Cyber terrorism: a clear and present danger, the sum
Transcription
Cyber terrorism: a clear and present danger, the sum
Crime Law Soc Change DOI 10.1007/s10611-007-9061-9 Cyber terrorism: a clear and present danger, the sum of all fears, breaking point or patriot games? Michael Stohl # Springer Science + Business Media B.V. 2007 Abstract Over the past two decades there has developed a voluminous literature on the problem of cyber terrorism. The themes developed by those writing on cyber terrorism appear to spring from the titles of Tom Clancy’s fiction, such as Clear and Present Danger, The Sum of All Fears and Breaking Point, or somewhat more cynically, Patriot Games. This essay examines both the gap between the presumed threat and the known cyber terror behaviors and the continuing literature which suggests an attack is imminent. It suggests that at least part of the explanation lies both in the continuing failure to distinguish between what Denning (Activism, hacktivism, and cyber terrorism: The internet as a tool for influencing foreign policy, 1999) referred to as hactivism and cyberterrorism and also the failure to distinguish between the use of digital means for organizational purposes (information, communication, command and control) and the use of digital communications to actually commit acts of terror. Introduction Over the past two decades there has developed a voluminous literature on the problem of cyber terrorism. The themes developed by those writing on cyber terrorism appear to spring from the titles of Tom Clancy’s fiction, such as Clear and Present Danger, The Sum of All Fears and Breaking Point, or somewhat more cynically, Patriot Games. But perhaps, as we shall see, the appropriate Tom Clancy titles to describe the state of the cyber terrorism literature should be State of Siege, Without Remorse and Hidden Agendas; to distinguish between the literature and the empirical reality of cyber terror. M. Stohl (*) Department of Communication, University of California, Santa Barbara, CA 93106, USA e-mail: [email protected] M. Stohl Much before 9/11 there had been great angst about the possibilities of cyber terrorism, including oft stated fears about a digital Pearl Harbor.1 This fear was further enhanced by the Y2K problem often referred to as the millennium bug by those who sought to dramatize the threat.2 Despite the fact that these fears have yet to be matched by real events,3 in the context of the post 9/11 concern with terrorism and the global war on terrorism, the threat of cyber terrorism remains high on the list of public and professional fears.4 In the post 9/11 world, journalists and governmental officials have often tied the threat of cyber terror to Al Qaeda and other terrorist organizations to obtain maximum effect. For example Lenzner and Vardi [22] write, “Four years ago al Qaeda operatives were taking flying lessons. Today they are honing a new skill: hacking.” However, “[t]here is little concrete evidence of terrorists preparing to use the Internet as a venue for inflicting grave harm ([9]:24). In summary, there have been no instances where cyber terrorism has mirrored a catastrophic loss of life or physical destruction associated with the most violent acts of “conventional” terrorism. The study of terrorism routinely exaggerates both the threat of WMD terrorism and the spectacular and deadly events that have infrequently occurred. It creates an assumption that most terrorism events involve large numbers of deaths and enormous property damage. However, the spectacular events actually account for a relatively small portion of what occurs within the rubric of the terrorism experience and while enormously important and correctly feared, must not stop us from looking at the overall problem and the entirety of the threat.5 The same is true with respect to cyber terrorism. It is thus important to examine both the divergence from reality with respect to cyber terrorism prevalent in the literature and to consider why there appears to be such a large gap between the presumed threat and the known behaviors. 1 “The most popular term, ‘electronic Pearl Harbor,’ was coined in 1991 by an alarmist tech writer named Winn Schwartau to hype a novel. For a while, in the mid-1990s, ‘electronic Chernobyl’ was in vogue. Earlier this year, Sen. Charles Schumer (D-N.Y.) warned of a looming ‘digital Armageddon.’ And the Center for Strategic and International Studies, a Washington think tank, has christened its own term,”digital Waterloo [18]. http://www.washingtonmonthly.com/features/2001/0211.green.html See also Debrix [7]. “Cyberterror and Media-Induced Fears: The Production of Emergency Culture,” Strategies: Journal of Theory, Culture and Politics, Vol. 14, No. 1, 149–168. 2 Of course the millennium bug was not the result of a terrorist threat but rather the result of an outdated programming system which had not accounted for the transition from 1999 to 2000. See for example http:// www.soci.niu.edu/~crypt/other/harbor.htm. By 1999 Crypt newsletter noted that “Electronic Pearl Harbor” and variations on it, could be found in over 500 citations for the phrase in on-line news archives, military research papers and press releases. Simpson [32] writes “The nearest thing to cyber terror involved the March 2000 case of Vitek Boden, who infiltrated the systems of a sewage treatment plant in Australia. His attacks resulted in the release of an estimated 265,000 gallons of untreated sewage into local water courses... ...Boden had been employed by the company that installed the control network and his laptop contained a software application needed to access the system. The motive was revenge for rejection of his job application by the local authority in Queensland.” 3 4 “The consensus among security experts is that there has never been a recorded act of cyberterrorism pre- or post-September11” ([15]:388). 5 Whether or not this appreciation of terrorism actually receives its due in the formulation of counter terrorist policy, particularly in the post 9/11 environment, it was clearly articulated in the 1999 State Department report on global terrorism. “Furthermore, terrorist acts are part of a larger phenomenon of politically inspired violence, and at times the line between the two can be difficult to draw” (2000:5). Cyber terrorism State of siege It is clear that despite the continuing reality that cyber terror remains a potential threat rather than an ongoing series of events, there has not developed a sense of security, comfort or complaisance in the popular press but rather a fear that this year or next is “in fact” the year of maximum danger. The public is constantly reminded that “we” remain vulnerable to cyber attack and that it is only a question of time before we are surprised by the still lurking digital Pearl Harbor. Many different factors converge to keep the concept of cyber terrorism on the public agenda. Cyber terror concerns serve many different and often unconnected actors, whose collective needs are served by keeping the threat on the public’s list of concerns. Underlying much of the concern with the misunderstood nature of the threat of cyber terrorism is a combination of fear and ignorance.6 Embar-Seddon citing Richard Lazarus (“An unknown threat is perceived as more threatening than a known threat.”) argues that The most destructive forces working against an understanding of the threat of Cyber terrorism are a fear of the unknown and a lack of information or, worse, too much misinformation. The word cyber terrorism brings together two significant modern fears: the fear of technology and the fear of terrorism. Both technology and terrorism are significant unknowns ([11]:1034). Likewise, Weimann argues “from a psychological perspective, two of the greatest fears of modern time are combined in the term ‘cyber terrorism’ ([42]:131).” Thomas ([39]:115– 116) elaborates further The Internet produces an atmosphere of virtual fear or virtual life.People are afraid of things that are invisible and things they don’t understand. The virtual threat of computer attacks appears to be one of those things. Cyberfear is generated by the fact that what a computer attack could do (bring down airliners, ruin critical infrastructure, destroy the stock market, reveal Pentagon planning secrets, etc.) is too often associated with what will happen (emphases in original). There is a regular cycle of cyber sector and government press releases which are eagerly reported by both the mainstream press and trade sector publications. The vast majority of these releases discuss the threat and the precautions, investments and critical needs of the cyber sector. Rarely, do such releases call attention to the lack of actual cyber terror events, as opposed to, cyber crime, hacking or hoaxes and rarely do they inform the reader that the same type of threat and the same “crisis mode” of release appeared in each of the previous years since the early 1990s. The cycles and concerns mirror the types of competition between administrations and their opposition that took place in the 1950s and 1960s with respect to nuclear weapons and the arms race. Both incumbents and challengers sought to demonstrate potential weaknesses and emerging threats and the need therefore to remain vigilant and invest in preventive measures and improved systems. What we find therefore are systematic leaks tied to the budgetary cycles of various states and systematic leaks tied to the election cycle. Governments also engage in the creation of systematic studies and blue ribbon panels, none of which are likely to report that they can guarantee that no threat exists and that it 6 This fear of cyberterror mirrors the fear of crime found in many studies during the past quarter century. (See Glassner [16]; Gerbner and Gross [14]; Altheide [1]) M. Stohl won’t grow larger in the future for fear of looking weak or contributing to a state of unpreparedness (see Barnett [4]). In the cyber terrorism realm, Richard J. Clarke emerged from bureaucratic obscurity and became a media favorite when he resigned from and authored his critique of the Bush administration’s handling of the terrorism threat. Clarke, who had long been acknowledged within Washington as a capable bureaucratic infighter, had for many years regularly referenced the threat of an electronic Pearl Harbor at budget time and kept the issue “boiling” during much of the rest of the year.7 After 9/11 Clarke incorporated the concept of the post 9/11 world to continue to advance his agenda. Thus Weimann [42]:133) argues that “Following an October 2001 meeting with high-tech executives, including several from the security firm Network Associates, President Bush appointed Richard Clarke as his first special advisor on cyberspace security. After 11 September, Clarke created for himself the position of cybersecurity czar and continued heralding the threat of cyberattack. Understanding that in Washington attention leads to resources and power, Clarke quickly raised the issue’s profile. “Dick has an ability to scare the bejesus out of everybody and to make the bureaucracy jump,” says a former colleague.” After another of the Clarke briefings, Squitieri [33], writing in USA today wrote: The vast array of potential targets and the lack of adequate safeguards have made addressing the threat daunting. Among the recent targets that terrorists have discussed, according to people with knowledge of intelligence briefings: & & & & & & The Centers for Disease Control and Prevention, based in Atlanta. It is charged with developing the nation’s response to potential attacks involving biological warfare. The nation’s financial network, which could shut down the flow of banking data. The attack would focus on the FedWire, the money-movement clearing system maintained by the Federal Reserve Board. Computer systems that operate water-treatment plants, which could contaminate water supplies. Computer networks that run electrical grids and dams. As many targets as possible in a major city. Los Angeles and San Francisco have been mentioned by terrorists, intelligence officials say. Facilities that control the flow of information over the Internet. Richard Clarke, the White House special adviser on cybersecurity, says such sites, of which there are 20 to 25, are “only secure in their obscurity.” For example see Ryter [29]. “You might say 1999 – the year of the Y2K fears – was ‘the year of the Clarke.’ For a very brief period, Clarke became a second tier player with a first string chorus – but only because it served the interests of the Clinton–Gore Administration to promote Clark’s fantasies about cyberarmageddon. It helped Clinton and the liberals in Congress push through a legislative agenda that likely could never have been enacted without the Y2K fantasy fodder fed by Clarke. And Clarke enjoyed the limelight.” “Can we trust the guy who gave us Y2K??” Jon Christian Ryter March 27, 2004 NewsWith Views.com. Retrieved on February 1, 2006 from http://www.newswithviews.com/Ryter/jon28.htm and George Smith Crypt Newsletter 1999 Like old Jacob Marley, Richard Clarke – the broken record of the National Security Council – is produced to rattle his electronic chains and howl menacingly for the rubes. “... Richard A. Clarke of the National Security Council, repeatedly warns them that ‘cyberterrorists’ could launch computer attacks ‘shutting down a city’s electricity, shutting down 911 systems, shutting down telephone networks and transportation systems,’ as he said in a recent interview.” http://www.soci.niu.edu/~crypt/other/ harbor.htm 7 Cyber terrorism & & The nation’s communications network, including telephone and 911 call centers. Air traffic control, rail and public transportation systems. But it was not simply Richard Clarke who was interested in the use of the cyber terror threat within the Bush administration. Stanton ([34]:1020) recounts the story of the Code Red Scare in the July–August 2001 period. He characterizes the campaign as “an example of either an ongoing government disinformation campaign designed to demonize the Internet and frighten the public or just plain government ignorance and fear of how the Internet might be used by the public.” (W. Madsen, personal communication, June 2001)8 Hidden agendas Further, there are also many security firms that have services to sell which are designed to protect us from “them.” Since 1997 the Computer Security Institute (CSI) has produced an annual survey which “documents” the increasing number of attacks against corporate networks and the increasing dollars placed at risk because of these attacks. The Institute asks respondents to report on various security issues and to estimate the costs of protection and the costs of the attacks. These include various forms of system penetration from the outside, detected denial of service attacks, and detected computer viruses. Despite numerous methodological problems (including a non-random sample of respondents), CSI has been particularly adept at obtaining widespread media coverage. The media, for their part, report but do not evaluate the methodology or the calculations. In addition other security firms have been quick to build upon the survey for their own benefit. After this year’s release the following appeared: IBM has released a new product that tackles internal network security threats... In a 2005 survey by the FBI and US Computer Security Institute it was found that 56% of US firms had reported internal security breaches [30]. and there followed software fixes advertised by other enterprising organizations. As has been noted many times (see e.g., Weimann [42], Green [18], Flemming and Stohl [12]) there are many incentives for security firms to advertise vulnerabilities and sell “solutions” as the number of digital users increases and the importance of digital transactions expands to every sector of our daily lives. Patriot games As with the exploitation of legitimate and expanding concerns with digital transactions in the private sector, there are also opportunities beyond simply improving bureaucratic material and influence resources within the governmental sector. As with the debates about national security during the cold war, the discussion about cyber security also involves 8 Stanton continues “Why the Code Red Scare? Well, maybe its just coincidence, but sometime over the next couple of months President Bush is expected to issue a new Executive Order on Cybersecurity and, of course, the new budget cycle starts. He will appoint an interagency cybersecurity and Continuity of Operations Board. Soon after the hype surrounding Code Red, [then head of the] National Information Infrastructure Protection Commission, Ron Dick, got a jump start on things with a press conference on cybersecurity at the National Press Club. Hyping Code Red was a sure fire way to ensure the conference was covered by all the talking head networks. And it didn’t hurt that Code Red provided a convenient backdrop while then-FBI Director designate Robert Mueller was fielding some questions during his Senate conformation hearings on what the FBI will do on cybersecurity during his watch.” M. Stohl some misinformation (also called disinformation within the foreign policy realm) and exploitation of fears and risk. After 9/11 the discussion of cyber security and cyber terrorism has been no exception. Much investigation and analysis has been conducted with respect to the development of the Bush administration case against Iraq as a justification to declare war in 2003, and in addition to its case with respect to WMD it is important to remember there was also an attempt to tie Saddam Hussein to Al Qaeda and the “Global terror network.” Those terror ties were not limited only to what many refer to as the BTKP (Break things, kill people) forms of terrorism (see [15]). Some “packaged” Saddam and Hussein within the cyber frame. In the Fall of 2001 when the Bush administration began to trumpet the connection between Saddam Hussein and Al Qaeda, Joshua Dean reported the assertions of terrorism analyst Yonah Alexander of the Potomac Institute connecting Iraq and cyber terrorism. Iraq has quietly been developing a cyber arsenal called Iraq Net since the mid-1990s. Alexander said it consists of a series of more than 100 Web sites located in domains throughout the world. Iraq Net, he said, is designed to overwhelm cyber-based infrastructures by distributed denial of service and other cyber attacks. “Saddam Hussein would not hesitate to use the cyber tool he has,” Alexander said. “It is not a question of if but when. Like the assertions of Iraq’s cache of WMD, the existence of Iraq Net has yet to be proven ([40]:134).9 Six months later FBI officials and Richard Clarke discussed their fears that Al Qaeda would employ the web as a “Tool of Bloodshed.” Gellman [13] reported, “Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say.” And the media, when they report the possibilities raised by various governmental officials, bureaucrats as well as elected officials, don’t necessarily discriminate between those threats which are possible and/or possible and those which are not. These articles persistently remind the public of the continued danger of, and the lack of preparations to defend against, cyber attacks and the continuing emergence of ever greater threats, even while all the old threats such as a digital Pearl Harbor never disappear. As Weimann ([42]:132) reminds us, they also frequently fail to distinguish between hacking and cyber terrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following: “If a 16-year old could do this, then what could a well-funded terrorist group do?”10 9 “Until recently, Ridge has seemed basically levelheaded about the real dangers of cyberterrorism. Someone who’s close to Ridge told me that the secretary simply doesn’t care that much about the topic, which would explain his silence. But now that agency budgets are up for review, Ridge seems to be treading the same alarmist path as did his former cybersecurity deputy, Richard Clarke, who quit in January. Clarke was a professional paranoiac, a modern-day Chicken Little blinkered by a career spent in the cloistered intelligence community. It didn’t help that Clarke’s résumé featured such harrowing tasks as planning for the ‘continuity of government’ after a nuclear strike on Washington – a job where no precaution is too extreme. Soon after President Clinton appointed him to a ‘national coordinator’ post in 1998, Clarke became infamous for darkling warnings about the spectre of a ‘digital Pearl Harbor’ that would snarl computers and roil the world’s economy.” Declan McCullagh Cyberterror and professional paranoiacs March 24, 2003 retrieved on 1 February 2006 from http://www.crime-research.org/news/2003/03/Mess2502.html 10 See also Lemos et al. [21]. It is also useful to recognize that all “cyberspace-based threats.” are not terrorism. Rand analysts Hundley and Anderson ([20]:1) consider these as, “adverse actions involving and mediated by computer and telecommunications systems and networks.” Accordingly, there are a wide spectrum of possibilities for “evil actions” in cyberspace. “These include attacks on the data contained within the systems, the programs and processing hardware running those systems, and the environment (communications, networks, etc.) in which they operate” ([20]:12). Cyber terrorism There can be no denial that the continuing expansion of the role of cyber activities in every dimension of organizational and personal life creates both increasing possibilities of potential harm and continuing pressures to alleviate potential threats and opportunities for harm. The increasingly digital environment has and will continue to transform how people interact, how they maintain connections, form groups and organize. Digital technologies thus offer contemporary terrorists and terrorist organizations a wide range of opportunities to support their campaigns of violence and if they are proficient, significantly further their political objectives.11 Therefore, some label any use of digital technology by terrorist organizations as cyber terrorism; some are even more expansive and label any use of digital networks which can damage critical infrastructure as terrorism. For example, Weimann ([42]: 130) argues that Cyber terrorism is “the use of computer network tools to harm or shut down critical national infrastructures (such as energy, transportation, government operations).” However, this expansive definition does not serve us well. It still remains important that we distinguish among cyber terror, cyber attack, and cyber crime as well as many other possibilities. Rollins and Wilson ([28]: 3) argue that At least two views exist for defining the term Cyber terrorism: Effects-based: Cyber terrorism exists when computer attacks result in effects that are disruptive enough to generate fear comparable to a traditional act of terrorism, even if done by criminals. Intent-based: Cyber terrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause grave harm or severe economic damage. I would maintain that it continues to be very important to distinguish between cyber crime and cyber terror and that we restrict cyber terrorism to activities which in addition to their cyber component have the commonly agreed upon components of terrorism. In previous work ([37], forthcoming) I have argued that all the definitions include some form of intimidate, coerce, influence as well as violence or its threat. To illustrate, Stohl ([36]:3) defines terrorism as The purposeful act or the threat of the act of violence to create fear and/or compliant behavior in a victim and/or audience of the act or threat.12 11 In addition, using the web, while it provides additional organizational opportunities, also introduces potential threats. As Conway ([5]:20–21) argues The more terrorist groups use the Internet to move information, money, and recruits around the globe, the more data that is available with which to trail them. Since 9/11 a number of groups have undertaken initiatives to disrupt terrorist use of the Internet, although a small number of such efforts were also undertaken previous to the attacks. .. Perhaps most importantly, however, the Internet and terrorist Web sites can serve as a provider of open source intelligence for states’ intelligence agencies. Although spy agencies are loathe to publicly admit it, it is generally agreed that the Web is playing an ever-growing role in the spy business. In addition Warner argues that Intelligence agencies are also said to be deploying the classic spy tactic of establishing so-called ‘honey pots’ with a high-tech twist: in this case, setting up bogus Web sites to attract those people they are seeking to monitor (Warner [40]). 12 Similarly the United States Department of State since 1983 has the same elements but restricts the target to noncombatants and the perpetrators to subnational groups or clandestine agents Premeditated, politically motivated violence perpetrated against noncombatant* targets by subnational groups or clandestine agents, usually intended to influence an audience.” M. Stohl Thus, there is no good theoretical or practical argument for rejecting the approach advocated by Denning [9] who argued that: Cyber terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.13 As indicated above, scholarly analyses of cyber terrorism, as opposed to sensational news stories and futurist scenarios concur that at present cyber terrorist events as defined by Denning have yet to occur. But there is no doubt that cyber technology has dramatically influenced how terrorists may choose to organize, communicate amongst themselves and transmit their messages. Conway ([5]:3) argues that there are five core terrorist uses of the Internet: information provision, financing, networking, recruitment, and information gathering. Grabosky and Stohl [17] cite intelligence, communications, propaganda, psychological warfare, fund raising, recruitment and training, while Thomas [39] identifies 16 different ways that the internet can be used for cyber planning and organizational activities which offer further elaborations of the uses mentioned above. In short, terrorist groups increasingly use computer technology (as many political, commercial and criminal entities do) to secure many of their organizational goals.14 It is to be expected that organizations will adopt those aspects of digital technology that will enable them to operate and grow with a greater degree of efficiency. In this sense, terrorist groups are simply exploiting modern tools to accomplish the same goals they sought in the past. Terrorist thus might employ digital technologies to enhance ease of operations; information acquisition and distribution; and increase the ease of anonymous communication. None of these activities are easily detected or countered (but as we shall see below, they do lead to other interesting counterterrorism and information gathering possibilities) and therefore 13 See also Bruce Schneier, Beyond Fear: Thinking Sensibly about Security in an Uncertain World (New York: Copernicus Book 2003); Joshua Green, “The Myth of Cyberterrorism,” Washington Monthly, November 2002, available at (http://www.washingtonmonthly.com/features/2001/0211.green.html);Andrew Donoghue “Cyberterror: Clear and present danger or phantom menace?,” ZDNet, 2004, available at (http://insight.zdnet.co.uk/ specials/networksecurity/0,39025061,39118365-2,00.htm).Lewis, James, “Assessing the Risk of Cyber Terrorism, Cyber War and Other Cyber Threats” (Washington,DC: Center for Strategic and International Studies, December 2002), available at (http://www.csis.org/ tech/0211_lewis.pdf) and Dorothy Denning, “Is Cyber Terror Next?” In Understanding September 11, edited by C. Calhoun, P. Price, and A. Timmer (2001), available at ( http://www.ssrc.org/sept11/ essays/denning.htm). 14 The Report of the National Commission on Terrorism ([26]:12) concurs suggesting that “[t]errorists are using the same modern technology as the rest of us....” Likewise, Denning [9] argues Terrorists do use cyberspace to facilitate traditional forms of terrorism such as bombings. They put up Web sites to spread their messages and recruit supporters, and they use the Internet to communicate and coordinate action. However, there are few indications that they are pursuing cyber terrorism, either alone or in conjunction with acts of physical violence. Cyber terrorism terrorist groups may use digital technology to great advantage in furthering their tactical and strategic goals on a more global as well as local basis.15 Specific examples of the facilitation of terrorism through the use of digital technology illustrate the appeal this technology has for terrorist groups interested in advancing their particular agendas. The use of the Internet for propaganda and disinformation purposes is an especially popular one. Rathmell recounts the exploitation of the web by exiled political opposition groups emanating from such states as Iran, Iraq, Mexico, Northern Ireland and Saudi Arabia ([27]:4–5). In Western Europe and the United States, Neo-Nazi groups [43] have been major users of the web as have the Colombian ELN, Hezbollah and Zapatistas ([41]:1) all of whom have also adopted similar tactics.16 Broadcasting videos via web sites has become a favorite tool. One of the first examples involved the December, 1996 takeover of the Japanese Ambassador’s residence in Lima, Peru by the Tupac Amaru Revolutionary Movement (MRTA). The MRTA not only employed the Web to communicate their revolutionary message via a European website, they even offered a video clip of its members preparing for their mission ([6]:216).17 More recently, groups have added even the most gruesome videos to their websites, to horrifying effect. The beheadings of Wall Street Journal Reporter Daniel Pearl in February 20-04 and Nick Berg, an American seeking employment in Iraq in May 2004, were broadcast via videos posted on Islamic Web sights and then broadcast and reported via the mainstream media. In August 2005, the self proclaimed “Jihad Brigades in Palestine” claimed missile attack on a Jewish settlement in Gaza by posting a video to a German server that allows visitors to upload materials and also shows apparent members setting up a missile, readying it for launch and firing it off.18 The Web thus enables sometimes previously anonymous groups to establish a presence and perhaps exploit their activities far beyond the impact of previous terrorist organizations with far less danger. Thomas ([39]: 115–116) argues that the Web thus empowers small groups and makes them appear much more capable than they might actually be, even turning bluster into a type of virtual fear. The net allows terrorists to amplify the consequences of their activities with follow-on messages and threats directly to the population at large, even though the terrorist group may be totally impotent. In effect, the Internet allows a person or group to appear to be larger or more important or threatening than they really are.” When mainstream news then incorporates the reporting of events via these web sites, they also often then repeat the major themes of their campaigns and thus increase the propaganda message’s reach. Organizations employing terrorism have also brought materials which in the past could only be distributed clandestinely and often with much danger to the attention of not only current members but future recruits and anyone else who might “benefit” from the 15 As early as the 1998 (1999:17) report on terrorism in the United States, the Federal Bureau of Investigation finds: “Terrorists are known to use information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely.” 16 In the case of the Zapatistas, group of supporters called the Electronic Disturbance Theater (EDT) have used the Internet stage disturbances as a means of on-line protest ([9], 2). 17 Internet sites were also established in Canada and the United States in support of the MRTA’s activity (Anti-Defamation League [2]:1). 18 See http://www.adl.org/main_Terrorism/jihad_brigades_80805.htm M. Stohl destructive capabilities which are taught. Thus, training videos featuring instructions on how to build explosive devices and prepare gunpowder have recently appeared on several Web sites regularly used by militant Islamic groups. These sites also feature tips on money laundering and many other organizational needs.19 Some organizations also use the web to provide recruitment videos. Thus Al Qaeda in Iraq, an Al Qaeda affiliated terrorist group led by Abu Musab al-Zarqawi, posted the second edition of its recruitment magazine on the Internet in June 2005 (see http://www.adl.org/ main_Terrorism/qaedamag_2_62005.htm).20 Terrorist groups using computers for communication are likely to move beyond hierarchical organizational structures and employ networked ones.21 The foregoing notwithstanding, we must reemphasize the conclusions of Denning [9], Flemming and Stohl [12] and subsequently Weimann ([42]:133) that “Terrorist use of computers as a facilitator of their activities, whether for propaganda, recruitment, datamining, communication, or other purposes, is simply not cyber terrorism.” Focusing upon the types of activities that the cited authors above would argue fall under the rubric of cyber terrorism, such as attacks on critical infrastructure it is important to investigate the conditions under which terrorists would choose to employ digital means to advance their cause over conventional methods. Denning [9] suggests that To understand the potential threat of cyber terrorism, two factors must be considered: first, whether there are targets that are vulnerable to attack that could lead to violence or severe harm, and second, whether there are actors with the capability and motivation to carry them out. To determine motivation we have to ask not simply if they desire to cause harm and exploit fear but also if the investments needed to create the event are more or less “costly” than traditional means of terror. An expected utility approach provides useful insights into the process of understanding why oppositional organizations might choose not only terrorism as a tactic or strategy and which groups are more likely to do so as well as the conditions under which it would make sense (from their perspective) to employ digital rather than conventional tools to accomplish their ends. Duvall and Stohl [10] argued that that an expected utility model is useful for understanding the choice of terrorism as a tactic or strategy in domestic affairs and Stohl [35] argued that it could be applied to behaviors in the international realm as well. Such an approach calculates the benefit thought possible from the desired outcome, the believed probability with which the action will bring about the desired state of affairs and the believed probable cost of engaging in the action. Two kinds of costs, response costs and productions costs, can be distinguished. Response costs are those costs which might be imposed by the target group and/or sympathetic or offended bystanders. The bystanders 19 (See http://abcnews.go.com/WNT/IraqCoverage/story?id=766276&page=1 and http://www.pbs.org/wgbh/ pages/frontline/shows/front/special/tech.html). 20 For many other earlier examples see Damphousse and Smith [6]; Arquilla et al. [3]:91–92, Stanton [34] for many other examples. 21 See Arquilla, Ronfeldt and Zanini [3] for a detailed discussion of this point especially as it relates to Al Qaeda and Stohl and Stohl ([38], forthcoming) on network research on terrorism since 2001. Cyber terrorism may include domestic and foreign audiences and the target audience may be wider than the attacking party may have intended when choosing the victims and the actions. Production costs are the costs of taking the action regardless of the reactions of others. In addition to the economic and organizational costs – paying the participants, acquiring the weapons and the like, there is the psychological cost of behaving in a manner which most individuals would, under normal conditions, characterize as unacceptable behavior. More recently Giacomello ([15]:390) argued: The terrorists are faced with budget constraints that depend on the cost of cyber terrorism and other activities. Assuming that terrorists are rational actors, the shape of the indifference curve is determined by (a) the preferences of terrorists and also (b) the effectiveness of cyber terrorism in achieving the terrorists’ goals. The moment of calculating costs, risks, and advantages is the focus of this analysis, supposing that a terrorist organization is about to consider cyber terrorism as a more efficient alternative compared, for example, with suicidal bombs. Thus as Flemming and Stohl [12] argued: “at one level, the use of cyber technology for inflicting harm on a victim requires a greater level of sophistication than merely using the same technology for communication or propaganda. Not only, must there be some level of expertise in translating the “raw” cyber technology into a weapon of destruction, there must be a recognition that the effectiveness of this alternative supersedes conventional options. Simply stated, a cyber attack against an opponent should produce similar or greater results22 for less effort than a conventional one.23 In other words we are asking if the cyber disruption of an air traffic control system (with the intent of endangering civilian air traffic) can be undertaken with less effort, the same chances of detection, produce the same results and have a greater likelihood of success than an attack on the same system by conventional means (armed attack, or bombing), or a conventional attack that bypasses the air traffic control system in favor of a direct attack on an airliner? When the answer is yes, there is room to believe that cyber terrorism would be a rational choice of terrorist groups. When the answer is no, terrorists would be more likely to remain tied to their traditional methods. Denning [9] argues Further, terrorists may be disinclined to try new methods unless they see their old ones as inadequate, particularly when the new methods require considerable knowledge and skill to use effectively. Terrorists generally stick with tried and true methods. Novelty and sophistication of attack may be much less important than assurance that a mission will be operationally successful. Indeed, the risk of operational failure could be a deterrent to terrorists. For now, the truck bomb poses a much greater threat than the logic bomb. 22 23 These can be thought of as a greater degree of terror or longer lasting fear on the part of the victim. Less effort is defined in terms of fewer resources, less manpower and quicker/easier planning, all of which should translate into reduced risk/greater likelihood of logistical success. M. Stohl The second consideration influencing the choice of cyber means is tied to its ability to effectively terrorize an opponent.24 Embar-Seddon ([11]:1038) argues As a terrorist tactic, cyber terrorism differs from the more traditional tactics, which entail a more direct threat of violence. However, the directness of the threat of violence does not correspond to the level of fear that an action creates, and it is the fear that a terrorist act engenders that is important. In this respect, cyber terrorism can be at least as terrifying as the more traditional terrorist tactics. The level of fear that would result from the threat of shutting down a large portion of the power grid would very likely be as great as, if not greater than, the level of fear that would result from the threat of downing an airliner. However, people react very differently to the downing of an airliner which often provides and easily conjures up images of death and destruction far different than the images of shutting down a power grid. We also have “real world” reactions to the shutting down of power grids that have occurred. The outpouring of emotions is very different than what occurs when for example an airliner crashes (regardless of the cause). The failure of the entire northeast power grid in 1965, for example, did not lead to widespread fear and anger. Nor did the Northeast blackout of 2003 despite the initial concern that it had been caused by terrorists.25 The same response occurred in 2003. Cyber terror was at first suspected in the 2003 Northeast blackout. The cause turned out to be incompetence and falling trees. The widespread blackout did not degrade U. S. military capabilities, did not damage the economy, and caused neither casualties nor terror [24]. From the audience perspective then the taking down of a power grid – what happens in a blackout – is not likely to cause the same type of immediate fear and emotion and conjures up very different images than does a plane crash or the bombing of buildings. Further we have evidence from experimental work that people react very differently to different types of events depending upon the types of emotions that these events instill in them. Nabi [25] argues “Results suggested that anger promotes deeper information 24 As Giacomello ([15]:391) argues Professional military around the world are used to judge the effectiveness of weapons systems according to the “break things, kill people” principle. Projectiles or germs, kinetic or chemical– biological agents are normally required to achieve a BTKP outcome. He then goes on to argue that Under certain circumstances, however, even employing bytes (the basic units of all CNO) may lead to the same results. If CNO target the critical application software of certain infrastructures, they may well yield a BTKP outcome.... If the main outcome of those attacks had been the SCADA (Supervisory Control and Data Acquisition) management systems of critical infrastructure, the potential physical damage would have been considerable. However, thus far, there is no conclusive evidence that this is indeed possible. 25 The 1965 blackout in fact led to a sense of community and was the subject of many humorous tales including the 1968 Hollywood film Where Were You When the Lights Went Out? Cyber terrorism processing than fear, and a main effect for reassurance certainty level, with uncertainty promoting deeper information processing.” And Lerner et al. [23] found that respondents exposed to a fear-inducing manipulation assigned, on average, a higher probability to five negative consequences of terror than did respondents exposed to an anger-inducing manipulation. The specter of the grid blowing up, bombs falling, etc., might create that fear but not the throwing of a switch. The effects would be the same but it would be a different type of act. With the growing interconnectedness of infrastructures relying on cyber technology, the targeting selection of cyber terrorism is likely to be significantly influenced by those targets that allow for a maximum level of disruption. The same, however, is not necessarily true with respect to the mode of attack. Cyber technology allows for an additional variable to be introduced into tactical equations, but clearly represents a single choice in terms of overall modes of operation. Furthermore, Denning [9] argues that Cyber terrorism also has its drawbacks. Systems are complex, so it may be harder to control an attack and achieve a desired level of damage than using physical weapons. Unless people are injured, there is also less drama and emotional appeal. Thus we must ask what else might be inhibiting terrorist groups from doing so beyond the simple cost benefit analysis. Part of the answer lies in their understanding of audience reactions. Many of these groups, such as Al Qaeda, are quite sophisticated in terms of their understanding of audience reactions and use their resources with great calculation.26 Conclusion: breaking point or without remorse? assessing the cyber terror threat Speaking to the Special Oversight Panel on Terrorism of the Committee on Armed Services of the U.S. House of Representatives Dorothy Denning [9] concluded: Thus, at this time, cyber terrorism does not seem to pose an imminent threat. This could change. For a terrorist, it would have some advantages over physical methods. It could be conducted remotely and anonymously, and it would not require the handling of explosives or a suicide mission. It would likely garner extensive media coverage, as journalists and the public alike are fascinated by practically any kind of computer attack. Indeed cyber terrorism could be immensely appealing precisely because of the tremendous attention given to it by the government and media. 26 This sophisticated audience analysis is seen in the letter sent in July 2005 by Ayman al-Zawahri, purportedly the number 2 in al Qaeda to Abu Musab al-Zarqawi, leader of the organization now named al Qaeda in Iraq. In the absence of this popular support, the Islamic mujahed movement would be crushed in the shadows, far from the masses who are distracted or fearful, and the struggle between the Jihadist elite and the arrogant authorities would be confined to prison dungeons far from the public and the light of day. This is precisely what the secular, apostate forces that are controlling our countries are striving for. These forces don't desire to wipe out the mujahed Islamic movement, rather they are stealthily striving to separate it from the misguided or frightened Muslim masses.....Therefore, the mujahed movement must avoid any action that the masses do not understand or approve, if there is no contravention of Sharia in such avoidance, and as long as there are other options to resort to, meaning we must not throw the masses-scant in knowledgeinto the sea before we teach them to swim. M. Stohl Thus far as indicated above, terrorists either continue to find the allure of cyber terrorism unappealing or they remain incapable of mounting significant attacks. Yet the fear of cyber terror remains and the willingness of the authorities and the private sector to use the fear of potential catastrophic harm.27 Part of the explanation lies in the continuing failure to distinguish between what Denning [8] referred to as hactivism and cyberterrorism. “Hacktivism,” describes the marriage of hacking with political activism. (“Hacking” is here understood to mean activities conducted online and covertly that seek to reveal, manipulate, or otherwise exploit vulnerabilities in computer operating systems and other software.) Hacktivists have four main weapons at their disposal: virtual sit-ins and blockades; automated e-mail bombs; web hacks and computer break-ins; and computer viruses and worms. Arquilla and Ronfeldt further muddy the waters with their concept of netwar, which they defined originally (1996: 5) as conflict and crimes at societal levels that are measures short of war or protagonists who rely on network forms of organization, doctrine, strategy and communication. Thus many then confuse more general organizational uses of digital technology with acts of terror. This confusion continues to this day as the following headline and introductory paragraph in the aftermath of the Danish cartoon controversy illustrates Cyber Terrorists Target Danish Websites Peter Diversi – Thursday, 9 February 2006 The cyber terrorists have defaced over 500 Danish Websites, however Danish Internet security companies say the Website owners are fighting back relatively easy. Cyberspace is a new front to attack; a form of protest by what a Danish Internet security expert called “scriptkiddies.” These scriptkiddies, who could be compared to the incensed rock-hurlers seen in real-life protests, attack Websites with weak security. Finally, the spectre of the digital Pearl Harbor remains. On the same day as the Danish cartoon story above, news stories across the United States, Australia, Canada and the U.K. reported the lead that the Department of Homeland Security had provided: – It had the makings of a “digital Pearl Harbor (my emphasis),” a potentially catastrophic computer attack that crossed oceans and continents to target governments, companies and the infrastructure that underpins them [19]. The debate will continue with respect to the degree of cyber threat that actually exists today, or in the near future. The confusion between cyber criminal activity and cyber terror 27 Schwarts, 2003 New vulnerabilities that could leave the way open to a cyberattack are being discovered all the time: according to Symantec, one of the world’s corporate leaders in the field of cyber security, the number of “software holes” (software security flaws that allow malicious hackers to exploit the system) reported in the nation’s computer networks grew by 80 percent in 2002. Still, the company says it has yet to record a single cyberterrorist attack – by its definition, one originating in a country on the State Department’s terror watch list. That could be because those inclined to commit terrorist acts do not yet have the know-how to inflict significant damage, or perhaps because hackers and adept viruswriters are not sympathetic to the goals of terrorist organizations. However, should the two groups find common ground, the results could be devastating. Cyber terrorism will also continue. Future events will determine the costs of this confusion. There is no doubt that cyber criminals will become more sophisticated and, in the absence of continuing investments in cyber security, will cause more damage. But in the meantime how we prepare, and how we talk about our preparations are important. Building defenses against criminals and terrorists are essential. But we must remember that generating an unwarranted fear of potential attack, even while preparing to defend against it, serves the cause of the terrorist even if the security precautions are ultimately successful. Unlike the criminal who simply wishes to succeed in their operations, the terrorist also wishes to undermine confidence in the political structure and create difficulty within the body politic. References 1. Altheide, D. (1997). The news media, the problem frame and the production of fear. The Sociological Quarterly, 38(4), 647–668. 2. Anti-Defamation League (1999). CyberTerrorism – Terrorism update. Retrieved March 1, 2006, from http://www.adl.org/terror/focus/16_focus_a.asp. 3. Arquilla, J., Ronfeldt, D., & Zanini, M. (1999). Networks, netwar and information-age terrorism. In Z. M. Khalilzhad & J. P. White (Eds.), The changing role of information in warfare. Santa Monica, CA: Rand. 4. Barnett, R. J. (1973). Roots of war: The men and institutions behind U.S. foreign policy. Baltimore: Penguin Books. 5. Conway, M. (2005). Terrorist “use” of the internet and fighting back. Paper prepared for presentation at the conference Cybersafety: Safety and security in a networked world: Balancing cyber-rights and responsibilities. Oxford Internet Institute (OII), Oxford University, UK, 8–10 September, 2005. Retrieved February 1, 2006, from http://www.oii.ox.ac.uk/research/cybersafety/extensions/pdfs/papers/ maura_conway.pdf. 6. Damphousse, K. R., & Smith, B. L. (1998). The internet: A terrorist medium for the 21st century. In H. W. Kushner (Ed.), The future of terrorism: Violence in the new millennium. Thousand Oaks, CA: SAGE. 7. Debrix, F. (2001). Cyberterror and Media-Incluced fears: The production of emergency culture, Strategies: Journal of Theory, Culture and Politics, 14(1), 149–168. 8. Denning, D. E. (1999). Activism, hacktivism, and cyber terrorism: The internet as a tool for influencing foreign policy.” Presented to “The Internet and International Systems:Information Technology and American Foreign Policy Decision Making,” The World Affairs Council, San Francisco, December 10, 1999. Retrieved February 1, 2006, from http://www.rand.org/pubs/monograph_reports/MR1382/ MR1382.ch8.pdf. 9. Denning, D. E. (2000). Cyberterrorism. Testimony before the Special Oversight Panel on Terrorism Committee on Armed Services U.S. House of Representatives, May 23, 2000. Retrieved February 1, 2006, from http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html. 10. Duvall, R. D., & Stohl, M. (1983). Governance by terror, chapter six. In M. Stohl (Ed.), The politics of terrorism (2nd ed., pp. 179–219). New York: Marcel Dekker. 11. Embar-Seddon, A. (2002). Cyber terrorism: Are we under siege? American Behavioral Scientist, 45(6), 1033–1043. 12. Flemming, P., & Stohl, M. (2001). Myths and realities of cyber terrorism. In A. P. Schmid (Ed.), Countering terrorism through international cooperation (pp. 70–105). Vienna, Austria: ISPAC (International Scientific and Professional Advisory Council of the United Nations Crime Prevention and Criminal Justice Program. 13. Gellman, B. (2002). Cyber-attacks by Al Qaeda feared: Terrorists at threshold of using internet as tool of bloodshed, experts say,” Washington Post June 27: A01. Retrieved December 1, 2005, from http://www. washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26. 14. Gerbner, G., & Gross, L. (1976). The scary world of tv’s heavy Viewer. Psychology Today, 89–91, April. 15. Giacomello, G. (2004). Bangs for the buck: A cost-benefit analysis of cyber terrorism. Studies in Conflict and Terrorism, 27, 387–408. 16. Glassner, B. (1999). The culture of fear: Why Americans are afraid of the wrong things. New York: Basic Books. 17. Grabosky, P. N., & Stohl, M. (2003). Cyberterrorism Reform 82, Autumn:8–13. Retrieved September 15, 2005 from http://www.alrc.gov.au/reform/summaries/82.htm. M. Stohl 18. Green, J. (2002). The myth of cyber terrorism. Washington Monthly, November. Retrieved February 1, 2006, from http://www.washingtonmonthly.com/features/2001/0211.green.html. 19. Hoffman, L. (2006). ‘Cyber Storm’ simulation aims to head off computer assault, February 9, 2006. Retrieved March 1, 2006, from http://shns.abc15.com/shns/story.cfm?pk=CYBERSTORM-02-0906&cat=WW. 20. Hundley, R. O., & Anderson, R. H. (1996). A qualitative methodology for the assessment of cyberspacerelated risks. Santa Monica: Rand. 21. Lemos, R., Borland, J., Bowman, L., & Junnarkar, S. (2002). E terrorism-threats. Have Digital Myths Diverted Attention from True Threats?” CNET News.com. Retrieved August 26, 2002, from http://news. com.com/E-terrorism+Digital+myth+or+true+threat/2009-1001_3-954728.html?tag=nl. 22. Lenzner, R., & Vardi, N. (2004). Cyber-nightmare. Forbes. Retrieved September 20, 2004, from http:// www.forbes.com/global/2004/0920/104_print.html. 23. Lerner, J. S., Gonzalez, R. M., Small, D. A., & Fischhoff, B. (2003). Emotion and perceived risks of terrorism: A national field experiment. Psychological Science, 14, 144–150. 24. Lewis, J. A. (2006). The war on hype: The deadly terror lurking around the corner may not be such a big, ominous threat after all. San Francisco Chronicle, February 19, 2006. Retrieved March 1, 2006, from http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/19/INGDDH8E2V1.DTL. 25 Nabi, R. L. (2002). Anger, fear, uncertainty, and attitudes: A test of the Cognitive-Functional Model. Communication Monographs, 69(3), 204–216. 26. National Commission on Terrorism. (1998). Countering the Changing Threat of International Terrorism. Report of the National Commission on Terrorism, http://www.fas.org/irp/threat/commission.html. 27. Rathmell, A. (1997). Cyber-terrorism: The shape of future conflict. Royal United Service Institute Journal. October, 40–46. Retrieved March 1, 2006, from http://www.kcl.ac.uk/orgs/icsa/Old/rusi.html. 28. Rollins, J., & Wilson, C. (2005). Terrorist capabilities for cyberattack: Overview and Policy Issues, Congressional Research Service, October 20, 2005. Retrieved February 1, 2006, from http://www.fas. org/sgp/crs/terror/RL33123.pdf. 29 Ryter J. C. (2004). Can we trust the guy who gave us Y2K?? Jon Christian Ryter March 27, 2004 NewsWithViews.com retrieved on February 1, 2006 from http://www.newswithviews.com/Ryter/jon28. htm. 30. Savas, A. (2006). IBM launches internal network protection. Computer weekly. Com, Monday, 27 February 2006. Retrieved March 1, 2006, from http://www.computerweekly.com/Articles/2006/02/27/ 214429/IBMlaunchesinternalnetworkprotection.htm. 31. Schwartz, J. (2003). Decoding computer intruders. The New York Times, April 24, 2003. Retrieved March 1, 2006, from http://tech2.nytimes.com/mem/technology/techreview.html?res=9C02E3D71F3A F937A15757C0A9659C8B63. 32. Simpson, P. (2005). Don’t fear e-terror hype Computer Weekly March 7. Retrieved February 1, 2006, from http://www.computerweekly.com/Articles/2005/04/26/209612/Don’tfeare-terrorhype.htm. 33. Squitieri, T. (2002). Cyberspace full of terror targets , USA Today, May 5, 2002. Retrieved February 1, 2006, from http://www.usatoday.com/tech/news/2002/05/06/cyber-terror.htm. 34. Stanton, J. J. (2002). Terror in cyberspace terrorists will exploit and widen the gap between governing structures and the public. American Behavioral Scientist, 45(6), 1017–1032. 35. Stohl, M. (1986). The superpowers and international terrorism. In M. Stohl & G. Lopez (Eds.), Government violence and repression: An agenda for research. Greenwood Press, 207–228. 36. Stohl, M. (1988a). Demystifying terrorism: The myths and realities of contemporary political terrorism. In M. Stohl (Ed.), The politics of terrorism (3rd ed.). New York: Marcel Decker. 37. Stohl, M. (2006). Knowledge claims and the study of terrorism. In S. Melnick & J. Victoroff (Eds.), Psychology and terrorism. Amsterdam, the Netherlands: Ios Press (forthcoming). 38. Stohl, C., & Stohl, M. (2007). Networks of terror: Theoretical assumptions and pragmatic consequences, Communication Theory. (forthcoming). 39. Thomas, T. L. (2003). Al Qaeda and the internet: The danger of “cyberplanning.” Parameters, 33(1), 112–23. Retrieved February 1, 2006, from Carlisle http://www.army.mil/usawc/Parameters/03spring/ thomas.pdf. 40. Warner, B. (2003). Intelligence experts comb web for terror clues. Reuters News Service, November 12. Retrieved March 1, 2006, from http://www.chron.com/disp/story.mp1/special/iraq/2218091.html. 41. US News and World Report. (1998). Terrorists on the web: Electronic ‘safe haven’ guerrillas use guns, bombs and home pages. 124(24), 46, June 22. 42. Weimann, G. (2005). Cyber terrorism: The sum of all fears? Studies in Conflict and Terrorism, 28, 129–149. 43. White, C., K., C. (1998). Cyber-terrorism: Modem mayhem. Carlisle Barracks, Pennsylvania: U.S. Army War College. Retrieved March 1, 2006, from http://stinet.dtic.mil/dticrev/a345705.pdf.