This chapter argues that debates around the threat posed by cyberterrorism have been dominated by a focus on issues relating to technological potentialities. To balance this, it focuses on the ‘terrorism’ aspect of cyberterrorism, arguing that it is important to situate cyber attacks within an analysis of terrorist interests and options. Doing so, it argues, leads to a far more optimistic forecast of the likelihood of cyberterrorism than is common, for four reasons. First, the costs of cyber attacks – although difficult to estimate – are vastly higher than those of non-cyber equivalents, such as car bombings. Second, terrorist groups typically lack the mastery to carry out successful cyber attacks which are exponentially more difficult than non-cyber terrorism. Third, the destructive potential of non-cyber attacks can be far more readily materialised than that of cyber attacks. And, fourth, cyberterrorism lacks the theatricality of more conventional attacks and therefore is likely to be less desirable to terrorist groups. Taken together, these four arguments indicate that cyberterrorism remains far less likely than is frequently supposed.
A January 2013 article on the prominent technology news website ArsTechnica headlined ‘Security Pros Predict “Major” Cyber Terror Attack This Year’ reports upon the results of a survey of computer security professionals at the October 2012 Information Systems Security Association conference in Anaheim, California. The survey found that of 105 attendees surveyed, 79 percent believed, “there will be a ‘major’ cyberterrorism event within the next year.” Read the piece more closely however and it emerges that what the survey respondents actually believe is that there will be some sort of large-scale attack on the information technology powering some element of America’s critical infrastructure (i.e. the electrical grid, energy sector, financial institutions, etc.). In fact, the survey didn’t mention cyberterrorism; it “didn’t give a definition for a major cyber attack” at all. “We left that to the security professionals to interpret for themselves,” a representative from the company that conducted the survey is reported as saying; “[t]he general idea of the question was ‘is something big going to happen?’” (Gallagher 2013). Unfortunately, the assumption that any ‘big’ attack with a cyber-component may be deemed ‘cyberterrorism’ is commonplace as is the assertion that cyberterrorism is just around the corner. There is no doubt that cyber insecurity and thus cyber threats are serious, increasing, and warrant attention, including from IT professionals, media, scholars, and policymakers. It is certainly the case that, globally, critical cyber infrastructures are insufficiently secured and are thus highly vulnerable to attack. However, the widespread assumption that such an attack will be of a cyberterrorist sort completely omits the calculations likely to be made by terrorists in weighing the costs and benefits of cyberterrorism versus other methods available to them. Such calculations are at least as important, if not more so, than the technological aspects of cyberterrorism. Just because IT professionals, journalists, policymakers, and some scholars tend to narrow their thinking to and thence privilege the technology, it should not be assumed that terrorists are of a similar mind. The technology is only half the story, in other words; this chapter addresses the other half (compare with Wilson, this volume).
My approach here is two-pronged. I begin by briefly revisiting definitional issues (see Conway 2002a, 2002b, 2003a, 2007, 2012; Hardy & Williams, this volume; Jarvis, Nouri & Whiting, this volume). This is necessary, because any ‘reality check’ on cyberterrorism – such as that offered in this chapter - requires a reminder that terrorism is not merely ‘something big’, hence cyberterrorism may not be defined as ‘something big in cyberspace.’ Having underlined the importance of the ‘terrorism’ in cyberterrorism, the greater part of the chapter is taken-up with a comparison of cyberterrorism with car bombing that again privileges a terrorism over a technology approach. This is a useful comparison, it is posited, because those hyping the cyberterrorism threat have a tendency to equate opportunity with outcome rather than reflecting upon whether something that could happen is in fact likely given the potential perpetrators’ motives, capabilities, and ends.
It is today commonplace when dealing with computers and the Internet to create new words by placing the handle ‘cyber,’ ‘electronic,’ or ‘information’—often shortened to simply ‘e’ or ‘i’—before another word. This may appear to denote a completely new phenomenon, but often it does not and confusion ensues. Cyberterrorism is the convergence of cyberspace and terrorism. Not the convergence of cyberspace and ‘something big’ or even the convergence of cyberspace and ‘something bad’—although, as will be illustrated below, a cyber-attack would probably need to be both ‘big’ and ‘bad’ to be properly deemed cyberterrorism. But the convergence of cyberspace and terrorism, the latter of which is something, albeit subject to a high level of definitional contestation, that has a long history and a basic outline shape. First, in order for an attack to be classified as terrorism, it must have a political motive; that an attack is carried out via the Internet does not make this requirement any less necessary. To fail to recognise the importance of motive is to seriously mischaracterize what it is that constitutes terrorism. The second necessary requirement for traditional or ‘real world’ terrorism is violence or the threat of violence. The problem that arises here is that although ‘real world’ political violence—and violence more generally—is very heavily studied, virtual ‘violence’ is a relatively new phenomenon and thus under-researched. It is clear enough that the destruction of another’s computer with a hammer is a violent act, but should destruction of the data contained in that machine, whether by the introduction of a virus or some other technological means, also be considered ‘violence’? (Gordon & Ford 2002, 640). And even if destruction of data or systems meets the ‘violence’ threshold, can disruption do likewise? Two well-known definitions of cyberterrorism are compared below with respect to their treatment of motive, violence, and a number of other points germane to the follow-up comparison between cyberterrorism and Vehicle-Borne Improvised Explosive Devices (VBIED) attacks.