The four factors with respect to which VBIED attacks and cyberterrorism are compared below are those that have been evidenced by experience to matter, to varying extents, to almost all terrorists. Put another way, these are the factors, it is suggested, that would be taken into account by terrorists in the early stages of planning an attack and evaluating the desirability of cyber versus more traditional methods. In terms of the comparison, some of the arguments may strike the reader as more convincing than others; I’m less interested however in the merits of each comparison taken separately than in the compelling nature of considering them in tandem.
Even though exact figures are difficult to obtain, one thing is clear, car bomb construction is cheap. The first World Trade Centre attack in 1993 killed six people and injured more than a thousand; the truck bomb is estimated to have cost $400 to construct (Giacomello 2004, 397). In April 1995, the Oklahoma City bombing, which prior to 9/11 was the largest terrorist attack on US soil in history, killed 168 people. It is estimated to have cost less than US$5,000, which was outlaid for fertiliser, fuel, and van rental fees (Michel & Herbeck 2001, 176). The 9/11 attacks—although not strictly VBIED attacks—were also relatively cheap to carry out; the 9/11 Commission Report estimated that it cost just $400,000 - $500,000 in total financing over nearly two years, including living expenses for and other payments to the nineteen hijackers (2004, p.172; see also Wilson, this volume). VBIED attacks are commonplace in on-going conflicts, such as in Iraq and Afghanistan. The US Department of Defense’s Joint Improvised Explosive Device Defeat Organisation (JIEDDO) estimated that the average cost to construct a car bomb in Afghanistan in 2006—the most recent year for which such information is (publicly?) available—was just $1,675 (Ackerman 2011).
If the exact cost of VBIED construction is difficult to estimate due to the diversity of components used, significant cost disparities depending on where the vehicle and/or other components are purchased, and so forth, the challenge of estimating the cost of a potential cyberterrorism attack is exponentially greater. Giampiero Giacomello nevertheless engaged in a speculative analysis that addressed precisely this issue in 2004. In his ‘Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism,’ Giacomello considered the cost of two common cyberterrorism scenarios: a cyber attack on a hydroelectric dam and a cyber attack on air traffic control systems. He estimated the cost of the dam attack at $1.2 – 1.3 million with potential fatalities of between 50 – 100 and the cost of the air traffic attack at $2.5 – 3 million with the potential for 250 – 500 casualties (Giacomello 2004, 397-398). The dam attack, he pointed out, “would look like an attractive investment, if it were not the case that a suicide bomber would cause roughly the same amount of casualties at a fraction of that cost” (Giacomello 2004, 397). Now consider that according to the author of the definitive analysis of Stuxnet, testing for that attack, “must have involved a fully-functional mock-up [uranium enrichment test bed] operating with real uranium hexafluoride” (Langner 2013, 20). This puts the cost of just a portion of that attack at (conservatively) tens of millions of dollars. As such, there is every appearance therefore that Giacomello got it right when he concluded that on the basis of financial considerations alone “cyberterrorism would be a highly inefficient solution for terrorists, due to high costs and meagre returns” (2004, 388).
VBIEDs are relatively simple to build and deliver. Bicycles, scooters, motorcycles, cars, vans, mini-buses, trucks, and tankers are everywhere. Many people own small vehicles and so are already in possession of an important component of the finished device; larger vehicles can be bought, rented, or stolen. In terms of a delivery mechanism, VBIEDs are highly innocuous and therefore difficult to guard against. Fertiliser is the other major component of many VBIEDs. Large amounts of it can still be purchased easily (and relatively cheaply) due to its wide legitimate use in agriculture, despite governments’ efforts to place curbs on sales of large amounts due to its explosive capacities. A great many groups and individuals have the necessary expertise to themselves construct and/or to educate others how to construct VBIEDs. These include members or former members of terrorist organisations, such as Hamas, Hizbollah, the Liberation Tigers of Tamil Eelam (LTTE), and the Provisional IRA, and increasing numbers of violent jihadi bomb-makers active in Afghanistan, Iraq, and elsewhere. Individuals with no known links to any terrorist organisation have also demonstrated the capacity for VBIED-construction; these include Timothy McVeigh and Terry Nichols, the perpetrators of the Oklahoma City bombing, and Anders Breivik, who deployed a VBIED against government offices in Oslo, Norway on 22 July, 2011 that killed 8 people and injured over 200.
There has been heightened concern amongst policymakers, law enforcement agencies, and others since the 9/11 attacks regarding the proliferation of “how to” information online devoted to explaining, amongst other things, the technical intricacies of making VBIEDs. In fact, as early as 1997, the US Department of Justice had concluded that the availability of bomb-making information played a significant role in facilitating terrorist and other criminal acts (pp.’s 15 – 16). Today, there is easy online access to various types of forums and content containing bomb-making information. The level of threat posed by this remains a source of debate with some commentators insisting that legislation must be put in place to outlaw such online content, and others pointing out both that this material is already easily accessible in bookstores and libraries (Leonard 2013) and also that much of the information is unreliable or simply wrong (Kenney 2010). Sophisticated terrorist organizations do not need to rely on the Internet for developing their bomb-making skills, but disaffected individuals prepared to use terrorist tactics to advance their politics, of whatever stripe, appear to have increasing recourse to online content. While Faisal Shazad, the failed Times Square car-bomber, is said to have travelled to acquire his bomb-making skills in Pakistan where he received three to five days of training (Hoffman 2010), Anders Breivik produced a new type of fertiliser bomb through combining knowledge from different recipes he located on the Internet (Aasland Ravndal 2012, 17). The main point here is that rudimentary bomb-making skills can be easily and quickly obtained in a number of different ways. On the other hand, the failed Times Square attack, along with the failed car bomb attacks planned and carried out by medical doctors in central London and at Glasgow airport in June 2007, shows that even relatively unsophisticated real-world attacks have a level of difficulty and are routinely unsuccessful. Cyberterrorism can be expected to have an exponentially greater margin of difficulty.