After the 9/11 attacks a decade ago, it seemed that threats were waiting for us around every border, hiding in every cave, and ready to pounce from everywhere, including cyberspace. To be sure, some of those threats did in fact materialize against the United States, our allies and interests.
NIMDA, a very significant virus, spread wildly beginning on 18 September, just a week after 9/11, leading to inaccurate speculation that al Qaeda was switching to cyber attacks. Thus far, however, terrorists have not embraced cyber attacks compared to traditional operations that provide more bang and bloodshed.
The major predictive analysis after 9/11 was published just eleven days after the attack. “Cyber Attacks During the War on Terrorism,” from the Institute for Security Technology Studies (ISTS) at Dartmouth College. This appears to be the only significant unclassified report that was published and has been called “representative” of the classified work done by the intelligence agencies. That the report reflects the official opinion is no surprise, as it was overseen by Michael Vatis, the founding director of the FBI’s National Infrastructure Protection Center. Accordingly, the ISTS report was able to use government-style predictive warning without being bound by government-style bureaucracy in what they were able to say or by restrictions on the release of the report.
Vatis and his team predicted that “[w]hen the United States and its allies launch their retaliatory action, there is a strong possibility of cyber attacks from hostile groups” including terrorist groups, terrorist sympathizers and anti-US hackers, nation states, and thrill seekers.
The section below looks at the ISTS predictions for each group along with an analysis of how these developed over the past decade. In general these predictions were well thought through though, fortunately, none of the worst came to pass.
Terrorists: While “few terrorist groups have used cyber attacks as a weapon” they “are known to be extensively using information technology and the Internet to formulate plans, raise funds, spread propaganda, and communicate securely.” Accordingly, “trends seem clearly to point to the possibility of terrorist using information technology as a weapon against critical infrastructure targets.”
Analysis: Since 9/11 there have been no notable incidents of “cyber terrorism” where terrorists used cyber capabilities to conduct major disruptive attacks. Terrorist groups, as noted by ISTS, continue to use cyber capabilities for support operations – including stealing and selling credit card and other personal information to fund terrorist operations (such as Irhabi 007 and Ibrahim Samudra). Overall, though, an assessment made in mid-2002 by Matt Devost and Neal Pollard (then of the Terrorism Research Center) still holds true: “It is unlikely that a terrorist organization like al Qaeda currently possess the capability for sustained cyberterrorism attack against critical infrastructures. The ability to launch a sustained attack with national strategic implications requires extensive planning and expertise that would take years to acquire.”
Nation-States: Countries (like Iraq and Libya, thought to be developing cyber capabilities) “may employ information warfare against the United States and its allies if attacked” and other nations may take advantage of the opportunity to launch attacks “under the guise of another country that is the focus of the war on terrorism”.
Analysis: There have not been any noteworthy attacks from nation-states in retaliation for the Global War on Terrorism.
Terrorist Sympathizers and Anti-US Hackers: Attacks by those with “general anti-US and anti-allied sentiments are more likely than attacks by the terrorist themselves or by nation-states.” ISTS also predicted a real danger of a “wider polarization” of a “large and diverse hostile coalition” including “religious fanatics, anti-capitalists, those opposing US support for Israel, and Chinese hackers, among others.”
Analysis: The ISTS team was correct with the straightforward prediction that attacks by sympathizers were more likely than by terrorists but, as it turns out, any such attacks (even those associated with the 2003 invasion of Iraq) have been entirely forgettable. Even the recent NATO operations over Libya did not draw any significant online response. As for the wider hostile coalition, this was always a long shot and didn’t come to pass, but congratulations to ISTS for identifying the possibility.
Thrill Seekers: “Any conflict that plays out in cyberspace will invariably attract a huge number of hackers … who simply want to gain notoriety through high-profile attacks.” These attackers would have low sophistication and skill and “are not highly motivated and could lose interest if the conflict drags on.”
Analysis: Thrill seekers have been a thorn in the sides of defenders in the United States and its allies, but have not notably been part of the larger terrorism conflict.
So, malicious cyber incidents relating to 9/11 or the American responses have not been a defining characteristic of the past ten years of cyber conflict. Instead, these ten years have been dominated more by large-scale cyber espionage, connected to nation-states, along with overwhelming cyber crime. In fact, the only notable disruptions of critical infrastructure were against Estonia and Georgia in incidents tied to Great Power realpolitik rather than global terrorism.
The ISTS predictions were generally both well-reasoned and reasonable. It turns out, though, that terrorists have not embraced cyber attacks compared to traditional operations that provide more bang and bloodshed. And while nations and non-state groups have been active the resulting attacks have not been driven in large part by 9/11 or our reaction to it.
Warnings of “cyber terror” are fortunately still just words and have not yet become reality.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey. This is a part of an occasional series on cyber conflict history.