In a March 2010 speech, then FBI Director (2001 – 2013) Robert Mueller observed “Terrorists have shown a clear interest in pursuing hacking skills. And they will either train their own recruits or hire outsiders, with an eye toward combining physical attacks with cyber attacks.” That may very well be true, but ‘wanting’ to do something is quite different from having the ability to do the same. Violent jihadis’ IT knowledge is not superior to the ordinary publics. Research found that of a random sampling of 404 members of violent Islamist groups, 196 (48.5%) had a higher education, with information about subject areas available for 178 individuals. Of these 178, some 8 (4.5%) had trained in computing, which means that out of the entire sample, less than 2% of the jihadis came from a computing background (Gambetta & Hertog 2007, 8 – 12) And not even these few could be assumed to have mastery of the complex systems necessary to carry out a successful cyberterrorist attack. Journalists therefore need to stop elevating so-called ‘script-kiddies’ to potential cyberterrorists and insinuating that just because some group has the capacity to establish a website, distribute content online, and/or engage in DDoS attacks the next step is a major attack by them using the Internet. This threat framing has taken on renewed salience in the wake of recent ‘attacks’ by the al-Qassam Cyber Fighters and the Syrian Electronic Army, which have been repeatedly characterised as cyberterrorism.
Many people respond to the above arguments by saying that if one doesn’t have the requisite know-how in-house, an alternative option is to hire “outsiders” to undertake a cyberterrorism attack on one’s behalf. This would force the terrorists to operate outside their own trusted circles and thus leave them ripe for infiltration however. Moreover, even if contact with “real” hackers was successful, the terrorist group would be in no position to gauge their competency accurately; they would simply have to rely on trust. This would be very personally and operationally risky (Conway 2003b, 10 – 12). Turning to the possibility of online crowd sourcing as a response to these types of challenges then; if proxies could be employed to actually commit acts of cyberterrorism, terrorists would improve their ability to avoid culpability or blame altogether. The problem with this is two-fold: first, it would require gathering a ‘crowd’ which would, in turn, require fairly wide dissemination of information about the activity to be undertaken thus opening-up the very real possibility of the attack plans coming to the attention of the authorities. Second, the terrorists would lose control over when, where, how, or even if the attack took place. This might be advantageous in terms of instigating low-level ‘real world’ (e.g. jihadi-inspired lone actor terrorism) and cyber operations (e.g. (D)DoS attacks), but is not a suitable method for undertaking a major cyberterrorism operation. Furthermore, while the potential anonymity provided by crowd sourcing might protect the instigators from being detected, it would also lose them their credit for the attack. On the basis of technical knowhow alone, then, cyberterrorism is not feasible.
Stuxnet is the only cyber attack to date that is agreed to have caused actual physical destruction. This, moreover, was to a system and not to human beings. VBIEDs, on the other hand, have a long and very widely proven history of destruction of lives and property. “Trucks and vans can easily deliver the explosive equivalent of the bomb load of a B-24 (the workhorse heavy bomber of the Army Air Forces in World War Two) to the door step of a prime target. Even the average family SUV with 10 cubic feet of cargo space can transport a 1000-pound bomb” (Davis 2008, 8). Indeed, some authors go so far as to portray the September 11 attacks as simply a scaled-up version of the 1993 van-bombing of the World Trade Centre. Basically, the entire range of ground transportation options is available for attacks based on the same fundamental principles. The destruction to lives and property that can be wrought by such devices is, unsurprisingly, potentially massive.
One of the deadliest such attacks was carried out by radical Islamists in closely-timed suicide truck bomb attacks on the US Marine barracks and French members of the Multinational Force in Lebanon on 23 October 1983 in Beirut. The combined death toll from the attacks was 305. The already-mentioned Oklahoma City Bombing killed 168 people, including 19 children and three pregnant women, injuring nearly 700 others. The “single worst terrorist incident” of the Northern ‘Troubles’ took place on 15 August, 1998 in the town of Omagh in County Tyrone (Police Ombudsman for Northern Ireland 2001, 1). On that Saturday afternoon, the Real IRA—a dissident offshoot of the Provisional Irish Republican Army—parked and subsequently detonated a car filled with 500 lbs of fertiliser-based explosive in the town, killing 29 people, including a woman pregnant with twins, and injuring some 250 others. The Northern Ireland conflict was characterised by a long string of car bombings that began in Belfast in 1972, but that has since been eclipsed by the alacrity with which the VBIED has been deployed in the Iraq conflict. It is estimated that some 664 suicide VBIED attacks alone took place in Iraq between March 2003 and December 2010 (see Table 6.1). Nine separate car bombs exploded in Baghdad on a single Sunday in October 2013. The blasts, which hit eight different Shiite-majority areas in and around the Iraqi capital, killed at least 54 people and wounded more than 90. The pan-Arab news channel Al-Arabiya reported that at the time of the blasts the Iraqi government had actually restricted many Baghdad residents from using their cars in an attempt to thwart car bombings (Al-Arabiya 2013).
The ‘worst’ terrorist attacks are generally conceived as those that have the highest number of fatalities and injuries associated with them. The destruction of human lives is not the only type of destruction associated with VBIED attacks however, many of which also cause enormous property damage. In addition to the fatalities associated with it, the Oklahoma City bombing blew the front from the targeted Alfred P. Murrah building and “caused major damage to adjacent structures, touched off car fires, and blew out glass windows and doors in a three-square-mile area on the north side of downtown Oklahoma City” (Oklahoma City Police Dept. 1995, 1). While the Omagh bomb killed the greatest number of people in a single terrorist attack in Northern Ireland, the property destruction associated with it was minimal compared to that wrought by the Provisional IRA’s 1992 to 1996 mainland bombing campaign. Total combined property damage arising from the 1991
*Results do not total across suicide bomb subtypes for two reasons because not ot all suicide VBIEDs were described in adequate detail to identify vehicle sub-type. Adapted from Table 1 (p.907) in Hsiao-Rei Hicks et al. (2011).