Cyberterrorism: A Risk Assessment

Technological advances in communications, computing and computer networks are exposing new vulnerabilities that terrorist groups can exploit, making cyberterrorism a potential security concern. The media has extensively discussed this issue, invoking images of massive economic losses and even larger-scale loss of life from a cyberattack executed by a terrorist group. But just how real is the threat that cyberterrorism poses? Fortunately, the fear surrounding this issue outpaces the magnitude of the risk, and in this blog I will attempt to investigate that question.

Is It Really Cyberterrorism?

It is vital to look critically at the terrorism component of cyberterrorism. According to NATO, cyberterrorism is defined as a computer-based attack meant to coerce governments or societies in pursuit of goals that are political, religious, or ideological. Moreover, to fall under the category of cyberterrorism, such actions should be significant enough to generate fear comparable to a physical act of terrorism.

Such a definition, however, precludes many types of activities that the public typically regards as terrorist attacks. One example is “hacktivism,” understood as the act of breaking into a computer system for a politically motivated purpose. Hacktivists use malicious code to generate effects ranging from normal social activism all the way up to civil disobedience.

While hacktivism can result in low-level data pilfering and potential privacy loss, it does not amount to cyberterrorism, as such acts are not explicit acts of violence. Indeed, hacktivists seek to protest as well as disrupt – but not to maim or kill. An example of this is the intrusion into the United States Central Command’s (CENTCOM) social media accounts in 2015 by actors claiming links to the Islamic State (IS).

By the definition provided above, no major acts of cyberterrorism have occurred to date. This is because cyber terror attacks must express all the following characteristics: striking fear, violence, and a political motivation. While these definitions may be quite broad, it is essential for an incident to present all three aspects to be considered an act of cyberterrorism. Most cyber terror attacks these days will have one or two of these elements but will often not have all three.

Capabilities

Gauging operational capabilities is an important factor in determining the risk of a terror group launching a cyberattack. Given the current terrorism landscape, there is a wide consensus among security practitioners that the capabilities of terror groups to launch a large-scale cyber terror attack remain suspect. Efforts such as hacking, doxing (broadcasting private or identifying information about an individual or organization) and defacements – while noteworthy – cannot be considered a major cyberattack.

There are two reasons for this assessment. First, terrorist groups tend to be conservative in terms of weapon technology and development. Rather than using breakthrough technology, terror groups often find innovative uses of already existing technologies to orchestrate their attacks. One example is the weaponizing of hobbyist drones to give them bomb-dropping capabilities.

Second, the technological hurdle involved in perpetrating a mass cyber terror attack is still significant for a terrorist group to overcome. For a terrorist group to have the capabilities to successfully orchestrate a major cyberattack against a physical installation like an electrical power plant, the group would need to recruit an eclectic pool of people who not only are well versed in information technology and computer science techniques but also potentially have the engineering expertise to cause a malfunction or explosion of the physical installation.

Use of Cyberspace

Currently, terror groups are more likely to leverage the cyber realm as a tool to spread and disseminate their propaganda in order to garner more recruits rather than using it as a new theater to orchestrate attack operations. Many terror groups have leveraged several open Application Programming Interface (API) platforms to distribute their content. This trend appears to be increasing. In February 2019, as the IS Caliphate was crumbling and it lost almost all its territorial control in Syria, there was a significant upsurge in IS Telegram channels being posted by the IS network of supporters – in more than twenty languages.

Indeed, cyberspace has become essential for the propaganda and recruitment strategy of most terrorist groups. Encrypted messaging applications such as Telegram are now especially important for terror groups, who use them to communicate with each other and to meet potential recruits online.

Terrorist groups also tend not to use the cyber arena for their offensive operations. Instead, there has been a steadfast commitment to using cyberspace for defensive strategies to protect themselves from being discovered by the authorities. They spend considerable resources and energy on their operational security, and work assiduously on securing their online communications in cyberspace. Terror groups regularly release “best practices” messages on Telegram and other encrypted messaging software on how to share information on online security and encryption without getting their terror network exposed.

Conclusion

Cyberterrorism is often portrayed as a major security threat. The cyber activities of terrorist groups continue to garner substantial media attention and public concern. In turn, assessments of the capabilities of these actors overestimate technical skill and conflate multiple cyber activities. But in reality, very few terror groups can demonstrate advanced cyberterrorism attack capabilities. Instead, cyberspace is mainly used in projecting violent extremist propaganda and recruiting new personnel for their cause.

Lacking the domain knowledge, resources, and ingenuity for complex computer network operations, most terror groups resort to acts of hacktivism or other simple cyberattacks. Indeed, the damage caused by these terror groups pales in comparison to that caused by entities under state control or acting under state auspices. Prominent cases include Stuxnet in Iran, the Saudi Aramco malware attack and the operations conducted by the Syrian Electronic Army under the auspices of the Ba’ath regime in Syria. Thus, despite the great deal of attention the topic attracts, most security experts agree that most terrorist groups do not exhibit especially advanced cyberterrorism capabilities to launch major attacks.

Director - Model Development
Weimeng Yeo is a Director within the Model Development team at Risk Management Solutions (RMS), and is a key member of the team responsible for the development of RMS' terrorism modeling solutions. Prior to his tenure at RMS, Weimeng worked at the International Center for Political Violence and Terrorism Research at the Institute of Defense and Strategic Studies in Singapore. He received his bachelor's degree in Political Science from Colby College in Maine and a Master's degree in International Affairs from Georgetown University in Washington DC at the School of Foreign Service.