Studies in Conflict & Terrorism, 28:129–149, 2005
Copyright Taylor & Francis Inc.
ISSN: 1057-610X print / 1521-0731 online
DOI: 10.1080/10576100590905110

Cyberterrorism: The Sum of All Fears?

GABRIEL WEIMANN

United States Institute of Peace
Washington, DC, USA

and

Department of Communication
University of Haifa
Haifa, Israel

Cyberterrorism conjures up images of vicious terrorists unleashing catastrophic attacks against computer networks, wreaking havoc, and paralyzing nations. This is a frightening scenario, but how likely is it to occur? Could terrorists cripple critical military, financial, and service computer systems? This article charts the rise of cyberangst and examines the evidence cited by those who predict imminent catastrophe. Psychological, political, and economic forces have combined to promote the fear of cyberterrorism. From a psychological perspective, two of the greatest fears of modern time are combined in the term “cyberterrorism.” The fear of random, violent victimization segues well with the distrust and outright fear of computer technology. Many of these fears, the report contends, are exaggerated: not a single case of cyberterrorism has yet been recorded, hackers are regularly mistaken for terrorists, and cyberdefenses are more robust than is commonly supposed. Even so, the potential threat is undeniable and seems likely to increase, making it all the more important to address the danger without inflating or manipulating it.

Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.

—National Research Council1

For the foreseeable future, acts of cyberterrorism, such as the ones usually imagined, will be very difficult to perform, unreliable in their impact, and easy to respond to in relatively short periods of time.

—Douglas Thomas, statement to the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations2

Received 14 June 2004; accepted 19 August 2004.

This article is an updated and detailed version of a previous special report, Cyberterrorism: How Real Is the Threat?, issued in May 2004 by USIP.

Address correspondence to Gabriel Weimann, University of Haifa, Haifa 32905, Israel. E-mail: [email protected]


Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks.

—Carnegie Mellon University computer scientist Roy Maxion in a letter to President G. Bush co-signed by 50 computer scientists

Terrorists are interested in creating bloodshed and terror. The Internet doesn’t rise to this level of impact in a way that a truck bomb does.

—George Smith, Co-editor, vmyths.com

Introduction

Cyberterrorism is the use of computer network tools to harm or shut down critical national infrastructures (such as energy, transportation, government operations). The premise of cyberterrorism is that as nations and critical infrastructure became more dependent on computer networks for their operation, new vulnerabilities are created—“a massive electronic Achilles’ heel.”3 Cyberterrorism is an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal. The threat posed by cyberterrorism has grabbed the attention of the mass media, the security community, and the information technology (IT) industry. Journalists, politicians, and experts in a variety of fields have popularized a scenario in which sophisticated cyber-terrorists electronically break into computers that control dams or air traffic control systems, wreaking havoc and endangering not only millions of lives but national security itself. And yet, despite all the gloomy predictions of a cyber-generated doomsday, no single instance of real cyberterrorism has been recorded.

Just how real is the threat that cyberterrorism poses? Because most critical infrastructure in Western societies is networked through computers, the potential threat from cyberterrorism is, to be sure, very alarming. Hackers, although not motivated by the same goals that inspire terrorists, have demonstrated that individuals can gain access to sensitive information and to the operation of crucial services. Terrorists, at least in theory, could thus follow the hackers’ lead, and then, having broken into government and private computer systems, could cripple or at least disable the military, financial, and service sectors of advanced economies. The growing dependence of our societies on information technology has created a new form of vulnerability, giving terrorists the chance to approach targets that would otherwise be utterly unassailable, such as national defense systems and air traffic control systems. The more technologically developed a country is, the more vulnerable it becomes to cyberattacks against its infrastructure.

Concern about the potential danger posed by cyberterrorism is thus well founded. That does not mean, however, that all the fears that have been voiced in the media, in Congress, and in other public forums are rational and reasonable. Some fears are simply unjustified, whereas others are highly exaggerated. In addition, the distinction between the potential and the actual damage inflicted by cyberterrorists has too often been ignored, and the relatively benign activities of most hackers have been conflated with the specter of pure cyberterrorism.

This article examines the reality of the cyberterrorism threat, both present and future. It begins by outlining why cyberterrorism angst has gripped so many people, defines what qualifies as “cyberterrorism” and what does not, and charts cyberterrorism’s appeal for terrorists. The report then looks at the evidence both for and against Western society’s vulnerability to cyberattacks, drawing on a variety of recent studies and publications to illustrate the kinds of fears that have been expressed in order to assess whether there is a need to be so concerned. The conclusion looks to the future and argues that we must remain alert to real dangers while not becoming victims of overblown fears.

Cyberterrorism Angst

The roots of the notion of cyberterrorism can be traced back to the early 1990s, when the rapid growth in Internet use and the debate on the emerging “information society” sparked several studies on the potential risks faced by the highly networked, high-tech dependent United States. As early as 1990, the National Academy of Sciences began a report on computer security with the words, “We are at risk. Increasingly, America depends on computers. . . . Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” At the same time, the prototypical term “electronic Pearl Harbor” was coined, linking the threat of a computer attack to an American historical trauma.

“It’s no surprise,” argues Green, “that cyberterrorism now ranks alongside other weapons of mass destruction in the public consciousness . . . but there’s just one problem: There is no such thing as cyberterrorism—no instance of anyone ever having been killed by a terrorist (or anyone else) using a computer. Nor is there compelling evidence that al Qaeda or any other terrorist organization has resorted to computers for any sort of serious destructive activity.”4 It seems fair to say that the current threat posed by cyberterrorism has been exaggerated. No single instance of cyberterrorism has yet been recorded: there were politically motivated cyberattacks, as a form of protest, usually involving website defacements (with a political message) or some types of denial of service (DoS) attack.5 However, while the cyberattacks were politically motivated, from the outset the attacks were incapable of harming people or property or instilling fear into the target population. Its impact was primarily designed to cause disruption and did not have a serious impact on critical services or infrastructure. The vast majority of cyberattacks are launched by hackers with few if any political goals and no desire to cause the mayhem and carnage of which terrorists dream. So, then, why has so much concern been expressed over a relatively minor threat?

The reasons for the popularity of cyberterrorism angst are many. Psychological, political, and economic forces have combined to promote the fear of cyberterrorism. First, from a psychological perspective, two of the greatest fears of modern time are combined in the term “cyberterrorism.”6 The fear of random, violent victimization segues well with the distrust and outright fear of computer technology. An unknown threat is perceived as more threatening than a known threat. Although cyberterrorism does not entail a direct threat of violence, its psychological impact on anxious societies can be as powerful as the effect of terrorist bombs. Moreover, the most destructive forces working against an understanding of the actual threat of cyberterrorism are a fear of the unknown and a lack of information or, worse, too much misinformation.

Second, the mass media have added their voice to the fearful chorus, trumpeting the threat with front-page headlines such as the following, which appeared in The Washington Post in June 2003: “Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say.” Cyberterrorism, the media have discovered, makes for eye-catching, dramatic copy. A typical report published in The Washington Post represents hundreds of similar news items:

This situation is alarming when one considers that America has many thousands of dams, airports, chemical plants, federal reservoirs and of course power plants (of which 104 are nuclear), most of whose integral systems are operated and controlled by sophisticated computer systems or other automated controllers. These systems are now experiencing cyber attacks. In the second half of 2002 alone, 60 percent of power and energy companies experienced at least one severe cyber attack. Fortunately, none incurred catastrophic loss.7

Screenwriters and novelists have likewise seen the dramatic potential, with movies such as the 1995 James Bond feature, Goldeneye and 2002’s Code Hunter, the 2004 television series The Grid, and novels such as Tom Clancy’s and Steve R. Pieczenik’s Netforce popularizing a wide range of cyberterrorist scenarios. The mass media frequently fail to distinguish between hacking and cyberterrorism and exaggerate the threat of the latter by reasoning from false analogies such as the following: “If a sixteen-year-old could do this, then what could a well-funded terrorist group do?” Thus, as Denning has observed, “cyberterrorism and cyberattacks are sexy right now. . . . [Cyberterrorism is] novel, original, it captures people’s imagination.”8

Ignorance is a third factor. Cyberterrorism merges two spheres—terrorism and technology—that many people, including most lawmakers and senior administration officials, do not fully understand and therefore tend to fear. Moreover, some groups are eager to exploit this ignorance: “Numerous technology companies, still reeling from the collapse of the tech bubble, have recast themselves as innovators crucial to national security and boosted their Washington presence in an effort to attract federal dollars.”9 Law enforcement and security consultants are likewise highly motivated to have everyone believe that the threat to the nation’s security is severe. As Ohio State University law professor Peter Swire argued, “Many companies that rode the dot-com boom need to find big new sources of income. One is direct sales to the federal government; another is federal mandates. If we have a big federal push for new security spending, that could prop up the sagging market.”10

To study terrorism, on the Internet or elsewhere, a definition of what terrorism is must be found. Even though most people can recognize terrorism when they see it, experts have had difficulty coming up with an ironclad definition. There are more than one hundred different definitions offered by scholars.11 Thus, a more fruitful approach would be to characterize terrorism; Mullins provides a starting point by highlighting “the terror of terrorism,” that is, the argument or pre-condition that “without the terror induced by the terrorist, there can be no terrorism.”12 Fear is a key element in terrorism, and it is “the fear evoked by the individuals or the small groups of individuals whose capacity to constraint the behavior of others resides not in reason, in numerical preponderance, or in any legitimate exercise of authority, but only in their perception that they are able and willing to use violence unless their demands are satisfied.”13 Hoffman defined terrorism as “Violence, or the threat of violence, used and directed in pursuit of, or in service of, a political aim.”14 The U.S. State Department defines terrorism as “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.” These characteristics clearly leave most of the cyberattacks if not all of them outside the cyberterrorism category. There is also the confusion between cyberterrorism and cybercrime.15 Such confusion is partly caused by the lack of clear definitions of the two phenomena. Cybercrime and cyberterrorism are not coterminous. Cyberspace attacks must have a “terrorist” component in order to be labeled cyberterrorism. The attacks must instill terror as commonly understood (that is, result in death and/or large-scale destruction), and they must have a political motivation. Moreover, regarding the distinction between terrorist use of information technology and terrorism involving computer technology as a weapon/target, only the latter may be defined as cyberterrorism. Terrorist use of computers as a facilitator of their activities, whether for propaganda, recruitment, datamining, communication, or other purposes, is simply not cyberterrorism.16 Terrorists increasingly are using the Net to post messages, launch psychological campaigns, learn about potential targets, coordinate their actions, raise funds, and even conduct virtual training, but all these activities belong to the conventional, instrumental category and not to cyberattacks aimed at computer networks or the Internet itself.

A fourth reason is that some politicians, whether out of genuine conviction or out of a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of prophets of doom. After 9/11, the security and terrorism discourse soon featured cyberterrorism prominently. Following an October 2001 meeting with high-tech executives, including several from the security firm Network Associates, President Bush appointed Richard Clarke as his first special advisor on cyberspace security. After 11 September, Clarke created for himself the position of cybersecurity czar and continued heralding the threat of cyberattack. Understanding that in Washington attention leads to resources and power, Clarke quickly raised the issue’s profile. “Dick has an ability to scare the bejesus out of everybody and to make the bureaucracy jump,” says a former colleague.17

The government was also stepping up its efforts to share information on cyberterrorism threats through public advisories. The National Infrastructure Protection Center (NIPC) has issued an advisory that warns website operators of the threat of DDoS (distributed denial-of-service) attacks. The NIPC advisory stated that it has information that certain groups “have indicated they are targeting websites of the U.S. Department of Defense and organizations that support the critical infrastructure of the United States.” When Tom Ridge, the director of the newly created Office of Homeland Security, announced Clarke’s appointment, he hammered home the fact that information technology now pervades everyday life—from communications and emergency services to water and electricity delivery. “Destroy the networks,” he said, “and you shut down America as we know it and as we live it and as we experience it every day.”

A special congressional commission examining terrorism after the 11 September attacks was very concerned that future attacks against the United States might occur in conjunction with a cyberattack that would maximize the destructive effects of physical weapons such as bombs or chemical assaults. “There has been substantial concern [about] the potential consequences of cyberattacks,” said Virginia Gov. James Gilmore, chairman of the commission examining the nation’s ability to respond to an attack involving a weapon of mass destruction.18 Gilmore said the commission believes that a cyberattack could take place in concert with a physical attack. In a National Public Radio interview with NPR’s Bob Edward, senators Jon Kyl (R-AZ) and Dianne Feinstein (D-CA) expressed their fears about the threat of cyberterrorism. They both said the nation’s computer systems are overly vulnerable to attack and need better security measures.19

This discourse was understandable, given that more nightmarish attacks were expected and that cyberterrorism seemed to offer Al Qaeda opportunities to inflict enormous damage. But there was also a political dimension to the new focus on cyberterrorism. Debates about national security, including the security of cyberspace, always attract political actors with agendas that extend beyond the specific issue at hand—and the debate over cyberterrorism was no exception to this pattern. For instance, Yonah Alexander, a terrorism researcher at the Potomac Institute—a think tank with close links to the Pentagon—announced in December 2001, the existence of an “Iraq Net.” This network supposedly consisted of more than one hundred websites set up across the world by Iraq since the mid-1990s to launch denial-of-service or DoS attacks (DoS attacks render computer systems inaccessible, unusable, or inoperable) against U.S. companies. “Saddam Hussein would not hesitate to use the cyber tool he has. . . . It is not a question of if but when. The entire United States is the front line,” Alexander claimed.20

Whatever the intentions of its author, such a statement was clearly likely to support arguments then being made for an aggressive U.S. policy toward Iraq like Saddam’s WMD stockpiles. No evidence of an Iraq Net has yet come to light.

Fifth, combating cyberterrorism has become not only a highly politicized issue but also an economically rewarding one. As Green argues, “an entire industry has arisen to grapple with its ramifications—think tanks have launched new projects and issued white papers, experts have testified to its dangers before Congress, private companies have hastily deployed security consultants and software designed to protect public and private targets.”21 Following the 9/11 attacks, the federal government requested $4.5 billion for infrastructure security, and the FBI now boasts more than one thousand “cyber investigators.” Spending on security-related technology is expected to increase over the next couple of years, leveling off at 5 percent to 8 percent of the Information Technology budget of global companies, according to a survey.22 Security spending takes up from 3 percent to 4 percent of IT budgets today, but that amount is expected to increase at a compound annual growth rate of between 8 percent and 10 percent through 2006, before reaching a plateau.

Even before 11 September 2001, George W. Bush was calling attention to the danger of an imminent attack on the United States by cyberterrorists. As a presidential candidate, he warned that “American forces are overused and underfunded precisely when they are confronted by a host of new threats and challenges—the spread of weapons of mass destruction, the rise of cyberterrorism, the proliferation of missile technology.” In the aftermath of 9/11, President Bush created the Office of Cyberspace Security in the White House, and appointed his former counterterrorism coordinator, Richard Clarke, to head it (Clarke has since resigned). Since then, the president, the vice president, and other officials have kept the issue before the public. “Terrorists can sit at one computer connected to one network and can create worldwide havoc,” cautioned Tom Ridge, director of the Department of Homeland Security, in a representative observation in April 2003. “[They] don’t necessarily need a bomb or explosives to cripple a sector of the economy or shut down a power grid.” The message is hitting home. For instance, a survey of 725 cities conducted by the National League of Cities for the second anniversary of the 9/11 attacks shows that cyberterrorism ranks alongside biological and chemical weapons at the top of a list of city officials’ fears.23

The net effect of all this attention has been to create a climate in which instances of hacking into government websites, online thefts of proprietary data from companies, and outbreaks of new computer viruses are all likely to be labeled by many including journalists as suspected cases of “cyberterrorism.”24 Indeed, the term has been improperly used and overused to such an extent that, if there is any hope of reaching a clear understanding of the danger posed by cyberterrorism, it must be defined with some precision.

What Is Cyberterrorism?

There have been several stumbling blocks to creating a clear and consistent definition of the term “cyberterrorism.” First, as just noted, much of the discussion of cyberterrorism has been conducted in the popular media, where journalists typically strive for drama and sensation rather than for good operational definitions of new terms. Second, it has been especially common when dealing with computers to coin new words simply by placing the words “cyber,” “computer,” or “information” before another word. Thus, an entire arsenal of words—cybercrime, cyberwar, infowar, netwar, cyberterrorism, cyberharassment, virtual-warfare, digital terrorism, cybertactics, computer warfare, information warfare, cyberattack, cyberwar, and cyber break-ins—is used to describe what some military and political strategists describe as the “new terrorism” of these times.25

Fortunately, some effort has been made to introduce greater semantic precision. Most notably, Dorothy Denning, a professor of computer science, has put forward an admirably unambiguous definition in numerous articles,26 and in her testimony on the subject before the congressional House Armed Services Committee:

Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attacks against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.

It is important to distinguish between cyberterrorism and “hacktivism,” a term coined by Denning to describe the marriage of hacking with political activism. (“Hacking” is here understood to mean activities conducted online and covertly that seek to reveal, manipulate, or otherwise exploit vulnerabilities in computer operating systems and other software.)27 Hacktivists have four main weapons at their disposal: virtual sit-ins and blockades; automated e-mail bombs; web hacks and computer break-ins; and computer viruses and worms. A virtual sit-in or blockade is the cyberspace rendition of a physical sit-in or blockade: political activists coordinate their visits to a website and attempt to generate so much traffic toward the site that other users cannot reach it, thereby disrupting normal operations while winning publicity—via media reports—for the protesters’ cause. When large numbers of individuals simultaneously attack a designated site, the operation is sometimes referred to as “swarming.” Swarming can also amplify the effects of the hacktivists’ second weapon: e-mail bombing campaigns (bombarding targets with thousands of messages at once, also known as “ping attacks”). In July 1997, for example, an e-mail bombing was conducted against the Institute for Global Communications (IGC), a San Francisco-based Internet Service Provider (ISP) that hosted the web pages of Euskal Herria (in English, the Basque Country Journal), a publication edited by supporters of the Basque separatist group Homeland and Liberty (ETA).28 The attackers wanted ETA’s site pulled from the Internet. To accomplish this they bombarded IGC with thousands of spurious e-mails routed through hundreds of different mail relays, spammed IGC staff and customer accounts, clogged IGC’s web page with bogus credit card orders, and threatened to employ the same tactics against other organizations using IGC services. IGC pulled the Euskal Herria site just a few days later.

Many cyberprotesters use the third weapon in the hacktivists’ arsenal: web hacking and computer break-ins, whereby they hack into computers to access stored information, communication facilities, financial information, and so on. For example, the Computer Emergency Response Team Coordination Center (CERT/CC), a federally funded research and development center operated by Carnegie Mellon University, reported 2,134 computer security incidents such as break-ins and hacks in 1997. This number rose to 21,756 in 2000, and to almost 35,000 during the first three quarters of 2001 alone. In 2003, CERT/CC received more than half a million e-mail messages and more than nine hundred hotline calls reporting incidents or requesting information. In the same year, no fewer than 137,529 computer security incidents were reported. Considering that many, perhaps most, incidents are never reported to CERT/CC or any other third party, these numbers become even more significant. Further, each incident that is reported corresponds to an attack that can involve thousands of victims. In April 2002, for instance, hackers broke into the payroll database for the state of California and gained access to the Social Security numbers, bank account information, and home addresses of 265,000 state employees. This rise in computer-based attacks can be attributed to several factors, including the growth of the Internet and a corresponding increase in the number of potential attackers and targets; a seemingly limitless supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated software hacking tools that allow even those with modest skills to launch devastating attacks.

The fourth category of hacktivist weaponry comprises viruses and worms, both of which are forms of malicious code that can infect computers and propagate over computer networks. Their impact can be enormous. The Code Red worm, for example, infected about a million servers in July 2001, and caused $2.6 billion in damage to computer hardware, software, and networks, and the I LOVE YOU virus unleashed in 2000 affected more than twenty million Internet users and caused billions of dollars in damage. Although neither the Code Red worm nor the I LOVE YOU virus was spread with any political goals in mind, some computer viruses and worms have been used to propagate political messages and, in some cases, cause serious damage. During the NATO operation to evict Serbian forces from Kosovo, businesses, public entities, and academic institutes in NATO member-states received virus-laden e-mails from a range of Eastern European countries. The e-mail messages, which had been poorly translated into English, consisted chiefly of unsubtle denunciations of NATO for its unfair aggression and defenses of Serbian rights. But the real threat was from the viruses. This was an instance of cyberwarfare launched by Serbian hackers against the economic infrastructure of NATO countries.

On Tuesday, 22 October 2002, the heart of the Internet network sustained its largest and most sophisticated attack ever: a distributed DoS attack struck the thirteen “root servers” that provide the primary road map for almost all Internet communications worldwide. According to security experts, the incident probably consisted of multiple attackers concentrating the power of many computers against a single network to prevent it from operating. Ordinary Internet users experienced no slowdowns or outages because of safeguards built into the Internet’s architecture; however, a longer, more extensive attack could have seriously damaged worldwide electronic communications. Little can be done to insulate targets from such attacks. Indeed, some of the world’s most powerful companies have been targeted. In February 2000, Amazon.com, e-Bay, Yahoo, and a host of other big-name e-commerce sites came to a grinding halt for several hours due to DoS attacks.

Hacktivism, although politically motivated, does not amount to cyberterrorism. Hacktivists do want to protest and disrupt; they do not want to kill or maim or terrify. However, hacktivism does highlight the threat of cyberterrorism, the potential that individuals with no moral restraint may use methods similar to those developed by hackers to wreak havoc. Moreover, the line between cyberterrorism and hacktivism may sometimes blur, especially if terrorist groups are able to recruit or hire computer-savvy hacktivists or if hacktivists decide to escalate their actions by attacking the systems that operate critical elements of the national infrastructure, such as electric power networks and emergency services.

The Attraction of Cyberterrorism for Terrorists

Cyberterrorism is an attractive option for modern terrorists for several reasons:

• First, it is cheaper than traditional terrorist methods. All that the terrorist needs is a personal computer and an online connection. Terrorists do not need to buy weapons such as guns and explosives; instead, they can create and deliver computer viruses through a telephone line, a cable, or a wireless connection.

• Second, cyberterrorism is more anonymous than traditional terrorist methods. Like many Internet surfers, terrorists use online nicknames—“screen names”—or log on to a website as an unidentified “guest user,” making it very hard for security agencies and police forces to track down the terrorists’ real identity. And in cyberspace there are no physical barriers such as checkpoints to navigate, no borders to cross, no customs agents to outsmart.

• Third, the variety and number of targets are enormous. The cyberterrorist could target the computers and computer networks of governments, individuals, public utilities, private airlines, and so on. The sheer number and complexity of potential targets guarantees that terrorists can find weaknesses and vulnerabilities to exploit. Several studies have shown that critical infrastructures, such as electric power grids and emergency services, are vulnerable to a cyberterrorist attack because the infrastructures and the computer systems that run them are highly complex, making it effectively impossible to eliminate all weaknesses.

• Fourth, cyberterrorism can be conducted remotely, a feature that is especially appealing to terrorists. Cyberterrorism requires less physical training, psychological investment, risk of mortality, and travel than conventional forms of terrorism, making it easier for terrorist organizations to recruit and retain followers.

• Fifth, as the I LOVE YOU virus showed, cyberterrorism has the potential to affect directly a larger number of people than traditional terrorist methods, thereby generating greater media coverage, which is ultimately what terrorists want.

The Growing Vulnerabilities

In his vision of “The Future of Cyberterrorism,” Collin describes several scary scenarios:29

• A cyberterrorist will disrupt the banks, the international financial transactions, the stock exchanges. The key: the people of a country will lose all confidence in the economic system. Would a cyberterrorist attempt to gain entry to the Federal Reserve building or equivalent? Unlikely, since arrest would be immediate. Furthermore, a large truck pulling alongside the building would be noticed. However, in the case of the cyberterrorist, the perpetrator is sitting on another continent while a nation’s economic systems grind to a halt. Destabilization will be achieved.

• A cyberterrorist will attack the next generation of air traffic control systems, and collide two large civilian aircraft. This is a realistic scenario, since the cyberterrorist will also crack the aircraft’s in-cockpit sensors. Much of the same can be done to the rail lines.

• A cyberterrorist will remotely alter the formulas of medication at pharmaceutical manufacturers. The potential loss of life is unfathomable.

• The cyberterrorist may then decide to remotely change the pressure in the gas lines, causing a valve failure, and a block of a sleepy suburb detonates and burns. Likewise, the electrical grid is becoming steadily more vulnerable.

In 1997, the National Security Agency (NSA) conducted an exercise code-named “Eligible Receiver.”30 The results were chilling. The exercise began when NSA officials briefed a thirty-five person “Red Team” of NSA computer hackers on the ground rules. They were told that they were to attempt to hack into and disrupt U.S. national security systems. Their primary target was to be the U.S. Pacific Command in Hawaii, which is responsible for all military contingencies and operations conducted in the Pacific theater, including the tension-wracked Korean peninsula. Members of the Red Team were allowed to use only software tools and other hacking utilities that could be downloaded freely from the Internet through any one of the hundreds, and possibly thousands, of hacker websites. The Pentagon’s own arsenal of secret offensive information warfare tools was off limits to the hackers. Although they were allowed to penetrate various Pentagon networks, the Red Team was prohibited from breaking any U.S. laws.

Posing as hackers hired by the North Korean intelligence service, the Red Team dispersed around the country and began digging their way into military networks. They navigated through cyberspace with ease, mapping networks and logging passwords gained through “brute-force cracking” (a trial-and-error method of decoding encrypted data such as passwords or encryption keys by trying all possible combinations) and the more subtle tactic of social engineering—sometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for the password. The team gained unfettered access to dozens of critical Pentagon computer systems. With that level of access, they were free to create legitimate user accounts for other hackers, delete accounts belonging to authorized officials, reformat server hard drives and scramble the data, or simply shut systems down. They were able to break through network defenses with ease, after which they could conduct DoS attacks, read or make minor changes to sensitive e-mail messages, and disrupt telephone services. They did so without being traced or identified.

The results of the exercise stunned all who were involved. Using hacking tools that were available to anybody on the Internet, the Red Team could have crippled the U.S. military’s command-and-control system for the entire Pacific theater of operations. From a military perspective, that alone was appalling. But it soon became clear that the exercise had revealed much broader vulnerabilities. During the course of analyzing what the Red Team had accomplished, NSA officials discovered that much of the private-sector infrastructure in the United States, such as the telecommunications and electric power grids, could easily be sent into a tailspin using the same tools and techniques.

The vulnerability of the energy industry is at the heart of Black Ice: The Invisible Threat of Cyberterror, a book published in 2003 and written by Computerworld journalist and former intelligence officer Dan Verton.31 Verton argues that America’s energy sector would be the first domino to fall in a strategic cyberterrorist attack against the United States. The book explores in frightening detail how the impact of such an attack could rival, or even exceed, the consequences of a more traditional, physical attack. Verton claims that during any given year, the average large utility company experiences about one million cyberintrusions that require investigation to ensure that critical system components have not been compromised. Data collected by Riptech, Inc.—a Virginia-based company specializing in the security of online information and financial systems—on cyberattacks during the six months following the 9/11 attacks showed that companies in the energy industry suffered intrusions at twice the rate of other industries, with the number of severe or critical attacks requiring immediate intervention averaging 12.5 per company.32

Deregulation and the increased focus on profitability have forced utilities and other companies to move more and more of their operations to the Internet as a means of improving efficiency and reducing costs. The energy industry and many other industrial sectors have opened their enterprises to a vast array of cyberdisruptions by creating inadvertent Internet links (both physical and wireless) between their corporate networks and the digital crown jewels of most industrial processes: the supervisory control and data acquisition (SCADA) systems. These systems manage the actual flow of electricity and natural gas and perform other critical functions in various industrial control settings, such as chemical processing plants, water purification and delivery systems, wastewater management facilities, and a host of manufacturing firms. A terrorist’s ability to control, disrupt, or alter the command and monitoring functions performed by these systems could threaten regional and possibly national security.

New vulnerabilities that could leave the way open to a cyberattack are being discovered all the time: according to Symantec, one of the world’s corporate leaders in the field of cybersecurity, the number of “software holes” (software security flaws that allow malicious hackers to exploit the system) reported in the nation’s computer networks grew by 80 percent in 2002. Still, the company says it has yet to record a single cyberterrorist attack—by its definition, one originating in a country on the State Department’s terror watch list. That could be because those inclined to commit terrorist acts do not yet have the know-how to inflict significant damage, or perhaps because hackers and adept virus writers are not sympathetic to the goals of terrorist organizations. However, should the two groups find common ground, the results could be devastating.

Equally alarming is the prospect of terrorists themselves designing computer software for government agencies. Remarkably, at least one instance of such a situation is known to have occurred, as reported by Denning.33 In March 2000, Japan’s Metropolitan Police Department announced that a software system it had procured to track 150 police vehicles, including unmarked cars, had been developed by the Aum Shinrikyo cult, the same group that gassed the Tokyo subway in 1995, killing twelve people and injuring six thousand more. Additionally, members of this cult had developed software for at least eighty Japanese firms and ten government agencies. They had worked as subcontractors to other firms, making it almost impossible for the end users to know who had developed the software they purchased. As subcontractors, Denning argues, the cult could have installed Trojan horses to launch or facilitate

Despite stepped-up security measures in the wake of 9/11, an Ipsos Public Affairs survey of 395 IT professionals, conducted on behalf of the Business Software Alliance during June 2002, revealed a lack of confidence in the government’s ability to defend itself against a cyberattack. Almost half (49 percent) felt that an attack is likely, and more than half (55 percent) said the risk of a major cyberattack on the United States has increased since 9/11. The figure jumped to 59 percent among individuals responsible for their company’s computer and Internet security. Almost three-quarters (72 percent) believed there is a gap between the threat of a major cyberattack and the government’s ability to defend against it, with the figure increasing to 84 percent among those respondents who are most knowledgeable about security. Furthermore, 86 percent thought the U.S. government should devote more time and resources to defending against cyberattacks than it did to addressing Y2K issues, and 96 percent stressed the importance of securing sensitive information so that hackers will not be able to access it even if they break into the government’s computer system. Those surveyed were concerned about attacks not only on the government but on other likely targets as well. Almost three-quarters (74 percent) believed that national financial institutions, such as Wall Street or big national banks, would be likely targets within the next year, and around two-thirds believed that attacks were likely to be launched within the next twelve months against the computer systems that run communications networks (e.g., telephones and the Internet), transportation infrastructure (e.g., air traffic control computer systems), and utilities (e.g., water stations, dams, and power plants).

A study released in December 2003 appeared to confirm the IT professionals’ skepticism about the ability of the government to defend itself against cyberattacks.34 Conducted by the House Government Reform Subcommittee on Technology, the study examined computer security in federal agencies over the course of a year and awarded grades. Scores were based on numerous criteria, including how well an agency trained its employees in security and the extent to which it met established security procedures such as limiting access to privileged data and eliminating easily guessed passwords. More than half the federal agencies surveyed received a grade of D or F. The Department of Homeland Security, which has a division devoted to monitoring cybersecurity, received the lowest overall score of the twenty-four agencies surveyed. Also earning an F was the Justice Department, the agency charged with investigating and prosecuting cases of hacking and other forms of cybercrime. Thirteen agencies improved their scores slightly compared with the previous year, nudging the overall government grade from an F up to a D. Commenting on these results, Rep. Adam H. Putnam (R-FL), chairman of the House Government Reform Subcommittee on Technology, declared that “the threat of cyberattack is real. . . . The damage that could be inflicted both in terms of financial loss and, potentially, loss of life is considerable.”35

Such studies, together with the enormous media interest in the subject, have fueled popular fears about cyberterrorism. A study by the Pew Internet and American Life Project found in 2003 that nearly half of the one thousand Americans surveyed were worried that terrorists could launch attacks through the networks connecting home computers and power utilities. The Pew study, based on telephone interviews with 1,000 adults, found that 11 percent of respondents were “very worried” and 38 percent were “somewhat worried” about an attack launched through computer networks. The survey was taken in early August, before the major blackout struck the Northeast and before several damaging new viruses afflicted computers throughout the country. Because of those events, the level of awareness concerning cyberterrorism might be even higher today, said Lee Rainie, director of the project.36

Former National Security Advisor Anthony Lake, in his book Six Nightmares, argues, “Millions of computer-savvy individuals could wreak havoc against the United States.”37 Lake, whose chapter “e-Terror, e-Crime” is a veritable case study in cyberattack alarmism, worries that cyberattackers could crash planes; tamper with food or medicines to poison populations; or disrupt the economy by shutting down electrical and communication systems. “The genie is well outside the bottle,” he claims, now that attackers have jammed 911 lines in Miami, overwhelmed the e-mail system at one Air Force base, and infiltrated an unclassified Pentagon computer. However, Lake and other alarmists do not distinguish between hackers and terrorists. They also fail to ask an obvious question: If there are so many malicious hackers at work (19 million, by Lake’s count), why have their attacks been, by and large, fairly innocuous?

Confusing Hackers with Terrorists

Despite significant investment in technology and infrastructure to protect against attacks, cyberterrorism represents one of the greatest challenges in present and future terrorism. In the 2002 research study conducted by the Computer Crime Research Center, 90 percent of respondents detected computer security breaches within the last 12 months. In another more recent study conducted by CIO Online, 92 percent of companies have experienced computer attacks and/or breaches in the last 12 months.38 But there are various actors involved in cyberattacks and most of them are not terrorists. According to Michael Vatis, head of the Institute for Security Technology Studies at Dartmouth College (and previously the head of the FBI’s cyberterrorism unit), the potential attackers are grouped in four categories:39

• Terrorists: To date, few terrorist groups have used cyberattacks as a weapon. However, terrorists are known to be extensively interested in the Internet as a weapon and as a target. Although it is unclear whether Osama bin Laden’s Al Qaeda organization has developed cyber attack capabilities, members of this network use information technology to formulate plans for cyberattacks. “Thus,” argues Vatis, “trends seem clearly to point to the possibility of terrorists using information technology as a weapon against critical infrastructure targets.”

• Nation-States: Several nation-states, including supporters of terrorism, such as Syria, North Korea, Iran, Sudan, and Libya, may develop information warfare capabilities that could be turned against the United States and its allies. China, Cuba, and Russia, among others, are also believed to be developing cyberwarfare capabilities.

• Terrorist Sympathizers: This category contains those actors probably most likely to engage in attacks. If the American campaign against terrorism is perceived as a “crusade” against people of the Muslim faith, a variety of pro-Muslim hacker groups could launch cyberattacks against the United States and its allies. Others with anti-U.S. or anti-allied sentiments, such as members of the anti-capitalism and anti-globalization movements, or Chinese hackers still upset about the 2001 surveillance plane incident or the 1999 accidental NATO bombing of the Chinese Embassy in Belgrade, could join in such attacks.

• Thrill Seekers (or “cyberjoyriders”): There are many hackers and “script kiddies” who simply want to gain notoriety through high profile attacks. However, such individuals can still have significant disruptive impact, as evidenced by the February 2000 DoS attacks and recent destructive worms.

Although the first three categories are certainly related to terrorism, the last one may not be engaged in cyberterrorism. For now, the most damaging attacks and intrusions, experts say, are typically carried out either by disgruntled corporate insiders intent on embezzlement or sabotage, or by individual hackers—typically young and male—seeking thrills and notoriety. According to a report issued in 2002 by the IBM Global Security Analysis Lab, 90 percent of hackers are amateurs with limited technical proficiency, 9 percent are more skilled at gaining unauthorized access but do not damage the files they read, and only 1 percent are highly skilled and intent on copying files or damaging programs and systems. Most hackers, it should be noted, concentrate on writing programs that expose security flaws in computer software, mainly in the operating systems produced by Microsoft. Their efforts in this direction have sometimes embarrassed corporations but have also been responsible for alerting the public and security professionals to major security flaws in software. Moreover, although there are hackers with the ability to damage systems, disrupt e-commerce, and force websites offline, the vast majority of hackers do not have the necessary skills and knowledge. The ones who do generally do not seek to wreak havoc. Douglas Thomas, a professor at the University of Southern California, spent seven years studying computer hackers in an effort to understand better who they are and what motivates them.40 Thomas interviewed hundreds of hackers and explored their “literature.” In testimony on 24 July 2002, before the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Thomas argued that “with the vast majority of hackers, I would say 99 percent of them, the risk [of cyberterrorism] is negligible for the simple reason that those hackers do not have the skill or ability to organize or execute an attack that would be anything more than a minor inconvenience.” His judgment was echoed in Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats, a 2002 report for the Center for Strategic and International Studies, written by Jim Lewis, a sixteen-year veteran of the State and Commerce Departments.41 “The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously,” Lewis argued. “Nations are more robust than the early analysts of cyberterrorism and cyberwarfare give them credit for. Infrastructure systems [are] more flexible and responsive in restoring service than the early analysts realized, in part because they have to deal with failure on a routine basis.”42

Why are hackers seen as threatening and why are quick associations made between hacker activity and terrorist activity? Most of what hackers do is write programs that expose security flaws in computer software, mainly in the operating systems produced by Microsoft. That process of hacking has been responsible, particularly over the past decade, for alerting the public and security professionals to major security flaws in software. Hackers force computer software manufacturers to pay attention to security. They find security flaws, and when they point them out, hackers tend to be associated with the flaws, blaming the messengers. Thus, what hackers see as a public service, pointing out dangerous and troubling security risks, many people see as criminal activity. And while there are hackers who can do damage to systems, disrupt e-commerce, or even force websites offline, the vast majority of them cannot. The ones who can, generally do not.

Hackers tend to exaggerate their own abilities out of a sense of bravado. “Hacking stories make good copy,” argues Thomas, “but they are very rarely accurate, tending to exaggerate threats and downplay the realities of the event.”43 There is a big difference, he claims in the testimony, between hacking into NASA’s central control system (which has not happened) and hacking into the server that hosts their web page (which has happened repeatedly). Most media reports fail to distinguish between the two (or to explain that hacking a web page is essentially the same as spray painting a billboard, posing very little actual risk). The media, moreover, tends to exaggerate threats, particularly by reasoning from false analogies between hacking and virus spread and cyberterrorism. But the media are just one factor; law enforcement, security consultants, and even software corporations are all highly motivated to embrace similar outlooks. It is to their advantage to have everyone believe that the threat to the nation’s security is severe.

However, even the distinction between hackers and terrorists is becoming less lucid. In February 2004, Gen. John Gordon, Assistant Secretary for Intelligence at DHS who also serves as chairman of the Homeland Security Council, spoke at the RSA Conference in San Francisco.44 Gordon said that terrorists and so-called cyberterrorists—people that use the Internet to wreak havoc on the everyday lives of American citizens—have some key similarities in their tactics. “The al Qaeda enemy fights from the shadows,” Gordon said. “This is similar to the cyberterrorist community.”45 Both types of attackers also can carry out their plans on limited resources and can make multiple attempts to succeed in mounting an attack, he said. Gordon said that whether someone detonates a bomb that causes bodily harm to innocent people or hacks into a web-based IT system in a way that could, for instance, take a power grid offline and result in a blackout, the result is ostensibly the same; both are acts of terrorism. “The damage will be the same whether the attacker was a bored teenager, an organized criminal or a [hostile] nation or state. We need to focus on the vulnerabilities—and not get too hung up on who the attacker will be.” Because of the level of threat cyberterrorists pose, implementing cybersecurity technology is paramount among the aims of the Homeland Security Council, Gordon said.

How Real is the Threat of Cyberterror?

Amid all the dire warnings and alarming statistics that the subject of cyberterrorism generates, it is important to remember one simple statistic: so far, there has been no recorded instance of a terrorist cyberattack on U.S. public facilities, transportation systems, nuclear power plants, power grids, or other key components of the national infrastructure. Cyberattacks are common, but terrorists have not conducted them and they have not sought to inflict the kind of damage that would qualify them as cyberterrorism.

As Green reported, when U.S. troops recovered Al Qaeda laptops in Afghanistan, officials were surprised to find its members more technologically adept than previously believed.46 They discovered structural and engineering software, electronic models of a dam, and information on computerized water systems, nuclear power plants, and U.S. and European stadiums. But, Green argued, the evidence did not suggest that Al Qaeda operatives were planning cyberattacks, only that they were using the Internet to communicate and coordinate physical attacks.47 Neither Al Qaeda nor any other terrorist organization appears to have tried to stage a serious cyberattack.

Many computer security experts do not believe that it is possible to use the Internet to inflict death on a large scale. Some pointed out that the resilience of computer systems to attack is the result of significant investments of time, money, and expertise. As Green described, nuclear weapons and other sensitive military systems enjoy the most basic form of Internet security.48 He argued that they are “air-gapped,” meaning that they are not physically connected to the Internet and are therefore inaccessible to outside hackers. The Defense Department has developed various measures to protect key systems by isolating them from the Internet and even from the Pentagon’s internal computer network. Moreover, as a defensive measure, all new software must be submitted to the National Security Agency for security check and approval.

The 9/11 events led to a growing awareness of airliners’ vulnerability to cyberterrorism. For example, in 2002, Senator Charles Schumer (D-NY) described “the absolute havoc and devastation that would result if cyberterrorists suddenly shut down our air traffic control system, with thousands of planes in mid-flight.” However, argues Green, cybersecurity experts give some of their highest marks to the Federal Aviation Authority, which separates its administrative and air traffic control systems. Thus, he claims, it is impossible to hijack a plane remotely, which eliminates the possibility of a high-tech 9/11 scenario in which planes are used as weapons.

Another source of concern are secondary targets such as power grids, oil pipelines, and dams that might be attacked to inflict other forms of mass destruction. Because most of these systems are in the private sector, they tend to be less secure than government systems. In addition, as Green notes, companies increasingly use the Internet to manage SCADA systems that control such processes as regulating the flow of oil in pipelines and the level of water in dams. To illustrate the threat of such attack, a story in The Washington Post in June 2003 on Al Qaeda cyberterrorism related an anecdote about a teenage hacker who allegedly broke into the SCADA system at Arizona’s Theodore Roosevelt Dam in 1998 and could, according to the article, unleash millions of gallons of water and thus threaten the neighboring communities. However, a subsequent probe by the tech-news site CNet.com revealed the story to be largely exaggerated; the hacker could not have gained control of the dam and no lives or property were really at risk.

To assess the potential threat of cyberterrorism, experts such as Denning suggest that two questions be asked: Are there targets that are vulnerable to cyberattacks? And are there actors with the capability and motivation to carry out such attacks? The answer to the first question is yes: critical infrastructure systems are complex and therefore bound to contain weaknesses that might be exploited, and even systems that seem “hardened” to outside manipulation might be accessed by insiders, acting alone or in concert with terrorists, to cause considerable harm. But what of the second question?

According to Green, only a few people besides a company’s own employees possess the specific technical know-how required to run a specialized SCADA system. In April 2002, an Australian man used an Internet connection to release a million gallons of raw sewage along Queensland’s Sunshine Coast after being turned down for a government job. When police arrested him, they discovered that he had worked for the company that designed the sewage treatment plant’s control software. It is possible, of course, that such disgruntled employees might be recruited by terrorist groups, but even if the terrorists did enlist inside help, the degree of damage they could cause would still be limited. As Green argued, the employees of companies that handle power grids, oil and gas utilities, and communications are well rehearsed in dealing with the fallout from hurricanes, floods, tornadoes, and other natural disasters. They are also equally adept at containing and remedying problems that stem from human action.

Denning draws attention to a report published in August 1999 by the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School (NPS) in Monterey, California titled Cyber-Terror: Prospects and Implications.49 The report, argues Denning, shows that terrorists generally lack the wherewithal and human capital needed to mount attacks that involve more than annoying but relatively harmless hacks. The study examined five types of terrorist groups: religious, New Age, ethnonationalist separatist, revolutionary, and far-right extremists. Of these, only the religious groups were judged likely to seek the capacity to inflict massive damage. Hacker groups, the study determined, are psychologically and organizationally ill suited to cyberterrorism, and any massive disruption of the information infrastructure would run counter to their self-interest.

A year later, in October 2000, the NPS group issued a second report, this one examining the decision-making process by which substate groups engaged in armed resistance develop new operational methods, including cyberterrorism. Denning claims this report also shows that although substate groups may find cyberterror attractive as a nonlethal weapon, terrorists have not yet integrated information technology into their strategy and tactics and that significant barriers between hackers and terrorists may prevent their integration into one group.

Another illustration of the limited likelihood of terrorists launching a highly damaging cyberattack comes from a simulation sponsored by the U.S. Naval War College. The college contracted with a research group to simulate a massive cyberattack on the nation’s information infrastructure. Government hackers and security analysts gathered in July 2002, in Newport, R.I., for a war game dubbed “Digital Pearl Harbor.” The results were far from devastating: the hackers failed to crash the Internet, although they did cause serious sporadic damage. According to a CNet.com report on the exercise published in August 2002, officials concluded that terrorists hoping to stage such an attack “would require a syndicate with significant resources, including $200 million, country-level intelligence and five years of preparation time.”50

In May 2004 cyberterrorism expert Andy Cutts of Dartmouth’s Institute for Security Technology Studies reported on Operation Livewire, a recent nationwide cyberterror simulation that tested America’s preparedness in the event of a major cyberattack.51 Cutts spoke specifically about the possibility of a sustained, campaign-level attack on U.S. computing networks, such as banking, law enforcement, energy and emergency response networks, by an unknown adversary. Because of the anonymous nature of cyberterrorism, he said, such an attack could come from virtually any source, including an enemy state or a small terrorist group. “There have been examples of cyber attacks that have gone on for years, and the National Security Agency still does not know who is perpetrating them,” Cutts said. “There are hundreds of thousands of computers in this country that are compromised.”52 When asked if there was any idea of who was controlling these computers, Cutts said there was not. He added that through Operation Livewire, the federally funded ISTS learned valuable lessons about how various agencies and entities respond to such attacks and that this information would help ISTS and other groups to correct the nation’s vulnerabilities. The simulation involved an East Coast state and city, a West Coast state and city, as well as various corporations in the telecommunications, trading, banking, and energy sectors. Because participants were wary of sharing their networks and security vulnerabilities with an outside organization, Cutts said, allaying their security concerns was of the utmost importance. Cutts was optimistic about the improvements in America’s cyber security that can result from simulations such as Operation Livewire, although he acknowledged that the nation has a long way to go in preparing itself for cyberterrorism.

Concern over cyberterrorism is particularly acute in the United States; an entire industry has emerged to grapple with the threat—think tanks have launched new projects and issued white papers, experts have testified to its dangers before Congress, private companies have hastily deployed security consultants and software designed to protect public and private targets, and the media have trumpeted the threat with such front-page headlines as this one, in The Washington Post in June 2003: “Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say.” The federal government has requested $4.5 billion for infrastructure security; the FBI boasts more than 1,000 “cyber investigators”; President Bush and Vice President Cheney keep the issue before the public; and in response to 11 September, Bush created the office of cybersecurity in the White House.


Conclusion

As Denning concludes, “At least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than cyber terrorism. However, just as the events of September 11 caught us by surprise, so could a major cyber assault. We cannot afford to shrug off the threat.”53 There is alarming evidence that modern terrorists consider seriously adding cyberterrorism to their arsenal. “While bin Laden may have his finger on the trigger, his grandchildren may have their fingers on the computer mouse,” remarked Frank Cilluffo, the Associate Vice President for Homeland Security at George Washington University in a statement that has been widely cited. Verton, for example, argues that “al Qaeda [has] shown itself to have an incessant appetite for modern technology,” and provides numerous citations from bin Laden and other Al Qaeda leaders to show their recognition of this new cyberweapon.54 In the wake of the 11 September attacks, bin Laden reportedly gave a statement to an editor of an Arab newspaper indicating that “hundreds of Muslim scientists were with him who would use their knowledge . . . ranging from computers to electronics against the infidels.”55 And indeed, in the caves in Afghanistan, American troops found plans for Al Qaeda to attack computer systems while some of Al Qaeda’s recruits were sent to train in high-tech systems. One of them was L’Houssaine Kherchtou, a 36-year-old Moroccan who joined Al Qaeda in 1991 and was sent to learn high-tech methods of surveillance from Abu Mohamed al-Ameriki (“the American”).56 He joined other trainees in using electronic databases to learn about potential targets such as bridges and major sports stadiums. After his basic training, Kherchtou joined Al Qaeda’s electronic workshop in Hyatabad in Peshawar, Pakistan, the center of Al Qaeda’s research and development for forging electronic documents, message encoding and decoding, encryption techniques, and methods of breaking encryption.57

Future terrorists may indeed see greater potential for cyberterrorism than do the terrorists of today. Furthermore, the next generation of terrorists are now growing up in a digital world, one in which hacking tools are sure to become more powerful, more simple to use, and easier to access. Cyberterrorism may also become more attractive as the real and virtual worlds become more closely coupled. For instance, a terrorist group might simultaneously explode a bomb at a train station and launch a cyberattack on the communications infrastructure, thus magnifying the impact of the event. Unless these systems are carefully secured, conducting an online operation that physically harms someone may be as easy tomorrow as penetrating a website is today. Paradoxically, success in “the war on terror” is likely to make terrorists turn increasingly to unconventional weapons such as cyberterrorism. The challenge is to assess what needs to be done to address this ambiguous but potential threat of cyberterrorism—but do so without inflating its real significance and manipulating the fear it inspires.

In conclusion, the bulk of the evidence to date shows that terrorist groups are making widespread use of the Internet, but so far they have not resorted to cyberterrorism. The threat of cyberterrorism may be exaggerated and manipulated, but it can be neither denied nor ignored: Verton, in Black Ice: The Invisible Threat of Cyber-Terror, warns that “the terrorist organizations are moving toward cyberterrorism,” and, “I urge you to think differently about the future before the disaster occurs.”58

Notes

1. National Research Council. Computers at Risk (Washington, DC: National Academy Press, 1991).


2. D. Thomas. “Cyber Terrorism and Critical Infrastructure Protection.” Statement to the subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, 24 July 2002.

3. J. Lewis. “Assessing the Risks of Cyberterrorism, Cyber War, and Other Cyber Threats.” Report submitted to the Center for Strategic and International Studies (CSIS), Washington, DC, 2002, p. 1.

4. J. Green. 2002. “The Myth of Cyberterrorism.” Washington Monthly, November, also available at (www.washingtonmonthly.com/features/2001/0211/green/html).

5. For example, the downing of a U.S. spy plane in Chinese airspace (April 2001) resulted in an increase in attacks from both Chinese and U.S. hackers (mostly web site defacements). Another example occurred in 1997 when a group aligned with the Liberation Tigers of Tamil Elam (LTTE) reportedly swamped Sri Lankan embassies with 800 e-mails a day over a two-week period.

6. A. Embar-Seddon. “Cyberterrorism.” The American Behavioral Scientist 45 (2002), pp. 1033–1043.

7. R. White and S. Sclavos. “Targeting our Computers.” The Washington Post, 15 August 2003, p. A27.

8. D. Denning. “Is Cyber Terror Next?” New York: U.S. Social Science Research Council, available at (http://www.ssrc.org/sept11/essays/denning.htm.2001).

9. Green, “The Myth of Cyberterrorism.”

10. Cited by Green, ibid.

11. G. Weimann and C. Winn. The theater of terror (New York: Longman Publication, 1994), p. 20.

12. Mullins, W. A Sourcebook on Domestic and International Terrorism, 2nd edition (Springfield, Illinois: Charles Thomas Publisher, 1997), p. 9.

13. Smart, I. “The Power of Terror,” in Contemporary Terrorism: Selected Readings, edited by J. D. Elliot and L. K. Gibson (Gaithersburg, MD: IACP, 1978).

14. B. Hoffman. Inside Terrorism (New York: Columbia University Press, 1998).

15. M. Conway. “What is Cyberterrorism? The Story so Far.” Journal of Information Warfare, 2(2) (2003), pp. 33–42; M. Conway. “Reality Bytes: Cyberterrorism and Terrorist ‘Use’ of the Internet.” First Monday, 7(11) (2002), available at (http://www.firstmonday.org/issues/issue7_11/conway/index.html).

16. On the use of the Internet for “conventional” purposes by modern terrorists, see Y. Tzfati and G. Weimann. “WWW.Terrorism.com: Terror on the Internet.” Studies in Conflict and Terrorism 25(5) (2002), pp. 317–332; G. Weimann. “WWW.Terror.Net: How Modern Terrorism Uses the Internet.” Special Report, 116 (Washington DC: United States Institute of Peace, 2004).

17. Cited by Green, ibid.

18. Cited in P. Thibodeau. “US commission eyes cyberterrorism threat ahead,” Computerworld, 17 September 2001, available at (http://www.computerworld.com/securitytopics/security/story/0,10801,63965,00.html).

19. From NPR’s Bob Edwards talk with senators Jon Kyl and Dianne Feinstein, 18 March 2004.

20. Cited in R. Bendrath. “The American Cyber-Angst and the Real World.” In Robert Latham (Ed.): Bombs and Bandwidth: The Emerging Relationship between IT and Security (New York: The New Press, 2003), pp. 49–73.

21. Green, 2002.

22. A. Gonsalves. “Security Expected to Take a Larger Bite of IT Budgets.” TechWeb News, 8 June 2004, available at (http://www.crime-research.org/news/08.06.2004/414).

23. Green, 2002.

24. To illustrate the supposed ease with which our enemies could subvert a dam, The Washington Post’s June story on Al Qaeda cyberterrorism related an anecdote about a 12-year-old who hacked into the SCADA system at Arizona’s Theodore Roosevelt Dam in 1998, and was, the article intimated, within mere keystrokes of unleashing millions of gallons of water on helpless downstream communities. But a subsequent investigation by the tech-news site CNet.com revealed the tale to be largely apocryphal—the incident occurred in 1994, the hacker was 27, and, most importantly, investigators concluded that he could not have gained control of the dam and that no lives or property were ever at risk.

25. D. Ronfeldt and J. Arquilla. “Networks, Netwars, and the Fight for the Future.” First Monday 6(10) (2001); J. Arquilla and D. Ronfeldt. “The Advent of Netwar” (revisited) (2001). In Networks and Netwars, edited by J. Arquilla and D. Ronfeldt (Santa Monica: RAND Corporation), pp. 1–25.

26. D. Denning. 1999. Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool for Influencing Foreign Policy (Washington, DC: Nautilus, 1999), available at (http://www.nautilus.org/info-policy/workshop/papers/denning.html); D. Denning. 2000a. Testimony before the Special Oversight Panel on Terrorism, U.S. House of Representatives, Committee on Armed Services 23 May 2000a, available at (http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html); D. Denning. 2000b. “Cyberterrorism.” Global Dialogue (Autumn), (2000b), available at (http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc); Denning, op. cit.

27. Ibid.

28. C. Nicol. (not dated). “Internet Censorship Case Study: Euskal Herria Journal,” The APC European Internet Rights Project, available at (http://europe.rights.apc.org/cases/ehj.html).

29. B. Collin. 1997. “The Future of Cyberterrorism.” Crime and Justice International (March issue, 1997), pp. 15–18, available at (http://afgen.com/terrorism1.html).

30. See “Realizing the Potential of C4I: Fundamental Challenges,” a report prepared by the Committee to Review DOD C4I Plans and Programs, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, 1999. Available at (http://www.nap.edu/catalog/6457.html).

31. D. Verton. Black Ice: The Invisible Threat of Cyberterrorism (New York: McGraw-Hill Osborne Media, 2003a).

32. Reported at (http://www.computerworld.com/securitytopics/security/story/).

33. D. Denning. 2001. “Is Cyber Terror Next?,” op. cit.

34. Reported by B. Krebs. 2003. “Feds Building Internet Monitoring Center.” The Washington Post Online, January 31, at: http://www.washingtonpost.com/ac2/wp-dyn/A3409-2003Jan30.

35. Cited in Krebs, ibid.

36. Cited in The Washington Post, 3 September 2003.

37. A. Lake. Six Nightmares (New York: Little, Brown and Company, 2000).

38. K. Coleman. 2003. “Cyber Terrorism.” Directions Magazine, 10 October 2003, available at (http://www.directionsmag.com/article.php?article_id=432).

39. M. A. Vatis. “Cyber Attacks During the War on Terrorism: A Predictive Analysis,” 2001. Special Report, Institute for Security and Technology Studies, available at (http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm).

40. Thomas, op. cit.

41. Lewis, op. cit.

42. Cited in N. Shachtman. 2002. “Terrorists on the Net? Who cares?” Wired News, 20 December 2002, available at (http://www.wired.com/news/infostructure/0,1377,56935,00.html).

43. Op. cit.

44. See (http://2004.rsaconference.com/).

45. Cited in E. Montalbano. 2004. “Homeland Security Chair likens ‘Cyber Terrorists’ to Al Qaeda.” CRN News, available at (http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=48215).

46. Green, 2002.

47. Green, op. cit.

48. Ibid.

49. Denning, op. cit.

50. Cited in Green, op. cit.

51. T. Spellman. 2004. “Expert: U.S. At Risk of Cyberterrorism.” The Dartmouth Online, 19 April 2004, available at (http://www.thedartmouth.com/article.php?aid=2004041901010k/).

52. Cited in Spellman, ibid.


53. Ibid.

54. Verton, 2003a, op. cit., p. 93.

55. Hamid Mir, editor of Ausaf newspaper, cited in Verton 2003a, op. cit., p. 108.

56. Court transcript, U.S. vs. Osama bin Laden, 21 February 2002.

57. Ibid.

58. D. Verton. Cyberterrorism & security: New definitions for new realities, paper presented at the Cato Institute Book Forum, 12 November 2003b, Washington, DC.