From Thinking Outside The Boxe’s Sydney Correspondent: If there is one word that has been misused more than most over the past decade it is “terrorist”. After all one man’s terrorist is another’s freedom fighter. Large scale and devastating terrorist attacks such as the one that occurred on 9/11 and high profile terrorists such as Osama Bin Laden have caused us to attach more baggage to the word terrorist than it deserves.
Terrorism does not necessarily equal large scale attacks that lead to the deaths of hundreds or thousands of people. More often the victims number under 50. We need to remember that the root of the word terrorist is ‘terror’. Terrorism is designed to incite a psychological reaction in people. An obvious way this can be achieved is through physical attacks that maim or kill but we can argue that terrorists succeed if we merely are fearful of an act of terror. Cyberterrorism is the inevitable result of the divergence of technology and terrorism. It is a means of using technology (most often the internet) to conduct terrorist activities. The easiest way of approaching the question of which form of terrorism poses the threat is to examine the threat from each form separately.
The idea of cyberterrorism is something that most people are extremely frightened of because of how reliant our society has become on technology and how large agencies, from the military to utilities such as water and energy, are also seemingly exposed to threats that might be executed via the internet. In March 2012 the Director of the FBI Robert Mueller III discussed cyberterrorism at a cyber security conference in San Francisco. Mueller mentioned that the individuals who planned the Times Square bombing in 2010 used public web reconnaissance and file sharing sites to share operational details. Importantly, Mueller pointed out that up to now (early 2012), and at the time of writing this article (late 2012) no terrorists have used the internet to launch a full scale terrorist attack. However, it is interesting to consider the example of the Aum Shinryko cult and their terrorist attack on the Tokyo subway where their 1995 gas attack killed 12 people and injured another 6000. The cult also developed a software system enabling it to track 150 police vehicles. This example exposes the threat that terrorist groups can pose and their intent.
Gabriel Weimann, writing for the United States Institute of Peace, correctly identifies the fact that ‘hacktivism’ is often confused with cyberterrorism. Hacktivists use their hacking skills to advance their political activism. While not a threat in the same sense that terrorism is a threat, hacktivists expose flaws and holes in security that cyberterrorists could also potentially exploit. An exercise code named “Eligible Receiver” that was conducted by the National Security Agency in 1997 proves this point. In this exercise a team of 35 hackers were asked to try to hack into and disrupt U.S. National security systems. The ease with which the hackers achieved their goal shocked the organizers of the exercise. “Eligible Receiver” revealed how easily private sector infrastructure such as telecommunications and the energy grid could be accessed. Speaking in late November 2011 Eugene Kaspersky warned that a cyber terrorist attack with potentially devastating consequences could be very close. However, despite the success of the “Eligible Receiver” hackers it is difficult to believe that Kaspersky could be correct. Weimann notes that many critical computer systems are far more resilient than most people believe. The FBI, the Pentagon, and the CIA’s computer systems are all ‘air gapped’. This means for example that nuclear weapons systems are not connected to the internet or any other open computer network. It is worth noting that experts consider the Federal Aviation Authority’s computer systems the most secure of all the mentioned systems due to the fact that administrative and air traffic control systems are separate and that the latter is air gapped.
What about the possibility of terrorists gaining access to these systems by becoming employees? Weimann argues that there are few people in any organization with the technical know how to wreak any substantial level of damage. He also points out that employees trained to handle the difficulties and threats posed by natural disaster are also likely to be able to handle any man made incident.
Biological weapons covers a large range of biochemicals ranging from very lethal through to ones which would more likely lead to incapacitation rather than death. Malcolm Dando, writing in in a Carnegie Endowment report, notes that in assessing the threat of biological weapons it is important to consider how easily the biological agent can spread from person to person. There is also the fact that it can be very difficult to handle and prepare a biological agent. Dando reveals the little known fact that the Aum Shinryko cult, mentioned above, had unsuccessfully attempted to poison their fellow citizens using anthrax before their attack with sarin in the subway. Dando points out that experts have suggested that the cult failed to succeed with the anthrax because they did not have access to a lethal strain. The available literature also confirms that there are a number of reasons why it is very difficult to effectively distribute a biological weapon that would cause a massive number of deaths. This is possible when the effort is state sponsored but it is very difficult for smaller terrorist groups to achieve this aim. As the Aum Shinryko and US Mail anthrax attacks in 2001 show, it is possible for these small terrorist groups to carry out attacks that can kill or incapacitate a relatively small amount of the population. Dando quotes former US Navy Secretary Richard Danzig who stated that the most potent threat would be a series of attacks that would gradually diminish the resources of the Government and cause widespread terror. It is possible that any resulting panic might lead to a breakdown of law and order.
Two authors of a Congressional Research Service paper have pointed out that many experts, both in and outside the Government have pointed out systemic difficulties and failings that have made it difficult for security agencies and doctors to detect or recognize low level biological pathogens. This is alarming given that most of these attacks are likely to affect a relatively small number of people, and therefore may not initially be very obvious. If physicians are unable to recognize the symptoms associated with these pathogens then there is obviously a gaping hole in our biosurveillance system. Obviously the health of the population also relies on early detection and treatment following such an attack. The authors of this paper are also critical of the fact that the Government has not engaged more proactively with the private sector in an attempt to manufacture effective countermeasures against such attacks. Obviously the Government does manufacture and stockpile a large amount of countermeasures, however greater levels of production are needed in case the nation does suffer a large scale biological attack. The authors also suggest that the Government’s approach to various agencies established to deal with such emergencies has been ad hoc. However they do acknowledge the difficulties the Government faces given its fiscal position. But as they point out, the economic consequences of a large scale attack would far outweigh the cost of adequately funding these agencies.
Clearly terrorists recognize the fact that the internet provides them with a new way in which to terrorize the population. However due to effective measures such as air gapping it seems very unlikely that any cyberterrorist would be able to wreak any large scale destruction. In this case it is the general population who are fearful simply because we are worried about how much society depends on technology. And to this point there have been no successful cyberterrorism attacks. On the other hand there are examples of successful biological attacks and although the likelihood of widespread death or incapacitation is not significant the threat of small scale attacks is very real.