When we hear the term cyber-terrorism, it conjures up visions of government computers and networks going black and information and assets surreptitiously disappearing due to clandestine breaches. But, as our world becomes more and more computerized, the concept of cyber-terrorism has broadened, with targets that can range from a country’s security sector and critical infrastructure to everyday facilities. Cyber-terrorism is becoming more of a mainstream security concern, as technology advances and malicious actors improve their knowledge and skills.
So how real is the threat of cyber-terrorism? As evidenced by the growing number of sophisticated cyber-attacks, malicious computer programs originating in more than 190 countries, and more than 60 percent of all the malicious code detected being introduced in 2008 alone, it’s as real as it gets. The overall probability may be low, but this is more than compensated by the potential severity and impact of any attack against unprotected systems, which can range from mere inconvenience to catastrophic consequences.
It was nearly twenty years ago that Barry C. Collin, a senior research fellow at the Institute for Security and Intelligence in California, described this potential threat as “the convergence of cybernetics and terrorism.” Not long after, it was elaborated into a working definition by FBI special agent Mark Pollitt, as “the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub national groups or clandestine agents.”
Considering this definition, is it truly terrorism? This exposes the issue many academics have with the term; terrorism infers the threat of, or actual violence, towards non-combatants to evoke terror and further a political, ethical, or ideological agenda. It’s easy to argue that a cyber-attack can potentially change human behaviour and activities. But whether true “terror” can be garnered through computer attacks remains under dispute. Certainly, if a terrorist group has the finances, resources, skills, and reasonable access to the target and its vulnerability, there is no doubt that anything run by a computer system – utilities, transit, food, and water health – could be at serious risk.
The Monterey Group for the Special Oversight Panel on Terrorism Committee of the U.S. House of Representatives adopts a three-level categorization for cyber-terror: simple-unstructured, advanced-structured, and complex-coordinated. A simple-unstructured attack requires very little target analysis, command and control, or learning capability. Usually planned within a matter of months, an example would be the Tamil guerrilla server attack that swamped Sri Lankan embassies with over 800 emails a day over a two-week period in 1998.
An advanced-structured attack requires elementary target analysis, command and control and learning capability, and a high degree planning, resulting in extended damage. A good example is the series of cyber-attacks exacted on Estonia over a three week period in 2007, which targeted the country’s government and financial/security sectors – including the presidency, parliament, government ministries, political parties, and key news organisations, banks, and communications firms. This sophisticated attack was critically planned and executed to cause as much disruption to the state as possible; if this was successfully executed on the United States or any other large Western nation, the consequences would have been global.
Complex-coordinated attacks take significant time, specialized skills, coordinated resources, highly capable target analysis, command and control, and learning capability, which make them an especially rare occurrence. Stuxnet, a massive malware attack against an Iranian uranium plant’s SCADA (supervisory control and data acquisition) systems, was catastrophic at the operational level and illustrates its potential gravity. It presumably took several years to develop the Stuxnet virus and its complexity was staggering – it exploited a commonly overlooked software vulnerability, utilized many computer systems to ensure its spread, and employed considerable specialized resources to successfully execute an unprecedented attack.
Understanding threats from a capabilities perspective better allows for a country’s financial and security sectors to develop necessary countermeasures; these need to be unified, integrated, and include legislation, regulations, standards, and tools capable of providing end-to-end safeguarding of systems. One example is Canada’s cyber-terrorism strategy, which offers a robust set of over-arching national legislation, strategies, and legal framework that addresses computer-related and computer-aided crimes and terrorism activities. It relies on coordinated efforts that utilize key elements of its domestic security sector, international alignment, and cooperative partnerships, such as the North Atlantic Treaty Organization, the European Police Office, and INTERPOL.
At the highest level, the Government of Canada addresses prevention, detection, response and interdiction of cyber-terrorism activities in border protection, intelligence and surveillance, immigration, finance, and transportation through multiple departments and agencies across its security sector, including the Canada Border Security Agency, the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Citizens and Immigration Canada, the Financial Transactions and Reports Analysis Centre, Department of National Defence, among others. This cross-departmental approach also involves federal policing down to community policing, in addition to national security, critical infrastructure protection, and foreign policy.
Public Safety Canada is responsible for Canada’s national strategy, Building Resilience Against Terrorism: Canada’s Counter-terrorism Strategy, which addresses cyber-terrorismdirectly and cooperatively through the above-mentioned departments and partners under four areas of concentration: Prevention focuses on the motivations of individuals who engage in, or have the potential to engage in, terrorist activities at home and abroad. Detection examines both physical and cyber threats to system and critical infrastructure monitoring. Denying access helps develop and enhance resilience of vital assets and systems against terrorist attacks and identify risks to reduce security vulnerabilities. Lastly, Security Readiness and Response, exclusive of federal government information technology and information management systems, outlays the level of hardening of systems and the capabilities related to response and recovery.
Another underpinning of the overall Government of Canada strategic effort is Canada’s Cyber Security Strategy, which focuses on three key areas: securing government systems, partnering to secure vital systems outside the federal Government, and helping Canadians to be secure online. It recognises that cyber-attacks include intentional and unauthorized access, use, manipulation, interruption, or destruction of electronic information and the electronic and physical infrastructure used to process, communicate, and/or store that information.
Canada’s legal framework, the Criminal Code of Canada, addresses the criminalization and prosecution of computer related and computer-aided crime involving unauthorized use of computers, possession of devices to obtain computer or telecommunication facility or service, mischief in relation to data, interception of communications, computer falsifications and forgery, invasion of privacy, cyber espionage, and sabotage. In addition, the amended Anti-Terrorism Act holds new provisions for surveillance and intelligence gathering and preventative detainment related to terrorist activities.
Its clear the evolution of cyber-attack tools and techniques have grown exponentially in recent years. Therefore, understanding current and emerging technologies and cyber security, identifying and monitoring vulnerabilities in our critical systems, and continuously improving legislation, strategies and countermeasures are key factors to maintaining the safety of computerized systems and the criminalization and segmentation of cyber-terrorism. Terrorists look for two characteristics in target selection – terror-factor and exploitable vulnerabilities with zero failure being the goal. With this in mind, the systems that manage and deliver our consumables and necessities – a direct line to public health and safety – are without a doubt potential targets.