June 29, 2022

Volume XII, Number 180


June 29, 2022

Subscribe to Latest Legal News and Analysis

June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis

Understanding Cyberterrorism

Without a doubt, cyberterrorism poses a real threat to governments, organizations and individuals around the globe. In today’s high-tech world, all types of computer networks are logical targets for all sorts of adversaries. In fact, according to a figure from U.S. officials, an astounding 60,000 new malicious computer programs are identified every day.

But how does one exactly define cyberterrorism? In a 2000 testimony before the Armed Services Committee of the U.S. Representatives, Dorothy Denning of Georgetown University coined a still-popular definition of cyberterrorism: “the convergence of terrorism and cyberspace…generally understood to mean unlawful attack and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.”

While that may be a mouthful, it does seem to sum it up. Depending on who you ask, however, cyberterrorism can have a somewhat surprising variety of meanings. Why this ambiguity? Well, since cyberterrorism is a relatively new term and is a product of the technological age in which we currently live, its definition is naturally still evolving. And as the technology surrounding cyberterrorism itself changes, the definition of the term will continue to change as well.

“It’s hard to define something that’s so intangible, so shifty, so below the radar of an otherwise law-abiding society,” said Carmi Levy, an independent technology analyst and journalist. “It’s also hard to define something most of us would rather shunt out of sight. This is typical behavior, and nothing we haven’t seen with earlier forms of anomalous technology-related threats, such as viruses and malware.”

The other hurdle he sees is our collective unfamiliarity with the threat. “It’s hard to define something until the majority of society agrees it’s a problem and has seen enough of it to merit actual recognition,” said Levy. “Unfortunately, we’re not there yet. Until it touches more of us in a more direct manner, expect it to remain difficult to pin down.”

Perhaps the thorniest issue is that the term’s root word is something society still struggles to define. “The simpler term ‘terrorism’ itself can have a variety of definitions, and ‘cyber’ just adds layers of complexity and misunderstanding to the issue,” said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, a Moscow-based computer security company.

As the terms “terrorist” and “freedom fighter” have been debated in the past, when it comes to cyberattacks, there can be a fine line between activism and terrorism. And which side of that line an event falls on often varies depending on your perspective. In today’s digital world, some see the progression from activist to “hacktivist” as a natural one.

“It’s pretty easy to imagine past activist heroes might well have engaged in some type of hacktivism depending if they’d had access to the technology,” said John Kindervag, a security expert and principal analyst at Forrester, a research company in Cambridge, Massachusetts.

Kindervag also wonders if defacing a website or bringing down an ecommerce portal, like the 2011 disruption of Sony’s PlayStation Network, an online video game platform, is actually terrifying or merely inconvenient. “For me, the issue is if individual lives are in jeopardy at the moment of the action,” said Kindervag. “Disrupting the air-traffic control system to make planes crash would definitely be cyberterrorism. The Sony PlayStation Network attack would not be.”

What Kind of Damage Can Cyberterrorism Do?

Since cyberterrorism is such a new brand of crime, we as a society do tend to be somewhat complacent when it comes to cybersecurity. However, in the near future, we can only expect to hear more about both cyberterrorism threats and actual incidents.

“The threat will only grow with the passage of time,” said Levy. “And it’s up to everyone to begin treating it as it deserves to be treated: with respect.”

Currently, the most frightening potential attacks are those that come from all angles. Baumgartner envisions a scenario in which cyberterrorists simultaneously disrupt communications systems, infrastructure controls and financial markets. Such a wide-net strike would be difficult to pull off, but the resources may exist—for the right price.

“It somewhat depends on the attackers’ goals and capabilities,” he said, “but capabilities are for sale.”

In terms of actually inciting terror, most rightfully fear bombings and explosions more than anything else. But the damage caused by cyberterrorism attacks can induce a different brand of fear since they are orchestrated by a faceless evildoer.

“Tangibly, we can all relate: a power plant could be taken offline, a company’s finances could be wrecked and a region’s ability to communicate wiped out,” said Levy. “Intangibly, the psychological impact could be even greater and longer-lasting, as cyberterrorism strikes at the very heart of what makes us feel safe in a supposedly safe society.”

This can lead to a feeling of helplessness. “It allows enemies to easily bypass the traditional barriers of military and geography, and it allows them to get at the soft underbelly of day-to-day society,” said Levy. “Fear of these types of attacks, in many respects, is just as debilitating as the overt effects might be.”

While definitive, public accounts of large-scale acts of cyberterrorism can be difficult to come by, there have been some comparatively smaller-scale examples of cyberattacks in the recent past. The hacker group Anonymous, for example, has launched multiple attacks against authorities. Founded in 2003, this group of loosely associated hackers is extremely opposed to any type of internet surveillance and censorship.

“These attacks illustrate the broadly disruptive impact of a distributed, focused campaign to take down resources controlled by forces they deem the enemy,” said Levy. “Chicago’s police department, for example, was taken down earlier this year, and law enforcement agencies in Ontario had usernames and passwords published by hackers claiming to be affiliated with Anonymous.”

While groups with agendas similar to Anonymous will likely continue to carry out attacks regardless of the day’s political climate, social factors have driven other hacktivists to action. “The Occupy movement as well as the Arab Spring spawned an upsurge in this type of activity,” said Levy.

With respect to governmental organizations, Stuxnet, a malicious computer “worm” designed to interfere with the nuclear program in Iran, was accidentally discovered in 2010 when the virus left the digital perimeter of Iran’s Natanz plant and reached the wider internet. According to the New York Times, this malicious code was developed by both the United States and Israel. Since then, two new versions of this worm have been discovered.

In May 2012, another piece of malware, a virus called Flame, was uncovered. This virus infiltrated the computers of high-ranking officials in Iran with the goal of collecting information. Flame appeared to be approximately five years old when it is was found, and the Washington Post has reported that it was designed by the United States; publicly, U.S. officials have not stated that they were responsible for creating this particular virus.

During April and May of 2007, Estonia was the victim of violence, riots and cyberattacks after officials moved a memorial commemorating the Soviet liberation of Estonia from the Nazis during World War II. Hackers shut down government ministry websites, two important banking websites and political party websites. They even disabled the email server for the Estonian parliament. Officials in Estonia accused the Russian government of orchestrating the denial-of-service attacks, but NATO and the European Commission were unable to find concrete evidence to prove these allegations.

In 2011, researchers from various high-tech companies uncovered a Trojan horse called Sykipot. This cyberweapon attempted to obtain documents from high-ranking executives, mainly those in the defense field at companies that developed unmanned drone planes. Officials believe that these attacks are coming from an established group located in China.

While we all like to hope that our government infrastructure is infallible, such attacks show that 100% protection is likely impossible. “Every system has areas of vulnerability, and there is no such thing as an inviolable or impenetrable solution,” said Levy. “Like conventional crime, military and quasi-military threats, it’s foolish to think we’ll ever be 100% safe. The world has simply never worked that way, and it isn’t about to start now.”

How Do We Stop Cyberterrorists?

While no amount of improvement will ever ensure society is cyberattack-free, experts say that governments and organizations should be proactive when it comes to investing in preventative measures. As technology continues to move forward at an alarming rate, so too must the laws regarding cyberactivities. Because currently, neither civilian nor government officials are truly able to combat this new and ever-changing threat. “Traditional law enforcement tools and processes need to be updated or replaced entirely,” said Levy.

Baumgartner feels similarly. “It is important to get past the short-term political gimmicks and silliness that we have seen and get down to business,” he said. “Addressing the problem effectively is a complex and difficult task, and overburdening defenders with ineffective tasks that waste time instead of necessary solutions is a difficult balance.”

To reach the proper balance, Levy recommends that law enforcement officials and business leaders strive for improved task forces, specialized training, and a re-prioritization of resources toward this class of crime. This, he believes, will greatly reduce the risk of attack and lower the severity and impact if an attack does occur.

“They can raise the vulnerability bar sufficiently high to discourage the lesser-skilled and motivated attackers, and make life sufficiently difficult on the true pros,” said Levy.

Unfortunately, in his view, those who built the last-generation standards of policing the digital world may not be up to the task without extensive and expensive retraining. And even then, they may not be able to adapt their capabilities to this new reality.

“The existing culture within law enforcement may be inadequate,” said Levy. “No one project or initiative will be enough to adapt. Nothing short of a wholesale rebuild of government and law enforcement best practices will do.”

Risk Management Magazine and Risk Management Monitor. Copyright 2022 Risk and Insurance Management Society, Inc. All rights reserved.National Law Review, Volume II, Number 307

About this Author

Risk Management Magazine is the premier source of analysis, insight and news for corporate risk managers. RM strives to explore existing and emerging techniques and concepts that address the needs of those who are tasked with protecting the physical, financial, human and intellectual assets of their companies. As the business world and the world at large change with increasing speed, RM keeps its readers informed about new challenges and solutions.

Risk Management Magazine is delivered monthly to 17,000 readers. It is published by the Risk and Insurance Management Society, Inc. (...