The US Naval Postgraduate School’s Professor Dorothy Denning’s definitions of cyberterrorism are probably the most well-known and respected. Denning’s (2007: 124) most recent definition of cyberterrorism is as follows:
highly damaging computer-based attacks or threats of attack by non-state actors against information systems when conducted to intimidate or coerce governments or societies in pursuit of goals that are political or social. It is the convergence of terrorism with cyberspace, where cyberspace becomes the means of conducting the terrorist act. Rather than committing acts of violence against persons or physical property, the cyberterrorist commits acts of destruction and disruption against digital property.
Denning (2007: 125) goes on to say that:
To fall in the domain of cyberterror, a cyber attack should be sufficiently destructive or disruptive to generate fear comparable to that from physical acts of terrorism, and it must be conducted for political and social reasons. Critical infrastructures…are likely targets. Attacks against these infrastructures that lead to death or bodily injury, extended power outages, plane crashes, water contamination, or billion dollar banking losses would be examples.
Another well-known definition was proposed by Mark M. Pollitt in his article ‘Cyberterrorism: Fact or Fancy?’ (1998) in which he unified a definition of cyberspace with a well-known definition of terrorism. For Pollitt, cyberspace may be conceived of as “that place in which computer programs function and data moves.” He employed the definition of terrorism contained in Title 22 of the United States Code, Section 2656f(d): “The term ‘terrorism’ means premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents, usually intended to influence an audience.” Pollitt arrived at the following definition of cyberterrorism by combining these two: “Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents” (Pollitt 1998, 9).
Denning’s and Pollitt’s definitions share similarities, but also significant differences. A crucial point on which Denning and Pollitt are in agreement is that an act may not be classified as cyberterrorism absent a (socio-)political motive. Even very large scale attacks carried out for purposes of, say, self-enrichment, one-upmanship, or similar are thus excluded. With regards to the impacts of a cyberterrorist attack however, Denning’s definition appears wider than Pollitt’s as she explicitly distinguishes between traditional terrorism’s physical violence against persons and property as opposed to cyberterrorism’s “acts of destruction and disruption against digital property.” Pollitt, on the other hand, refers fairly unambiguously to activity that “results in violence” against persons (see also Schmitt 2013, 123; Hardy & Williams, this volume). Both definitions nevertheless prohibit classification of everyday terrorist uses of the Net (e.g. for social networking, radicalisation, researching and planning, financing, and other purposes) as cyberterrorism as these are not in themselves either directly violent or massively disruptive or destructive. Both definitions also rule out (distributed) denial of service ((D)DoS) attacks and similar. An additional issue covered by both definitions are the wider intimidatory or coercive purposes of terrorism and thence also cyberterrorism. An interesting case in this respect is recent revelations, contained in previously classified intelligence reports, of al-Qaeda’s interest in hacking into and disabling US drones’ satellite links and remote controls (Whitlock & Gellman 2013). If successful, this would not in itself be terrorism however, in the same way as IRA bombings were counted as terrorist acts, but IRA bank robberies were largely not. This is because the former had a terror-inducing and thus directly coercive purpose, but the latter were largely a funding mechanism. For interference with a drone to be classified as an act of cyberterrorism under either of the two definitions under discussion here, I suggest, al-Qaeda operatives would need to hack into and take control of a drone and then successfully re-route and re-aim it to cause civilian fatalities.
The fourth pertinent issue worth drawing attention to in regard to definition is Denning’s requirement that for an attack to be labelled cyberterrorism it should be undertaken by ‘non-state actors’. This contrasts with Pollitt’s approach that mentions ‘clandestine agents’, in addition to ‘sub-national groups’. If the 2010 Stuxnet attack on Iran’s Natanz nuclear facility was a joint operation by the United States and Israel (Denning 2012), then it might be conceived as cyberterrorism on Pollitt’s definition. It is, however, ruled out as such by Denning’s, and the same may be said for the 2007 cyber attacks on Estonia (Rid 2013, 6-7). Both the Estonia attacks and Stuxnet were nevertheless described in the press and elsewhere—including by the Estonian government—as instances of cyberterrorism (see, for example, Agence France Presse 2007; Baltic News Service 2007; Finch 2007; Lloyds 2014). The fifth and final definitional issue I want to address is Denning’s and Pollitt’s differing perspectives on the role of cyberspace in cyberterrorism. Denning is clear in her definition that cyberterrorism must use cyberspace as the method of attack and not just its target. This clearly distinguishes her approach from Pollitt’s as the latter’s definition would appear to include, for example, a car bomb attack on an Internet hub while Denning’s emphatically does not (see also Macdonald et al. 2013, 9). This distinction is, I suggest, as important in respect of the cyber component of the definition of cyberterrorism as the motive and violence issues are to the terrorism component of same. In fact, Pollitt’s definition would appear to allow for the label of cyberterrorism to be retrospectively applied to a whole range of attacks, including bomb attacks on electricity sub-stations, telephone exchanges, etc., undertaken decades prior to the invention of the term. This is the main reason why Denning’s definition is preferred over Pollitt’s in this chapter.