Increasingly, America depends on computers. . . . Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” At the same time, the prototypical term “electronic Pearl Harbor” was coined, linking the threat of a computer attack to an American historical trauma. “It’s no surprise,” argues Green, “that cyberterrorism now ranks alongside other weapons of mass destruction in the public consciousness . . . but there’s just one problem: There is no such thing as cyberterrorism—no instance of anyone ever having been killed by a terrorist (or anyone else) using a computer. Nor is there compelling evidence that al Qaeda or any other terrorist organization has resorted to computers for any sort of serious destructive activity.”4 It seems fair to say that the current threat posed by cyberterrorism has been exaggerated.
No single instance of cyberterrorism has yet been recorded: there were politically motivated cyberattacks, as a form of protest, usually involving website defacements (with a political message) or some types of denial of service (DoS) attack.5 However, while the cyberattacks were politically motivated, from the outset the attacks were incapable of harming people or property or instilling fear into the target population. Its impact was primarily designed to cause disruption and did not have a serious impact on critical services or infrastructure. The vast majority of cyberattacks are launched by hackers with few if any political goals and no desire to cause the mayhem and carnage of which terrorists dream. So, then, why has so much concern been expressed over a relatively minor threat? The reasons for the popularity of cyberterrorism angst are many. Psychological, political, and economic forces have combined to promote the fear of cyberterrorism. First, from a psychological perspective, two of the greatest fears of modern time are combined in the term “cyberterrorism.”6 The fear of random, violent victimization segues well with the distrust and outright fear of computer technology. An unknown threat is perceived as more threatening than a known threat. Although cyberterrorism does not entail a direct threat of violence, its psychological impact on anxious societies can be as powerful as the effect of terrorist bombs. Moreover, the most destructive forces working against an understanding of the actual threat of cyberterrorism are a fear of the unknown and a lack of information or, worse, too much misinformation. 
Second, the mass media have added their voice to the fearful chorus, trumpeting the threat with front-page headlines such as the following, which appeared in The Washington Post in June 2003: “Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say.” Cyberterrorism, the media have discovered, makes for eye-catching, dramatic copy. A typical report published in The Washington Post represents hundreds of similar news items:

This situation is alarming when one considers that America has many thousands of dams, airports, chemical plants, federal reservoirs and of course power plants (of which 104 are nuclear), most of whose integral systems are operated and controlled by sophisticated computer systems or other automated controllers. These systems are now experiencing cyber attacks. In the second half of 2002 alone, 60 percent of power and energy companies experienced at least one severe cyber attack. Fortunately, none incurred catastrophic loss.7

Screenwriters and novelists have likewise seen the dramatic potential, with movies such as the 1995 James Bond feature, Goldeneye and 2002’s Code Hunter, the 2004 television series The Grid, and novels such as Tom Clancy’s and Steve R. Pieczenik’s Netforce popularizing a wide range of cyberterrorist scenarios. The mass media frequently fail to distinguish between hacking and cyberterrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following: “If a sixteen-year-old could do this, then what could a well-funded terrorist group do?” Thus, as Denning has observed, “cyberterrorism and cyberattacks are sexy right now. . . . [Cyberterrorism is] novel, original, it captures people’s imagination.”8

Ignorance is a third factor. Cyberterrorism merges two spheres—terrorism and technology—that many people, including most lawmakers and senior administration officials, do not fully understand and therefore tend to fear.
Moreover, some groups are eager to exploit this ignorance: “Numerous technology companies, still reeling from the collapse of the tech bubble, have recast themselves as innovators crucial to national security and boosted their Washington presence in an effort to attract federal dollars.”9 Law enforcement and security consultants are likewise highly motivated to have everyone believe that the threat to the nation’s security is severe. As Ohio State University law professor Peter Swire argued, “Many companies that rode the dot-com boom need to find big new sources of income. One is direct sales to the federal government; another is federal mandates. If we have a big federal push for new security spending, that could prop up the sagging market.”10 To study terrorism, on the Internet or elsewhere, a definition of what terrorism is must be found. Even though most people can recognize terrorism when they see it, experts have had difficulty coming up with an ironclad definition. There are more than one hundred different definitions offered by scholars.11 Thus, a more fruitful approach would be to characterize terrorism; Mullins provides a starting point by highlighting “the terror of terrorism,” that is, the argument or pre-condition that “without the terror induced by the terrorist, there can be no terrorism.”12 Fear is a key element in terrorism, and it is “the fear evoked by the individuals or the small groups of individuals whose capacity to constraint the behavior of others resides not in reason, in numerical preponderance, or in any legitimate exercise of authority, but only in their perception that they are able and willing to use violence unless their demands are satisfied.”13 Hoffman defined terrorism as “Violence, or the threat of violence, used and directed in pursuit of, or in service of, a political aim.”14 The U.S. 
State Department defines terrorism as “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.” These characteristics clearly leave most of the cyberattacks if not all of them outside the cyberterrorism category. There is also the confusion between cyberterrorism and cybercrime.15 Such confusion is partly caused by the lack of clear definitions of the two phenomena. Cybercrime and cyberterrorism are not coterminous. Cyberspace attacks must have a “terrorist” component in order to be labeled cyberterrorism. The attacks must instill terror as commonly understood (that is, result in death and/or large-scale destruction), and they must have a political motivation. Moreover, regarding the distinction between terrorist use of information technology and terrorism involving computer technology as a weapon/target, only the latter may be defined as cyberterrorism. Terrorist use of computers as a facilitator of their activities, whether for propaganda, recruitment, datamining, communication, or other purposes, is simply not cyberterrorism.16 Terrorists increasingly are using the Net to post messages, launch psychological campaigns, learn about potential targets, coordinate their actions, raise funds, and even conduct virtual training, but all these activities belong to the conventional, instrumental category and not to cyberattacks aimed at computer networks or the Internet itself.

A fourth reason is that some politicians, whether out of genuine conviction or out of a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of prophets of doom. After 9/11, the security and terrorism discourse soon featured cyberterrorism prominently.
Following an October 2001 meeting with high-tech executives, including several from the security firm Network Associates, President Bush appointed Richard Clarke as his first special advisor on cyberspace security. After 11 September, Clarke created for himself the position of cybersecurity czar and continued heralding the threat of cyberattack. Understanding that in Washington attention leads to resources and power, Clarke quickly raised the issue’s profile. “Dick has an ability to scare the bejesus out of everybody and to make the bureaucracy jump,” says a former colleague.17 The government was also stepping up its efforts to share information on cyberterrorism threats through public advisories. The National Infrastructure Protection Center (NIPC) has issued an advisory that warns website operators of the threat of DDoS (distributed denial-of-service) attacks. The NIPC advisory stated that it has information that certain groups “have indicated they are targeting websites of the U.S. Department of Defense and organizations that support the critical infrastructure of the United States.” When Tom Ridge, the director of the newly created Office of Homeland Security, announced Clarke’s appointment, he hammered home the fact that information technology now pervades everyday life—from communications and emergency services to water and electricity delivery. “Destroy the networks,” he said, “and you shut down America as we know it and as we live it and as we experience it every day.” A special congressional commission examining terrorism after the 11 September attacks was very concerned that future attacks against the United States might occur in conjunction with a cyberattack that would maximize the destructive effects of physical weapons such as bombs or chemical assaults. “There has been substantial concern [about] the potential consequences of cyberattacks,” said Virginia Gov. 
James Gilmore, chairman of the commission examining the nation’s ability to respond to an attack involving a weapon of mass destruction.18 Gilmore said the commission believes that a cyberattack could take place in concert with a physical attack. In a National Public Radio interview with NPR’s Bob Edwards, senators Jon Kyl (R-AZ) and Dianne Feinstein (D-CA) expressed their fears about the threat of cyberterrorism. They both said the nation’s computer systems are overly vulnerable to attack and need better security measures.19 This discourse was understandable, given that more nightmarish attacks were expected and that cyberterrorism seemed to offer Al Qaeda opportunities to inflict enormous damage. But there was also a political dimension to the new focus on cyberterrorism. Debates about national security, including the security of cyberspace, always attract political actors with agendas that extend beyond the specific issue at hand—and the debate over cyberterrorism was no exception to this pattern. For instance, Yonah Alexander, a terrorism researcher at the Potomac Institute—a think tank with close links to the Pentagon—announced in December 2001 the existence of an “Iraq Net.” This network supposedly consisted of more than one hundred websites set up across the world by Iraq since the mid-1990s to launch denial-of-service or DoS attacks (DoS attacks render computer systems inaccessible, unusable, or inoperable) against U.S. companies. “Saddam Hussein would not hesitate to use the cyber tool he has. . . . It is not a question of if but when. The entire United States is the front line,” Alexander claimed.20 Whatever the intentions of its author, such a statement was clearly likely to support arguments then being made for an aggressive U.S. policy toward Iraq like Saddam’s WMD stockpiles. No evidence of an Iraq Net has yet come to light.
Fifth, combating cyberterrorism has become not only a highly politicized issue but also an economically rewarding one. As Green argues, “an entire industry has arisen to grapple with its ramifications—think tanks have launched new projects and issued white papers, experts have testified to its dangers before Congress, private companies have hastily deployed security consultants and software designed to protect public and private targets.”21 Following the 9/11 attacks, the federal government requested $4.5 billion for infrastructure security, and the FBI now boasts more than one thousand “cyber investigators.” Spending on security-related technology is expected to increase over the next couple of years, leveling off at 5 percent to 8 percent of the Information Technology budget of global companies, according to a survey.22 Security spending takes up from 3 percent to 4 percent of IT budgets today but that amount, however, is expected to increase at a compound annual growth rate of between 8 percent and 10 percent through 2006, before reaching a plateau. Even before 11 September 2001, George W. Bush was calling attention to the danger of an imminent attack on the United States by cyberterrorists. As a presidential candidate, he warned that “American forces are overused and underfunded precisely when they are confronted by a host of new threats and challenges—the spread of weapons of mass destruction, the rise of cyberterrorism, the proliferation of missile technology.” In the aftermath of 9/11, President Bush created the Office of Cyberspace Security in the White House, and appointed his former counterterrorism coordinator, Richard Clarke, to head it (Clarke has since resigned). Since then, the president, the vice president, and other officials have kept the issue before the public. 
“Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” The message is hitting home. For instance, a survey of 725 cities conducted by the National League of Cities for the second anniversary of the 9/11 attacks shows that cyberterrorism ranks alongside biological and chemical weapons at the top of a list of city officials’ fears.23 The net effect of all this attention has been to create a climate in which instances of hacking into government websites, online thefts of proprietary data from companies, and outbreaks of new computer viruses are all likely to be labeled by many including journalists as suspected cases of “cyberterrorism.”24 Indeed, the term has been improperly used and overused to such an extent that, if there is any hope of reaching a clear understanding of the danger posed by cyberterrorism, it must be defined with some precision.

What Is Cyberterrorism?

There have been several stumbling blocks to creating a clear and consistent definition of the term “cyberterrorism.” First, as just noted, much of the discussion of cyberterrorism has been conducted in the popular media, where journalists typically strive for drama and sensation rather than for good operational definitions of new terms. Second, it has been especially common when dealing with computers to coin new words simply by placing the words “cyber,” “computer,” or “information” before another word.
Thus, an entire arsenal of words—cybercrime, cyberwar, infowar, netwar, cyberterrorism, cyber harassment, virtual-warfare, digital terrorism, cybertactics, computer warfare, information warfare, cyberattack, cyberwar, and cyber break-ins—is used to describe what some military and political strategists describe as the “new terrorism” of these times.25 Fortunately, some effort has been made to introduce greater semantic precision. Most notably, Dorothy Denning, a professor of computer science, has put forward an admirably unambiguous definition in numerous articles,26 and in her testimony on the subject before the congressional House Armed Services Committee: Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not. It is important to distinguish between cyberterrorism and “hacktivism,” a term coined by Denning to describe the marriage of hacking with political activism. (“Hacking” is here understood to mean activities conducted online and covertly that seek to reveal, manipulate, or otherwise exploit vulnerabilities in computer operating systems and other software.)27 Hacktivists have four main weapons at their disposal: virtual sit-ins and blockades; automated e-mail bombs; web hacks and computer break-ins; and computer viruses and worms. 
A virtual sit-in or blockade is the cyberspace rendition of a physical sit-in or blockade: political activists coordinate their visits to a website and attempt to generate so much traffic toward the site that other users cannot reach it, thereby disrupting normal operations while winning publicity—via media reports—for the protesters’ cause. When large numbers of individuals simultaneously attack a designated site, the operation is sometimes referred to as “swarming.” Swarming can also amplify the effects of the hacktivists’ second weapon: e-mail bombing campaigns (bombarding targets with thousands of messages at once, also known as “ping attacks”). In July 1997, for example, an e-mail bombing was conducted against the Institute for Global Communications (IGC), a San Francisco-based Internet Service Provider (ISP) that hosted the web pages of Euskal Herria (in English, the Basque Country Journal), a publication edited by supporters of the Basque separatist group Homeland and Liberty (ETA).28 The attackers wanted ETA’s site pulled from the Internet. To accomplish this they bombarded IGC with thousands of spurious e-mails routed through hundreds of different mail relays, spammed IGC staff and customer accounts, clogged IGC’s web page with bogus credit card orders, and threatened to employ the same tactics against other organizations using IGC services. IGC pulled the Euskal Herria site just a few days later.

Many cyberprotesters use the third weapon in the hacktivists’ arsenal: web hacking and computer break-ins, whereby they hack into computers to access stored information, communication facilities, financial information, and so on. For example, the Computer Emergency Response Team Coordination Center (CERT/CC), a federally funded research and development center operated by Carnegie Mellon University, reported 2,134 computer security incidents such as break-ins and hacks in 1997.
This number rose to 21,756 in 2000, and to almost 35,000 during the first three quarters of 2001 alone. In 2003, CERT/CC received more than half a million e-mail messages and more than nine hundred hotline calls reporting incidents or requesting information. In the same year, no fewer than 137,529 computer security incidents were reported. Considering that many, perhaps most, incidents are never reported to CERT/CC or any other third party, these numbers become even more significant. Further, each incident that is reported corresponds to an attack that can involve thousands of victims. In April 2002, for instance, hackers broke into the payroll database for the state of California and gained access to the Social Security numbers, bank account information, and home addresses of 265,000 state employees. This rise in computer-based attacks can be attributed to several factors, including the growth of the Internet and a corresponding increase in the number of potential attackers and targets; a seemingly limitless supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated software hacking tools that allow even those with modest skills to launch devastating attacks. The fourth category of hacktivist weaponry comprises viruses and worms, both of which are forms of malicious code that can infect computers and propagate over computer networks. Their impact can be enormous. The Code Red worm, for example, infected about a million servers in July 2001, and caused $2.6 billion in damage to computer hardware, software, and networks, and the I LOVE YOU virus unleashed in 2000 affected more than twenty million Internet users and caused billions of dollars in damage. Although neither the Code Red worm nor the I LOVE YOU virus was spread with any political goals in mind, some computer viruses and worms have been used to propagate political messages and, in some cases, cause serious damage. 
During the NATO operation to evict Serbian forces from Kosovo, businesses, public entities, and academic institutes in NATO member-states received virus-laden e-mails from a range of Eastern European countries. The e-mail messages, which had been poorly translated into English, consisted chiefly of unsubtle denunciations of NATO for its unfair aggression and defenses of Serbian rights. But the real threat was from the viruses. This was an instance of cyberwarfare launched by Serbian hackers against the economic infrastructure of NATO countries.

On Tuesday, 22 October 2002, the heart of the Internet network sustained its largest and most sophisticated attack ever: a distributed DoS attack struck the thirteen “root servers” that provide the primary road map for almost all Internet communications worldwide. According to security experts, the incident probably consisted of multiple attackers concentrating the power of many computers against a single network to prevent it from operating. Ordinary Internet users experienced no slowdowns or outages because of safeguards built into the Internet’s architecture; however, a longer, more extensive attack could have seriously damaged worldwide electronic communications. Little can be done to insulate targets from such attacks. Indeed, some of the world’s most powerful companies have been targeted. In February 2000, Amazon.com, e-Bay, Yahoo, and a host of other big-name e-commerce sites came to a grinding halt for several hours due to DoS attacks.

Hacktivism, although politically motivated, does not amount to cyberterrorism. Hacktivists do want to protest and disrupt; they do not want to kill or maim or terrify. However, hacktivism does highlight the threat of cyberterrorism, the potential that individuals with no moral restraint may use methods similar to those developed by hackers to wreak havoc.
Moreover, the line between cyberterrorism and hacktivism may sometimes blur, especially if terrorist groups are able to recruit or hire computer-savvy hacktivists or if hacktivists decide to escalate their actions by attacking the systems that operate critical elements of the national infrastructure, such as electric power networks and emergency services.

The Attraction of Cyberterrorism for Terrorists

Cyberterrorism is an attractive option for modern terrorists for several reasons:

• First, it is cheaper than traditional terrorist methods. All that the terrorist needs is a personal computer and an online connection. Terrorists do not need to buy weapons such as guns and explosives; instead, they can create and deliver computer viruses through a telephone line, a cable, or a wireless connection.
• Second, cyberterrorism is more anonymous than traditional terrorist methods. Like many Internet surfers, terrorists use online nicknames—“screen names”—or log on to a website as an unidentified “guest user,” making it very hard for security agencies and police forces to track down the terrorists’ real identity. And in cyberspace there are no physical barriers such as checkpoints to navigate, no borders to cross, no customs agents to outsmart.
• Third, the variety and number of targets are enormous. The cyberterrorist could target the computers and computer networks of governments, individuals, public utilities, private airlines, and so on. The sheer number and complexity of potential targets guarantees that terrorists can find weaknesses and vulnerabilities to exploit. Several studies have shown that critical infrastructures, such as electric power grids and emergency services, are vulnerable to a cyberterrorist attack because the infrastructures and the computer systems that run them are highly complex, making it effectively impossible to eliminate all weaknesses.
• Fourth, cyberterrorism can be conducted remotely, a feature that is especially appealing to terrorists. Cyberterrorism requires less physical training, psychological investment, risk of mortality, and travel than conventional forms of terrorism, making it easier for terrorist organizations to recruit and retain followers.
• Fifth, as the I LOVE YOU virus showed, cyberterrorism has the potential to affect directly a larger number of people than traditional terrorist methods, thereby generating greater media coverage, which is ultimately what terrorists want.

The Growing Vulnerabilities

In his vision of “The Future of Cyberterrorism,” Collin describes several scary scenarios:29

• A cyberterrorist will disrupt the banks, the international financial transactions, the stock exchanges. The key: the people of a country will lose all confidence in the economic system. Would a cyberterrorist attempt to gain entry to the Federal Reserve building or equivalent? Unlikely, since arrest would be immediate. Furthermore, a large truck pulling along side the building would be noticed. However, in the case of the cyberterrorist, the perpetrator is sitting on another continent while a nation’s economic systems grind to a halt. Destabilization will be achieved.
• A cyberterrorist will attack the next generation of air traffic control systems, and collide two large civilian aircraft. This is a realistic scenario, since the cyberterrorist will also crack the aircraft’s in-cockpit sensors. Much of the same can be done to the rail lines.
• A cyberterrorist will remotely alter the formulas of medication at pharmaceutical manufacturers. The potential loss of life is unfathomable.
• The cyberterrorist may then decide to remotely change the pressure in the gas lines, causing a valve failure, and a block of a sleepy suburb detonates and burns. Likewise, the electrical grid is becoming steadily more vulnerable.

In 1997, the National Security Agency (NSA) conducted an exercise code-named “Eligible Receiver.”30 The results were chilling.
The exercise began when NSA officials briefed a thirty-five person “Red Team” of NSA computer hackers on the ground rules. They were told that they were to attempt to hack into and disrupt U.S. national security systems. Their primary target was to be the U.S. Pacific Command in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific theater, including the tension-wracked Korean peninsula. Members of the Red Team were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet through any one of the hundreds, and possibly thousands, of hacker websites. The Pentagon’s own arsenal of secret offensive information warfare tools was off limits to the hackers. Although they were allowed to penetrate various Pentagon networks, the Red Team was prohibited from breaking any U.S. laws. Posing as hackers hired by the North Korean intelligence service, the Red Team dispersed around the country and began digging their way into military networks. They navigated through cyberspace with ease, mapping networks and logging passwords gained through “brute-force cracking” (a trial-and-error method of decoding encrypted data such as passwords or encryption keys by trying all possible combinations) and the more subtle tactic of social engineering—sometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for the password. The team gained unfettered access to dozens of critical Pentagon computer systems. With that level of access, they were free to create legitimate user accounts for other hackers, delete accounts belonging to authorized officials, reformat server hard drives and scramble the data, or simply shut systems down. They were able to break through network defenses with ease, after which they could conduct DoS attacks, read or make minor changes to sensitive e-mail messages, and disrupt telephone services. 
They did so without being traced or identified. The results of the exercise stunned all who were involved. Using hacking tools that were available to anybody on the Internet, the Red Team could have crippled the U.S. military’s command-and-control system for the entire Pacific theater of operations. From a military perspective, that alone was appalling. But it soon became clear that the exercise had revealed much broader vulnerabilities. During the course of analyzing what the Red Team had accomplished, NSA officials discovered that much of the private-sector infrastructure in the United States, such as the telecommunications and electric power grids, could easily be sent into a tailspin using the same tools and techniques.

The vulnerability of the energy industry is at the heart of Black Ice: The Invisible Threat of Cyberterror, a book published in 2003 and written by Computerworld journalist and former intelligence officer Dan Verton.31 Verton argues that America’s energy sector would be the first domino to fall in a strategic cyberterrorist attack against the United States. The book explores in frightening detail how the impact of such an attack could rival, or even exceed, the consequences of a more traditional, physical attack. Verton claims that during any given year, the average large utility company experiences about one million cyberintrusions that require investigation to ensure that critical system components have not been compromised.
Data collected by Riptech, Inc.—a Virginia-based company specializing in the security of online information and financial systems—on cyberattacks during the six months following the 9/11 attacks showed that companies in the energy industry suffered intrusions at twice the rate of other industries, with the number of severe or critical attacks requiring immediate intervention averaging 12.5 per company.32

Deregulation and the increased focus on profitability have forced utilities and other companies to move more and more of their operations to the Internet as a means of improving efficiency and reducing costs. The energy industry and many other industrial sectors have opened their enterprises to a vast array of cyberdisruptions by creating inadvertent Internet links (both physical and wireless) between their corporate networks and the digital crown jewels of most industrial processes: the supervisory control and data acquisition (SCADA) systems. These systems manage the actual flow of electricity and natural gas and perform other critical functions in various industrial control settings, such as chemical processing plants, water purification and delivery systems, wastewater management facilities, and a host of manufacturing firms. A terrorist’s ability to control, disrupt, or alter the command and monitoring functions performed by these systems could threaten regional and possibly national security.

New vulnerabilities that could leave the way open to a cyberattack are being discovered all the time: according to Symantec, one of the world’s corporate leaders in the field of cybersecurity, the number of “software holes” (software security flaws that allow malicious hackers to exploit the system) reported in the nation’s computer networks grew by 80 percent in 2002. Still, the company says it has yet to record a single cyberterrorist attack—by its definition, one originating in a country on the State Department’s terror watch list.
That could be because those inclined to commit terrorist acts do not yet have the know-how to inflict significant damage, or perhaps because hackers and adept virus writers are not sympathetic to the goals of terrorist organizations. However, should the two groups find common ground, the results could be devastating.

Equally alarming is the prospect of terrorists themselves designing computer software for government agencies. Remarkably, at least one instance of such a situation is known to have occurred, as reported by Denning.33 In March 2000, Japan’s Metropolitan Police Department announced that a software system it had procured to track 150 police vehicles, including unmarked cars, had been developed by the Aum Shinrikyo cult, the same group that gassed the Tokyo subway in 1995, killing twelve people and injuring six thousand more. Additionally, members of this cult had developed software for at least eighty Japanese firms and ten government agencies. They had worked as subcontractors to other firms, making it almost impossible for the end users to know who had developed the software they purchased. As subcontractors, Denning argues, the cult could have installed Trojan horses to launch or facilitate

Despite stepped-up security measures in the wake of 9/11, an Ipsos Public Affairs survey of 395 IT professionals, conducted on behalf of the Business Software Alliance during June 2002, revealed a lack of confidence in the government’s ability to defend itself against a cyberattack. Almost half (49 percent) felt that an attack is likely, and more than half (55 percent) said the risk of a major cyberattack on the United States has increased since 9/11. The figure jumped to 59 percent among individuals responsible for their company’s computer and Internet security. Almost three-quarters (72 percent) believed there is a gap between the threat of a major cyberattack and the government’s ability to defend against it, with the figure increasing to 84 percent among those respondents who are most knowledgeable about security. Furthermore, 86 percent thought the U.S. government should devote more time and resources to defending against cyberattacks than it did to addressing Y2K issues, and 96 percent stressed the importance of securing sensitive information so that hackers will not be able to access it even if they break into the government’s computer system.

Those surveyed were concerned about attacks not only on the government but on other likely targets as well. Almost three-quarters (74 percent) believed that national financial institutions, such as Wall Street or big national banks, would be likely targets within the next year, and around two-thirds believed that attacks were likely to be launched within the next twelve months against the computer systems that run communications networks (e.g., telephones and the Internet), transportation infrastructure (e.g., air traffic control computer systems), and utilities (e.g., water stations, dams, and power plants).

A study released in December 2003 appeared to confirm the IT professionals’ skepticism about the ability of the government to defend itself against cyberattacks.34 Conducted by the House Government Reform Subcommittee on Technology, the study examined computer security in federal agencies over the course of a year and awarded grades. Scores were based on numerous criteria, including how well an agency trained its employees in security and the extent to which it met established security procedures such as limiting access to privileged data and eliminating easily guessed passwords. More than half the federal agencies surveyed received a grade of D or F.
The Department of Homeland Security, which has a division devoted to monitoring cybersecurity, received the lowest overall score of the twenty-four agencies surveyed. Also earning an F was the Justice Department, the agency charged with investigating and prosecuting cases of hacking and other forms of cybercrime. Thirteen agencies improved their scores slightly compared with the previous year, nudging the overall government grade from an F up to a D. Commenting on these results, Rep. Adam H. Putnam (R-FL), chairman of the House Government Reform Subcommittee on Technology, declared that “the threat of cyberattack is real. . . . The damage that could be inflicted both in terms of financial loss and, potentially, loss of life is considerable.”35 Such studies, together with the enormous media interest in the subject, have fueled popular fears about cyberterrorism. A study by the Pew Internet and American Life Project found in 2003 that nearly half of the one thousand Americans surveyed were worried that terrorists could launch attacks through the networks connecting home computers and power utilities. The Pew study, based on telephone interviews with 1,000 adults, found that 11 percent of respondents were “very worried” and 38 percent were “somewhat worried” about an attack launched through computer networks. The survey was taken in early August, before the major blackout struck the Northeast and before several damaging new viruses afflicted computers throughout the country. 
Because of those events, the level of awareness concerning cyberterrorism might be even higher today, said Lee Rainie, director of the project.36

Former National Security Advisor Anthony Lake, in his book Six Nightmares, argues, “Millions of computer-savvy individuals could wreak havoc against the United States.”37 Lake, whose chapter “e-Terror, e-Crime” is a veritable case study in cyberattack alarmism, worries that cyberattackers could crash planes; tamper with food or medicines to poison populations; or disrupt the economy by shutting down electrical and communication systems. “The genie is well outside the bottle,” he claims, now that attackers have jammed 911 lines in Miami, overwhelmed the e-mail system at one Air Force base, and infiltrated an unclassified Pentagon computer. However, Lake and other alarmists do not distinguish between hackers and terrorists. They also fail to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake’s count), why have their attacks been, by and large, fairly innocuous?

Confusing Hackers with Terrorists

Despite significant investment in technology and infrastructure to protect against attacks, cyberterrorism represents one of the greatest challenges in present and future terrorism. In the 2002 research study conducted by the Computer Crime Research Center, 90 percent of respondents detected computer security breaches within the last 12 months. In another more recent study conducted by CIO Online, 92 percent of companies have experienced computer attacks and/or breaches in the last 12 months.38 But there are various actors involved in cyberattacks and most of them are not terrorists.
According to Michael Vatis, head of the Institute for Security Technology Studies at Dartmouth College (and previously the head of the FBI’s cyberterrorism unit), the potential attackers are grouped in four categories:39

• Terrorists: To date, few terrorist groups have used cyberattacks as a weapon. However, terrorists are known to be extensively interested in the Internet as a weapon and as a target. Although it is unclear whether Osama bin Laden’s Al Qaeda organization has developed cyber attack capabilities, members of this network use information technology to formulate plans for cyberattacks. “Thus,” argues Vatis, “trends seem clearly to point to the possibility of terrorists using information technology as a weapon against critical infrastructure targets.”
• Nation-States: Several nation-states, including supporters of terrorism, such as Syria, North Korea, Iran, Sudan, and Libya, may develop information warfare capabilities that could be turned against the United States and its allies. China, Cuba, and Russia, among others, are also believed to be developing cyberwarfare capabilities.
• Terrorist Sympathizers: This category contains those actors probably most likely to engage in attacks. If the American campaign against terrorism is perceived as a “crusade” against people of the Muslim faith, a variety of pro-Muslim hacker groups could launch cyberattacks against the United States and its allies. Others with anti-U.S. or anti-allied sentiments, such as members of the anti-capitalism and anti-globalization movements, or Chinese hackers still upset about the 2001 surveillance plane incident or the 1999 accidental NATO bombing of the Chinese Embassy in Belgrade, could join in such attacks.
• Thrill Seekers (or “cyberjoyriders”): There are many hackers and “script kiddies” who simply want to gain notoriety through high profile attacks. However, such individuals can still have significant disruptive impact, as evidenced by the February 2000 DoS attacks and recent destructive worms.

Although the first three categories are certainly related to terrorism, the last one may not be engaged in cyberterrorism. For now, the most damaging attacks and intrusions, experts say, are typically carried out either by disgruntled corporate insiders intent on embezzlement or sabotage, or by individual hackers—typically young and male—seeking thrills and notoriety. According to a report issued in 2002 by the IBM Global Security Analysis Lab, 90 percent of hackers are amateurs with limited technical proficiency, 9 percent are more skilled at gaining unauthorized access but do not damage the files they read, and only 1 percent are highly skilled and intent on copying files or damaging programs and systems. Most hackers, it should be noted, concentrate on writing programs that expose security flaws in computer software, mainly in the operating systems produced by Microsoft. Their efforts in this direction have sometimes embarrassed corporations but have also been responsible for alerting the public and security professionals to major security flaws in software. Moreover, although there are hackers with the ability to damage systems, disrupt e-commerce, and force websites offline, the vast majority of hackers do not have the necessary skills and knowledge. The ones who do generally do not seek to wreak havoc.
Douglas Thomas, a professor at the University of Southern California, spent seven years studying computer hackers in an effort to understand better who they are and what motivates them.40 Thomas interviewed hundreds of hackers and explored their “literature.” In testimony on 24 July 2002, before the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Thomas argued that “with the vast majority of hackers, I would say 99 percent of them, the risk [of cyberterrorism] is negligible for the simple reason that those hackers do not have the skill or ability to organize or execute an attack that would be anything more than a minor inconvenience.” His judgment was echoed in Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats, a 2002 report for the Center for Strategic and International Studies, written by Jim Lewis, a sixteen-year veteran of the State and Commerce Departments.41 “The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously,” Lewis argued. “Nations are more robust than the early analysts of cyberterrorism and cyberwarfare give them credit for. Infrastructure systems [are] more flexible and responsive in restoring service than the early analysts realized, in part because they have to deal with failure on a routine basis.”42

Why are hackers seen as threatening and why are quick associations made between hacker activity and terrorist activity? Most of what hackers do is write programs that expose security flaws in computer software, mainly in the operating systems produced by Microsoft. That process of hacking has been responsible, particularly over the past decade, for alerting the public and security professionals to major security flaws in software. Hackers force computer software manufacturers to pay attention to security.
They find security flaws, and when they point them out, hackers tend to be associated with the flaws, blaming the messengers. Thus, what hackers see as a public service, pointing out dangerous and troubling security risks, many people see as criminal activity. And while there are hackers who can do damage to systems, disrupt e-commerce, or even force websites offline, the vast majority of them cannot. The ones who can, generally do not. Hackers tend to exaggerate their own abilities out of a sense of bravado. “Hacking stories make good copy,” argues Thomas, “but they are very rarely accurate, tending to exaggerate threats and downplay the realities of the event.”43 There is a big difference, he claims in the testimony, between hacking into NASA’s central control system (which has not happened) and hacking into the server that hosts their web page (which has happened repeatedly). Most media reports fail to distinguish between the two (or to explain that hacking a web page is essentially the same as spray painting a billboard, posing very little actual risk). The media, moreover, tend to exaggerate threats, particularly by reasoning from false analogies between hacking and virus spread and cyberterrorism. But the media are just one factor; law enforcement, security consultants, and even software corporations are all highly motivated to embrace similar outlooks. It is to their advantage to have everyone believe that the threat to the nation’s security is severe.

However, even the distinction between hackers and terrorists is becoming less lucid. In February 2004, Gen. John Gordon, Assistant Secretary for Intelligence at DHS who also serves as chairman of the Homeland Security Council, spoke at the RSA Conference in San Francisco.44 Gordon said that terrorists and so-called cyberterrorists—people that use the Internet to wreak havoc on the everyday lives of American citizens—have some key similarities in their tactics.
“The al Qaeda enemy fights from the shadows,” Gordon said. “This is similar to the cyberterrorist community.”45 Both types of attackers also can carry out their plans on limited resources and can make multiple attempts to succeed in mounting an attack, he said. Gordon said that whether someone detonates a bomb that causes bodily harm to innocent people or hacks into a web-based IT system in a way that could, for instance, take a power grid offline and result in a blackout, the result is ostensibly the same; both are acts of terrorism. “The damage will be the same whether the attacker was a bored teenager, an organized criminal or a [hostile] nation or state. We need to focus on the vulnerabilities—and not get too hung up on who the attacker will be.” Because of the level of threat cyberterrorists pose, implementing cybersecurity technology is paramount among the aims of the Homeland Security Council, Gordon said.

How Real is the Threat of Cyberterror?

Amid all the dire warnings and alarming statistics that the subject of cyberterrorism generates, it is important to remember one simple statistic: so far, there has been no recorded instance of a terrorist cyberattack on U.S. public facilities, transportation systems, nuclear power plants, power grids, or other key components of the national infrastructure. Cyberattacks are common, but terrorists have not conducted them and they have not sought to inflict the kind of damage that would qualify them as cyberterrorism. As Green reported, when U.S. troops recovered Al Qaeda laptops in Afghanistan, officials were surprised to find its members more technologically adept than previously believed.46 They discovered structural and engineering software, electronic models of a dam, and information on computerized water systems, nuclear power plants, and U.S. and European stadiums.
But, Green argued, the evidence did not suggest that Al Qaeda operatives were planning cyberattacks, only that they were using the Internet to communicate and coordinate physical attacks.47 Neither Al Qaeda nor any other terrorist organization appears to have tried to stage a serious cyberattack.

Many computer security experts do not believe that it is possible to use the Internet to inflict death on a large scale. Some pointed out that the resilience of computer systems to attack is the result of significant investments of time, money, and expertise. As Green described, nuclear weapons and other sensitive military systems enjoy the most basic form of Internet security.48 He argued that they are “air-gapped,” meaning that they are not physically connected to the Internet and are therefore inaccessible to outside hackers. The Defense Department has developed various measures to protect key systems by isolating them from the Internet and even from the Pentagon’s internal computer network. Moreover, as a defensive measure, all new software must be submitted to the National Security Agency for security check and approval.

The 9/11 events led to a growing awareness of airliners’ vulnerability to cyberterrorism. For example, in 2002, Senator Charles Schumer (D-NY) described “the absolute havoc and devastation that would result if cyberterrorists suddenly shut down our air traffic control system, with thousands of planes in mid-flight.” However, argues Green, cybersecurity experts give some of their highest marks to the Federal Aviation Authority, which separates its administrative and air traffic control systems. Thus, he claims, it is impossible to hijack a plane remotely, which eliminates the possibility of a high-tech 9/11 scenario in which planes are used as weapons.

Another source of concern are secondary targets such as power grids, oil pipelines, and dams that might be attacked to inflict other forms of mass destruction.
Because most of these systems are in the private sector, they tend to be less secure than government systems. In addition, as Green notes, companies increasingly use the Internet to manage SCADA systems that control such processes as regulating the flow of oil in pipelines and the level of water in dams. To illustrate the threat of such attack, a story in The Washington Post in June 2003 on Al Qaeda cyberterrorism related an anecdote about a teenage hacker who allegedly broke into the SCADA system at Arizona’s Theodore Roosevelt Dam in 1998 and could, according to the article, unleash millions of gallons of water and thus threaten the neighboring communities. However, a subsequent probe by the tech-news site CNet.com revealed the story to be largely exaggerated; the hacker could not have gained control of the dam and no lives or property were really at risk.

To assess the potential threat of cyberterrorism, experts such as Denning suggest that two questions be asked: Are there targets that are vulnerable to cyberattacks? And are there actors with the capability and motivation to carry out such attacks? The answer to the first question is yes: critical infrastructure systems are complex and therefore bound to contain weaknesses that might be exploited, and even systems that seem “hardened” to outside manipulation might be accessed by insiders, acting alone or in concert with terrorists, to cause considerable harm. But what of the second question? According to Green, only a few people besides a company’s own employees possess the specific technical know-how required to run a specialized SCADA system. In April 2002, an Australian man used an Internet connection to release a million gallons of raw sewage along Queensland’s Sunshine Coast after being turned down for a government job. When police arrested him, they discovered that he had worked for the company that designed the sewage treatment plant’s control software.
It is possible, of course, that such disgruntled employees might be recruited by terrorist groups, but even if the terrorists did enlist inside help, the degree of damage they could cause would still be limited. As Green argued, the employees of companies that handle power grids, oil and gas utilities, and communications are well rehearsed in dealing with the fallout from hurricanes, floods, tornadoes, and other natural disasters. They are also equally adept at containing and remedying problems that stem from human action.

Denning draws attention to a report published in August 1999 by the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School (NPS) in Monterey, California titled Cyber-Terror: Prospects and Implications.49 The report, argues Denning, shows that terrorists generally lack the wherewithal and human capital needed to mount attacks that involve more than annoying but relatively harmless hacks. The study examined five types of terrorist groups: religious, New Age, ethnonationalist separatist, revolutionary, and far-right extremists. Of these, only the religious groups were judged likely to seek the capacity to inflict massive damage. Hacker groups, the study determined, are psychologically and organizationally ill suited to cyberterrorism, and any massive disruption of the information infrastructure would run counter to their self-interest. A year later, in October 2000, the NPS group issued a second report, this one examining the decision-making process by which substate groups engaged in armed resistance develop new operational methods, including cyberterrorism. Denning claims this report also shows that although substate groups may find cyberterror attractive as a nonlethal weapon, terrorists have not yet integrated information technology into their strategy and tactics and that significant barriers between hackers and terrorists may prevent their integration into one group.
Another illustration of the limited likelihood of terrorists launching a highly damaging cyberattack comes from a simulation sponsored by the U.S. Naval War College. The college contracted with a research group to simulate a massive cyberattack on the nation’s information infrastructure. Government hackers and security analysts gathered in July 2002, in Newport, R.I., for a war game dubbed “Digital Pearl Harbor.” The results were far from devastating: the hackers failed to crash the Internet, although they did cause serious sporadic damage. According to a CNet.com report on the exercise published in August 2002, officials concluded that terrorists hoping to stage such an attack “would require a syndicate with significant resources, including $200 million, country-level intelligence and five years of preparation time.”50 In May 2004 cyberterrorism expert Andy Cutts of Dartmouth’s Institute for Security Technology Studies reported on Operation Livewire, a recent nationwide cyberterror simulation that tested America’s preparedness in the event of a major cyberattack.51 Cutts spoke specifically about the possibility of a sustained, campaign-level attack on U.S. computing networks, such as banking, law enforcement, energy and emergency response networks, by an unknown adversary. Because of the anonymous nature of cyberterrorism, he said, such an attack could come from virtually any source, including an enemy state or a small terrorist group. “There have been examples of cyber attacks that have gone on for years, and the National Security Agency still does not know who is perpetrating them,” Cutts said. “There are hundreds of thousands of computers in this country that are compromised.”52 When asked if there was any idea of who was controlling these computers, Cutts said there was not. 
He added that through Operation Livewire, the federally funded ISTS learned valuable lessons about how various agencies and entities respond to such attacks and that this information would help ISTS and other groups to correct the nation’s vulnerabilities. The simulation involved an East Coast state and city, a West Coast state and city, as well as various corporations in the telecommunications, trading, banking, and energy sectors. Because participants were wary of sharing their networks and security vulnerabilities with an outside organization, Cutts said, allaying their security concerns was of the utmost importance. Cutts was optimistic about the improvements in America’s cyber security that can result from simulations such as Operation Livewire, although he acknowledged that the nation has a long way to go in preparing itself for cyberterrorism.

Concern over cyberterrorism is particularly acute in the United States; an entire industry has emerged to grapple with the threat—think tanks have launched new projects and issued white papers, experts have testified to its dangers before Congress, private companies have hastily deployed security consultants and software designed to protect public and private targets, and the media have trumpeted the threat with such front-page headlines as this one, in The Washington Post in June 2003: “Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say.” The federal government has requested $4.5 billion for infrastructure security; the FBI boasts more than 1,000 “cyber investigators”; President Bush and Vice President Cheney keep the issue before the public; and in response to 11 September, Bush created the office of cybersecurity in the White House.

Conclusion

As Denning concludes, “At least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than cyber terrorism.
However, just as the events of September 11 caught us by surprise, so could a major cyber assault. We cannot afford to shrug off the threat.”53 There is alarming evidence that modern terrorists consider seriously adding cyberterrorism to their arsenal. “While bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse,” remarked Frank Cilluffo, the Associate Vice President for Homeland Security at George Washington University in a statement that has been widely cited. Verton, for example, argues that “al Qaeda [has] shown itself to have an incessant appetite for modern technology,” and provides numerous citations from bin Laden and other Al Qaeda leaders to show their recognition of this new cyberweapon.54 In the wake of the 11 September attacks, bin Laden reportedly gave a statement to an editor of an Arab newspaper indicating that “hundreds of Muslim scientists were with him who would use their knowledge . . . ranging from computers to electronics against the infidels.”55 And indeed, in the caves in Afghanistan, American troops found plans for Al Qaeda to attack computer systems while some of Al Qaeda’s recruits were sent to train in high-tech systems. One of them was L’Houssaine Kherchtou, a 36-year-old Moroccan who joined Al Qaeda in 1991 and was sent to learn high-tech methods of surveillance from Abu Mohamed al-Ameriki (“the American”).56 He joined other trainees in using electronic databases to learn about potential targets such as bridges and major sports stadiums. After his basic training, Kherchtou joined Al Qaeda’s electronic workshop in Hyatabad in Peshawar, Pakistan, the center of Al Qaeda’s research and development for forging electronic documents, message encoding and decoding, encryption techniques, and methods of breaking encryption.57 Future terrorists may indeed see greater potential for cyberterrorism than do the terrorists of today. 
Furthermore, the next generation of terrorists is now growing up in a digital world, one in which hacking tools are sure to become more powerful, simpler to use, and easier to access. Cyberterrorism may also become more attractive as the real and virtual worlds become more closely coupled. For instance, a terrorist group might simultaneously explode a bomb at a train station and launch a cyberattack on the communications infrastructure, thus magnifying the impact of the event. Unless these systems are carefully secured, conducting an online operation that physically harms someone may be as easy tomorrow as penetrating a website is today.

Paradoxically, success in “the war on terror” is likely to make terrorists turn increasingly to unconventional weapons such as cyberterrorism. The challenge is to assess what needs to be done to address this ambiguous but potential threat of cyberterrorism—but do so without inflating its real significance and manipulating the fear it inspires.

In conclusion, the bulk of the evidence to date shows that terrorist groups are making widespread use of the Internet, but so far they have not resorted to cyberterrorism. The threat of cyberterrorism may be exaggerated and manipulated, but it can be neither denied nor ignored: Verton, in Black Ice: The Invisible Threat of Cyber-Terror, warns that “the terrorist organizations are moving toward cyberterrorism,” and, “I urge you to think differently about the future before the disaster occurs.”58

Notes

1. National Research Council. Computers at Risk (Washington, DC: National Academy Press, 1991).
2. D. Thomas. “Cyber Terrorism and Critical Infrastructure Protection.” Statement to the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, 24 July 2002.
3. J. Lewis. “Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats.” Report submitted to the Center for Strategic and International Studies (CSIS), Washington, DC, 2002, p. 1.
4. J. Green. 2002. “The Myth of Cyberterrorism.” Washington Monthly, November, also available at (www.washingtonmonthly.com/features/2001/0211/green/html).
5. For example, the downing of a U.S. spy plane in Chinese airspace (April 2001) resulted in an increase in attacks from both Chinese and U.S. hackers (mostly web site defacements). Another example occurred in 1997 when a group aligned with the Liberation Tigers of Tamil Eelam (LTTE) reportedly swamped Sri Lankan embassies with 800 e-mails a day over a two-week period.
6. A. Embar-Seddon. “Cyberterrorism.” The American Behavioral Scientist 45 (2002), pp. 1033–1043.
7. R. White and S. Sclavos. “Targeting our Computers.” The Washington Post, 15 August 2003, p. A27.
8. D. Denning. “Is Cyber Terror Next?” New York: U.S. Social Science Research Council, available at (http://www.ssrc.org/sept11/essays/denning.htm.2001).
9. Green, “The Myth of Cyberterrorism.”
10. Cited by Green, ibid.
11. G. Weimann and C. Winn. The Theater of Terror (New York: Longman Publication, 1994), p. 20.
12. W. Mullins. A Sourcebook on Domestic and International Terrorism, 2nd edition (Springfield, Illinois: Charles Thomas Publisher, 1997), p. 9.
13. I. Smart. “The Power of Terror,” in Contemporary Terrorism: Selected Readings, edited by J. D. Elliot and L. K. Gibson (Gaithersburg, MD: IACP, 1978).
14. B. Hoffman. Inside Terrorism (New York: Columbia University Press, 1998).
15. M. Conway. “What is Cyberterrorism? The Story so Far.” Journal of Information Warfare, 2(2) (2003), pp. 33–42; M. Conway. “Reality Bytes: Cyberterrorism and Terrorist ‘Use’ of the Internet.” First Monday, 7(11) (2002), available at (http://www.firstmonday.org/issues/issue7_11/conway/index.html).
16. On the use of the Internet for “conventional” purposes by modern terrorists, see Y. Tzfati and G. Weimann. “WWW.Terrorism.com: Terror on the Internet.” Studies in Conflict and Terrorism 25(5) (2002), pp. 317–332; G. Weimann. “WWW.Terror.Net: How Modern Terrorism Uses the Internet.” Special Report, 116 (Washington DC: United States Institute of Peace, 2004).
17. Cited by Green, ibid.
18. Cited in P. Thibodeau. “US commission eyes cyberterrorism threat ahead,” Computerworld, 17 September 2001, available at (http://www.computerworld.com/securitytopics/security/story/0,10801,63965,00.html).
19. From NPR’s Bob Edwards talk with senators Jon Kyl and Dianne Feinstein, 18 March 2004.
20. Cited in R. Bendrath. “The American Cyber-Angst and the Real World.” In Robert Latham (Ed.): Bombs and Bandwidth: The Emerging Relationship between IT and Security (New York: The New Press, 2003), pp. 49–73.
21. Green, 2002.
22. A. Gonsalves. “Security Expected to Take a Larger Bite of IT Budgets.” TechWeb News, 8 June 2004, available at (http://www.crime-research.org/news/08.06.2004/414).
23. Green, 2002.
24. To illustrate the supposed ease with which our enemies could subvert a dam, The Washington Post’s June story on Al Qaeda cyberterrorism related an anecdote about a 12-year-old who hacked into the SCADA system at Arizona’s Theodore Roosevelt Dam in 1998, and was, the article intimated, within mere keystrokes of unleashing millions of gallons of water on helpless downstream communities. But a subsequent investigation by the tech-news site CNet.com revealed the tale to be largely apocryphal—the incident occurred in 1994, the hacker was 27, and, most importantly, investigators concluded that he could not have gained control of the dam and that no lives or property were ever at risk.
25. D. Ronfeldt and J. Arquilla. “Networks, Netwars, and the Fight for the Future.” First Monday 6(10) (2001); J. Arquilla and D. Ronfeldt. “The Advent of Netwar” (revisited) (2001). In Networks and Netwars, edited by J. Arquilla and D. Ronfeldt (Santa Monica: RAND Corporation), pp. 1–25.
26. D. Denning. 1999. Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy (Washington, DC: Nautilus, 1999), available at (http://www.nautilus.org/info-policy/workshop/papers/denning.html); D. Denning. 2000a. Testimony before the Special Oversight Panel on Terrorism, U.S. House of Representatives, Committee on Armed Services 23 May 2000a, available at (http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html); D. Denning. 2000b. “Cyberterrorism.” Global Dialogue (Autumn), (2000b), available at (http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc); Denning, op. cit.
27. Ibid.
28. C. Nicol. (not dated). “Internet Censorship Case Study: Euskal Herria Journal,” The APC European Internet Rights Project, available at (http://europe.rights.apc.org/cases/ehj.html).
29. B. Collin. 1997. “The Future of Cyberterrorism.” Crime and Justice International (March issue, 1997), pp. 15–18, available at (http://afgen.com/terrorism1.html).
30. See “Realizing the Potential of C4I: Fundamental Challenges,” a report prepared by the Committee to Review DOD C4I Plans and Programs, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, 1999. Available at (http://www.nap.edu/catalog/6457.html).
31. D. Verton. Black Ice: The Invisible Threat of Cyberterrorism (New York: McGraw-Hill Osborne Media, 2003a).
32. Reported at (http://www.computerworld.com/securitytopics/security/story/).
33. D. Denning. 2001. “Is Cyber Terror Next?,” op. cit.
34. Reported by B. Krebs. 2003. “Feds Building Internet Monitoring Center.” The Washington Post Online, January 31, at: http://www.washingtonpost.com/ac2/wp-dyn/A3409-2003Jan30.
35. Cited in Krebs, ibid.
36. Cited in The Washington Post, 3 September 2003.
37. A. Lake. Six Nightmares (New York: Little, Brown and Company, 2000).
38. K. Coleman. 2003. “Cyber Terrorism.” Directions Magazine, 10 October 2003, available at (http://www.directionsmag.com/article.php?article_id=432).
39. M. A. Vatis. “Cyber Attacks During the War on Terrorism: A Predictive Analysis,” 2001. Special Report, Institute for Security and Technology Studies, available at (http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm).
40. Thomas, op. cit.
41. Lewis, op. cit.
42. Cited in N. Shachtman. 2002. “Terrorists on the Net? Who cares?” Wired News, 20 December 2002, available at (http://www.wired.com/news/infostructure/0,1377,56935,00.html).
43. Op. cit.
44. See (http://2004.rsaconference.com/).
45. Cited in E. Montalbano. 2004. “Homeland Security Chair likens ‘Cyber Terrorists’ to Al Qaeda.” CRN News, available at (http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=48215).
46. Green, 2002.
47. Green, op. cit.
48. Ibid.
49. Denning, op. cit.
50. Cited in Green, op. cit.
51. T. Spellman. 2004. “Expert: U.S. At Risk of Cyberterrorism.” The Dartmouth Online, 19 April 2004, available at (http://www.thedartmouth.com/article.php?aid=2004041901010k/).
52. Cited in Spellman, ibid.
53. Ibid.
54. Verton, 2003a, op. cit., p. 93.
55. Hamid Mir, editor of Ausaf newspaper, cited in Verton 2003a, op. cit., p. 108.
56. Court transcript, U.S. vs. Osama bin Laden, 21 February 2002.
57. Ibid.
58. D. Verton. Cyberterrorism & security: New definitions for new realities, paper presented at the Cato Institute Book Forum, 12 November 2003b, Washington, DC.