According to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
Unlike a nuisance virus or a computer attack that results in a denial of service (DoS), a cyberterrorist attack as the FBI defines it is explicitly designed to cause physical harm to individuals. According to the U.S. Commission on Critical Infrastructure Protection, possible cyberterrorist targets include the banking industry, military installations, power plants, air traffic control centers and water systems. However, there is currently no consensus among governments and the information security community on what qualifies as an act of cyberterrorism.
While the FBI defines cyberterrorism narrowly, excluding all but the most egregious attacks, other organizations and experts suggest that many less harmful attacks can also be considered to be acts of cyberterrorism, as long as the attacks are intended to be disruptive or to further the attackers' political stance. In some cases, the differentiation between cyberterrorism attacks and more ordinary cybercrime activity lies in the intention: the primary motivation for cyberterrorism attacks is to disrupt or harm the victims, even if the attacks do not result in physical harm or cause extreme financial harm.
In other cases, the differentiation is tied to the outcome of a cyberattack; many infosec experts believe an incident should be considered a cyberterrorism attack if it results in physical harm or loss of life, either directly or indirectly through damage or disruption to critical infrastructure. However, others believe physical harm is not a prerequisite for classifying a cyberattack as a terrorist event. The North Atlantic Treaty Organization (NATO), for example, has defined cyberterrorism as "a cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal."
Cyberterrorism is sometimes referred to as electronic terrorism.
Examples of cyberterrorism
Acts of cyberterrorism can be carried out against private computer servers, against devices and networks reachable from the public internet, and against secured government networks or other restricted networks. Hackers who break into computer systems can introduce viruses to vulnerable networks, deface websites, launch denial-of-service attacks and/or make terroristic threats electronically.
Examples of cyberterrorism include:
- Global terror networks disrupting major websites to create public nuisances/inconveniences or to stop traffic to websites that publish content the hackers disagree with.
- International cyberterrorists accessing and disabling or modifying the signals that control military technology.
- Cyberterrorists targeting critical infrastructure systems, for example, to disable a water treatment plant, cause a regional power outage, or disrupt a pipeline, oil refinery or fracking operation. This type of cyberattack could disrupt major cities, cause a public health crisis, endanger the public safety of millions of people as well as cause massive panic and fatalities.
Cyberespionage, as carried out by governments using hackers to spy on rival nations' intelligence communications to learn about the locations of troops or gain a tactical advantage at war, is not necessarily considered to be cyberterrorism unless the spying is carried out with the intent to execute a cyberterrorist attack.
Methods of cyberterrorism
Cyberterror operations can use many different attack methods, including:
- Advanced persistent threat (APT) actors may use sophisticated, concentrated network attacks in which they gain access to a network and remain there undetected for a long period of time with the intention of stealing data rather than causing damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.
- Viruses, computer worms and malware targeting control systems can affect water supplies, transportation systems, power grids, critical infrastructure and military systems and may be used to further cyberterrorist goals.
- DoS attacks, cybersecurity events that occur when attackers take action to prevent legitimate users from accessing targeted computer systems, devices or other network resources.
- Hacking and theft of critical data from institutions, governments and businesses.
- Ransomware that holds computer systems hostage until the victims pay ransom.
- Phishing attacks, attempts by cybercriminals to collect information from victims through email, which they can then use to access systems or steal the victims' identities.
Cyberterrorist attackers can use virtually any attack method used by cybercriminals to further their political or social goals.
Defense against cyberterrorism
The key to combating cyberterrorism is prevention. The first step organizations can take to keep cyberterrorists out of their networks is to install reputable cybersecurity measures, such as antivirus and antimalware software, and to update them regularly. This provides a baseline defense against cyberterrorists.
Businesses should also make certain that their internet of things devices are properly secured, and should avoid public access points. To protect against ransomware, organizations should keep complete and timely backups of their systems.
Companies should also develop IT policies to protect their business data, including which types of files employees may download and what to do in the event of a cyberattack. The National Cyber Security Alliance recommends training employees to adhere to restrictions on installing applications, to follow good password policies and to recognize the signs of a cyberattack.
To protect critical infrastructure, the Department of Homeland Security coordinates with other public sector agencies as well as private sector partners to share information about cyberthreats and vulnerabilities.
Cyberwarfare vs. cyberterrorism vs. cybercrime
While there is often overlap in cyberwarfare, cyberterrorism, and cybercrime, distinctions can be drawn between them, particularly by looking at the actors, their motives, and the responses they draw.
In broad terms, cyberwarfare is a military matter of state and non-state actors whose response is ostensibly governed by Geneva and Hague Conventions. In 2013, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) published the Tallinn Manual on the International Law Applicable to Cyber Warfare to provide guidance to policy advisors and legal experts on the most severe cyber operations—that is, those that violate the prohibition of the use of force in international relations, entitle states to exercise the right of self-defense, and/or occur during armed conflict.
In 2017, the CCDCOE updated the manual with the publication of the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The Tallinn Manual 2.0 “adds a legal analysis of the more common cyber incidents that states encounter on a day-to-day basis and that fall below the thresholds of the use of force or armed conflict,” says CCDCOE.
On May 4, 2018, U.S. Cyber Command (USCYBERCOM), located at Fort Meade, Maryland, became the nation's 10th Unified Combatant Command. USCYBERCOM directs, synchronizes, and coordinates cyberspace planning and operations in defense of the U.S. and its interests. Army Gen. Paul M. Nakasone is its commander. USCYBERCOM has the mission “to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners.” Because of the often overlapping nature of cyberwarfare, cyberterrorism and cybercrime, USCYBERCOM’s scope will include not only state actors but “aggressive non-state actors like terrorists, criminals, and hacktivists.” “These malicious cyber actors frequently pose threats that law enforcement and diplomatic means cannot contain without military assistance,” USCYBERCOM notes in its vision statement.
Cybercrime is a judicial matter governed by domestic laws, guided in some cases by international tools, such as the United Nations Convention Against Transnational Organized Crime, the G7 24/7 Network Points of Contact, and the Convention on Cybercrime of the Council of Europe, better known as the Budapest Convention.
The Budapest Convention is the only binding international instrument on cybercrime. It serves as a guideline for countries developing national legislation against cybercrime and as a framework for international cooperation between signatories. The Budapest Convention is the first international treaty on crimes committed via the internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.
Cyberterrorism, according to the U.S. Federal Bureau of Investigation, is any “premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents.” In 2018, the Council of Europe stated in its Counter-Terrorism Strategy (2018-2022) that it was working to produce a set of indicators for assessing the risk that a terrorist attack may be carried out by radicalized individuals, as well as compiling a set of best practices on preventing and countering terrorist public provocation, propaganda, radicalization, recruitment and training on the internet.
Significant cyberterrorism attacks in history
Opinions about which types of cyberattacks constitute acts of terrorism still differ between law enforcement agencies, infosec experts and technology companies. Between January 2018 and February 2019, the Center for Strategic and International Studies (CSIS), in Washington, D.C., identified 90 cyberattacks that targeted government agencies, defense and high-tech companies, or that were considered to be economic crimes with losses of more than $1 million.
Here is a small sample:
- State-sponsored hackers from China stole the personal and IT identification information of some employees of European aerospace company Airbus. Chinese hackers also attempted to steal trade secrets from Norwegian software firm Visma, according to CSIS.
- The U.S. Democratic National Committee revealed that it had been targeted by Russian hackers in the weeks after the 2018 midterm elections, and hackers associated with the Russian intelligence services were found to have targeted the Center for Strategic and International Studies.
- Reuters reports that former U.S. intelligence personnel were revealed to be working for the UAE to help the country hack into the phones of activists, diplomats, and foreign government officials.
- U.S. prosecutors in New York unsealed a 13-count indictment against China’s Huawei Technologies Co. Ltd., the world’s largest telecommunications equipment manufacturer, and its CFO Meng Wanzhou, alleging crimes ranging from wire and bank fraud to obstruction of justice and conspiracy to steal trade secrets. The indicted defendants include Huawei and two Huawei affiliates, Huawei Device USA Inc. and Skycom Tech Co. Ltd. Among other things, Huawei and Skycom are charged with bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud. Meng is charged with bank fraud, wire fraud, and conspiracies to commit bank and wire fraud.
- Marriott International acknowledges that its Starwood reservation system was hacked—allegedly by Chinese hackers—and personal data of up to 500 million guests was stolen.
- The U.S. Department of Justice indicted 12 Russian intelligence officers for carrying out large-scale cyber operations against the Democratic Party in advance of the 2016 Presidential election. According to the DOJ, “All twelve defendants are members of the GRU, a Russian Federation intelligence agency within the Main Intelligence Directorate of the Russian military. These GRU officers, in their official capacities, engaged in a sustained effort to hack into the computer networks of the Democratic Congressional Campaign Committee, the Democratic National Committee, and the presidential campaign of Hillary Clinton, and released that information on the internet under the names ‘DCLeaks’ and ‘Guccifer 2.0’ and through another entity.”
- Chinese government hackers compromised the networks of a U.S. Navy contractor, stealing 614 GB of data related to weapons, sensor, and communication systems under development for U.S. submarines.
- The US and UK blame Russia for the June 2017 NotPetya ransomware attack that caused billions of dollars in damages across the world.
Other large attacks and incidents that some have considered to be acts of cyberterrorism include:
- The Russian government allegedly perpetrated a distributed denial-of-service attack in March 2014 that disrupted the internet in Ukraine and allowed pro-Russian rebels to take control of Crimea.
- In December 2016, 225,000 customers in Ukraine experienced a blackout, the result of remote intrusions at three regional electric power distribution companies. The cyberterrorists blamed for the attack were thought to be from Russia. The attackers flooded phone lines with a DoS attack and also used malware to destroy data on hard drives.
- In 2016, the U.S. Department of Justice announced that Ardit Ferizi, a citizen of Kosovo, was convicted and sentenced to 20 years in prison "for providing material support to the Islamic State of Iraq and the Levant (ISIL), a designated foreign terrorist organization, and accessing a protected computer without authorization and obtaining information in order to provide material support to ISIL." John Carlin, then-assistant attorney general for national security, said: "This case represents the first time we have seen the very real and dangerous national security cyberthreat that results from the combination of terrorism and hacking."
- Three days before Ukraine's presidential election in May 2014, a hacking group based in Russia took down Ukraine's election commission's system, including the country's back-up system. The cybercriminals launched the attack to throw the proceedings into chaos, damage the nationalist candidate and to help the pro-Russian candidate, who ultimately lost the election. Officials were able to get the systems up and running before the election.
- Hackers affiliated with the North Korean government were thought to be responsible for the cyberattack on Sony Pictures Entertainment prior to Sony releasing the film The Interview, which depicted the death of North Korean leader Kim Jong-Un. The hacking group that claimed responsibility, known as the "Guardians of Peace," expressed anger at The Interview and made vague threats of violence in reference to the 9/11 terrorist attacks, which led to Sony cancelling the film's theatrical release. The FBI ultimately determined that the code, encryption algorithms, data deletion methods and compromised networks were similar to those previously used by North Korean hackers. Additionally, the FBI discovered that the hackers had used several IP addresses associated with North Korea.
- In 2015, cybercriminals attacked the German parliament, causing widespread disruption. The hackers infected 20,000 computers used by German politicians, support staff members and civil servants, stealing sensitive data and then demanding several million euros to clean up the damage. A group of Russian nationalists who wanted the government of Berlin to stop supporting Ukraine claimed responsibility, but members of the Russian intelligence were also thought to be involved.
- In May 2017, major companies, government offices and hospitals around the world were hit by a ransomware called WannaCry, which seized control of victims' computers until they paid ransom. Cybersecurity firm Avast identified more than 75,000 ransomware attacks in 99 countries, making it one of the largest and most damaging cyberattacks in history. Experts and government agencies agreed that the Lazarus Group, which was affiliated with the North Korean government, was responsible for releasing WannaCry.