Cyber. Terrorism. Cyber terrorism.
I’m at the cyber war. I’m at the terrorism. I’m at the combination cyber war and terrorism
Recently, Danny Moore asked a question about cyber terrorism. His post, and the discussion, is on Mastodon here:
https://infosec.exchange/@danny/109422030713833568
The question is: has anyone seen an actual successful attack that could unequivocally be called “cyber terrorism.”
In short: no.
Thank you for coming to my TED talk.
Ha, like I’ll skip an opportunity to discuss cyber and terrorism at length!
To begin with, we need to discuss “what is terrorism” and what cyber terrorism could or would look like. There are a number of cases that I think illuminate the blurred lines around what “cyber terrorism” will be. And of course, there are psychological issues that have an outsized impact on cyber — because terrorism is an inherently psychological form of warfare.
Terrorism is what you make of it
Terrorism is a vibe.
Terrorism is notoriously difficult to define. There is a lot of academic literature that creates a definition and then runs with it. The issue is, really, that terrorism is a subvariant of war. But “war” is a label reserved for normative interstate violence.
War is violence between two (or more) groups of people waged for a higher purpose. That is, it is violence for a political (or religious, or ideological, or whatever) purpose. Something other than the violence itself or, like, stealing or whatever.
It starts to get complicated when separating terrorism from war. Is it targeting civilians? Well, strategic bombing theory during World War II treated civilians as legitimate military targets. And the Provisional IRA killed more British soldiers than civilians.
Defining terrorism is tricky. For example, robbing banks is a popular tactic for terrorists. Does the IRA robbing a post office to fund IRA activities count as terrorism? Not really; it’s just fund-raising. But, hopefully, the complexities involved are apparent.
What about the state-aligned/connected angle?
I think any attempt to define terrorism based on some sort of state-aligned/connected angle is doomed to failure. Looking at the Global War on Terrorism, it seems simple to separate states and terrorist groups. But this is false. There are many examples where terrorist groups have some degree of state capture.
Further, there are groups that are so closely tied to a state that they’re practically a state organization. For example, Hezbollah confuses everything. So does Hamas. The Provisional IRA and Sinn Fein are another very very grey area. The National Liberation Front of Vietnam won the war and now rules the country. Mao used terrorism for a while.
It isn’t useful to fixate on the state as the defining feature of “terrorists.” Let’s just agree that “state organisations (probably) don’t count.”
Summary
So I think the main issue with trying to decide if cyberterrorism is a thing is that we’re talking about cyberwar by proxy. Using an even more obscure and less clearly defined ontological concept.
Most people will agree that fundamentally terrorism is warfare, usually waged by non-state actors, frequently using unconventional means, typically against non-military targets. But not always.
What is cyber terrorism?
Is terrorism using cyber even possible?
“Cyber attacks are not attacks” — Lukasz Olejnik
Right now, maybe. In the future, almost certainly. Has it happened yet? Not that I’m aware of.
On cyber terrorism: firstly, it won’t look anything like what the pundits think. They have an appalling track record of predicting what cyber will look like, why it is used, and what it can/can’t do. Secondly, transporting kinetic realm concepts directly into cyber doesn’t work.
Having a website isn’t the same as having a book, even though they both have text, pictures, and information. The internet isn’t (just) a new phone system. A word processor is more than just a typewriter with a delete key. Cyber is qualitatively different from the real world that it supposedly mimics. Reasoning about cyber by analogy is the path to failure.
Note: cyber terrorism as the pundits imagine could very well take place. A terrorist group could attack critical national infrastructure and cause loss of life. I believe there will be cyberterrorism that is uniquely enabled or enhanced by the cyber domain.
Case Studies
Cyber enhanced exploitation (?)
On November 23rd there were two bombs at Jerusalem bus stops. One of them was captured on a CCTV camera, and the video was released as a propaganda piece. The CCTV had been compromised before, almost a year ago. If the target was chosen with the intention of being captured on a known compromised CCTV so that it could be turned into a video, I believe that is hybrid cyber terrorism. A mix of cyber and kinetic to create a more powerful effect.
Many many caveats, of course. The biggest question is whether the bomb location and the CCTV compromise are related.
Shout out to Hamid Kashfi for bringing these tweets to my attention.
Warning Systems
There have also been attacks against the air raid siren system. That is more nebulous. It isn’t clear if that counts as terrorism, although the goal was to create terror (they triggered fake alerts.)
In May or June, there was a call by HakNet (or KillNet) to attack the air raid system in Odessa an hour before a missile strike on the city. This is less clear in terms of terrorism in general, but it shows the same idea of a non-state actor going after security infrastructure with cyber to make it easier to carry out more damaging physical attacks.
Critical Infrastructure
There was a failed attack against an Israeli water treatment facility. That might count, even though it was a failure. Failure doesn’t mean it wasn’t a terrorist attack; it just means it wasn’t a very successful terrorist attack. A failed terrorist attack still has some psychological impact, but cyber attacks have different success criteria. A failed cyberattack is a non-event.
Success is not the determinant for a terrorist attack, but it is for cyber attacks. This is an important consideration when evaluating whether a group will choose cyber attacks for terrorism.
Harassment (?)
There are a number of hack and leak attacks that are conducted by terrorist groups in the hope of causing distress and problems for people. This is not quite terrorism, but it also isn’t not-terrorism.
Terrorism, Cyber, and Psychology
Let’s look at a hypothetical: would these case study examples be terrorism if done by humans and not computers?
Is it actually terrorism?
Would any of these cases count as terrorism if done by a person acting for that group? Well, they were done by a person acting for that group using a computer, but we all know what we mean. Someone physically there.
Aside: I want to emphasise this point a bit. This is why I think cyber terrorism won’t look like what people have predicted. Because it will be something that cannot (easily) be done physically by a person.
For example, disrupting power supplies can be done with a bomb, or a squirrel.
Cyber terrorism will be terrorism plus cyber.
What you’re referring to as cyberterrorism, is in fact, cyber terrorism, or as I’ve recently taken to calling it, cyber plus terrorism. Cyberterrorism is not a strategy or technique unto itself, but rather another component of a fully functioning cyber warfare system made useful by cyber capabilities, psychological impact, and vital information domain components that comprise a full cyber terrorism system.
Just squint and it looks like terrorism
It is tempting to apply the Stewart principle: “I know it when I see it.” And some of these cases come very close to terrorism, particularly if they were done physically rather than digitally. For example, triggering air raid alert sirens to scare people.
If someone physically set off the air raid sirens, I have no doubt it would be considered a terrorist attack. At least a percentage of people, maybe not a majority, but at least a measurable number, would believe this was an attack by terrorists. The general public would probably be far more concerned than they have been.
Poisoning drinking water… or trying to, anyway. This type of attack is unquestionably a terrorist attack. If someone was physically at the plant with a wrench trying to turn valves and contaminate the water, no one would question that it was terrorism. Even if it were stopped before it could succeed, it would be (rightly) perceived as a terrorist attack.
Disabling air raid sirens before a kinetic attack. I think this would be understood as a move to increase the casualties from a terrorist attack and viewed as part of the attack. Consider someone disabling the fire alarm in a building before setting it on fire. If the objective of the person was to cause a mass casualty event for the purpose of sending a message, or pressuring the government and the public to make a political concession, then it would be terrorism. The disabling of the fire alarm would be a particularly heinous part of the attack.
Would any terrorist group use cyber?
This is the more important question. Does cyber have the right impact to promote a cause, or to satisfy the terrorists and/or their supporters? I think right now the answer is “maybe.” Generally speaking, people don’t put as much weight on cyber incidents as they do on physical ones in the real world.
I don’t know if this will change, but I suspect that it greatly depends on the impact of the terrorist attack on the civilians involved. Do they feel attacked? Currently, I think some people who have had their data leaked by state actors feel very attacked, but I don’t think almost anyone else agrees.
Parthian shots
Cyber terrorism will exist when it happens. It won’t look like a normal terrorist attack. It will be as recognisable as cyber war has been for the current Ukraine conflict.
We will experience terrorism executed through cyber. It won’t look like terrorism with kinetic violence. Will we know it when we see it?
I'm curious too, does Mr. Moore consider the Oldsmar FL event just a cyber attack?
Would Danny Moore consider coming on GlassHouse to discuss this and more about OCO?