Terrorism (n): the systematic use of violence as a means to intimidate or coerce societies or governments.
Just as the term ‘terrorism’ is appearing with greater frequency in daily news, so we are seeing a rise in the mention of “cyberterrorism.” In the ‘real’ world, terrorism is indeed a very immediate threat, and not one to be taken lightly, but the alarmist attention seeking needs to be moderated with discretion and restraint. Otherwise we may be asking for trouble later.
As someone who grew up in the U.K. during the IRA years, and lived in South Africa during the last years of apartheid, I remember the specter of terrorism all too well. And terrifying it was. But in today’s media, when every street-corner stabbing is described as terrorism, it becomes a mundane topic. And when it becomes mundane, people relax. When people are reading newspapers and grumbling about “oh, just more terrorism,” that’s a dangerous sign. Æsop’s fable about the boy who cried “wolf!” was never more pertinent.
The same applies to cyberterrorism. Despite the more hysterical alerts coming from some corners of the industry, there is precious little evidence of any real terrorism activity online. Oh, sure, terrorists do probably use the internet and email. But that doesn’t make them cyberterrorists, any more than their use of telephones makes them telecom-terrorists.
Despite a bumper year for viruses and hackers in 2002, Symantec’s Internet Threat Report says there were “no verifiable cases of ‘cyberterrorism’ discovered over the past six months – countries on the Cyber Terrorist Watch List were responsible for less than 1 percent of attacks.”
If I spray paint political graffiti, no matter how inflammatory or subversive, on a public wall, I am not a terrorist. A vandal, yes, and a criminal, but not a terrorist. Not even if I do it on every wall I can find, and not even if I damage the walls in the process.
I can only conclude that defacing web sites is not cyberterrorism. That is, after all, what the term ‘hackivism’ was coined to describe, before ‘terrorism’ became the scapegoat of the day for everything from rail delays to poor stock performance. Cyberterrorism similarly does not cover releasing a worm, or sending spam, or conducting a denial-of-service attack.
Or does it? Just as we should be wary of crying “wolf,” we should be equally wary of becoming overly dismissive. Both lead to complacency and then to vulnerability.
What forms could cyberterrorism take? Certainly there is the possibility of cyberwarfare – the governments of most developed countries are actively investigating ways to use the internet and telecom networks to attack enemy infrastructure, and ways to defend their own. It seems reasonable to expect that these same techniques could be used to further terrorist goals.
The recent Slammer worm did a great deal of indirect damage to the internet. Fortunately, it carried no malicious payload: there’s only so much you can do with 376 bytes, and its tiny size was a central factor in its efficiency. It was also lucky that the outbreak occurred on a weekend and was largely contained before trading resumed on the Monday.
It is not a vast stretch of the imagination to get from Slammer to cyberterrorism. Picture a more dangerous version, using better propagation techniques (Slammer was effective but clumsy) and carrying some sort of payload, being deliberately distributed on a Monday, crippling businesses, services and internet trading. The impact on Asian stock markets in particular would have been heavy, with South Korea virtually disappearing off the internet at the peak of Slammer’s activities.
Should that occur, followed by threats of repeat incidents should some political agenda not be met, then it could well be an instance of cyberterrorism. The success of the worm is unlikely to have gone unnoticed by real-world terrorists.
However, we need to keep our perspective. The real-world impact of cyberterrorism is limited. ATMs off-line? That’s annoying, not terrifying. So the internet’s slow. So what? No one died, right?
Real-world terrorists have no shortage of vulnerable targets where physical mayhem will get them much more exposure than some vague electronic threat, and these targets, terrorism experts hasten to point out, are much more tempting to a guerrilla than annoying web users.
eWeek quotes Marcus Sachs, director of communications infrastructure protection in the Office of Cyberspace Security in Washington, as saying “We’d rather characterize terrorism as something that physically kills people. There was no lasting damage done to the infrastructure [by Slammer]. We’d like to see the term cyberterror dropped.”
On the other hand, we have a steady rise in organized crime using the internet to conduct their activities, and there’s no shortage of existing online crime, including child pornography, fraud, identity theft and regular hacking.
Obviously, whether it’s terrorism or not, getting hacked is a serious matter. Vigilance should never be relaxed. It would be tragic if hype and scare-mongering leads the world to believe that cyberterrorism is simply a reinflation of the Y2K balloon, and relax safeguards just in time for a real tragedy.
Jon Tullett is U.K and online editor for SC Magazine ( www.scmagazine.com).