Wednesday, November 01, 2006

Cyberterrorism: FUD or . . . ?

Last week I was in Europe speaking at a workshop on cyberterrorism. When I started to prepare my presentation, I decided to focus on the whole issue of cyberterrorism – on whether it exists as a valid source of concern or is, as some say, merely FUD.

FUD stands for “fear, uncertainty and doubt” and refers to what some consider hype spread by computer security professionals who use the “myth” of cyberterrorism to generate business. Those who take this view tend to deny that cyberterrorism exists as a distinct threat category.

So I thought about that, about why there might be a divergence of views on this issue and about why some seem to deny the very possibility of cyberterrorism. I could not – can’t – understand the latter position because it seems to me computer technology is a tool, and I can’t understand why any tool can’t be used in some fashion to facilitate an act of terrorism. Cars can be turned into IEDs, and in 1994 Ramzi Yousef used Casio digital watches to assemble a bomb he planted, and detonated, on Philippine Airlines Flight 434. If cars, watches and other mundane devices can become tools of terrorism, why can’t computers?

As I thought about it, I decided that the divergence of views may be due to imprecise definitions – to the fact that one person’s conception of cyberterrorism may be very different from another person’s conception of the same phenomenon. It seemed, and seems, to me that maybe we need some definitional clarity here. Maybe we need to reflect on how cyberterrorism should be defined.

It seems to me that the definition of cyberterrorism needs to have two components: (i) semantic; and (ii) operational. The first goes to the legal concept – to the “harm” this hypothesized type of conduct inflicts. The second goes to the processes used to inflict that hypothesized “harm.”

I’m going to try to keep this relatively short (out of self-interest, if nothing else, as I am still jet-lagged), so let me briefly run through both dimensions.

Semantic definition: Cyberterrorism consists of using computer technology to advance terrorists’ goals. We can divide the goals into two arenas: primary goals and secondary goals.

Primary goals are the terrorists’ pursuit of their ideological agenda because terrorism is, after all, the use of certain methods in an effort to advance an ideological message or strategy. A federal criminal statute defines terrorism as using certain proscribed means (inflicting death, physical injury, damage to/destruction of property) in an effort to coerce a government or influence a civilian population for ideological purposes. So, regardless of whether the terrorists are white supremacists, jihadists or the labor terrorists that posed a problem in the nineteenth-century U.S., the goal is to use violence and the threat of violence to demoralize governments and populations and thereby advance the terrorists’ agenda. This definition of primary goals holds for all types of terrorism, but I am, of course, focusing only on cyberterrorism.

Secondary goals are the terrorists’ use of certain methods to sustain their pursuit of the primary goals. Secondary goals go to issues such as recruiting and retaining members of the terrorist group, fundraising, propaganda, communication and coordination of activities, etc.

Operational definition: Here, I want to focus only on the operational definition of cyberterrorists’ primary goals. I think we need to divide this definition into three categories – three types of (forgive me) WMD: weapon of mass destruction; weapon of mass distraction; and weapon of mass disruption.
  • Weapon of mass destruction: This, I think, is the primary source of FUD – the notion that a cyberterrorism attack will be a “digital Pearl Harbor,” or a “digital 911” – that it will be analogous to flying planes into the World Trade Center. I don’t think that is true; I think this notion, to the extent it exists, misunderstands how terrorists can use computer technology. I do not think that cyberterrorism – the use of computer technology to pursue an ideological agenda by those we regard as terrorists – can ever have the kind of visceral, demoralizing effect we experienced in 911. Indeed, I suspect that may be one reason why we have so far not, at least to my knowledge, seen any real instances of cyberterrorism.
  • Weapon of mass distraction: Here, computer technology is used to demoralize a civilian population (and undermine faith in government and other essential processes) by inflicting psychological “harm.” A few years ago, a federal official who worked in the area of terrorism/public security told me he got a call from the local authorities, in a very large American city. The local authorities said, “we have to evacuate the city.” The federal fellow asked why, and was told that “there’s a suitcase nuclear device” on a train in the subway system. He asked how they knew this, and the answer was uncertain; they had “heard” it. He asked if any subway train operator had described the rather unique appearance of a subway nuke, and was told none had. He pursued the matter in some more detail, and ultimately convinced the local authorities not to evacuate the city which, as he pointed out, would have done about as much damage – given the panic that would ensue – as a suitcase nuke. Point being: Misinformation, cleverly disseminated, can be used to sow chaos and confusion, which will in turn cause injury and property damage – the net effect being to undermine faith in our systems, our leaders and perhaps even our ideology.
  • Weapon of mass disruption: Here, computer technology is used to achieve a similar effect but the direct target is systems, not psychology. The U.S. Secret Service and Department of Homeland Security ran an exercise earlier this year – CyberStorm – in which a loosely linked set of domestic terrorist groups attacked various systems in the U.S. They interfered with the operation of air traffic control systems (thanks to help from a disgruntled FAA employee), did the same for some commuter trains, attacked at least one news website, altered balances in some accounts, went after power grids, etc. – a kind of smorgasbord of systemic attacks. To the extent that attacks such as this work, they would undermine our faith in our reality – in the stability of the systems we rely on to conduct our lives. That, of course, results in the demoralization of a civilian population which is, as I said before, a primary goal of any terrorist group.

I could write a lot more, but I think (hope?) this is enough to get my point across. The point is, simply, that we must not think of terrorists using computer technology in ways that are directly analogous to their use of IEDs and other traditional instruments of violence. Violence, I submit, is not what cyberterrorism is/would be about. It’s a much more subtle, and therefore perhaps more dangerous phenomenon, because it works on our minds and on our reality.
