All across the world, individuals, companies, governments, and even militaries have become increasingly reliant on the Internet for a diverse array of activities. Although this shift to Internet based activity has brought substantial benefits to consumers, companies, and governments, it has also created new vulnerabilities, which both state and non-state actors have sought to exploit.
In recent years, there has been an alarming increase in the number of cyber attacks upon government, corporate, and military systems—many by unknown actors. Responding to this emerging threat, governments across the world have launched a number of efforts to secure their nation's cyber space from both state and non-state actors.
There is, however, some contention about the magnitude and direction of these policies, as analysts disagree on both the degree of danger posed by cyber attacks and the most effective way to coordinate one's cyber security efforts. This disagreement is particularly acute when dealing with the threat posed by terrorist groups, as no consensus exists as to whether or not these groups pose a danger.
Attempting to clear up some of this confusion, this article examines the nature and severity of the threat posed by cyber terrorism and argues that cyber terrorism should be treated as a distinct and serious threat.
Are they a threat?
As things currently stand, there have been no publicly recorded instances of cyber terrorism. Instead, most cyber attacks are attributed to states—such as China, Russia and the United States—or criminal groups. As a result, the potential danger posed by terrorist groups is often overlooked, as it is argued that such groups either lack the capability or interest to launch such attacks. This is not, however, universally accepted. Indeed, there is considerable evidence to suggest that such groups may have both the incentive and resources to eventually acquire such a capability. If so, it may only be a matter of time until such groups become dangerous cyber actors.
As Gabriel Weimann has argued, cyber attacks have a number of features that would lend themselves to use by terrorist groups:
1. Cheap. Cyber attacks are relatively cheap. They can often be carried out using commercially available equipment and programs acquired from the shadier corners of the Internet. As such, the barriers to entry are relatively low, which is often an important consideration for groups with comparatively limited resources, such as terrorist organizations.
2. Anonymous. Cyber attacks can be conducted anonymously, as they can easily be routed across multiple jurisdictions. This makes them notoriously difficult to trace. Following up on such attacks often requires investigators to obtain warrants in multiple countries. Although 2001’s Convention on Cybercrime was designed to speed the process of obtaining such warrants, the treaty’s coverage is still rather thin. Only forty states have signed and ratified the treaty and the signatories are largely confined to the member states of the Council of Europe (with the notable exception of Russia) and a few smaller states. Outside of Europe, the only major treaty members are the United States, Australia, and Japan. Unfortunately, this coverage hardly provides the global scope necessary to quickly follow up on ongoing or recent attacks.
3. Target rich environment. The variety of targets is enormous. In the United States alone, there are over 80,000 dams, 60,000 chemical plants, 2,800 power plants, and 1,600 water treatment plants; many of these facilities have come to rely on the Internet, rather than proprietary networks, for control functions. The vast majority of such infrastructure is also owned and operated by the private companies, who often face incentives to cut corners on securing their networks. As such, there is a high likelihood that a determined attacker would be able to find systems vulnerable to infiltration.
4. Remotely conducted. Cyber attacks can be conducted from far beyond the borders of the countries in which one's targets lie, which means that terrorists do not need to risk arrest by domestic law enforcement agencies in order to launch their attacks. Conducting attacks remotely also nullifies many of the security advantages provided by state's investments into physical border security.
5. Widespread effects. Such attacks can potentially affect a large group of people. In 2000, the Lovebug virus affected 50 million systems in ten days and caused up to $15 billion in economic damage—and it was all launched by Filipino student working out of his dorm room in Manila.
Given these five advantages, it would be surprising if terrorist groups were not already developing, or at the very least interested in developing, the capacity to conduct operations in cyber space.
For many groups, adopting cyber attacks would also be a relatively natural evolution. Most terrorists already rely upon the Internet for communication, recruitment, and propaganda purposes. Using the internet to actually carry out attacks would only take things one step further. The recent rash of state-launched cyber attacks—including the United States’ attacks on Iranian centrifuges and Chinese incursions against American companies—will only further encourage such adoption.
Indeed, a number of prominent policy makers have already suggested that some groups are interested in doing so. As President Obama warned in his 2009 address on cyber security, “Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on [the United States]." James Clapper, the U.S. Director of National Intelligence, also issued a similar warning in the American intelligence community’s latest worldwide threat assessment in which he highlighted cyber attacks—including those by non-state actors—as one of the most critical threats facing the United States and the international community.
Weapons of mass inconvenience?
If the characteristics of cyber attacks suggest that we should be worried about their adoption by terrorist groups, it becomes important to analyze whether or not such weapons could cause significant damage or whether they are merely a “weapon of mass inconvenience,” as Douglas Birch has suggested. Such an analysis will be an important in determining the appropriate level of government attention to devote to the issue.
As things currently stand, there is considerable evidence to suggest that a well-executed cyber attack could cause significant damage, as an increasing portion of the world's critical infrastructure has come to rely on the Internet in order to operate.
Of particular concern is the increasing number of industrial Supervisory Control and Data Acquisition (SCADA) systems controlled via the Internet rather than through proprietary networks. These systems are frequently cited as potential targets for terrorists, because they control complex industrial infrastructure, such as power grids, dams, and chemical plants. If a terrorist group were able to breach the security of one of these systems, they could potentially cause a plant to explore, unleash millions of cubic feet of water upon an unsuspecting communities, or leave a large swathe of the continent in the dark. This type of attack would have devastating consequences.
Deadly or just inconvenient?
There are, however, a number of analysts who cast doubt on the actual impact of cyber attacks. Douglas Birch, for example, notes that power outages are a fairly common occurrence, which provides a good baseline to estimate the potential damage that could be caused by an attack against a nation's power grid. The effects of blackouts, he observes, are rarely catastrophic, even when the power goes out for several days, as most critical systems, such as emergency services and hospitals, have backup generators. This, in turn, leads him to conclude that cyber attacks are more likely to be a ‘weapon of mass inconvenience’ than a significant threat.
While Birch and others like him, such as James Lewis, have a legitimate point about the first order impact of a potential cyber attack, they fail to consider the secondary impact of terrorist attacks: the widespread fear and panic that they can cause. In addition to its initial impact, there is a substantial risk that a major incident of cyber terrorism would prompt a backlash against Internet based activity. This would have significant ramifications for western economies, as a large per cent of economic activity has come to rely upon Internet for a wide variety of functions.
High-tech terrorists
It might also be questioned whether or not terrorist groups have the technological capabilities to pull off such an attack. Rose Tsang of the Goldman School of Public Policy estimates that it would take a team of highly trained hackers six months to design a program to penetrate and control an industrial control system. If correct, this means that the barriers to employing an attack might be higher than some analysts have suggested.
This relatively high barrier to entry does not mean, however, that the possibility of cyber terrorism should be dismissed. Although terrorist groups are often imagined as drawing their members from the poor and disaffected masses, evidence from the social sciences suggests that terrorist groups often recruit members with significant levels formal education. Most of the suicide bombers involved in the events of 9/11, for example, had either university degrees or at least some form of post-secondary education. Engineers, in particular, seem to be over represented in Islamic terrorist groups. Indeed, both Khalid Sheikh Mohammed and Mohamed Atta, the planners responsible for the events of 9/11, had backgrounds in engineering. This trend suggests that terrorist groups might be far more capable of assembling a cabal of sophisticated hackers than public perception would anticipate.
State versus non-state attacks
There are also those who dismiss the threat posed by potential cyber terrorists by arguing that we should be primarily worried about the cyber attacks that are already being committed by states. While states certainly have more organizational capacity and resources than terrorist groups, the threat posed by cyber terrorism is unique and should not be neglected.
States, unlike terrorist groups, have a limited incentive to cause major destruction, as they are often reliant upon the systems that a major attack would disrupt. Most states continue to depend on the west’s economic viability for their own economic fortunes, which discourages major attacks. China, for example, is highly dependant on the world financial system for its continued well being. It has, as a result, only a limited incentive to cause major disruption to to it. This means that states are far more likely to limit their online exploits to activities such as industrial espionage. Terrorist groups, by contrast, are not particularly reliant upon the Internet. As such, they are far less constrained than states. This, as Joseph Nye suggests, means that a “a cyber 9/11 may be more likely than the often mentioned cyber Pearl Harbor.”
Unique Threats Require Unique Policy Prescriptions
When taken together, the factors outlined above suggest that there is a need to craft specific cyber policies to address the unique and dangerous threat posed by cyber terrorism. The nature of the threat means that policies designed to deal with traditional cyber threats, such as state based attacks and cyber criminals, will not properly address the dangers of cyber terrorism. If nations should fail to take the unique nature of the full spectrum of cyber threat into consideration, they will leave themselves vulnerable to a potentially catastrophic attack.
No comments:
Post a Comment