Morton Swimmer Trend Micro
Ever since the Al Qaeda attacks on the New York World Trade Center buildings in 2001, terrorism has had a level of prominence in people's consciousness that it hasn't seen in most of the West since the 1970s events of the RAF, PLO and SLA groups. Even previous actions of regional terrorist groups such as the Provisional IRA did not have the same impact worldwide as this single event. This and the rise of cybercrime and hacktivism have raised the spectre of cyberterrorism - effectively an online version of an act of terror that would target our information technology and control infrastructure. The logic is compelling: a single motivated cyberterrorist could bring down our financial or SCADA system far more economically than an armed attack could ever achieve. Furthermore, large multinational companies are beginning to act as sovereign meta-nations and are increasingly coming into the crosshairs of hacktivists and, by extension, cyberterrorists. But is this a reasonable conclusion to draw?
In 1993, the author carried out a study with the BBC on computer and network use of left- and right-wing extremist/militant groups and found that both shared a deep skepticism of IT in general, but at the same time embraced it as a mode of communication and information dissemination. While there were the occasional pot-shots at each other's BBS systems, the targets of the militant wings of these groups never included any such soft targets. Since then only a few attacks could be attributed to actual terrorists and even then with only little circumstantial evidence that it wasn't a hacktivist or cybercrime extortion attempt instead. In the meantime, however, the Internet has become much more important to society, so have terrorist and militant attitudes to technology changed as well?
To understand how likely a cyberterrorist attack is, we first need to understand terrorists, their motivations and their playbooks, and extrapolate this to IT. We need a definition of terrorism. Unfortunately, in decades of trying even the United Nations has not been able to agree on a definition of terrorism, although A.P. Schmid has come close to providing one that most can live with. The source of the problem is that intention plays an important part in defining a terrorist, and intention, as we know in computer security, is incredibly hard to define and measure. Since 2007, starting with a study group at John Jay College of Criminal Justice and later independently, I have been revisiting the subject with the intention of determining the risk of an actual cyberterrorist act. While so far cybercrime and hacktivism are alive and thriving, my findings indicate that cyberterrorism remains as unlikely as in 1993. However, this could be poised to change and so this paper will show my findings and what would have to change in society and the extremist landscape for cyberterrorism to become a reality or at least a complicit act to a more traditional act of terrorism.