By Marina Cortés, Researcher at Talking About Terrorism.
“The impact of terrorism is currently far more limited by the failure or unwillingness of terrorists to exploit new technologies and complex vulnerabilities than by the inherent difficulty in conducting much more lethal attacks”
Increasing and varying challenges
Societies are undergoing a growing paradox for national security: the same technology that provides great achievements and advances can also become one of its main vulnerabilities. Year after year this paradox has intensified. One of the biggest challenges is that cyberspace is a strong equalizer—it allows small groups to compete on the same level as corporations and even governments.
Besides, identifying the actors behind cyber terrorism is not an easy task, as offenders often act under the cover of botnets or proxies. For practical reasons, however, actors are often classified into two groups: non-state actors (NSA) and state actors. Their modus operandi includes manipulating both human and technological factors to their advantage. In fact, the most widely used cyberattack techniques are considered to involve exploiting human behavior (with deception in corporate emails, dating apps or similar).
Depending on the target and on their operational and financial capabilities, these actors have two ways of organizing cyberattacks: either hiring a hacker who follows instructions or creating their own department dedicated to cyberattacks. Once it is decided who is going to do the job, there are four different types of attacks, which also depend on the motivations, the capabilities and the target:
1. Serious disruption of information systems.
2. Alteration or theft of data.
3. Influence on political decisions.
4. Response to hostile actions.
Non State Actors as players in cyberspace
NSA (namely terrorist groups) have definitely evolved into more sophisticated players. They are usually interested in the alteration or theft of data, and no longer use the internet only for spreading fear, propaganda, recruiting or funding purposes; they are now developing more advanced capabilities to rival state actors. Al Qaeda, for instance, declared back in 2012 its intention to improve its cyber capabilities against the US and called for attacks against network-connected infrastructure in the country (power stations, refineries and communication systems). These threats were considered by the US administration as an early example of “cyber-jihadism”.
Later on, in 2017, Hamas provided a very clear example of the manipulation of the human factor with the use of dating apps to steal information from Israeli soldiers. The Israeli Defense Force confirmed that some of these fake apps, if downloaded, would give the terrorist group access to the user’s location and contact list. Moreover, the smartphone would be used as a spying device, and Hamas would be able to use it as a listening device and video camera.
Although Hamas posed a serious threat to data in this case, an escalation in the capabilities of terrorist groups was seen when the Islamic State managed to acquire and publish a list of 1,300 individuals from the US military and government officials so as to inspire lone wolves to attack them. This was considered by the US National Security Division as “the first time we have seen the very real and dangerous national security cyber threat that results from the combination of terrorism and hacking”.
However, terrorist groups can also act as hybrid actors with state support, as has been the case with Hezbollah, which established its own cyber department back in 2011. They are considered to have financial and technical support from states like Iran to act as proxy actors. For example, in Israel and a dozen other countries, malware was found linked to Hezbollah and an Iranian hacker that apparently targeted both public and private entities: telecommunication companies, military suppliers and even some universities. The software was aimed at stealing sensitive data, and it took a long time to intercept it. Hezbollah has also been linked to some threats to US targets.
Despite the lack of a larger-scale attack by these kinds of groups at the moment, it should be taken into account that, in the meantime, the information and the wealth acquired through their use of cyberspace can be used to inform battlefield strategies and fund physical attacks as well. Moreover, we should consider that over time the gap between their aspirations and their desired capabilities is quickly closing.
States as actors in cyberspace
States, on the other hand, are more discreet actors, although some of them are more notable than others. The use of the concept of cyber terrorism is contested and polemical in this case, and some prefer to cautiously refer to the actions of state actors just as cyberattacks. Scholars of cyber security usually focus on the most popular cases (Iran or North Korea against the West), meaning that other regions such as the Asia-Pacific or Latin America are not discussed as much, creating geographical blind spots in research. Unlike NSA, states do not focus on any of the four types of attacks.
In 2020 there were several examples of cyberattacks with an alleged state origin. After Iran attempted to infiltrate an Israeli water facility, Israel allegedly responded with a cyberattack that disrupted a major port in Iran. In July 2020 the US Justice Department accused China of sponsoring hackers who allegedly spied on US companies involved in research on the COVID-19 vaccine. Other less recent examples include several cases between the UK and Russia or the 2007 attack on the Estonian banking system. Russia itself, despite numerous accusations from the West over different cyberattacks, has nevertheless been deficient in its own cybersecurity.
The fact is that states, whether as victims or as foes, all want to increase their cyber capabilities. As in the race for nuclear weapons, the most disadvantaged countries try to improve their capabilities to obtain a different geopolitical balance of forces.
Policies to tackle cyberterrorism
Despite the known modus operandi and the increasing danger posed by cyber threats, states are failing to develop adequate policies in three aspects: technological, regulatory and capacity. States should reinforce their own technical capabilities to better protect against these threats and identify their true origin. The main targets in the future will be the power grid and the supply chains that depend on it, as well as the transportation system and the overall economic-financial system. States should thus make these strategic and vulnerable targets more resilient.
The regulatory aspect is also far from adequate. Cooperation among states should be critical on this topic, as cyberterrorism is mostly a transnational phenomenon. Nevertheless, there is a lack of consensus among states on creating a coordinated deterrence strategy. There is also a lack of consensus on international law, which harms the accountability of both state and non-state actors.
The final aspect, concerning capability, is being understood by governments as a longer-term “public good”. States are promoting the development of the cyber defense capabilities of both public and private entities through training (of employees and customers) and, in some cases, financial support, despite some failures. This strategy is seen as a long-term investment not only in data security but also in financial security. However, much work still has to be done. In the case of the private sector in the USA, it is considered that there is a gap between the optimal spending on cyber security by private entities and the real spending.
Cyberspace will remain a strong equalizer.
Despite the lack of major attacks, current cyberattacks can still inform physical attacks.
The gap between ambitions and capabilities is closing over time.
States need to strive for technology development, regulation and capabilities.
Cooperation among countries is critical for better accountability and regulation.
The risk of an organized cyberattack should not be underestimated: if there are already examples of attacks on critical infrastructure (water, port, banking system) allegedly carried out by state actors, what will happen if terrorist organizations reach a similar level of technical expertise and capabilities? The response to this threat is prevention, effective response and improved resilience.