The Atlantic Council’s Cyber Statecraft Initiative recently hosted a conference call to discuss the terrorist use of the Internet and how it has evolved in the ten years since 9/11.
The call featured Matt Devost of FusionX, Neal Pollard of PriceWaterhouseCooper and Rick Howard of VeriSign/iDefense – who have been tracking this and many other online threats for years. While this conversation was off the record, this blog attempts to capture the spirit.
Terms such as “cyber 9/11” and “cyber terrorism” have been used frequently to describe the security threats posed by terrorists online. Cyber technologies, like any other, enable terrorist groups to do their terrorizing more effectively and efficiently. In the past few years it is increasingly common for them to use the Internet for propaganda, fundraising, general support, and convergence. Videos and anonymous discussion forums allow for the dissemination of training information and the call to arms for more individuals to participate and join groups.
Importantly, the panelists agreed that these groups have not yet used cyber attack capabilities in any significant way to cause casualties or actually terrorize anyone. While Ibrahim Samudra or Irahabi 007 hacked to raise funds through credit-card fraud, this is a traditional support activity, not “cyber terror”. The US government was a relatively early advocate of a strict definition of cyber terrorism, as nearly a decade ago they were calling it as “a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies.” Not defacing a webpage, not flooding a website (even of the South Korean president) and not stealing credit card information.
Some terrorists groups may talk about waging an e-Jihad, but such talk remains, for now, aspirational blather. For decades, the rule of thumb for intelligence analysts has been that adversaries with motives for damaging cyber attacks do not have the capabilities, while those with the capabilities do not yet have the motives. A large-scale cyber attacks is more difficult than is generally believed and few adversaries have both the motive and capability.
Additionally, terrorist groups have many disincentives for pursing cyber capabilities. For example, their leadership tends to be conservative and they tend to stick with what they know will work – suicide bombers, road-side bombs, and kinetic assaults. These actually kill and terrorize people which, as yet, no cyber attack has accomplished. The Congressional Research Service summed this up as “lower risk, but less drama.”
One day, though, a terrorist group could overcome the barriers and their own reservations to innovate. It is unlikely to happen this week, or even this year. Skepticism, however, has been an excellent analytical tool for two decades and will remain a healthy response when anyone, whether your local newspaper or a religious extremist, blathers about cyber terrorism.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on his blog or on Twitter, @Jason_Healey.