Reality Check: Assessing the (Un)Likelihood of Cyberterrorism

On a related note, but perhaps even more importantly, a terrorist event that has the possibility of being portrayed as an accident is a failed attack. Consider the observation that

Download 131.15 Kb.
Size131.15 Kb.
1   2   3   4   5   6   7

On a related note, but perhaps even more importantly, a terrorist event that has the possibility of being portrayed as an accident is a failed attack. Consider the observation that:

Publicity would be also one of the primary objectives for a terrorist attack. Extensive coverage has been given to the vulnerability of the US information infrastructure and to the potential harm that could be caused by a cyberattack. This might lead terrorists to feel that even a marginally successful cyberattack directed at the United States may garner considerable publicity. Some suggest that were such a cyberattack by a terrorist organization to occur and become known to the general public, regardless of the level of success of the attack, concern by many citizens may lead to widespread withdrawal of funds and selling of equities [my emphasis] (Rollins & Wilson 2007, 5).

In testimony before a US Senate committee Howard Schmidt, the Obama administration’s onetime Cybersecurity Coordinator, made a similar observation: “…during NIMDA and Code Red, we to this day don’t know the source of that. It could have very easily been a terrorist…” (US Senate Committee on the Judiciary 2004, 28). These observations betray a fundamental misunderstanding of the nature and purpose(s) of terrorism, particularly its attention-getting function. A terrorist attack with the potential to be hidden, portrayed as an accident, or otherwise remain unknown is unlikely to be viewed positively from a terrorism perspective. One of the most important aspects of the 9/11 attacks in New York from the perpetrators’ viewpoint was surely the fact that while the first plane to crash into the WTC could have been accidental, the appearance of the second plane confirmed the incident as a terrorist attack in real time (as, of course, did subsequent events in Washington DC and Pennsylvania). This is a characteristic of all VBIEDs; stationary vehicles do not generally explode absent their containing explosives and being triggered to do so. If one considers that, in addition, many contemporary VBIED attacks are at the same time suicide attacks, it becomes clear that deniability (as suggested in, for example, Collins & McCombie 2012, 89) is not a major concern of many contemporary terrorists nor has it ever been. On the contrary, “[c]oercion requires attribution”, which explains why “terrorist spend as much time marketing their exploits as they do fighting, bombing, assassinating, and so on” (Gartzke 2013, 46 – 47).


Stuxnet cannot be classed as an act of cyberterrorism on the basis of either of the definitions of cyberterrorism described in this chapter’s opening section. It is, however, connected to the cyberterrorism debate given that it is accepted by many to be the most consequential cyber attack to have yet occurred. It was, by all accounts, an enormously complex attack to get right, involving for its development and deployment an estimated 10,000 person hours of coding by a team or teams of individuals and costing anywhere from millions to tens of millions of US dollars (Halliday 2010; Langner 2013, 20; US Senate 2010; Zetter 2010). In fact, such was the complexity and cost of this undertaking that it is generally agreed that it could not have been carried out by any entity other than a state or states (Langner 2013, 20; see also Gross 2011; Halliday 2010). The damage caused by the Stuxnet worm to the Iranian nuclear programme is said to have put it back at least two years (Langner 2013, 15) and thus was a major event not only in the cyber realm, but in international affairs more generally.

Now let’s consider the Boston Marathon bombing. If the VBIED attacks described throughout this paper were of a mid-range sort of terrorism in terms of their complexity, cost, and destructive outcomes, the Boston Marathon attack was of the lowest-level type of ‘real world’ terrorism imaginable. At a cost of $100 to $180 each (Bucktin 2013; Wallack & Healy 2013), the two pressure-cooker bombs were considerably less expensive than a VBIED in even Afghanistan. The complexity of both the bombs themselves and the overall attack strategy was low. Given their design, the Tsarnaev brothers may have based the devices construction on instructions contained in al-Qaeda in the Islamic Maghreb’s (AQIM) English language magazine Inspire, which is freely available on the Internet (Leonard 2013). The cheap financial cost and low level of sophistication of the attack notwithstanding, it cost two young women and a child their lives and 14 others their limbs, and is estimated to have caused upwards of $333 million in property damage, lost sales, medical costs, etc. (see Dedman & Schoen 2013 for breakdown). So while the Stuxnet attack was complex and high-cost, the Boston Marathon attack was easy and low-cost. And while Stuxnet caused disruption and destruction, it caused no direct harm to human beings. The starkest difference between Stuxnet and the Boston Marathon bombings however was their widely differing media impacts. A search of ‘All English Language News’ on Lexis-Nexis on 20 October 2013 returned 881 items with ‘Stuxnet’ in the headline, but 2,482 items with ‘Boston Marathon Bombing’ in the headline. Put another way, a conservative estimate puts the amount of media coverage afforded the Boston Marathon attack at almost triple that of Stuxnet, illustrating once again that it is perfectly possible for cheap and easy attacks to trump their costly and complex counterparts.

It may be true, therefore, that from a technological perspective, “Stuxnet has proved that cyber terrorism is now a credible threat” (Collins & McCombie 2013, 89). Not from a terrorism perspective however. As Dunn-Cavelty (2011) has pointed out, “careful threat assessments…necessarily demand more than just naval-gazing and vulnerability spotting. Rather than simply assuming the worst, the question that must be asked is: Who has the interest and the capability to attack us and why?”. Cyberterrorism should not therefore ever be considered in isolation from more traditional forms of terrorism as if its cyber component renders it separate to the latter; thence the focus on careful definition and comparison in this chapter.

In their 2002 paper, Brenner and Goodman pose the question: “Why has cyberterrorism not yet manifested itself? And follow-up with: “This is concededly something of a mystery. There are no reliable answers as to why cyberterrorism remains an as-yet unrealized phenomenon” (Brenner & Goodman 2002, 44). On the contrary, as illustrated in this chapter, there are at least four pretty straightforward and convincing reasons for why no act of cyberterrorism has ever yet occurred. VBIED construction is cheap. Cyberterrorism scenarios vary hugely in their potential size and scope and for this and other reasons are thus hugely difficult to cost; having said this, even the most conservative analyst would probably be forced to agree that no major cyberterrorism attack is likely to cost less than the average price of construction of a VBIED. Cost need not be a determining factor however; the complexity issue is a different matter. VBIED construction is relatively easy. The components are widely available and the know-how accessible via personal connections, bookstores, libraries, and online. The know-how necessary to cause the necessary levels of disruption, destruction, or even violence for a cyber attack to be deemed cyberterrorism is unlikely to be readily available to terrorists and therefore risky to obtain. The potential for destruction of a cyberterrorism attack is difficult to estimate too, but the available evidence suggests that wide disruption or destruction, not to say fatalities, would be costly and difficult to achieve. Cheap and easy methods, such as VBIED attacks, can be widely destructive however, which accounts for their contemporary ubiquity. Finally, apart from practical matters relating to cost, complexity, and destructive capacity, cyber-based activities are unlikely to work as terrorism precisely for the reasons they are touted in other realms: stealth and deniability; attention-getting and credit-claiming are at the core of terrorism. Arguments such as the latter have been eclipsed by arguments based on modern societies’ technological vulnerabilities on the one hand and potential terrorists’ capabilities on the other. The capacity to launch a cyberterrorism attack, which is itself challenged herein, bears very little relationship to the actual likelihood of attack however. “Many threats are conceivable, but relatively few actually materialize” (Gartzke 2013, 51). Cyberterrorism is therefore conceivable, but very unlikely. Why? Because ‘real world’ attacks are cheaper and less complex while also being significantly destructive of lives and property and, importantly, emotionally impactful so therefore also attention-getting to an extent that cyberterrorism will struggle to achieve.

Guide to Further Reading and Resources
Dr. Thomas Rid of King’s College London's Department of War Studies explains the concept of cyberterrorism and explores the risks associated with militants conducting attacks through the Internet (7 mins).
‘Squirrel Power!’

This 2013 New York Times article is perhaps my favourite shut-down-the-power-grid-scenario detailing as it does the very real threat posed by Kamikaze squirrels!
Video (2Hrs 10Mins) of UK House of Commons Science and Technology Committee hearing on cyber attacks on 17 November, 2010 with contributions from, amongst others, Prof. Ross Anderson, University of Cambridge; Professor Bernard Silverman, Chief Scientific Adviser, UK Home Office; Dr Steve Marsh, Deputy Director, Office of Cyber Security, UK Cabinet Office; Professor Mark Welland, Chief Scientific Adviser, UK Ministry of Defence.

Video (2Hrs 11Mins) of UK Public Accounts Committee hearing on cyber security on 13 March, 2013 with contributions from, amongst others, Prof. Sadie Creese, Professor of Cybersecurity, Oxford University; Dr. Thomas Rid, Kings College London; Mark Hughes, Managing Director of Security for British Telecom; Oliver Robbins, Deputy National Security Adviser, UK Cabinet Office.


Aasland Ravndal, Jacob. 2012. ‘A Post-Trial Profile of Anders Behring Breivik.’ CTC Sentinel 5(10): 16 – 20.

Ackerman, Spencer. 2011. ‘$265 Bomb, $300 Billion War: The Economics of the 9/11 Era’s Signature Weapon.’ Wired 8 Sept.

Agence France Presse. 2007. ‘EU Should Class Cyber Attacks as Terrorism: Estonia.’ Agence France Presse 7 June.

Al-Arabiya. 2013. ‘Car Bombs Kill at Least 54 people in Baghdad Area.’ Al-Arabiya 27 Oct.

Baltic News Service. 2007. Cyber Terrorism is not Only Estonia’s Problem – Russian Senator.’ Baltic News Service 25 June.

Brenner, Susan W. and Marc D. Goodman. 2002. ‘In Defense of Cyberterrorism: An Argument for Anticipating Cyber-attacks.’ University of Illinois Journal of Law, Technology & Policy No.1: 1 – 58.

Bucktin, Christopher. 2013. ‘Boston Bombers on a Budget: “Shoestring” Terrorist Brothers’ Bombs Cost Less than £120 to Make.’ The Mirror (UK) 24 April.

Carter, Shan and Amanda Cox. 2011. ‘One 9/11 Tally: $3.3 Trillion.’ The New York Times 8 Sept.

Collins, Sean and Stephen McCombie. 2012. ‘Stuxnet: The Emergence of a New Cyber Weapon and its Implications.’ Journal of Policing, Intelligence and Counter Terrorism 7(1):

80 – 91.

Conway, Maura. 2002a. ‘Reality Bytes: Cyberterrorism and Terrorist ‘Use’ of the Internet.’ First Monday 7(11).

Conway, Maura. 2002b. Cyberterrorism. Current History 101(659): 436 – 444.

Conway, Maura. 2003. ‘Cyberterrorism: The Story so Far.’ Journal of Information Warfare 2(2): 33 – 42.

Conway, Maura. 2003b. ‘Hackers as Terrorists? Why it Doesn’t Compute.’ Computer Fraud and Security Iss.12 (Dec.): 1 – 13.

Conway, Maura. 2007. ‘Cyberterrorism: Hype and Reality.’ In E.L. Armistead (Ed.), Information Warfare: Separating Hype from Reality. Washington, DC: Potomac Books.

Conway, Maura. 2012. ‘What is Cyberterrorism and How Real is the Threat? A Review of the Academic Literature, 1996 – 2009.’ In P. Reich and E. Gelbstein (Ed.s), Law, Policy, and Technology: Cyberterrorism, Information Warfare, and Internet Immobilization. Hershey, PA: IGI Global.

Dedman, Bill and John Schoen. 2013. ‘Adding up the Financial Costs of the Boston Bombings.’ NBC News 30 April.

Denning, Dorothy. 2007. ‘A View of Cyberterrorism Five Years Later.’ In K. Himma, Ed., Internet Security: Hacking, Counterhacking, and Society. Sudbury, MA: Jones and Bartlett Publishers.

Denning, Dorothy. 2012. ‘Stuxnet: What Has Changed?’ Future Internet 4(3): 672 – 687.

Dorgan, Byron. 2013. ‘Cyber Terror is the New Language of War.’ The Huffington Post 18 July.

Dunn-Cavelty, Myriam. 2011. ‘Cyberwar: A More Realistic Threat Assessment.’ International Relations and Security Network (ISN).

Dunn-Cavelty, Myriam. ‘Cyber-Terror: Looming Threat or Phantom Menace? The Framing of the U.S. Cyber-threat Debate.’ Journal of Information Technology and Politics 4(1): 19 – 36.

Gallagher, Sean. 2013. ‘Security Pros Predict “Major” Cyber Terror Attack This Year.’ Ars Technica 4 Jan.

Gambetta, Diego and Stefan Hertog. 2007. ‘Engineers of Jihad.’ Sociology Working Papers, No. 2007–10, Department of Sociology, University of Oxford.

Gordon, Sarah and Richard Ford. 2002. ‘Cyberterrorism?’ Computers & Security 21(7): 636 – 647.

Gross, Michael Joseph. 2011. ‘Stuxnet Worm: A Declaration of Cyber-War.’ Vanity Fair April.

Halliday, Josh. 2010. ‘Stuxnet Worm is the “Work of a National Government Agency.”’ The Guardian (UK) 24 Sept.

Hsiao-Rei Hicks, Madelyn, Hamit Dardagan, Peter M. Bagnall, Michael Spagat, John A. Sloboda. 2011. ‘Casualties in Civilians and Coalition Soldiers from Suicide Bombings in Iraq, 2003 – 10: A Descriptive Study.’ The Lancet 378(9794): 906 – 14.

Lloyds. 2014. ‘Cyberterrorism.’

Kenney, Michael. 2010. ‘Beyond the Internet: Mētis, Techne, and the Limitations of Online Artifacts for Islamist Terrorists.’ Terrorism and Political Violence 22(2).

Langner, Ralph. 2013. To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve. Arlington, VA: The Langner Group.

Leonard, Andrew. 2013. ‘Homemade Bombs Made Easier.’ Salon 26 April.

Michel, Lou and Dan Herbeck. 2001. American Terrorist: Timothy McVeigh and the Oklahoma City Bombing. New York: Harper.

Oklahoma City Police Department. 1995. Alfred P. Murrah Building After Action Report. Oklahoma City: Oklahoma City Police Department.

Police Ombudsman for Northern Ireland. 2001. ‘Statement by the Police Ombudsman for Northern Ireland on Her Investigation of Matters Relating to the Omagh Bombing on August 15 1998.’ Belfast: Police Ombudsman for Northern Ireland.

Pollitt, Mark. 1998. ‘Cyberterrorism: Fact or Fancy?’ Computer Fraud & Security Iss.2: 8 – 10.

Rid, Thomas. 2013. Cyber War Will Not Take Place. London: Hurst & Co.

Riley, Ed. 2011. ‘Cyber Spies Terror War; MoD and Treasury Targeted.’ Daily Star (UK) 13 June.

Rollins, John and Clay Wilson. 2007. Terrorist Capabilities for Cyberattack: Overview and Policy Issues. Washington, DC: Congressional Research Service.

Sandelson, Michael and Lyndsey Smith. 2013. ‘Oslo Government Headquarters Building Fate Due for New Review.’ The Foreigner 20 Sept.

Schmitt, Michael N. (Ed.). 2013. Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge UK: Cambridge University Press.

Sengupta, Kim. 2010. ‘Terrorists ‘Gaining Upper Hand in Cyber War”’. The Independent (UK) 6 Feb.

Singer, Peter. 2012. ‘The Cyber Terror Bogeyman.’ Armed Forces Journal 150(4): 12 – 15.

Singer, Peter and Alan Friedman. 2014. Cybersecurity and Cyberwar: What Everybody Needs to Know. Oxford: Oxford University Press.

US Department of Justice. 1997. ‘Report on the Availability of Bombmaking Information, the Extent to Which Its Dissemination Is Controlled by Federal Law, and the Extent to Which Such Dissemination May Be Subject to Regulation Consistent with the First Amendment to the United States Constitution.’ Washington, DC: US Department of Justice.

US Senate. 2010. ‘Securing Critical Infrastructure in the Age of Stuxnet.’ Washington, DC: US Senate Committee on Homeland Security and Government Affairs.

Wallack, Todd and Beth Healy. 2013. ‘Tsarnaev Brothers Appeared to Have Scant Finances.’ The Boston Globe 24 April.

Whitlock, Craig and Barton Gellman. 2013. ‘U.S. Documents Detail al-Qaeda’s Efforts to Fight Back Against Drones.’ The Washington Post 4 Sept.

Zetter, Kim. 2010. ‘Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target.’ Wired 23 Sept.

Share with your friends:
1   2   3   4   5   6   7

The database is protected by copyright © 2020
send message

    Main page