Shortly after the September 11 terrorist attack against the United States, hackers took to the Internet to voice their rage. A group called the Dispatchers announced they would destroy Web servers and Internet access in Afghanistan and target nations that support terrorists. Led by a 21-year-old security worker “Hackah Jak” from Ohio, the group of 60 people worldwide defaced hundreds of Web sites and launched denial of service attacks against such targets as the Iranian Ministry of Interior, the Presidential Palace of Afghanistan, and Palestinian ISPs. Another group, called Young Intelligent Hackers Against Terror (YIHAT), claimed they penetrated the systems of two Arabic banks with ties to Osama bin Laden, although officials from the banks denied any security breaches occurred. The group, whose stated mission is to stop the money sources of terrorism, issued a plea on their Web site for corporations to make their networks available to group members for the purpose of providing the “electronic equivalent to terrorist training camps.” Later, they took down their public Web site, apparently in response to attacks from other hackers.

One group of Muslim hackers attacking the YIHAT site said they stood by bin Laden, even as they condemned the attacks of September 11. “Osama bin Laden is a holy fighter, and whatever he says makes sense,” GForce Pakistan wrote on a Web site it defaced. The modified Web page warned that the group planned to hit major US military and British Web sites and proclaimed an “Al-Qaeda Alliance Online.” Another GForce defacement contained similar messages along with images of badly mutilated children who had been killed by Israeli soldiers.

The cyberattacks arising from the events of September 11 reflect a growing use of the Internet as a digital battleground. It is not at all unusual for a regional conflict to have a cyber dimension, where the battles are fought by self-appointed hackers operating under their own rules of engagement. A rash of cyberattacks has accompanied the conflict between Israel and the Palestinians, the conflict over Kashmir, and the Kosovo conflict, among others. According to iDefense, over 40 hackers from 23 countries participated in the Israeli-Palestinian cyber conflict during the period October 2000, when the cyber battles erupted, to January 2001. They also reported that two of the pro-Palestinian attackers had connections to terrorist organizations. One of these was UNITY, a Muslim extremist group with ties to Hezbollah. The hackers launched a coordinated, multi-phased denial of service attack, first against official Israeli government sites, second against Israeli financial sites, third against Israeli ISPs, and fourth, against “Zionist E-Commerce” sites. The other group, al-Muhajiroun, was said to have ties with a number of Muslim terrorist organizations as well as bin Laden. The London-based group directed their members to a Web page, where at the click of a mouse members could join an automated flooding attack against Israeli sites.

Cyber protests have emerged in a climate where computer network attacks have become a serious and growing threat. The Computer Emergency Response Team Coordination Center (CERT/CC), for example, reported 2,134 incidents in 1997. This number rose to 21,756 in 2000 and to almost 35,000 during the first three quarters of 2001 alone. Considering that many, perhaps most, incidents are never reported to CERT/CC or indeed to any third party, the numbers become even more significant. Further, each incident that is reported corresponds to an attack that can involve thousands of victims. The Code Red worm, which infected about a million servers in July and August and caused $2.6 billion in damages, was a single incident.

The rise in computer-based attacks can be attributed to several factors, including general growth of the Internet, with a corresponding increase in the number of potential attackers and targets; a never-ending supply of vulnerabilities that, once discovered, are quickly exploited; and increasingly sophisticated hacking tools that allow even those with modest skills to launch devastating attacks. The tools used to launch massive denial of service assaults, for example, have advanced command and control capabilities. The attacker runs client software to direct and coordinate the actions of server software running on potentially thousands of previously compromised “zombie” computers. Computer worms like Code Red can be used to find potential zombies and automatically install the attack software.

Although cyberattacks have caused billions of dollars in damage and affected the lives of millions, few if any can be characterized as acts of terrorism: fraud, theft, sabotage, vandalism, and extortion—yes, but terrorism—no. Their effect, while serious and not to be taken lightly, pales in comparison to the horror we witnessed on September 11.

But is cyber terrorism coming? Given that at least some hackers sympathetic to bin Laden are engaging in cyber protests, will they or terrorists specifically trained in cyber methods conduct future operations using nothing more than a keyboard and mouse? And if they do, will their cyber bombs target critical infrastructures or cause death and destruction comparable to that from physical weapons? Or, will they use cyber terrorism as an ancillary tool to amplify the impact of a physical attack, for example, by jamming 911 services or shutting down electricity or telecommunications after blowing up a building or releasing toxic gases?

Before addressing these questions, it is important to understand what is meant by cyber terrorism. The term is generally understood to mean a computer-based attack or threat of attack intended to intimidate or coerce governments or societies in pursuit of goals that are political, religious, or ideological. The attack should be sufficiently destructive or disruptive to generate fear comparable to that from physical acts of terrorism. Attacks that lead to death or bodily injury, extended power outages, plane crashes, water contamination, or major economic losses would be examples. Depending on their impact, attacks against critical infrastructures such as electric power or emergency services could be acts of cyber terrorism. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.

To assess the potential threat of cyber terrorism, two factors must be considered: first, whether there are targets that are vulnerable to attack that could lead to severe harm, and second, whether there are actors with the capability and motivation to carry them out.

Looking first at vulnerabilities, several studies have shown that critical infrastructures are potentially vulnerable to a cyber-terrorist attack This is not surprising, because systems are complex, making it effectively impossible to eliminate all weaknesses. New vulnerabilities are continually uncovered, and systems are configured or used in ways that make them open to attack. Even if the technology is adequately hardened, insiders, acting alone or in concert with other terrorists, may be able to exploit their access capabilities to wreak considerable harm.

Consultants and contractors are frequently in a position where they could cause grave harm. In March 2000, Japan’s Metropolitan Police Department reported that a software system they had procured to track 150 police vehicles, including unmarked cars, had been developed by the Aum Shinrikyo cult, the same group that gassed the Tokyo subway in 1995, killing 12 people and injuring 6,000 more. At the time of the discovery, the cult had received classified tracking data on 115 vehicles. Further, the cult had developed software for at least 80 Japanese firms and 10 government agencies. They had worked as subcontractors to other firms, making it almost impossible for the organizations to know who was developing the software. As subcontractors, the cult could have installed Trojan horses to launch or facilitate cyber-terrorist attacks at a later date.

If we take as given that critical infrastructures are vulnerable to a cyber-terrorist attack, then the question becomes whether there are actors with the capability and motivation to carry out such an operation. While many hackers have the knowledge, skills, and tools to attack computer systems, they generally lack the motivation to cause violence or severe economic or social harm. Conversely, terrorists who are motivated to cause violence seem to lack the capability to cause that degree of damage in cyberspace. The methods of cyber terrorism are not, to the best of my knowledge, taught in the terrorist training camps of Afghanistan.

In August 1999, the Center for the Study of Terrorism and Irregular Warfare at the Naval Postgraduate School (NPS) in Monterey, California, issued a report entitled “Cyberterror: Prospects and Implications.” Their objective was to assess the prospects of terrorist organizations pursuing cyber terrorism. They concluded that the barrier to entry for anything beyond annoying hacks is quite high and that terrorists generally lack the wherewithal and human capital needed to mount a meaningful operation. Cyber terrorism, they argued, was a thing of the future, although it might be pursued as an ancillary tool.

The NPS study examined five types of terrorist groups: religious, New Age, ethno-nationalist separatist, revolutionary, and far-right extremist. Of these, only the religious groups were thought likely to seek the most damaging capability level, as it would be consistent with their indiscriminate application of violence.

In October 2000, the NPS group issued a second report following a conference aimed at examining the decision-making process that leads sub-state groups engaged in armed resistance to develop new operational methods. They were particularly interested in learning whether such groups would engage in cyber-terrorism. In addition to academics and a member of the United Nations, the participants included a hacker and five practitioners with experience in violent sub-state groups. The latter included the PLO, the Liberation Tigers of Tamil Eelam (LTTE), the Basque Fatherland and Liberty-Political/Military (ETA-PM), and the Revolutionary Armed Forces of Colombia (FARC). The participants engaged in a simulation exercise based on the situation in Chechnya.

Only one cyber attack was authorized during the simulation, and that was against the Russian Stock Exchange. The attack was justified on the grounds that the exchange was an elite activity and thus disrupting it would not affect most Russians. Indeed, it might appeal to the average Russian. The group ruled out mass disruptions impacting e-commerce as being too indiscriminate and risking a backlash.

The findings from the meeting were generally consistent with the earlier study. Recognizing that their conclusions were based on a small sample, they concluded that terrorists have not yet integrated information technology into their strategy and tactics; that sub-state groups may find cyber terror attractive as a non-lethal weapon; that significant barriers between hackers and terrorists may prevent their integration into one group; and that politically motivated terrorists had reasons to target selectively and limit the effects of their operations, although they might find themselves in a situation where a mass casualty attack was a rational choice.

The NPS group also concluded that the information and communication revolution may lessen the need for violence by making it easier for sub-state groups to get their message out. Unfortunately, this conclusion does not seem to be supported by recent events. Many of the people in bin Laden’s network, including the suicide hijackers, have used the Internet but nevertheless engage in horrendous acts of violence. Groups that foster hate and aggression thrive on the Internet alongside those that promote tolerance and peace.

Although cyber terrorism is certainly a real possibility, for a terrorist, digital attacks have several drawbacks. Systems are complex, so controlling an attack and achieving a desired level of damage may be harder than using physical weapons. Unless people are killed or badly injured, there is also less drama and emotional appeal.

In assessing the threat of cyber terrorism, it is also important to look beyond the traditional terrorist groups and to the computer geeks who already possess considerable hacking skills. As noted at the beginning of this essay, some of these folks are aligning themselves with terrorists like bin Laden. While the vast majority of hackers may be disinclined towards violence, it would only take a few to turn cyber terrorism into reality.

Further, the next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal. They might see greater potential for cyber terrorism than do the terrorists of today, and their level of knowledge and skill relating to hacking will be greater. Cyber terrorism could also become more attractive as the real and virtual worlds become more closely coupled, with automobiles, appliances, and other devices attached to the Internet. Unless these systems are carefully secured, conducting an operation that physically harms someone may be as easy as penetrating a Web site is today.

At least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than cyber terrorism. However, just as the events of September 11 caught us by surprise, so could a major cyber assault. We cannot afford to shrug off the threat.

November 1, 2001

Dorothy E. Denning is the Patricia and Patrick Callahan Family Professor of Computer Science and Director of the Georgetown Institute for Information Assurance at Georgetown University. She has written extensively on information warfare and testified before Congress on cyberterrorism.