#05 Securing Peace
Anna-Maria Talihärm

Emerging Security Challenges and Cyber Terrorism

Constant fear of cyber attacks – but no terrorism incident so far

The number of cyber incidents affecting the private sector, government entities, non-governmental organisations and individuals is increasing and continues to draw attention to modern cyber threats. Furthermore, concrete incidents still quite often serve as a wake-up call, a reminder to develop or enhance resilience against cyber threats. Although the scale of incidents has varied greatly – ranging from credit card fraud to depriving governments of their communication channels or targeting industrial software – malicious cyber activities, such as those that took place in Estonia in 2007 and Georgia in 2008, leave hardly any doubt about the importance of the link between information and communication technologies (ICT), critical information infrastructure and national security.

Cyber security is a wide term that encompasses several types of cyber threats, such as cyber crime, critical infrastructure protection, cyber terrorism and cyber war. All these cyber threats are widely spoken about but rarely with a common understanding of the scope or meaning of the terms. Arguably, the term cyber terrorism has caused the greatest confusion. Media and politicians invariably use the term with a number of different meanings and disregard the fact that, according to the majority of experts, not one single clear case of cyber terrorism has yet been witnessed. Consequently, cyber terrorism is an expression that has been and is being used to describe virtually anything from simple hacking to fatal cyber incidents resulting in severe financial harm and bloodshed.

This article aims to briefly shed light on the concept of cyber terrorism and clarify the different meanings of the term.

Hyped by the media

Linking terrorism and information technologies is nothing new. Grave declarations about the possible damage that could be done with the help of a simple keyboard have been made since the early 90s. The media still focuses on issues that touch on cyber terrorism, developing dreadful analogies to past tragedies and vividly describing potentially catastrophic threats to critical infrastructure. Thus, by now, there is no shortage of security reports, articles and speeches that mention the imminent threat of cyber terrorism.

What is lacking, however, is a clear understanding of the meaning of the term, sufficient rational to back up these dire predictions, critical analyses of the nature as well as the scale of possible threats and – to the surprise of many – an actual case of cyber terrorism. The vigorous media attention is also influencing the way internet users and companies see the threat of cyber terrorism. As perceptively expressed by Maura Conway, it also plays a significant role in "speaking cyber terrorism into existence". It is therefore not unexpected that several studies have indicated that a high percentage of internet users and companies officially recognise cyber terrorism as a serious threat they must face.

An undoubtedly generalised conclusion that can be drawn from the relevant literature is that journalists, security companies and government authorities tend to emphasise the dangers of cyber terrorism – whether to increase their own popularity, for commercial purposes or to take advantage of the public's interest in the issue –, whereas scholars attempt to underline the contrast between the media hype and the empirical reality. This gap between the presumed danger and identified cyber terrorist activities fuels the majority of the debates around cyber terrorism: there is a distinct group that believes 'digital Pearl Harbour' is a realistic scenario while their critics doubt the seriousness of the threat. Myriam Dunn Cavelty calls the former "hypers" and the latter "de-hypers" and suggests the main reason for the controversy lies in the fact that even though there have been a few incidents with at least the potential for serious consequences, so far cyber threats that actually breach national security have not materialised.

Despite overall agreement that the threat of such an attack is real, we should bear in mind that the constant exaggeration of the seriousness of the damage and continuous hyping of cyber terrorism will eventually devalue the term itself and may contribute to underestimating the importance of counter-terrorism activities.

The need for a legal definition

Since cyber terrorism is so often featured in the media, politics, literature and various debates, there have been several discussions about the need to create and operate from a specific definition of cyber terrorism. In addition to serving as a guide for distinguishing various cyber incidents, the definition would have a legally binding meaning. Critics claim that the focus on the legal definition of cyber terrorism is a positivist, facile solution to the problem. For lawyers, though, the need for a legal definition should be clear: it would provide a foundation for a prosecutor to open an investigation and for a judge's ruling and could result in serious consequences. If an action was then qualified as cyberterrorism, it could be pursued under special laws that would result in severe penalties. As noted by Clive Walker, the same would not necessarily apply to the definitions devised by political scientists or sociologists.

Should the legal definition be too wide, legal reactions could be excessive and impose inappropriately serious punishments for actions that should not be considered terrorism. As a legal principle, only those actions that wholly correspond to the definition would require a legal response.

It is therefore important to draw a line between cyberterrorism, cyberattacks, hactivism and other actions such as political activism. Should animal rights activists who bring down a website be considered cyber terrorists just because their actions targeted a website? Such examples stress the need for a precise definition on the one hand, while at the same time warning legislators to avoid possible ambiguity and misinterpretation. The balance between criminalised actions and various rights, such as freedom of speech and the freedom to protest, must also be considered.

On the other hand, it would be naïve to assume that one single legal definition is even possible for numerous reasons. Firstly, levels of development in terms of information technology and dependence on it differ from state to state. This means that while in some countries sending a threatening email bomb of a considerable size to a government body – as for example the email bombing by the Internet Black Tigers against the Sri Lankan embassies in 1998 – would create fear, great overall confusion and possible financial loss, in another country, such a case would be efficiently handled, maybe even prevented in the first place, and would probably not even reach the public eye. Secondly, various institutions and treaties need to operate on the basis of different definitions. And thirdly, we are not yet fully aware of the possible scale and mediums of future cyber terrorism.

In addition to the three reasons mentioned above, it is rather paradoxical that legislators are trying to legally define an action that has actually never wholly taken place. This means that even if there were a definition in use today, it would certainly need to be further modified and clarified as more cases relating to various models of cyberterrorism appeared. Case law and precedents are most likely to shape legislators' attitudes towards defining cyber terrorism.

Nations must examine whether legally defining cyberterrorism would be profitable. Even if such a definition is not reached universally, some states or institutions might develop their own personal interpretation. Laws must be precise, but at the same time wide enough to cover upcoming situations. And cyberterrorism is certainly a phenomena that must be closely watched.

Tangled up in terminology

What seems to cause confusion with the use of the term cyber terrorism is not so much the different understandings of the possible damage that may be caused by an act of cyber terrorism, but simply the ambiguity that surrounds the meaning of the term itself. As is the case for the majority of terminology used inside the cyber domain, the use of the term cyber terrorism distinctly illustrates the "cyber war of words" – a succinct expression used by White House cyber security czar Howard Schmidt.

To add to the confusion, it has been noted that cyber terrorism is often used in parallel with other more specific terms such as "cyber radicalisation", "ideological and political extremism", "virtual jihad" and "electronic jihad". These terms should by no means be utilized as synonyms for cyber terrorism, even if each of them refers to malicious cyber activities that share certain similar elements.

Moreover, the difficulty in identifying the intent of the perpetrator and in justly estimating the severity of the damage caused has resulted in the continuing failure to distinguish among different types of cyber incidents. This is why we continue to witness the media inadvertently encouraging the trend of labelling any slightly prominent malicious cyber activity as 'an act of cyber terrorism', thus only adding to the overall terminological confusion.

So far the most reasonable approach to defining cyber terrorism can be found in research conducted by Dorothy Denning who has proposed characterising cyber terrorism as politically or socially motivated attacks against computers, networks and information, whether carried out through other computers or physically, while indirectly causing injuries or death, serious damage or fear comparable to a traditional act of terrorism. The majority of prominent academic researchers in the area share her view of the meaning of the term.

Terrorist use of the internet

Even though it appears that most recent legal and policy documents are increasingly less keen on using the term cyber terrorism, the most common misunderstanding still appears to be the confusion surrounding the differentiation of cyber terrorism and terrorist use of the internet.

This can be explained by the observation that topical literature usually distinguishes between two main approaches to defining cyber terrorism. The first identifies all attacks against computers, networks and information, whether undertaken through other computers or physically, as cyberterrorism: "target-oriented" cyberterrorism, as previously refined by Dorothy Denning. The second labels all actions using the internet or computers to organise, complete, etc., terrorist actions as cyberterrorism: "tool-oriented" cyberterrorism.

Although the majority of authors commonly favour the target-oriented definition, several other sources suggest that the term cyber terrorism should also involve several activities carried out by terrorists via the internet. These activities include propaganda via terrorist websites, communication, public relations, sharing information such as instructions and detailed manuals, data mining, fundraising, financing, internal networking and international connections, and recruitment.

The internet offers terrorists a low-cost, fast and global medium for spreading information. Internet manifestos, terrorist group histories, leader profiles, engaging publicity as videos or forums, instructions on "how to make a bomb" and "how to execute a terror attack" and so on are accessible to everyone and easy to upload. Another aspect, financing, has been the most worrisome part of terrorists use of the internet, because funds for their activities can be raised both directly via websites – as for example donations of money and other items, or profits from e-stores –, but also by using internet infrastructure to engage in resource mobilization by illegal means.

The abovementioned activities do not necessarily result in serious economic harm or the loss of peoples' lives, and should therefore not be considered cyber terrorism.

Conclusion: We should continue to be vigilant

The frequency of cyber incidents may be growing at an alarming rate, but so far we have not witnessed a cyber attack carried out by terrorists with the motivation of causing severe damage and bloodshed. Nonetheless, the powerful media hype surrounding the concept of cyber terrorism has drawn attention to the problematic abundance of definitions of the term. The evident terminological confusion that surrounds cyber terrorism raises the question of whether it is feasible or even generally possible to clearly define an event that has never happened.

Even though the target-oriented approach to defining cyber terrorism – which focuses on politically or socially motivated attacks against computers or computer systems that cause injuries, death or serious damage – is supported by the majority of authors, the term is rarely used in that meaning.

Furthermore, ambiguous definitions and incomprehensive use of the term are contributing to the difficulties in finding a common language among governments and institutions for discussing the cyber terrorism threat. Clearly, without a general understanding of the terminology prevalent in the cyber domain, all discussions on the issue are likely to be less productive and not generate the desired results.

Nevertheless, we should continue to be vigilant about increasingly sophisticated politically motivated cyber attacks and terrorist use of the internet, since these malicious activities adequately mirror terrorists' capabilities for possibly carrying out future attacks of target-oriented cyber terrorism.

Related Articles

Cyberconflict and Hacktivism in a Contemporary Context

Cyberconflict, the role of networks and communication technology in future warfares.

» more

The Militarization of Space

The international militarization of space

» more