According to the U.S. Federal Bureau of Investigation (FBI), cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
Under this definition a cyberterrorist attack is explicitly designed to cause physical harm to individuals, which sets it apart from a nuisance virus or a computer attack that merely results in a denial of service (DoS). According to the U.S. Commission of Critical Infrastructure Protection, possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers and water systems. However, there is currently no consensus among governments and the information security community on what qualifies as an act of cyberterrorism.
While the FBI defines cyberterrorism narrowly, excluding all but the most egregious attacks, other organizations and experts suggest that many less harmful attacks can also be considered to be acts of cyberterrorism, as long as the attacks are intended to be disruptive or to further the attackers' political stance. In some cases, the differentiation between cyberterrorism attacks and more ordinary cybercrime activity lies in the intention: the primary motivation for cyberterrorism attacks is to disrupt or harm the victims, even if the attacks do not result in physical harm or cause extreme financial harm.
In other cases, the differentiation is tied to the outcome of a cyberattack; many infosec experts believe an incident should be considered a cyberterrorism attack if it results in physical harm or loss of life, either directly or indirectly through damage or disruption to critical infrastructure. However, others believe physical harm is not a prerequisite for classifying a cyberattack as a terrorist event. The North Atlantic Treaty Organization (NATO), for example, has defined cyberterrorism as "a cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal."
Cyberterrorism is sometimes referred to as electronic terrorism.
Examples of cyberterrorism
Acts of cyberterrorism can be carried out against private computer servers, against devices and networks reachable from the public internet, and against secured government networks or other restricted networks. Hackers who break into computer systems can introduce viruses to vulnerable networks, deface websites, launch denial-of-service attacks or make terroristic threats electronically.
Examples of cyberterrorism include:
- Global terror networks disrupting major websites to create public nuisances/inconveniences or to stop traffic to websites that publish content the hackers disagree with.
- International cyberterrorists accessing and disabling or modifying the signals that control military technology.
- Cyberterrorists targeting critical infrastructure systems, for example, to disable a water treatment plant, cause a regional power outage, or disrupt a pipeline, oil refinery or fracking operation. This type of cyberattack could disrupt major cities, cause a public health crisis, endanger the public safety of millions of people as well as cause massive panic and fatalities.
Cyberespionage, as carried out by governments using hackers to spy on rival nations' intelligence communications to learn about the locations of troops or gain a tactical advantage at war, is not necessarily considered to be cyberterrorism unless the spying is carried out with the intent to execute a cyberterrorist attack.
Methods of cyberterrorism
Cyberterror operations can use many different attack methods, including:
- Advanced persistent threat (APT) actors may use sophisticated and concentrated network attacks in which they gain access to a network and stay there undetected for a long period of time with the intention of stealing data, rather than causing damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
- Viruses, computer worms and malware targeting control systems can affect water supplies, transportation systems, power grids, critical infrastructure and military systems and may be used to further cyberterrorist goals.
- DoS attacks, in which attackers take action to prevent legitimate users from accessing targeted computer systems, devices or other network resources.
- Hacking and theft of critical data from institutions, governments and businesses.
- Ransomware that holds computer systems hostage until the victims pay ransom.
- Phishing attacks, attempts by cybercriminals to collect information from victims through email, which they can then use to access systems or steal the victims' identities.
Cyberterrorist attackers can use virtually any attack method used by cybercriminals to further their political or social goals.
Defense against cyberterrorism
The key to combating cyberterrorism is prevention. Therefore, the best way for organizations to prevent cyberterrorists from hacking into their networks is by installing reputable cybersecurity measures such as antivirus and antimalware software and updating them regularly. This offers a base defense system against cyberterrorists.
Businesses should also make certain that their internet of things devices are properly secured as well as avoid public access points. To protect against ransomware, organizations should keep complete and timely backups of their systems.
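A backup that has silently gone stale, or that the attacker reached and encrypted along with production systems, is discovered only when a restore is attempted. The following Python script is an added example (not part of the original article) of the kind of check an organization can run on its backups: it records a SHA-256 manifest when the backup is taken and later verifies that the backup is recent, that every recorded file is still present and unmodified, and that nothing unexpected has appeared. The directory layout, file names and the `README_DECRYPT.txt` ransom note are constructed for the demonstration.

```python
"""Backup freshness and integrity check (added example, not from the original article).

Assumes a backup job writes files into a directory and records a manifest of
SHA-256 digests at backup time. The verifier flags backups that are stale,
missing files, or altered, which is what a defender wants to learn before a
ransomware incident forces a restore.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the digest of every file under backup_dir (run when the backup is taken)."""
    entries = {
        p.relative_to(backup_dir).as_posix(): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }
    manifest = backup_dir / "manifest.json"
    manifest.write_text(json.dumps({"created": time.time(), "files": entries}, indent=2))
    return manifest


def verify_backup(backup_dir: Path, max_age_seconds: int, now: Optional[float] = None) -> dict:
    """Return a report: stale flag plus lists of missing, modified and unexpected files."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    expected = manifest["files"]
    report = {"stale": now - manifest["created"] > max_age_seconds,
              "missing": [], "modified": [], "unexpected": []}
    # Every file the manifest recorded must still exist with the same digest.
    for rel, digest in expected.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["modified"].append(rel)
    # Files that were not in the manifest (e.g. a dropped ransom note) are suspicious.
    for p in backup_dir.rglob("*"):
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and p.name != "manifest.json" and rel not in expected:
            report["unexpected"].append(rel)
    report["ok"] = not report["stale"] and not any(
        report[k] for k in ("missing", "modified", "unexpected"))
    return report


def demo() -> tuple:
    """Constructed scenario: a clean backup, the same backup after tampering, and a stale one."""
    with tempfile.TemporaryDirectory() as d:
        bdir = Path(d)
        (bdir / "db.sql").write_bytes(b"CREATE TABLE accounts (id INT);\n")
        (bdir / "docs").mkdir()
        (bdir / "docs" / "plan.txt").write_bytes(b"quarterly plan\n")
        write_manifest(bdir)
        clean = verify_backup(bdir, max_age_seconds=86400)
        # Simulate ransomware reaching the backup share: one file overwritten in place,
        # one deleted, and a ransom note dropped (all constructed sample data).
        (bdir / "db.sql").write_bytes(b"\x00\x13\x37 constructed encrypted blob")
        (bdir / "docs" / "plan.txt").unlink()
        (bdir / "README_DECRYPT.txt").write_bytes(b"constructed ransom note\n")
        damaged = verify_backup(bdir, max_age_seconds=86400)
        # A backup older than the allowed window is flagged as stale even before
        # the per-file checks are considered.
        stale = verify_backup(bdir, max_age_seconds=3600, now=time.time() + 2 * 3600)
    return clean, damaged, stale


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged", "stale"), demo()):
        print(label, json.dumps(report))
```

The manifest only proves anything if it is written and stored somewhere the backup job's own credentials cannot later overwrite; a check like this is a detection control, not a substitute for keeping a copy of the backups offline or otherwise out of reach of the accounts that write them.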
Companies should also develop IT policies to protect their business data, including what types of files employees can download as well as what to do in the event of a cyberattack. The National Cyber Security Alliance recommends training employees to adhere to restrictions on installing applications, good password policies and also how to detect the signs of a cyberattack.
To protect critical infrastructure, the Department of Homeland Security coordinates with other public sector agencies as well as private sector partners to share information about cyberthreats and vulnerabilities.
Biggest cyberterrorism attacks in history
Opinions about what types of cyberattacks constitute acts of terrorism still differ among law enforcement agencies, infosec experts and technology companies. However, here are some of the largest attacks and incidents that some consider to be acts of cyberterrorism:
- The Russian government allegedly perpetrated a distributed denial-of-service attack in March 2014 that disrupted the internet in Ukraine and allowed pro-Russian rebels to take control of Crimea.
- In December 2016, 225,000 customers in Ukraine experienced a blackout, the result of remote intrusions at three regional electric power distribution companies. The cyberterrorists blamed for the attack were thought to be from Russia. The cybercriminals flooded phone lines with a DoS attack and also used malware to attack and destroy data on hard drives.
- In 2016, the U.S. Department of Justice announced that Ardit Ferizi, a citizen of Kosovo, was convicted and sentenced to 20 years in prison "for providing material support to the Islamic State of Iraq and the Levant (ISIL), a designated foreign terrorist organization, and accessing a protected computer without authorization and obtaining information in order to provide material support to ISIL." John Carlin, then-assistant attorney general for national security, said: "This case represents the first time we have seen the very real and dangerous national security cyberthreat that results from the combination of terrorism and hacking."
- Three days before Ukraine's presidential election in May 2014, a hacking group based in Russia took down Ukraine's election commission's system, including the country's back-up system. The cybercriminals launched the attack to throw the proceedings into chaos, damage the nationalist candidate and to help the pro-Russian candidate, who ultimately lost the election. Officials were able to get the systems up and running before the election.
- Hackers affiliated with the North Korean government were thought to be responsible for the cyberattack on Sony Pictures Entertainment prior to Sony releasing the film The Interview, which depicted the death of North Korean leader Kim Jong-Un. The hacking group that claimed responsibility, known as the "Guardians of Peace," expressed anger at The Interview and made vague threats of violence in reference to the 9/11 terrorist attacks, which led to Sony cancelling the film's theatrical release. The FBI ultimately determined that the code, encryption algorithms, data deletion methods and compromised networks were similar to those previously used by North Korean hackers. Additionally, the FBI discovered that the hackers had used several IP addresses associated with North Korea.
- In 2015, cybercriminals attacked the German parliament, causing widespread disruption. The hackers infected 20,000 computers used by German politicians, support staff members and civil servants, stealing sensitive data and then demanding several million euros to clean up the damage. A group of Russian nationalists who wanted the government of Berlin to stop supporting Ukraine claimed responsibility, but members of the Russian intelligence were also thought to be involved.
- In May 2017, major companies, government offices and hospitals around the world were hit by ransomware called WannaCry, which seized control of victims' computers until they paid a ransom. Cybersecurity firm Avast identified more than 75,000 ransomware attacks in 99 countries, making it one of the largest and most damaging cyberattacks in history. Experts and government agencies agreed that the Lazarus Group, which was affiliated with the North Korean government, was responsible for releasing WannaCry.