Monday, December 9, 2024

COLUMN: Defining Cyberterrorism: How Different Approaches Shape Data Collection

Open-source data sources indicate a low number of cyberterrorism incidents, despite widespread concerns about its global prevalence. This raises the question of the true level of the cyberterrorism threat—whether it is exaggerated or not. The answer may hinge on definitional approaches, the criteria used to include incidents, and the methodologies used in data collection.

Cybersecurity has become a critical concern, receiving significant attention and ranking high among the top security priorities for governments worldwide. Cyber attacks are conducted by states, criminals, hackers, and terrorist groups, sparking debate over which poses the greatest threat. It is noteworthy that terrorism databases rarely document cyberterrorism incidents; for instance, the Global Terrorism and Trends Analysis Center (GTTAC) Records of Incidents Database (GRID) did not report any cyberterrorism cases from 2018 to 2023, largely due to varying definitions of terrorism, inclusion criteria, and data processing methodologies.

Many traditional crimes, including terrorism, have migrated to cyberspace, establishing it as a new arena of conflict with unique rules, strategies, and tactics. Cyberterrorism specifically refers to terrorist acts carried out in the digital realm, yet experts and scholars continue to debate its precise definition and scope.

Research on cyber-conflict, public opinion, and international security is rapidly expanding, yet the field encounters a significant challenge in achieving conceptual agreement on key terms. For example, whenever a cyberattack occurs, a public debate ensues regarding its classification as cyberterrorism. This debate holds significant consequences because categorizing an act as “terrorism” justifies the implementation of stringent counterterrorism measures and enhances public perception of the threat.

Amidst rising cyberattacks, there is a growing debate on whether these attacks should be deemed cyberterrorism. Following the 2021 Colonial Pipeline cyberattack, which caused gas shortages across the United States, there was considerable controversy over its classification. Some politicians criticized the Biden administration for categorizing it as a mere criminal act, arguing instead that it constituted cyberterrorism and necessitated a more forceful response. Each cyberattack and cyberterrorism incident typically follows a predictable pattern, with proponents emphasizing their impact while critics question the underlying political motivations. The decision to label a cyberattack as cyberterrorism carries significant implications.

The discourse surrounding cyberterrorism emerged in the late 1990s following multiple terrorist attacks aimed at the United States. In 1997, the U.S. Department of Defense conducted its first cybersecurity exercise to evaluate its systems. During the same year, the Marsh Commission Report highlighted the cyber threat landscape and incorporated it into the nation’s policy framework. A 2024 Gallup study identified cyberterrorism as the foremost threat to the U.S., ranking it higher than concerns regarding nuclear threats from Iran and North Korea, international terrorism, and the influx of illegal immigrants into the United States.

Early studies on cyberterrorism have focused on establishing its threat level, identifying participants, understanding its motivations, and evaluating how effective terrorist tactics are in cyberspace. As with traditional terrorism, the absence of a clear definition, together with the lack of comprehensive case studies confirming its existence, makes cyberterrorism an emerging and contested concern. Researchers struggle to differentiate cyberterrorism from cybercrime, hacktivism, and military cyber operations, complicating efforts to define its scope accurately.

The terms information warfare, hacktivism, cybercrime, cyber warfare, and cyberterrorism are frequently misapplied due to semantic ambiguities. These terms are intricate and interrelated, spanning multiple dimensions. First, information warfare involves offensive and defensive actions against information systems and comprises six key components. Psychological operations shape enemy perceptions through propaganda and false news. Electronic warfare disrupts enemy information systems and intelligence gathering; it is used by terrorist groups, political hackers, and rival nations. Military deception misleads adversaries about military capabilities or intentions. Physical destruction attacks the hardware of information systems. Security measures protect information systems from adversary attacks. Information attacks manipulate information directly without altering physical components.

Second, hacktivism is the use of hacking techniques for political or social causes, acting as a form of civil disobedience with digital tools for direct action or protest. It disrupts computer activities without causing significant financial harm, aiming to promote issues like freedom of speech, human rights, or information ethics. Methods include website defacement or denial-of-service (DoS) attacks to convey messages or disrupt targeted organizations. The ethical implications are debated, but hacktivism showcases how digital technologies influence activism.

Third, cybercrime encompasses illegal activities that use computers, networks, or digital devices either as tools or targets. It includes fraud, identity theft, financial data theft, corporate espionage, and other offenses. The term can be used interchangeably with terms like computer crime or electronic crime. Cybercriminals may be driven by different motives, including the destruction of information, unauthorized access to data, financial profit, and the illicit modification of information. They operate within the Deep Web, an internet segment that includes the Dark Web and is inaccessible to standard browsers. Accessed through tools like Tor, the Dark Web facilitates activities such as selling malware, laundering money digitally, and trafficking illicit goods.

Fourth, cyber warfare refers to state-sponsored actions aimed at attacking or disrupting another nation’s computer systems and information networks, resembling large-scale cyberterrorism. Such attacks typically involve computer viruses or denial-of-service tactics and aim to gather intelligence, test defenses, disrupt military communications and weapons systems, cause economic turmoil, and demonstrate political and military prowess. Countries like North Korea, China, Iran, and Russia are actively involved in cyber warfare, targeting neighboring nations, the U.S., and Europe. Each country employs sophisticated strategies: North Korea poses risks due to its nuclear capabilities; Russia utilizes a broad approach combining cyber operations with electronic warfare and psychological tactics; China integrates cyber warfare extensively into its military structure; and Iran’s aggressive cyber operations target U.S. and allied networks, focusing on critical infrastructure.

Since 2006, the Center for Strategic and International Studies (CSIS) has monitored notable cyber incidents. As of June 2024, its records include multiple instances of cyber warfare involving hackers from North Korea, Russia, China, and Iran. Below are some specific examples.

North Korea: In August 2023, North Korean hackers attempted to breach a joint U.S.-South Korean military exercise focused on countering nuclear threats by launching spear-phishing email attacks targeting the exercise’s war simulation center.

Russia: In December 2023, Russian hackers launched an attack on Kyivstar, Ukraine’s largest mobile phone provider, disrupting services for 24 million customers. The hackers claimed responsibility for damaging over 10,000 computers and 4,000 servers, including cloud storage and backup systems.

China: In March 2023, state-sponsored Chinese hackers infiltrated the email accounts of several high-profile U.S. government officials in the State Department and the Department of Commerce, exploiting a vulnerability in Microsoft’s email systems.

Iran: In April 2023, a group of hackers linked to the Iranian state conducted a series of attacks targeting critical infrastructure in the U.S. and other countries. They deployed a custom-made dropper malware that had not been previously identified. This hacking group has been actively engaged in espionage and social engineering operations aligned with Iranian government interests since at least 2014.

Fifth, cyberterrorism involves unlawfully damaging or disrupting digital assets to intimidate or coerce governments or societies for political, religious, or ideological purposes. This type of terrorism employs information as a weapon, method, or target to achieve its objectives and can occur both within cyberspace and beyond. It may entail physically harming any device, system, or process that stores digital information, which can be as fundamental as binary code.

Governmental and organizational definitions primarily aim to define cyberterrorism within the context of criminal law and national security. They emphasize the political motivations behind cyberattacks, typically defining cyberterrorism in terms of violence or harm inflicted on non-combatant targets. These definitions often use concise and legally focused language.

Scholars’ definitions offer broader and more nuanced perspectives on cyberterrorism, incorporating social, ideological, and religious motivations. Some definitions do not necessarily require violence, instead focusing on disruption or coercion. They frequently take into account the evolving nature of technology and its impact on terrorism, providing detailed and academically oriented frameworks for understanding cyberterrorism.

The classification of cyberterrorism involves various attributes, including the methods, targets, outcomes, agents (perpetrators), and motivations of attacks. Cyberterror attacks employ methods like malware, computer viruses, and Trojan horses, often delivered through infected USB drives or malicious software installations. However, not every attack that tricks employees into sharing passwords qualifies as cyberterrorism. Targets include military facilities, government offices, power stations, and shopping malls. An attack whose outcome is a minor or major explosion is categorized as cyberterrorism, but theft of sensitive data or embezzlement does not qualify. Perpetrators are non-state actors, ranging from individuals (lone actors) to groups such as far-right extremists or Salafi-jihadist groups. Additionally, ideologically motivated individual hackers could also be classified as cyberterrorists. Not all cyberattacks by terrorist organizations are cyberterrorism; actions like online propaganda or recruitment are considered information warfare. Motivations for cyberterrorism include attempts to influence public policy for political, social, or religious reasons, aiming to overthrow or change government policy or to seek revenge against it.

Various scenarios illustrate how these attributes can serve as examples of cyberterrorism:

A far-right extremist group launches a cyberattack to influence governmental policies, deploying malicious software to target a power station. This action triggers a significant explosion.

A Salafi-jihadist group orchestrates a coordinated Distributed Denial of Service (DDoS) attack on multiple financial institutions, targeting banks and financial systems to destabilize the economy and instill fear among the population. This cyber assault cripples online banking services, causing widespread panic and economic turmoil in affected regions. Moreover, the group breaches a major bank’s security systems, deleting critical financial data and physically damaging servers.

A disgruntled former government employee, motivated by left-wing ideology, introduces ransomware onto government servers to seek revenge for perceived injustices. This disrupts government operations and incurs financial losses as crucial files are encrypted and rendered inaccessible, leading to significant disruption in public services. Furthermore, the malware triggers a power surge in government buildings, causing physical damage to equipment and infrastructure.

An individual influenced by white supremacist ideology spreads propaganda videos glorifying violent acts through compromised social media accounts. Targeting vulnerable individuals online, the individual aims to radicalize and recruit new members. The dissemination of extremist content contributes to an increase in radicalization, fostering acts of violence and societal instability. Additionally, the group executes a cyberattack on a major transportation hub, disrupting transportation networks and causing physical damage to vital infrastructure.

An environmental activist group breaches the systems of a multinational corporation known for its environmentally harmful practices to disrupt operations and draw attention to ecological concerns. This cyberattack disrupts production, resulting in significant financial losses and public scrutiny of the corporation’s environmental impact. Additionally, the group infiltrates control systems at a chemical plant, triggering a release of hazardous materials that cause environmental and community harm.

The literature review highlights a nuanced distinction between two types of activities in the realm of terrorism and cyber threats: cyber-enabled actions carried out by terrorist organizations, and direct terrorist activities targeting information and communication systems. Cyber-enabled activities involve terrorist groups using digital tools and technologies to advance their agendas or assist traditional terrorist operations. These actions encompass activities like propaganda dissemination, recruitment, fundraising, communication, and coordination of attacks via the internet and social media platforms. Terrorist groups exploit online system vulnerabilities for purposes such as spreading misinformation, conducting cyber espionage, launching attacks against opponents, or disrupting critical infrastructure.

Terrorist organizations utilize the internet for various strategic purposes: disseminating misinformation to undermine support and instill fear through psychological warfare; leveraging its broad reach for effective propaganda and ideological dissemination; gathering intelligence on targets through data mining; globally soliciting funds by propagating propaganda and seeking contributions; recruiting and mobilizing supporters using religious decrees and anti-Western rhetoric; facilitating seamless communication and coordination among individual cells and members through networking; sharing information on bomb-making, tactics, poisons, assassinations, and anti-surveillance methods; and extensively using online platforms for planning and coordinating terror attacks.

Various groups worldwide, spanning from extremist right-wing organizations to revolutionary movements, have employed websites as platforms to disseminate their ideologies. In the Middle East, groups such as ISIS, Hamas, Hezbollah, Al-Aqsa Martyrs Brigades, Fatah Tanzim, Popular Front for the Liberation of Palestine, and Palestinian Islamic Jihad have utilized the internet for their activities. In Europe, entities like the Basque ETA movement and the Corsican Army have also utilized online platforms. Latin American groups including Peru’s Tupac-Amaru (MRTA), the Shining Path, the Colombian National Liberation Army (ELN), and the Revolutionary Armed Forces of Colombia (FARC) have similarly engaged in online presence. In Asia, various organizations such as Al Qaeda, Aum Shinrikyo, Japanese Red Army, Tamil Tigers, Islamic Movement of Uzbekistan, Moro Islamic Liberation Front in the Philippines, and Lashkar-e-Tayyiba have also utilized the internet for their operations.

On the other hand, terrorist activities directed at information and communication systems involve deliberate actions where terrorists aim to attack or sabotage these systems directly. This includes launching cyberattacks with the primary objective of causing damage to networks, disrupting services, stealing sensitive information, or compromising the integrity of communication channels. Such attacks may target government networks, financial institutions, transportation systems, energy grids, or other critical infrastructure, with the intent to instill fear, disrupt societal functions, or inflict economic damage.

In another categorization, terrorist groups engage in enabling, disruptive, and destructive cyber activities. Enabling Cyber Militancy involves using the internet and modern communication technologies for recruitment, training, fundraising, planning, radicalization, and spreading propaganda; it enhances terrorist campaigns by exploiting technology. Disruptive Cyber Militancy disrupts computer systems, networks, and operations in sectors like finance and transportation, causing inconvenience and economic losses; examples include defacing websites, denial-of-service attacks, ransomware deployments, and data breaches. Destructive Cyber Militancy intentionally damages digital and physical assets, using computer systems as weapons; these attacks can cause physical harm or significant economic damage, instilling fear. Examples include hacking aviation controls and compromising emergency systems.

The limited reporting of cyberterrorism incidents in open-source data from terrorism databases can be attributed to the methodologies used. For instance, GRID primarily focuses on cases of destructive cyber militancy, which involve acts of violence perpetrated by terrorist groups or lone actors driven by terrorist motives. GRID excludes state actors engaged in cyber warfare, as their activities fall outside the realm of cyberterrorism. Furthermore, GRID prioritizes incidents that result in physical violence as a defining criterion.
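The following added example (not code from the column, GTTAC, or GRID) makes the column's central point concrete: the same set of incident records yields very different counts depending on the inclusion criteria applied. The incident records are constructed from the scenarios described above plus two non-qualifying cases, and the two rule functions are a reading of the criteria the column attributes to GRID and to the broader scholarly definitions, not GRID's actual coding rules.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Activity categories from the enabling/disruptive/destructive scheme.
ENABLING, DISRUPTIVE, DESTRUCTIVE = "enabling", "disruptive", "destructive"


@dataclass(frozen=True)
class Incident:
    """One recorded cyber incident (constructed sample record, not GRID data)."""
    label: str
    actor: str               # "state" or "non_state"
    activity: str            # ENABLING, DISRUPTIVE or DESTRUCTIVE
    terrorist_motive: bool   # political, religious or ideological coercion
    physical_violence: bool  # the attack caused physical harm or damage


def grid_style(inc: Incident) -> bool:
    """Narrow criteria as the column describes GRID's: a non-state actor,
    destructive activity, a terrorist motive, and physical violence as the
    outcome. State cyber warfare and non-violent disruption are excluded."""
    return (
        inc.actor == "non_state"
        and inc.activity == DESTRUCTIVE
        and inc.terrorist_motive
        and inc.physical_violence
    )


def broad_style(inc: Incident) -> bool:
    """Broader criteria in the spirit of the scholarly definitions: any
    enabling, disruptive or destructive activity by a terrorist-motivated
    non-state actor counts, and violence is not required."""
    return inc.actor == "non_state" and inc.terrorist_motive


def count_included(incidents: List[Incident],
                   rule: Callable[[Incident], bool]) -> int:
    """Number of records a given inclusion rule would admit."""
    return sum(1 for inc in incidents if rule(inc))


def compare_definitions(incidents: List[Incident]) -> Dict[str, int]:
    """Side-by-side count under the narrow and the broad definition."""
    return {
        "grid_style": count_included(incidents, grid_style),
        "broad_style": count_included(incidents, broad_style),
    }


def activity_breakdown(incidents: List[Incident]) -> Dict[str, int]:
    """Per-category counts for terrorist-motivated non-state activity, the
    view a database tracking all three categories would provide."""
    counts = {ENABLING: 0, DISRUPTIVE: 0, DESTRUCTIVE: 0}
    for inc in incidents:
        if broad_style(inc):
            counts[inc.activity] += 1
    return counts


# Constructed records modelled on the column's scenarios, plus one state
# cyber-warfare case and one profit-driven criminal case for contrast.
SAMPLE_INCIDENTS = [
    Incident("far-right group: malware on power station, explosion",
             "non_state", DESTRUCTIVE, True, True),
    Incident("jihadist group: DDoS against banks, no physical damage",
             "non_state", DISRUPTIVE, True, False),
    Incident("ex-employee: ransomware on government servers, power surge",
             "non_state", DESTRUCTIVE, True, True),
    Incident("supremacist: propaganda via compromised social accounts",
             "non_state", ENABLING, True, False),
    Incident("activist group: chemical plant controls, hazardous release",
             "non_state", DESTRUCTIVE, True, True),
    Incident("state hackers: telecom provider outage",
             "state", DESTRUCTIVE, False, False),
    Incident("criminal gang: ransomware on pipeline operator",
             "non_state", DISRUPTIVE, False, False),
]


if __name__ == "__main__":
    print(compare_definitions(SAMPLE_INCIDENTS))
    print(activity_breakdown(SAMPLE_INCIDENTS))
```

On the seven constructed records the narrow rule admits three incidents and the broad rule five, while the state and purely criminal cases are excluded by both; the per-category breakdown shows the enabling and disruptive activity that a violence-only criterion leaves invisible.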

In conclusion, terrorists actively exploit the cyber domain for various activities such as fundraising, radicalization, and spreading their ideologies. They also engage in disruptive cyber operations, targeting computer systems to cause economic harm. However, since these activities generally do not involve physical violence, they often do not meet the criteria for inclusion as cyberterrorism in databases that track global terrorist incidents. While terrorism databases do include instances of destructive cyber operations, they may not fully capture the actions of terrorist groups with advanced cyber capabilities. Therefore, it is essential to establish a database that monitors the enabling, disruptive, and destructive cyber activities of terrorist groups, providing a more comprehensive view of global cyberterrorism capacity.

Mahmut Cengiz
Dr. Mahmut Cengiz is an Associate Professor and Research Faculty with Terrorism, Transnational Crime and Corruption Center (TraCCC) and the Schar School of Policy and Government at George Mason University (GMU). Dr. Cengiz has international field experience where he has delivered capacity building and training assistance to international partners in the Middle East, Asia, and Europe. He has also been involved in research projects for the Brookings Institute, the European Union, and various U.S. agencies. Dr. Cengiz regularly publishes books, articles and Op-eds. He is the author of six books, many articles, and book chapters regarding terrorism, organized crime, smuggling, terrorist financing, and trafficking issues. His 2019 book, “The Illicit Economy in Turkey: How Criminals, Terrorists, and the Syrian Conflict Fuel Underground Economies,” analyzes the role of criminals, money launderers, and corrupt politicians and discusses the involvement of ISIS and al-Qaida-affiliated groups in the illicit economy. Since 2018, Dr. Cengiz has been working on the launch and development of the Global Terrorist Trends and Analysis Center (GTTAC) and currently serves as Academic Director and Co-Principal Investigator for the GMU component. He teaches Terrorism, American Security Policy, and Narco-Terrorism courses at George Mason University.
