Cyberterrorism: It might seem like a silly, dreamed-up concept right out of the pages of a novel, or at least a multimillion-dollar Bruce Willis vehicle (the hugely successful 2007 film Die Hard 4: Live Free or Die Hard revolves around computer hackers) — but the myth is based at least somewhat in truth.
Experts generally agree that, to be counted as full-blown acts of cyberterrorism, cyberspace attacks have to amount to more than just minor disturbances, even if those result in money losses. According to Georgetown University Professor Dorothy Denning’s testimony to the U.S. House of Representatives in 2000, “to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact.” In other words, spam links in your e-mail inbox don’t count.
A Brief History
Examples of internet sabotage in recent history include a number of widespread attacks that caused significant damage. In May 2007, after the removal of a World War II memorial in Estonia, infuriated hackers attacked a number of critical institutions (banks, ministries, parliament, news media organizations). Estonia, one of the most wired countries in Europe, traced the attacks back to the Russian Kremlin, though they later admitted they had no real substantial evidence. Estonia later called on the European Union to make cyber attacks a criminal offense. Eventually, a member of the Nashi pro-Kremlin youth group admitted to being the source of the attacks.
Another attack, referenced in the same testimony by Dr. Denning, involved NATO (the North Atlantic Treaty Organization): In 1999, NATO’s computers were hit with Denial of Service attacks (DDoS) and e-mail blasts by “hacktivists” protesting the bombings in what was then known as Yugoslavia. E-mails laced with viruses were sent from a number of Eastern European countries, and website spamming/hacking was also prevalent. Chinese “hacktivists” posted messages that said, “We won’t stop hacking until the war stops!”
And of course, most recently, an amorphous group of hacktivists — calling themselves only “Anonymous” — launched a flurry of Denial of Service attacks toward such corporations as Visa, Mastercard, Amazon.com, and Paypal.com, among others, in order to protest their withdrawal of financial and structural support for WikiLeaks, the controversial whistleblower website that leaked Afghanistan war logs and secret diplomatic cables to the public, in 2010. In one case, the attacks were so severe that Mastercard.com was knocked completely offline.
The fear of cyberterrorism has been propagated since at least the 1980s, but September 11, 2001, changed our perceptions for the worse. Since then, a number of security conferences, white papers, and FBI research reports on mass-level hacking have made their way to the general public. A lengthy 2002 Washington Post report entitled “Cyber Attacks by Al Qaeda Feared” details the discovery of Silicon Valley computer probing by visitors in Saudi Arabia, Pakistan, and Indonesia, which “suggested planning for a conventional attack,” maintaining that the real threat lies not in small disruptions of internet services, but “instead at the meeting points of computers and the physical structures they control.” In 2009, the Wall Street Journal reported that the FBI was investigating hackers with surreptitious links to Al-Qaeda. And NPR listed “cyberterrorism” as a top U.S. threat in 2010.
A Sector5 Conference in 2002 invented the following doomsday scenario: Cyberterrorists take temporary jobs as IT employees and work on the floor of the New York Stock Exchange. They then plug into open data ports and plug into their employee accounts, then release a worm that overtakes all the computers on the trading floor, has the capability of penetrating all operating systems, burrows security holes into e-mails and web servers, and eventually dismantles the entire internet. Other popular scenarios involve the large-scale raiding of bank accounts, the disabling/activation of nuclear warheads, and the widespread dissemination of viruses and malware — even to government-owned computers with sensitive data.
Still, claims that the fear of cyberterrorism has been overblown by the media and even by scientists themselves remain prevalent. The United States Institute of Peace’s 2004 report, “Cyberterrorism: How Real Is The Threat?” addressed these issues, arguing that despite fears, no recorded instances of cyberterrorism (in the Denning sense) have ever occurred. They do acknowledge that, “Because most critical infrastructure in Western societies is networked through computers, the potential threat from cyberterrorism is, to be sure, very alarming,” but despite isolated incidents of “hacktivist” and other cyber attacks, our institutions are quite resilient, and moreover, nuclear weapons systems and other Department of Defense systems are “air-gapped,” meaning that they are completely inaccessible from the internet or any open computer network.
What’s Being Done?
In 2009, Leonard Bailey, who headed the Obama administration’s Department of Justice (DOJ) Computer Crimes and Intellectual Property Division, was recently transferred to the new National Security Division (NSD) as the nation’s first “Cyber Czar.” In an address, Obama remarked that “America’s economic prosperity in the 21st century will depend on cybersecurity,” and that “we’re not as prepared as we should be, as a government or as a country.” Currently, a controversial bill that would grant the President the power to “kill” the internet during a national security crisis is floating around in Congress. And the government has already granted millions of dollars to universities and other think tanks in order to develop tools to combat cyberterrorism.
So, what is this trillion-dollar effort coming to? We really can’t be sure, just yet. For now, let’s just hope that the next blockbuster movie released about cyberterrorism is more of a historical drama than a futuristic one.