Is there such a thing as WMD?
administrator May 16th, 2004
The Web as a Means of Destruction: The Supposed Threat of Cyberterrorism
by Michael Vernon M. Guerrero
Cyberterrorism
Cyberterrorism, as a compound word, simply suggests the convergence of cyberspace and terrorism. Cyberspace is the non-physical terrain created by computer systems,[1] or the “virtual world,” i.e. the “symbolic – true, false, binary, metaphoric representations of information – that place in which computer programs function and data moves.”[2] Terrorism, on the other hand, is the unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons,[3] or simply the systematic use of violence as a means to intimidate or coerce societies or governments.[4] Construing the term cyberterrorism in a manner similar to the simple arithmetic of one plus one may mislead people into thinking that a terrorist organization being active on the Internet, through website postings and chatroom recruitment, would already constitute cyberterrorism. The term must be distinguished from mere activism pursued over the Internet.
Cyberterrorism is generally understood as the unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.[5] Emphasis is made on the phrase “to intimidate or coerce,” a degree further than to merely “influence” a government or its people, however subtle the difference may be in certain cases. This distinction is important in differentiating cyberterrorism from the growing phenomenon of hacktivism.
It has been likewise suggested that the definition of cyberterrorism is that of “the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against non-combatant targets by sub-national groups or clandestine agents.”[6] This narrow definition is premised on the definition of terrorism provided by the United States Department of State,[7] and aims to differentiate itself from other computer abuses such as economic espionage and information warfare, which are deemed “legitimate” offensive and defensive functions of governments.
In sum, whether or not governments are excluded from the definition of cyberterrorism, what is apparent is that for an attack to qualify as cyberterrorism, it should result in violence against persons or property, or at least cause enough harm to generate fear.[8] Attacks involving computer systems that lead to physical injury or death, massive disruption of public utilities, or severe economic loss would constitute cyberterrorism. On the other hand, an expensive nuisance or the disruption of non-essential services will not qualify as cyberterrorism.
Who is a terrorist anyway?
A terrorist is one that engages in acts or an act of terrorism,[9] or a radical who employs terror as a political weapon.[10] The term, however, is so indiscriminately used that one who possesses firearms or explosives, and holds an adverse political opinion, would easily qualify as a terrorist. The prevalent situation, wherein governments are the ones active in labeling organizations and individuals as terrorists, subtly suggests that governments and their agents are excluded as actors of terrorism, which, of course, is erroneous as governments themselves are capable of intimidating or coercing societies.[11] An accurate definition of terrorism and terrorists has remained debatable, as the circumstances involving it are extremely complex and highly political. It is thus not unusual that, for example, a Palestinian organization such as Hamas is considered a terrorist organization by Israel and the United States for deploying suicide bombers against the Israeli population, while Palestinians consider Israel a terrorist state for committing alleged atrocities against their people and assassinating key militant leaders such as the late Hamas leader Abdel Aziz Rantisi.[12]
Further, the statement “One man’s terrorist is another man’s freedom fighter” reflects genuine doubt about the contemporary, or else the state-suggested, understanding of the term “terrorist.” Strong disagreements as to the labeling of the Jewish group “Irgun Zeva’i Le’umi” (abbreviated as Etzel; Palestine, 1940s), the Viet Cong (South Vietnam, 1950s), the Provisional IRA (Northern Ireland, 1960s), and the African National Congress (South Africa, 1980s) as terrorist organizations have been made in the past. As the matter relates to the Philippines, the Abu Sayyaf Group (ASG) and the Communist Party of the Philippines/New People’s Army (CPP/NPA) are listed as terrorist organizations by the United States Department of State.[13] A Philippine communist guerilla would insist, of course, on the validity of his struggle.
What CyberTerrorism is not
Internet-aided Activism. This is the normal, non-disruptive use of the Internet in support of an agenda or cause; it uses the Internet as a tool to communicate and coordinate action. Activists may be able to locate official policy statements, analyses, discussions, and other documents and items related to their mission. They can publish information, and disinformation, on their website or in newsgroups, or distribute it in emails. They may participate in dialogue and debate on policy issues through e-mail, newsgroups, web forums, and chat. They may use the Internet to coordinate action among members and with other organizations and individuals. They may also pursue direct lobbying of decision makers. It is, however, observed that the Internet is not currently an adequate tool for public political movement, as the more successful organizations are those that utilize traditional advocacy methods, including the use of the more expensive broadcasting media to reach the public.
Terrorist groups likewise pursue the activities of cyberactivism, as their activities are in fact an activism of the extreme kind. They put up their websites to air their propaganda, recruit supporters, communicate and coordinate action. Their use of the Internet is ancillary only to their usual, if not violent, activities. To note:
- The Hizbullah operates its own website (www.hizbollah.org)
- In 1996, Bin Laden’s headquarters in Afghanistan was equipped with computers and communication equipment.
- Hamas activists have been said to use chat rooms and emails to plan operations and coordinate activities.
Hacktivism. It is the marriage of Hacking (or aptly Cracking) and Activism. Hacktivism is, in essence, electronic civil disobedience, whose methods include virtual sit-ins and blockades, automated e-mail bombs, web hacks and computer break-ins, and computer viruses and worms. A virtual sit-in or blockade is made possible by the use of “hacking tools” by a sizable number of individuals against a particular website, such as by saturating the target server with network packets, among others, for the purpose of calling attention to the cause of the protesters by disrupting normal operations and blocking access to facilities. E-mail bombing is done by bombarding a recipient with thousands of messages at once, distributed with the aid of automated tools. Web hacks or computer break-ins, which are rather common, are done by gaining access to websites and replacing some of the content with the attackers’ own, or by tampering with the Domain Name Service so that the site’s domain name resolves to the IP address of another site. Lastly, computer viruses and worms have been used to spread protest messages and/or cause serious damage to target computer systems.
Hacktivism methods such as web hacks and email bombing were used extensively during the Kosovo conflicts by both Serb and American citizens, with Chinese nationals following suit by attacking American websites after the accidental bombing of the Chinese embassy in Belgrade at that time. Chinese and Taiwanese hackers exchanged web hack attacks in 1999 following the Taiwanese president’s statement that China must deal with Taiwan on a “state-to-state” basis. The use of hacktivism methods, however, is not exclusive to unarmed individuals and organizations. It must be noted that:
- In 1998, the ethnic Tamil guerillas swamped Sri Lankan embassies with emails with messages that read “We are the Internet Black Tigers and we’re doing this to disrupt your communications.” The volume of the emails sent was 800 emails a day for a period of two weeks.
- A file transfer protocol site operated by the Arkansas Highway and Transportation Department was turned into a repository of Osama bin Laden videos, jihadist songs and terrorist incident videos in July 2004. Links to those files then were posted at al Ansar, a radical Islamist Web site.
The Supposed Threat of CyberTerrorism
Some security experts believe that CyberTerrorism is an unsettling reality due to the convergence of the physical world and the virtual world. Barry C. Collin of the Institute of Security for Security and Intelligence (Stanford University) outlined the various possibilities in which a cyberterrorist may attack: (1) a cyberterrorist will remotely access the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation enjoying their food; (2) a cyberterrorist will place a number of computerized bombs around a city, all simultaneously transmitting unique numeric patterns, each bomb receiving each other’s pattern; (3) a cyberterrorist will disrupt the banks, the international financial transactions, and the stock exchanges; (4) a cyberterrorist will attack the next generation of air traffic control systems, and collide two large civilian aircraft; (5) a cyberterrorist will remotely alter the formulas of medication at pharmaceutical manufacturers; and (6) a cyberterrorist may decide to remotely change the pressure in gas lines, causing a valve failure, and a block of a sleepy suburb detonates and burns.[14]
Mark M. Pollitt of the FBI Laboratory challenges the plausibility of Collin’s scenarios inasmuch as there is sufficient human involvement in the control processes used today. In the cereal plant scenario, the quantity of iron that would be required for the cereals to be toxic is so substantial that assembly line workers would notice, inasmuch as the assembly line would run out of iron sooner or later. In the air traffic control scenario, pilots are trained to be aware of the situation and to operate even without the assistance of air traffic controllers at all.[15] Further, in the computerized bomb scenario, it is doubtful that terrorists would deploy sophisticated bombs, which are dependent on complex systems and other technical considerations, to replace crude homemade bombs, which are easier to deploy.
On the other hand, the gas lines scenario may be an apparent threat, inasmuch as there are unconfirmed reports of an instance where hackers, in collaboration with an insider, were said to have used a Trojan horse to gain control of the central switchboard, which controls gas flows in pipelines, of Gazprom, the Russian state-run gas monopoly and the largest natural gas producer and largest gas supplier to Western Europe.[16] Notwithstanding this isolated instance, most critical utilities and sensitive military systems enjoy the most basic form of Internet security, i.e. they are “air-gapped,” or in other words are not physically connected to the Internet and are therefore inaccessible to outside hackers. It would be a leap of imagination to consider the immediate possibility of a hacker controlling computers that would launch nuclear weapons, or hijacking satellite systems or other high-consequence assets. It would also be a leap of imagination to consider that the contamination of water supply and the explosion of chemical factories, tasks which are harder to do physically, can be done instantly just because of the prominence of the Internet.[17]
The bottom line remains that there has been no instance of anyone ever having been killed by a terrorist using a computer. There has been no evidence that any terrorist organization has resorted to direct use of computers and computer networks for any sort of serious destructive activity. At this time, the concept of cyberterrorism as a reality is on the same level as the phantom of weapons of mass destruction that are supposed to be developed and stashed in Iraq. Cyberterrorism is not an immediate reality.
Focusing on the real threats
Dismissing the immediate threat of cyberterrorism, however, does not warrant complacency. Terrorism is as real as computer crimes are. Although they are experienced independently, these problems need to be addressed. Citizens have to be protected, economic loss should be prevented, and negligence should be abated.
Critical utilities or infrastructure – telecommunications, banking and finance, electrical power, oil and gas distribution and storage, water supply and sewage, transportation, emergency services, and government services – for one, must be protected from attacks, whether the source of such attacks has a political agenda or not.
In the past, there have been prominent computer-aided attacks on critical utilities, some of which are:
- Water supply and sewage. In April 2000, a disgruntled consultant-turned-hacker in Maroochy Shire, Australia compromised a waste management control system and loosed millions of gallons of raw sewage on the town. The former insider tried to unleash the waste in 46 tries, with the personnel managing the infrastructure failing to detect the first 45 tries.
- Transportation. In 1997, a hacker shut down the control tower services at the Worcester, Massachusetts airport. Although it did not cause any accidents, services were affected.
- Emergency services. In the United States, in 1997, a Swedish hacker jammed the 911 emergency telephone system throughout west-central Florida. A Louisiana man committed a similar act in 2002 by tricking a handful of MSN TV users into running a malicious e-mail attachment that reprogrammed their set-top boxes to dial 911 emergency response. He was arrested in February 2004 and was charged with CyberTerrorism.
- Government services. In 1998, several government and university websites received “denial of service” attacks, preventing servers from answering network connections and crashing computers. This has been a common occurrence in the past years. On the other hand, also in 1998, the US Defense Department’s unclassified networks were penetrated, allowing hackers to access personnel and payroll information.
It is thus necessary that computer asset managers be aware of which systems should be “air-gapped” from other networks to prevent the risk of intrusions by unauthorized personnel, if not crackers, or loosely, hackers. Precaution should be taken as to issues of security vis-à-vis new technology that may be deployed, including those pertaining to wireless technology. Public policy should be clear as to the minimum standards required in the maintenance of computer systems in relation to the critical utility that they are designed to support, as a means to minimize negligence on the matter and prevent potential disasters as a result thereof. Pollitt made an apt reminder on this matter. He said, “As we build more and more technology into our civilization, we must ensure that there is sufficient human oversight and intervention to safeguard those whom technology serves.”[18]
On the other hand, critical data must likewise be protected. The Government should provide ample protection through the enactment of laws for stiffer penalties against e-mail bombing or flooding, denial of service attacks, and computer break-ins. The government and industries must find solutions to increase the quality of system security, mass-market computer products, and emergency technical response. The economic consequence of crashed or unusable systems and corrupted data is clear. In the end, anything that would threaten economic viability may appear to be greater than the threat of physical harm, for eventually what is worse than the death that we fear is the reality of borderline existence that we have to endure.
1. What is Cyber? A word definition from the Webopedia Computer Dictionary. Retrieved 4 May 2004. http://www.webopedia.com/TERM/c/cyber.html. http://www.webopedia.com/. Copyright, 2004 Jupitermedia. All rights reserved. Reprinted with permission from http://www.internet.com.
2. Collin, Barry C., “The Future of CyberTerrorism,” Proceedings of 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago, 1996. http://www.acsp.uic.edu/OICJ/CONFS/terror02.htm
3. The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2000 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.
4. WordNet ® 1.6, © 1997 Princeton University.
5. Denning, Dorothy E. “Testimony before the Special Oversight Panel on Terrorism Committee on Armed Services US House of Representatives.” Georgetown University, 23 May 2000. Retrieved 4 May 2004. http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html
6. Pollitt, Mark M. “CyberTerrorism: Fact or Fancy?” Retrieved 4 May 2004. http://www.cs.georgetown.edu/~denning/infosec/pollitt.html
7. “The term ‘Terrorism’ means premeditated, politically motivated violence perpetuated against non-combatant targets by sub-national groups or clandestine agents.” United States Department of State, “Patterns of Global Terrorism,” Washington DC, 1996.
8. Denning, Dorothy E. http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html, supra.
9. The American Heritage®, supra.
10. WordNet ® 1.6, supra.
11. The word “terrorism” entered into European languages in the wake of the French revolution of 1789 when the government in Paris tried to impose its radical new order on a reluctant citizenry. As a result, the first meaning of the word “terrorism,” as recorded by the Académie Française in 1798, was “system or rule of terror,” a reminder that terror is often at its bloodiest when used by dictatorial governments against their own citizens. See BBC, History, The Changing Faces of Terrorism. http://www.bbc.co.uk/history/war/sept_11/changing_faces_01.shtml
12. CNN.com – Hamas leader killed in air strike – Apr 17, 2004. Retrieved 4 May 2004. http://edition.cnn.com/2004/WORLD/meast/04/17/mideast.violence/index.html. See also CNN.com – Ambassador: Hamas leader was ‘doctor of death’ – Apr 19, 2004. Retrieved 4 May 2004. http://edition.cnn.com/2004/WORLD/meast/04/19/un.rantisi/index.html
13. Appendix B – Background Information on Designated Foreign Terrorist Organizations. Retrieved 4 May 2004. http://www.globalsecurity.org/security/library/report/2004/pgt_2003/pgt_2003_31711pf.htm
14. Collin, Barry C., “11th Annual International Symposium on Criminal Justice: The Future of Cyberterrorism, where the physical and virtual worlds converge.” Retrieved 4 May 2004. http://afgen.com/terrorism1.html
15. Pollitt, Mark M., “Cyberterrorism: Fact or Fancy?” Retrieved 4 May 2004. http://www.cs.georgetown.edu/~denning/infosec/pollitt.html
16. Denning, Dorothy E. http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html, supra.
17. Green, Joshua. “The Myth of Cyberterrorism.” Retrieved 4 May 2004. http://www.washingtonmonthly.com/features/2001/0211.green.html
18. Pollitt, Mark M., “Cyberterrorism: Fact or Fancy?” supra.
- ITLJ 1-2