Cyber. Terrorism. Cyber terrorism.
Recently, Danny Moore asked a question about cyber terrorism. His post, and the discussion, is on Mastodon here:
Danny Moore: "Because I was triggered by something - have you e…" - Infosec Exchange
Because I was triggered by something - have you ever seen an actual instance of cyber-terrorism? Note - not recruitment, comms, or propaganda. No state actors either. I mean an actual successful attack carried out by a terror org.
The question is: has anyone seen an actual successful attack that could unequivocally be called “cyber terrorism.”
In short: no.
Thank you for coming to my TED talk.
Ha, like I’ll skip an opportunity to discuss cyber and terrorism at length!
To begin with, we need to discuss “what is terrorism” and what cyber terrorism could or would look like. There are a number of cases that I think illuminate the blurred lines around what “cyber terrorism” will be. And of course, there are psychological issues that have an outsized impact on cyber — because terrorism is an inherently psychological form of warfare.
Terrorism is what you make of it
Terrorism is a vibe.
Terrorism is notoriously difficult to define. There is a lot of academic literature that creates a definition and then runs with it. The issue is, really, that terrorism is a subvariant of war. But “war” is a label reserved for normative interstate violence.
War is violence between two (or more) groups of people waged for a higher purpose. That is, it is violence for a political (or religious, or ideological, or whatever) purpose. Something other than the violence itself or, like, stealing or whatever.
It starts to get complicated when separating terrorism from war. Is it targeting civilians? Well, strategic bombing theory during World War II treated civilians as legitimate military targets. And the Provisional IRA killed more British soldiers than civilians.
Defining terrorism is tricky. For example, robbing banks is a popular tactic for terrorists. Does the IRA robbing a post office to fund IRA activities count as terrorism? Not really; it’s just fund-raising. But, hopefully, the complexities involved are apparent.
What about the state aligned/connected angle?
I think any attempt to define terrorism based on some sort of state-aligned/connected angle is doomed to failure. Looking at the Global War on Terrorism it seems simple to separate states and terrorist groups. But this is false. There are many examples where terrorist groups have some degree of state capture.
Further, there are groups that are so closely tied to a state that they’re practically a state organization. For example, Hezbollah confuses everything. So does Hamas. The Provisional IRA and Sinn Fein are another very very grey area. The National Liberation Front of Vietnam won the war and now rules the country. Mao used terrorism for a while.
It isn’t useful to fixate on the state as the defining feature of “terrorists.” Let’s just agree that “state organisations (probably) don’t count.”
Summary
So I think the main issue with trying to decide if cyberterrorism is a thing is that we’re talking about cyberwar by proxy. Using an even more obscure and less clearly defined ontological concept.
Most people will agree that fundamentally terrorism is warfare, usually waged by non-state actors, frequently using unconventional means, typically against non military targets. But not always.
What is cyber terrorism?
Is terrorism using cyber even possible?
“Cyber attacks are not attacks” — Lukasz Olejnik
Right now, maybe. In the future, almost certainly. Has it happened yet? Not that I’m aware of.
On cyber terrorism: firstly, it won’t look anything like what the pundits think. They have an appalling track record of predicting what cyber will look like, why it is used, and what it can/can’t do. Secondly, transporting kinetic realm concepts directly into cyber doesn’t work.
Having a website isn’t the same as having a book, even though they both have text, pictures, and information. The internet isn’t (just) a new phone system. A word processor is more than just a typewriter with a delete key. Cyber is qualitatively different from the real world that it supposedly mimics. Reasoning about cyber by analogy is the path to failure.
Note: cyber terrorism as the pundits imagine could very well take place. A terrorist group could attack critical national infrastructure and cause loss of life. I believe there will be cyberterrorism that is uniquely enabled or enhanced by the cyber domain.
Case Studies
Cyber enhanced exploitation (?)
On November 23rd there were two bombs at Jerusalem bus stops. One of them was captured on a CCTV camera, and the video was released as a propaganda piece. The CCTV had been compromised before, almost a year ago. If the target was chosen with the intention of being captured on a known compromised CCTV so that it could be turned into a video, I believe that is hybrid cyber terrorism. A mix of cyber and kinetic to create a more powerful effect.
אתה לא רואה שלום יותר
زندگی تاریک؛ شما تاوان خونی که ریخته شده را خواهید پرداخت. در سرزمین های اشغالی فلسطین آرامش و آسایش نخواهید داشت؛ ما پایان شما را تعیین خواهیم کرد. علاوه بر این هارد دوربین ها را برای شما فرمت کردیم!
