Content note: This article contains discussions of violence and terrorism.
Terrorists, unfortunately, are often at the forefront of innovative warfare. The asymmetrical nature of a global insurgency, where attacks are usually carried out by individuals without access to traditional or military-grade weapons, means that those individuals are always looking for new ways to do damage.
Their methods include bombings and mass shootings, as well as the weaponization of vehicles (most famously during the 9/11 attacks, and more recently with a rash of truck attacks throughout Europe) and are unique in that they allow a small force to inflict disproportionate amounts of damage. This damage can be either physical or emotional (terror), as well as influence the political sphere.
Of course, these crimes all require the perpetrator to be present at the scene for some period of time and often constitute a significant financial burden to the group; the total cost of 9/11 for Al-Qaeda was between $400,000 and $500,000. While this wouldn’t be much more than a drop in the ocean for the American military budget, for a group of terrorists (who were at the time living in a sparsely furnished cave system and only receiving intermittent funding from various Saudis) the cost is staggering.
The “ultimate” terror attack would be one that is cheap as hell and doesn’t put the person who carries it out in immediate danger – while also causing significant financial, materiel, or personnel cost to the targeted group.
A cyber-attack is a “deliberate exploitation of computer systems, technology-dependent enterprises and networks.” They are becoming an unsettling fact of the world we live in. These attacks target devices that we have come to depend on for work and recreation, undermining the already shaky trust we place in those devices to regulate the rhythms of our lives and broaden our intellectual horizons. Cyber-warfare is the use of these attacks within the paradigm of state conflict, with cyber-terrorism being exactly what it sounds like.
In the same way that nuclear proliferation fuelled fears that terrorist groups might try to acquire WMDs, the recent WannaCry ransomware fiasco and the existence of digital weapons like Stuxnet (a piece of malicious software that crippled an Iranian nuclear plant in 2010) has governments around the world examining the potential consequences of a cyber-terror attack. For ISIS – unique in that it has held significant territory and has multiple documented sources of income – the creation of digital weapons is hardly a pipe dream. They’ve certainly got the money and the motivation. So why aren’t more terrorist groups pursuing this hot new method of causing fear.
Even if price wasn’t an issue (and it’s becoming less of one) the personnel you need to build a digital weapon are hard to come by. Stuxnet (a digital weapon often described as cyber-warfare’s “Manhattan Project” in terms of complexity, cost, and size) was created by a joint Israeli-American program over the course of several years. You don’t find that kind of experience on SEEK, and you probably aren’t going to find it in the heart of Mosul either – if there was any of it left.
Building such a weapon is hard, but deploying would be even harder. In much the same way that the effective use of conventional weapons relies on understanding the lay of the land and enemy positions, bringing a cyber-weapon to bear requires extensive knowledge of the target. The Stuxnet attack on Iran’s Natanz nuclear enrichment facility was preceded by an effort to create an “electrical blueprint” of the site directories and computer systems. The actual weapon then needed to physically be inserted into the plant due to the fact that the Natanz computer network was isolated from the public internet as well as local area networks. This entailed placing it on the flash drive of an unsuspecting employee and hoping that he would then plug that flash drive into one of the plant computers.
In addition to all this, Stuxnet was used to achieve a goal that doesn’t align with those of most modern terrorist organisations. It induced catastrophic failure in the plant’s nuclear centrifuges, crippling Iran’s ability to enrich uranium for potential weapons applications. Most terrorists would just blow the plant up, if it even crossed their minds to target it. That’s because they want people to be terrorised – destroying nuclear centrifuges is not the most effective means of doing that. Cutting somebody’s head off on Facebook Live or bombing a stadium full of teenage girls is more effective in creating fear, for obvious reasons. In short, cyber-terrorism is not worth it.
A cyber-attack “outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization.” In addition to this, a cyber-attack would need to cause actual physical harm or intimidation to qualify as true cyber-terrorism.
Which isn’t to say that cyber-terrorism is impossible. A simulation run by Idaho National Lab revealed that “remotely changing the operating cycle of a power generator could make it catch fire.” But there is a huge difference in the amount of effort required to manipulate complex computer systems in order to make a generator catch fire, and the amount of effort required to gather materials for a bomb.
Should we be afraid of cyber-terrorism? No – but we should be alert to it. In a world that is becoming increasingly interconnected and where exceptional digital literacy goes hand-in-hand with growing up, it would be surprising if the future didn’t hold some kind of cyber-terror threat. What form that threat might take is uncertain; it might be a “digital Pearl Harbour” or something more insidious. An attack is in no way imminent, but there may come a time when we must think more about the dangers of booting up our laptop than the dangers of going to a festival; when we fear the hacker, not the gunman. Keep your software up-to-date, and be careful out there.