At the recent Chinese World Internet Conference, held in early December 2017, one of the most notable issues discussed was China’s Internet control model, which falls under what President Xi Jinping’s administration has called “cyber sovereignty”. This policy revolves around internet regulations, which could curb cyber-terrorism, and has been garnering more and more popularity as technology continues to advance.
Though regulation of the internet to the level that is enforced in China would probably not work for the United States, there is a growing need for a policy shift to protect people and critical infrastructure from the ever-increasing threats emanating from new technologies, particularly in the cyber domain.
The fear of these threats has persisted and grown over the years to the present day. According to a Pew Research Center poll conducted in 2014, the American public cited the threat of cyber-attacks as the second most urgent threat to American security, second only to the threat of Islamist extremist groups.
Additionally, the convergence of cyber and terrorism has become more prevalent in public discourse; over 31,300 magazine and journal articles examined the phenomenon of cyber-terrorism as of 2012. Not all of these articles are fear-mongering, of course; many are written by naysayers and skeptics who attempt to put people’s worries to rest by pointing out that no one has ever been killed by a cyber-terror attack and assuring people that a real cyber-terror event is as unlikely as being killed in a shark attack.
Still, recent years have demonstrated the kind of non-violent (though still harmful) damage that can be done through a computer, by way of classified leaks and thefts, compromising images of celebrities, and massive criminal acts. In May of 2017, a large-scale cyber-hack known as WannaCry infected approximately 200,000 computers across 150 countries, remotely locking users’ data and only releasing control in exchange for various sums of the infamous online currency Bitcoin. If paid, it would have garnered well over $1 billion for the perpetrators.
[Image: Countries affected by the WannaCry ransomware attack]
But accurate attribution of these activities remains a challenge; as with any illicit activity, its underground nature makes it particularly difficult to trace and measure its full scope. The WannaCry cyber-assault is thought to have originated with the hacker group the Shadow Brokers, and the U.S. has claimed links to North Korean groups.
While these hackers are harmful, current U.S. policies would not call their activity terrorism. Most definitions of terrorist activity require violent acts against people or infrastructure to be counted as terrorism, and the Federal Bureau of Investigation has defined cyber-terrorism as “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents.”
Considered under these limitations, the U.S. has experienced near non-existent physical damage from cyber-terror attacks, and no one has been killed through a cyber-attack. However, scholars such as Dr. Steven Bucci claim that cyber and other technologically advanced attacks may very well reach bomb damage equivalent capabilities. Bucci explains that terrorists excel at innovation and are experts in many cyber areas, including communications, propaganda, fundraising, fund transfers, recruitment, intelligence, reconnaissance, planning, and distributed denial-of-service (DDoS).
In fact, research systems like the Global Terrorism Database (GTD) have already begun including cyber incidents in their records. While the GTD methodology includes suspect cases, and also incidents that blur the lines between extremism and terrorism, the attacks show an increased capability to inflict harm on people and infrastructure through technological means.
In 2008, a Turkish pipeline was electronically manipulated to explode, which Turkish authorities have attributed to the terrorist group, the Kurdistan Workers Party. However, a multinational team of investigators concluded that “only state actors would have had the ability to carry out a sophisticated cyber-attack.”
[Image: A section of the Baku-Tbilisi-Ceyhan Pipeline that was targeted]
More recently, in the 2016 GTD dataset, Newsweek journalist Kurt Eichenwald was the victim of what could arguably be called a cyber-terror attack. An anti-Semitic extremist used Twitter’s instant messaging capability to send an image of a strobe light to Eichenwald, who suffers from epilepsy. The image induced a seizure, but fortunately Eichenwald was not killed.
As technology becomes more readily available, it is doubtless that similar occurrences will become more frequent and endanger people and infrastructure.
Other incidents of advanced technology falling into the hands of terrorists include the rising usage of Unmanned Aerial Vehicles (UAV), also known as drones.
In January 2017, Islamic State-affiliated terrorists used a drone to drop a bomb on an Iraqi army outpost. Several months later, the tactic was adapted by Mexican drug cartels, using a drone and some explosives in a “kamikaze”-style attack. This has created fears of terrorist capabilities with drones and other autonomous vehicles, such as self-driving cars.
All of these incidents prove that it is becoming more possible to inflict physical harm against both people and infrastructure through technological means. To that end, while China is enhancing its internet regulations, in the U.S., scholars are still debating if cyber-terrorism actually exists.
Clearly, then, there is a need for new eyes and new policies to allow American defenses to evolve at the same rate as aggressors. Presently, there are a few measures the U.S. government can take to bolster defenses against these emerging technologies, namely in the National Security Agency (NSA) and Department of Homeland Security (DHS), which together lead the way in cyber defense.
But at the NSA, staff are suffering from reorganization fatigue, costing the agency “several hundred hackers, engineers and data scientists,” all of whom are vital to the nation’s cyber defenses. While reshuffling offices can be good for efficiency on paper, it can have a debilitating effect on morale. The Executive branch of the government needs to let the NSA stabilize so it can get a handle on defense rather than bureaucratic restructuring. Given a little breathing room, the NSA should be able to step up its hiring and fill its ranks with new Cyber Security officers.
With DHS, however, a recent House Bill to restructure the National Protection and Programs Directorate (a leading cyber security office) is a step in the right direction. The legislative branch needs to follow through with this policy shift, which would establish the Cybersecurity and Infrastructure Security Agency. According to DHS Secretary Nielsen, this Agency would allow the Department’s approach to cyber security to evolve to properly meet the threat of nefarious actors such as terrorists. This type of reorganization could allow for new policies to be formulated and better recognize the capabilities of cyber and other advanced technologies that terrorists are using.
* * *
Justin H. Leopold-Cohen (@jleopoldcohen) is a graduate of the Johns Hopkins University MA program in Global Security Studies. His research has focused on terrorism and its convergence with other transnational threats. He currently lives in Washington D.C. and works on security policy. Any opinions expressed in his writing are solely his own, and do not speak for any institution or government.