Explaining cyberterrorism

July 21, 2014 by Ivan Dimov

Introduction

People feel endangered by cyberterrorists, and the topic has raised alarm in many societies. Many IT experts and political figures have elaborated on the possibility of cyberterrorists infiltrating governmental agencies or private corporations, or damaging the technological side of the military, the service sector or the financial sector of the globalized international space.

Nonetheless, not a single act of cyberterrorism has been recorded in our history. We have to ask: how realistic is this threat in our 21st century world? The panic that the topic of 'cyberterrorism' causes is due to the dread of random and forceful victimization, which leads to suspicion and deep fear of information technology. In this paper, we will discuss what cyberterrorism is, what terrorism is, how the two concepts relate to one another, how countries can react to the attacks of terrorist organizations under international law and what is necessary for them to react legally, and how to tell whether a cyberterrorist attack has taken place. We will also discuss some laws on cyberterrorism and present some hypothetical cases.

Definitions of cyberterrorism

The U.S. Federal Bureau of Investigation defines cyberterrorism as any "premeditated, politically motivated attack against computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine [hidden, illegal] agents."

Firstly, we have to say what "data" is. Data is not the same as information in this context. Information is what we would have if we wrote "Americans speak English" on a piece of paper. Data here refers to the string "Americans speak English" stored on a machine, or to some machine representation of it.

Next, we must pinpoint that the attack has to target a computer, regardless of whether there are real people behind that machine or whether those computers help a real facility to function. What we are saying is that if a known terrorist organization robs a bank by pointing a gun at the staff, this would almost certainly not be considered a cyberterrorist attack, even if the staff use a computer to withdraw the funds handed to the robbers. This is an attack against real people; it is an armed robbery, not an act of cyberterrorism.

Similarly, if you use the Internet to download a bomb manual or buy the parts online and then plant a bomb on a crowded street, this is also not an act of cyberterrorism: the computer is neither the means by which the attack is launched nor the target of the attack, despite the fact that the Internet and a computer helped you to carry it out.

Also, under the FBI definition, the attack has to be premeditated and politically motivated. To illustrate, if a bug in the server of a governmental website gives a random user administrative access to the server's database and resources, and he responds by opening and downloading some confidential data, he would most likely not be considered a cyberterrorist: his "attack" is not politically motivated, and intent and premeditation can hardly be proven, since he was, in a sense, given free access.

Furthermore, the U.S. Commission on Critical Infrastructure Protection enumerated some sectors an attack on which would be regarded as cyberterrorism: these include the 'banking industry, military installations, power plants, air traffic control centers, and water systems'.

Those are all crucial infrastructures for every government and every civilian population, and tampering with them could cause panic, fear, violence and severe financial repercussions. Thus, a DoS attack against a non-essential service like Amazon or eBay would generally not be considered cyberterrorism, since it does not involve infrastructure whose disruption would have severe economic consequences and spread panic among the public to the same extent. That said, the answer depends on the jurisdiction and on the scale of the attack.

Most importantly, it has to be mentioned that each country has its own laws defining cyberterrorism, and each country defines it differently, so a cyber attack that is not considered a cyberterrorist act in one country could easily be interpreted as such in another.

To continue with our definitions, it must be noted that the definition of cyberterrorism is subject to many wrong interpretations. It is made up of the very familiar "cyber" and the not so familiar "terrorism". The problem comes with the second part of the word, "terrorism". "Cyber" is understood by almost all segments of the population to mean anything connected with information technology and the Internet, while "terrorism" is hard to define, and each country defines it differently. There are disputes even within the U.S. government over the "correct" definition of terrorism. When discussing terrorism, we take the maxim "One man's terrorist is another man's freedom fighter" as a crucial thought to keep in mind. For Iran, the Stuxnet worm was a cyberterrorist act against its PLCs. Thus, the alleged perpetrators, Israel and the USA, can be seen as cyberterrorists from Iran's perspective, but this is not the perspective in Europe or in the USA.

William Church, a former U.S. Army intelligence officer, stated that "none of the groups that are conventionally defined as terrorist groups have used information weapons against the infrastructure".

All these reflections lead us to a simple conclusion: cyberterrorism is the use of information technology, in all its forms, to target critical infrastructure, where the action is carried out by a terrorist group or agent.

Hence, we have the following four requirements: 1) use of electronic equipment to carry out the attack, 2) targeting of critical infrastructure such as banking, water, energy or the military, 3) attacking electronic equipment as opposed to physical objects and resources, and lastly, 4) the attack must be carried out by a group or agent proclaimed to be "terrorist".

All four requirements must be met for an attack to be considered "cyberterrorism", which, by this standard, is why none has occurred so far. These requirements let us easily distinguish cyberterrorism from cybercrime or hacktivism, because for the latter the 2nd and 4th requirements need not be met.

How can countries react to the attacks of terrorist groups and agents?

There are 47 countries and 820 million people who are party to the Convention on Cybercrime, signed in 2001 under the auspices of the Council of Europe, an international organization. This Convention does not tackle cyberterrorism as such, but it addresses conduct that a cyberterrorist attack would involve in every case. Article 2, which prohibits illegal access; Article 4, which forbids data interference; Article 5, which disallows system interference; and Article 6, which prohibits the misuse of devices, are crucial in a possible cyberterrorist attack, since any such attack would necessarily involve one or more of those illegal actions. Under these Articles of the Convention, states confirm that they have made or shall make those actions criminal offences, and Article 13 on sanctions and measures provides that the above offences shall be punishable by penalties which include deprivation of liberty.

Thus, in Europe cyber attacks are punishable by "effective, proportionate and dissuasive sanctions", although there is no single penalty for cyberterrorism itself across Europe or across the other continents.

The UN General Assembly stipulates that "each country will determine its own critical infrastructures" and defines critical infrastructure to include energy, air and maritime transport, banking and financial services, e-commerce, water supply, food distribution and public health. We have to note that the UN General Assembly cannot enact binding legislation on the member states of the United Nations; this is therefore a mere recommendation.

If it were implemented, though, an attack against eBay or Amazon could be considered cyberterrorism. This means that the recent attack on eBay, which compromised the usernames, passwords, email addresses, physical addresses, phone numbers and dates of birth of around 145 million of its users, could be proclaimed a cyberterrorist attack. Reality shows that this is not the case, as no such reaction occurred. It is true that the attackers of eBay did not get at the users' financial information, but sensitive personal information was exposed, which could easily spread panic and havoc in society. However, the 4th requirement discussed above is probably not met, as there is no evidence that a terrorist group or agent carried out the attack on eBay. This may be why the attack has not been proclaimed as such, but it probably is not the reason. 145 million people victimized is around 2.07% of the world's population, definitely not a negligible number.

The European Union defines critical infrastructure as those assets and systems whose destruction or disruption would have grave repercussions on the health, safety, security and/or economic well-being of its citizens or on the functioning of the government of a member state.

Defending against cyberterrorism

The difficulty in defending against possible cyberterrorist acts is that around 85% of the infrastructure that can be considered crucial for the USA is in private hands. It follows that those networks are not maintained and secured centrally, which makes the critical infrastructure of countries hard to secure, to test for vulnerabilities and to coordinate at a central level. The 12th initiative of the U.S. Comprehensive National Cybersecurity Initiative is oriented toward defining the federal role for extending cybersecurity into domains that are considered 'critical infrastructure'. This would involve better coordination between state entities and private entities in the common goal of eradicating cybercrime, and may solve many of the issues at hand.

People already see cyberterrorism as a plausible threat to national and international security: a survey conducted by the Cyberterrorism Project found that 69% of respondents thought that states can carry out a cyberterrorist act, citing the attacks on Iran, Estonia and Georgia as examples, and a staggering 58% believed cyberterrorism to be a major threat to the international community. Also, 49% were of the opinion that a cyberterrorist attack has already occurred somewhere in the world (perhaps they were thinking of Stuxnet when responding).

Hence, further coordination is needed at the European level on the issue of cyberterrorism, to prevent possible public panic provoked by threats made by terrorist groups and agents, as well as further coordination between the public and private sectors. There is a need for standardization of defense mechanisms. This involves uniform requirements on the minimum level of protection ensured by firewalls, proxy servers and routers, network controls, software controls and data encryption.

What is 'terrorism' without the 'cyber' part?

The United Kingdom defines terrorism in its Terrorism Act (2000) as the use or threat of action where the aim is to influence the government, or to intimidate the public or a section of the public, and the use or threat is made for the purpose of advancing a political, religious or ideological cause. What the UK Act adds to make it cyberterrorism is that the action has to be designed seriously to interfere with or seriously to disrupt an electronic system. Hence, at this point we can add a fifth requirement to our four: the attack has to be aimed at advancing some particular malevolent objective of the given group, which can be based on political, religious or ideological grounds. All five requirements are listed below.

1) Use of electronic equipment to carry out the attack,
2) targeting of critical infrastructure such as banking, water, energy or the military,
3) attacking electronic equipment as opposed to physical objects and resources,
4) the attack must be carried out by a group or agent proclaimed to be 'terrorist', and lastly
5) the attack has to be aimed at advancing some particular malevolent objective of the given group, which can be based on political, religious or ideological grounds.

The USA defines terrorism as acts that are violent or that endanger human life and violate federal or state law, and which appear intended to intimidate or coerce a civilian population, to influence the policy of a government by intimidation or coercion, or to affect the conduct of a government by mass destruction, assassination or kidnapping (U.S. Code Chapter 113B, 18 U.S.C. § 2331).

Hence, we can see that the two countries' definitions of terrorism resemble each other, but we can also easily conclude that the definitions are far too broad, leaving much room for political decisions on a case-by-case basis, and that they do not address concrete cases.

Case-by-case evaluation

Here we will evaluate some hypothetical scenarios on the basis of the criteria we have created, to shed light on our hypothesis.

1. An Al-Qaeda agent takes control of the London Stock Exchange

The 4th criterion is met, as Al-Qaeda is a terrorist group; the 3rd is met, as the London Stock Exchange is computerized; the 5th is met, as Al-Qaeda's objectives rest on all three grounds; the 2nd is met, as the targeted infrastructure is critical to the country at stake; and the 1st is probably met, unless the attack involved some kind of physical intrusion, which is unlikely.

2. A 14 year old boy infiltrates and takes down the Treasury website

There would need to be evidence that he is a member of a terrorist group and has some political, ideological or religious objective to advance; otherwise only requirements 1, 2 and 3 are met. If the 4th and 5th requirements are not met, he would probably be guilty of cybercrime.

Conclusion

We can conclude from the discussion above that there is a strong need for further convergence between sovereign states on the issue of cyberterrorism and on the concept of terrorism itself, in terms of prevention, protection and reaction to such events. Also, the five requirements that we assembled from individual definitions can be further elaborated and discussed. We do not know what the future holds, and we cannot predict with certainty whether the threat of cyberterrorism is real, imminent, or merely a product of public panic.

References:

1. Wikipedia, 'Stuxnet'. Available at: http://en.wikipedia.org/wiki/Stuxnet. Accessed 19/5/2014.

2. Wikipedia (Bulgarian), 'Стъкснет' [Stuxnet]. Available at: http://bg.wikipedia.org/wiki/%D0%A1%D1%82%D1%8A%D0%BA%D1%81%D0%BD%D0%B5%D1%82. Accessed 19/5/2014.

3. Mark Ciampa, 'Security Awareness: Applying Practical Security in Your World'. Available at: http://books.google.bg/books?id=kdsWAAAAQBAJ&pg=PA18&lpg=PA18#v=onepage&q&f=false. Accessed 20/5/2014.

4. Serge Krasavin, Ph.D., MBA, 'What is Cyber-terrorism'. Available at: http://www.crime-research.org/library/Cyber-terrorism.htm. Accessed 20/5/2014.

5. Gabriel Weimann, 'Cyberterrorism How Real Is the Threat'. Available at: http://www.usip.org/sites/default/files/sr119.pdf. Accessed 20/5/2014.

6. CoE, 'Convention on Cybercrime'. Available at: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm. Accessed 21/5/2014.

7. The US White House, 'The Comprehensive National Cybersecurity Initiative'. Available at: http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf. Accessed 21/5/2014.

8. Jim Finkle, Soham Chatterjee and Lehar Maan, 'EBay asks 145 million users to change passwords after cyber attack'. Available at: http://www.reuters.com/article/2014/05/21/us-ebay-password-idUSBREA4K0B420140521. Accessed 21/5/2014.

9. Samantha Murphy Kelly, 'eBay Urging Millions of Users to Change Passwords After Cyberattack'. Available at: http://mashable.com/2014/05/21/ebay-cyberattack/. Accessed 21/5/2014.

10. Search Security, 'cyberterrorism' . Available at: http://searchsecurity.techtarget.com/definition/cyberterrorism. Accessed 19/5/2014.

11. Dimitar Kostadinov, 'Jus in Cyber Bello: How the Law of Armed Conflict Regulates Cyber Attacks Part I'. Available at: https://resources.infosecinstitute.com/jus-cyber-bello-law-armed-conflict-regulates-cyber-attacks-part/. Accessed 22/5/2014.

12. FBI, 'Definitions of Terrorism in the U.S. Code'. Available at: http://www.fbi.gov/about-us/investigate/terrorism/terrorism-definition. Accessed 22/5/2014.

13. Dimitar Kostadinov, 'Fitting cyber attacks to jus ad bellum – Target-based approach'. Available at: https://resources.infosecinstitute.com/fitting-cyber-attacks-to-jus-ad-bellum-target-based-approach/. Accessed 22/5/2014.


14. The Cyberterrorism Project, 'What is Cyberterrorism'. Available at: http://www.cyberterrorism-project.org/what-is-cyberterrorism/. Accessed 22/5/2014.

Ivan Dimov

Ivan is a student of IT and Information Security. He is currently working toward a Master's degree in the field of Informatics in Sweden. He is also a freelance web developer engaged in both front-end and back-end coding, and a tech writer. Whenever he is not in front of an Internet-enabled device, he is probably reading a print book or traveling.