Cyber-Terrorism - VarioSecure 2014/01/21

Date post: 13-Jul-2020

Cyber-Terrorism Copyright © 2014, VarioSecure Inc.

There are many computer-mediated or cybernetic threats, each with their own aims, perpetrators, methods, and countermeasures. This paper will consider the threat of cyber-terrorism and is a work in progress, to be updated as the situation evolves.

ROADMAP

This document uses a working definition of cyber-terrorism (CT) as terrorist actions operationally realized through the agency of computers connected by wide-area networks. Cyber-terrorism is thus “terrorism by other means,” and the first requirement is to understand conventional terrorism: its frequency, potency, locations, ideologies, strategies, methods, attack cycle, and the groups and people who carry it out. These same groups are the ones most likely to pursue CT as a weapon, so familiarity with them is important in forging a CT response. No unambiguous example of CT has, to date, occurred anywhere in the world. It is a hypothetical threat, so the second requirement is to review the potential targets in order to provide some structure. These targets are presented by way of a five-layer schematic, from the lowest layer, T1 (network infrastructure), to the highest, T5 (people and physical property), with attack possibilities considered at each layer. Generally speaking T5 is likely to be the target of most CT, simply because lower-layer attacks are unable to meet terrorist requirements. Entities at T5 may be attacked using either hybrid or exploitative methods. Hybrid systems combine computer networks and hosts with ordinary destructive weapons and are inserted at the attack site by the terrorists to complete their mission. These are not considered in any detail. Exploitative attacks deceive or otherwise manipulate existing networks, computer systems, or even people, causing them (or those dependent upon them) to behave in ways that cause destruction or loss of life. Although the goals and end results pursued by CT are similar to those of conventional terrorism, there are significant differences between them that affect the methods, attack cycle, and the membership of terrorist groups, so the next task is to examine these differences, referring back to the discussion of conventional terrorism. Thus a picture develops of who cyber-terrorists are likely to be, and what they are likely to do. The document then concludes with a discussion of cyber-defense. Fortunately, many defenses against exploitative CT are essentially the same as those against other forms of cyber-attack. Unfortunately, such defense has proven difficult in practice. But there are a number of concrete steps that organizations can take to reduce their vulnerability and improve readiness, and this paper hopes to challenge and stimulate the imagination of engineers and others responsible for defending cyber-systems from attack.

DEFINITIONS

We begin with a narrow description of cyber-terrorism (CT) as terrorist actions operationally realized through the agency of computers connected by wide-area networks, where the primary network under consideration is the global Internet. Although strictly speaking the cyber- prefix refers to any computer-mediated attack, network-based attacks are often seen as the “new frontier” due to the pervasiveness of, and dependence upon, the Internet, especially in developed countries, and the characteristics by which networks allow users (good and bad) to lower operational costs and transcend physical barriers. The requirement for operational realization is crucial because, like most modern organizations, terrorist groups may use computers and networks in a multitude of ways, including propaganda, recruitment, communication, accounting, procurement, intelligence gathering, and even target reconnaissance. But if, at the end of the day, their mode of attack is the traditional explosive device or assault team, then their operational methods are scarcely different from conventional terrorism and there is no need for a new term.1 The operational realization requirement separates terrorists' nonviolent use of networks from their use as means of attack, and avoids clouding the issue we need to investigate2. Later on this narrow definition will be relaxed to test different possibilities.

Unfortunately, even if CT is merely “terrorism by other means,” terrorism itself is a notoriously difficult term to reach consensus about, primarily due to the political agendas of those involved in the discussion, and it is common for books and articles to devote the early portion of their discussions to parsing and criticizing alternative definitions. Since they have already done that3, we won't do it here, and instead get down to work by defining terrorism as violent attacks upon civilians and civilian infrastructure intended to achieve a political objective.
This does require some explanation, so we can unpack the different components as follows:

Violent attacks implies casualties or significant physical destruction. In this sense the immediate impact of cyber-terrorism is comparable to that of terrorism using kinetic weaponry, except perhaps in the type of damage done. Violent is an important criterion because it excludes actions which merely annoy, such as the vandalism or non-destructive harassment that characterize many current forms of cyber-attack and cyber-crime.

Civilians and civilian infrastructure distinguishes terrorist attacks from military ones. Of course, civilians and civilian (or dual-use) infrastructure suffer tremendously even in campaigns by military organizations, but military planners are primarily concerned with targets of tactical or strategic value, and the Law of War requires them to balance the military benefits of an attack against civilian costs. Terrorists attack civilians and civilian infrastructure deliberately, seeking to maximize civilian casualties and/or damage.

Intended to achieve a political objective points to the unique psychological signature of terrorism. In a purely military attack, the target attacked and the object of the attack are one and the same: you destroy a building in order to destroy a building (or targets within it). In a terrorist attack, the building is destroyed not primarily for its own sake, but to influence those who witness the destruction, the survivors, the observers. The intent of the action is to send a message.

The motive for formulating definitions is to develop a clearer understanding of potential attackers: who they are, the objectives they seek, the methods they use, and what countermeasures might be effective. On the other hand, it is important to remember that the definition excludes many very real threats that any comprehensive security plan must address. This caveat is particularly important because, while cyber-terrorism remains, for the moment, a hypothetical threat, other forms of cyber-attack, those with criminal or destructive intent devoid of political motives, cause real damage on a daily basis. Simply because an attack is not “terrorist” in nature does not mean that it can be ignored.

THE BIG PICTURE

Since to a first approximation the only difference between cyber- and conventional terrorism is the mode of attack, research on conventional terrorism can be of value in understanding the nature of the overall threat. Because it is vital to have an accurate view, the first things to be aware of, despite government and media bias, are that:

Most terrorist actions are carried out by governments, either against segments of their own populations or as an adjunct to warfare. By far the majority of lives lost to terrorism have been the result of government actions against domestic political rivals, dissenters, minorities, or against foreign adversaries.4

Over the period 1970-2011 approximately 1,900 non-state terrorist incidents occurred each year worldwide, but the number has fluctuated considerably over time5:

The majority of these attacks were against private citizens/property (22%), businesses (20%), government offices (19%), and police forces (12%).6

In the majority of these incidents there were no fatalities; however, on average approximately 3,600 people have been killed in terrorist incidents worldwide each year. 89 out of the total 79,542 incidents in the 42-year period involved more than 100 deaths. The greatest number were the 2,996 people killed in al-Qa`ida's 9/11 attacks in the United States.7

Clearly the number of fatalities has risen since the 1990s, increasing to an average of 5,000 fatalities per year over the last two decades,8 though this is skewed by the 9/11 attacks and the extreme levels of violence that erupted during the invasions, occupations, and political restructuring of Iraq and Afghanistan.

To put these annual deaths due to terrorism in perspective, consider that, by recent figures, almost 6 million people die every year from the effects of tobacco smoke9 (129,000 each year in Japan alone10), and 1.24 million die every year in traffic accidents (4,914 in Japan)11. The average number of fatalities per terrorist attack has held relatively steady since 1980; however, there has been a marked increase in high-casualty attacks since 2000. Statistically much of this is attributable to 9/11 and the response to the US invasion of Iraq, but it is an ominous trend. The vast majority of attacks are anonymous, with no subsequent claim of responsibility. In unclaimed attacks it is not always clear if the incident meets the definition of terrorism unless this is implicit from the nature of the target and the context of an ongoing conflict. Some right-wing organizations have conducted attacks and then sought to blame left-wing groups in order to provoke a government reaction.12 Because terrorism is primarily a tool to force political change, it is usually localized, employed against the particular government or group seen as the oppressor or enemy. The regional distribution of incidents fluctuates as political tensions rise and fall. Analyzing by five-year periods:

Regions making up the top half of the total reported incidents in a decade are highlighted. Terrorism is clearly not the product of any given region, nor is it confined to one, but seems almost to flow from region to region, following the path of greatest tension.13

Non-state terrorism is rarely effective. In a study of 450 groups that had initiated and then terminated terrorist campaigns, only 5% achieved all of their political goals, while an additional 13% were partially successful.14 Thus non-state terrorism has historically had less than a one-in-five chance of even partial success, and in the historical cases studied it is sometimes not clear if the ideological goals were achieved as a result of the terrorist activity or in spite of it.

During the 42-year period, 1970-2011, Japan experienced a total of 348 incidents with a total of 43 fatalities, most notably the 22 people killed in 3 fatal attacks by Aum Shinrikyō during the 1994-1995 crisis.15

It is tempting to conclude from these statistics that, for all its horrors, non-state terrorism is, at least historically, a surprisingly minor danger, particularly for those living outside conflict regions. But the psychological effects of an attack carry weight exceeding what the numbers would suggest.16 In part this is precisely because terrorism is so rare. It has long been observed that human beings underestimate the dangers of common events, those under their control, and those due to natural causes, while overestimating the dangers of rare events, those not under their control, and which involve human agents. This is how terrorism terrorizes: not because of the intrinsic loss of life or destruction, but because of the specific ways in which we respond. It is our mental and emotional reactions which make terrorism appear as an alarming risk demanding swift and decisive action including the sacrifice of liberties that had survived full-scale wars, while statistically far greater dangers like tobacco smoke and traffic accidents are passively accepted. Other reasons for the extraordinary response are political: terrorism threatens the power of governments, while far more catastrophic risks like tobacco smoke do not. A call for proportionality would perhaps not be out of place.

Nevertheless there are risks and costs that historical statistics on terrorist incidents fail to capture. The first consideration is the increasing availability of ever more lethal arms. The world is awash with weapons, some produced locally while others are provided by developed countries to a range of governments and proxy insurgents, but which may then find their way to unregulated markets. In addition, the knowledge necessary to produce chemical, biological, and radiological weapons has become increasingly available.17 A US government commission reported in 2008 that:

... it is more likely than not that a weapon of mass destruction will be used in a terrorist attack somewhere in the world by the end of 2013.18

and indeed the increasing number of high-casualty attacks is likely due to proliferation of more effective weapons, particularly explosives. Another underrepresented risk is the danger that a terrorist incident or campaign may lead to full-scale war. It was, after all, a single terrorist attack in 1914 which sparked the chain reaction leading to World War I. Likewise the 9/11 attacks provided the rationale for the recent US intervention in Afghanistan as well as a false rationale for the disastrous 2003 invasion of Iraq. Clearly the risk of triggering war has not diminished with time. Finally, one of the greatest risks concealed by the statistics is the effect of counter-terrorism itself. Governments typically respond to attacks with repression, and the consequences to society can be enormous, far greater, in fact, than the costs or casualties of the terrorist attacks themselves. Policy changes leading to curtailment of civil liberties, invasions of privacy, secrecy, a climate of fear and intimidation, even the arrest, torture, and execution of innocent (or merely accused) people, often prove politically difficult to undo despite incalculable damage done to the societies such measures are intended to defend.19 Thus the total risks inherent in terrorism are greater than the statistics suggest, although ultimately the latter two risks are, like the “terror” of terrorism itself, products of our own irrational reactions and political structures, rather than something forced upon us by terrorists.

STRATEGY

Terrorists are driven by an ideology that defines the political change they seek to create. Borum (2011) describes ideologies amenable to terrorism as

a set of beliefs that guide and justify a series of behavioral mandates; those beliefs must be inviolable and must be neither questionable nor questioned; and the behaviors must be goal directed and seen as serving some cause or meaningful objective.20

History shows that terrorist ideologies cover the entire political spectrum, from pro-government to anti-government, from right wing to left wing, from those seeking to impose a fascist or militarist order to those seeking democracy and universally recognized human rights. Some seek to abolish political order itself. Drake (1998) lists nine ideological categories:

Separatism
Religion
Liberalism
Anarchism
Communism
Conservatism
Fascism
Single Issue
Organized Crime

Ideology is an important key to the analysis of individual groups because it guides target selection and in principle identifies changes that can undermine, or bring to an end, a terrorist campaign. But despite media stereotypes, no ideology appears uniquely prone to terrorism, and while millions of people may share a particular ideology, the number willing to employ terrorist tactics in pursuit of its goals, even in the face of harsh repression, is extremely small. Psychologists have devoted considerable effort toward understanding why only a small fraction of the people involved in a struggle would choose terrorism as a tactic,21 but no widely applicable model seems to have been found. Nelson Mandela describes the ANC choice for violence as a last resort:

The lesson I took away from the campaign was that in the end, we had no alternative to armed and violent resistance. Over and over again, we had used all the nonviolent weapons in our arsenal... all to no avail, for whatever we did was met by an iron hand. A freedom fighter learns the hard way that it is the oppressor who defines the nature of the struggle, and the oppressed is often left no recourse but to use methods that mirror those of the oppressor. At a certain point, one can only fight fire with fire.22

In this case violence was chosen through deliberate consideration of alternatives, taking a pathway that, following Smith,23 may be diagrammed as

Ideology (Goals) ➔ Analysis (Alternatives) ➔ Strategy (Violence)

Others appear predisposed to violence from the beginning, particularly when motivated by the desire to counter-attack against violence that has already occurred, and follow a sequence more like:

Ideology (Goals) ➔ Strategy (Violence) ➔ Justification

While in still other cases, such as some Marxist-Leninist groups who see violent class conflict as a fundamental precursor to the desired social change, or fascists seeking to provoke a crisis that will excuse a shift to more authoritarian rule, the choice for violence is in a sense part of the ideology from the very start, and so requires no justification:

Ideology (Goals) ➔ Strategy (Violence)

Thus terrorism is a tactic employed in the process of achieving or defending an ideological goal. To those outside the mindset of a given conflict, the choice of terrorism as a tactic appears insane, and it would perhaps be comforting to learn that terrorists are mentally or emotionally unfit, or at least different from the rest of us. Yet the conclusion of much psychological investigation is that terrorists are essentially normal individuals24 in the sense of exhibiting no abnormal psychological traits. Members of terrorist movements do appear single-minded, however. Members of the Provisional Irish Republican Army (PIRA) were described as:

highly intelligent, extraordinarily motivated, relentlessly committed to their course of action, imbued with a puritanical obsession – you might even say a tyrannical obsession – with wanting to do right and to be seen doing right, which makes their actions all the more frightening.25

Likewise after much interaction with terrorists in Italy, Alison Jamieson reports finding:26

a person whose ideas are meticulously worked out through careful analysis and serious reflection, for whom everything is seen in terms of politics, someone who above all is “well prepared” ... [and characterized by] ... great intelligence, great openness and great generosity, with sometimes a bit of exhibitionism.

For such people, the path of violence may be difficult to set aside short of achieving their goals, especially once they become operational, are challenged by larger state security forces, and the cycle of attack and counterattack begins. Simply leading a clandestine life, in which the group becomes the boundary of an individual's world, can create an inward-looking environment where alternative ideologies and methods are not open to discussion. As Post (2003) found when interviewing convicted Middle-Eastern terrorists:27

An overarching sense of the collective consumes the individual. This fusion with the group seems to provide the necessary justification for their actions with an attendant loss of felt responsibility for the individual member – if the group says it is required and justified, then it is required and justified.

These factors can cause a shift over time toward more frequent, and more extreme forms of violence.

METHODS

What do those “wanting to do right and to be seen doing right” aim to achieve by terrorist actions? Against the backdrop of a group's ideology, Drake28 condenses the strategic objectives of terror attacks into seven categories, all of which must be understood in the context of a particular conflict:

Threat elimination
Compliance
Disorientation
Attrition
Provocation
Advertisement
Endorsement

The first two involve neutralizing or intimidating those who may interfere with the group's operations. The last two involve, for the most part, appeals to potential supporters or the “awakening” of a passive population. The central three aim at the opponents whose behavior the group seeks to influence. For example, during the US occupation of Iraq, sectarian militias attempted to disorient competing political/religious communities, employing random acts of violence to make everyday life impossible. In Ireland, the PIRA pursued a strategy of attrition, using continuous low-intensity attacks to raise the cost of British rule in Northern Ireland beyond a level that the British public, and therefore the British government, would be willing to sustain. In the United States, at least one aim of al-Qa`ida's 9/11 attacks appears to have been provoking the US government to destroy the civil liberties of its own citizens29, an objective no external group could have achieved on its own. Of course, the seven objectives listed above are not mutually exclusive, and any group, or even a single action, may have multiple strategic goals. The operational methods employed to achieve these objectives depend on the capabilities of the group, the available weapons, and the opportunities to use them.
The Global Terrorism Database (GTD) uses the following scheme to categorize incidents regardless of scale:30

Assassination
Hijacking
Kidnapping
Hostage-Taking
Bombing
Armed assault
Unarmed assault
Facility/Infrastructure attack

Note that in this typology all except the bombings and facility/infrastructure attacks are attacks on people, attacks intended to cause or to threaten casualties. A different perspective can be gained by looking at the weapons used to carry out any of the above attack types, also from the GTD31:

Biological
Chemical
Radiological
Nuclear
Firearms
Conventional explosives
Fake weapons
Incendiary
Melee
Vehicle
Sabotage equipment
Other

The first four are often classified as weapons of mass destruction (WMD), although in practice some have also been used to target specific individuals.32 Of these, chemical weapons are perhaps the greatest risk because any skilled chemist can synthesize a range of toxic compounds from commercially available reagents following procedures available in the open literature. Attempts to produce a biological, radiological, or nuclear weapon, by contrast, face significant hurdles in procuring uncommon materials or components, production, testing, and delivery, although some of these obstacles could be overcome through theft, purchase, or with the clandestine support of a willing government. The two aspects combine in the sense that a group must be capable of planning and carrying out one (or more) of the methods using the weapons available to them.

ATTACK CYCLE

Attacks typically proceed through phases which may be more or less formalized. The most dangerous groups rely on a body of theory and doctrine that leverages past experience in what works and what does not. In asymmetric warfare a small group cannot survive a direct confrontation with a superior force, so the keys to success and survival are, therefore, patience and intelligence in planning, followed by stealth, speed, and surprise in execution. For example, when the Brigate Rosse (BR) kidnapped former Italian Prime Minister Aldo Moro in 1978, he was protected by five armed bodyguards in two cars. The BR were able to determine his schedule and route in advance, insert weapons and personnel without detection, and on the day of the incident, stop his convoy, kill all five bodyguards, move Moro (unharmed) to a getaway vehicle, and escape from the scene unchallenged. The entire operation lasted just 45 seconds. One way to analyze the terrorist attack cycle follows Drake33:

Target selection
Intelligence gathering
Target reconnaissance
Operational planning
Insertion of weapons
Insertion of operational team
Execution
Withdrawal of operational team

Depending on the nature of the group and the target selected, these steps may or may not be carried out in detail, but it is useful to consider each of them.

Target selection is complex, involving a balancing of ideology, group capabilities, resources, the characteristics of potential targets, and other non-operational factors. Drake34 presents the process as a flowchart in which multiple feedback loops reveal the interplay between key factors and at least one model of how the decision process might unfold:

Intelligence gathering involves collecting information about the target and analyzing it to produce actionable data. Where in the past groups relied on libraries, press reports and other traditional media, Internet resources now offer a tremendous leap forward. Land and satellite imagery available through sources like Google Earth and StreetView provide details unimaginable just a short time ago, and search engines can be used to trawl up all manner of information relevant to a potential attack.

Target reconnaissance involves observing and (possibly) probing the target. Where the target is stationary, Internet technology, such as small WiFi-enabled cameras, may provide attackers with rich sources of information at low cost and minimal risk. Moving targets may still require physical surveillance, but technology such as tracking beacons or applications installed on cellular phones makes this easier as well. The reconnaissance team may be withdrawn before the operation to avoid arousing suspicion, or some presence may remain to aid in the attack.

Operational planning includes decisions about all of the remaining phases: insertion of weapons and the operational team, execution of the actual attack, withdrawal of the team, as well as perhaps contingencies for unexpected events. Not all groups engage in detailed planning, and some forms of opportunistic attack may not require, or even allow for, fine detail, but planning is one characteristic that separates amateur attackers from professionals.

Insertion of weapons involves possible pre-positioning of the resources needed by the operational team. Ideally attackers would bring their weapons to the site, but if the weapons chosen are illegal, merely carrying them creates a risk of discovery and apprehension. Some groups therefore use couriers of various kinds, sometimes unwitting, to deliver the weapons and matériel to the attack site in advance.
Insertion of the operational team means getting the attackers in position to carry out the plan. Depending on the situation, this might require passing through or avoiding security checks or other obstacles to gain close proximity to the target. Stolen or forged documents, uniforms, or other deceptions may also be needed, as well as steps to prevent identification after the fact through video surveillance or other trace evidence. The speed with which video imagery was used to identify the Israeli agents who assassinated Mahmoud al-Mabhouh in Dubai in 2010, as well as the Tsarnaev brothers in Boston in 2013, makes it unlikely that future attackers will ignore this risk.

Execution of the attack must normally proceed quickly, particularly if the target is protected and/or an alarm will be raised. Once the attack commences, success or failure depends on the operational team's ability to act and react faster than their opponents, taking and retaining the initiative, keeping opponents off-balance until the operation is completed. This is where training and experience are of greatest value. Boyd (2010) describes the operational engagement cycle as an OODA (observe, orient, decide, act) loop35. In order to succeed, the attackers must have a faster engagement cycle than the defenders, allowing them to stay several steps ahead while the defenders are still reacting to the past. The operational team may be self-contained or may call on external resources for support and direction. During the 2008 Mumbai incident a support team in Pakistan used Internet and mass media sources to ensure that the attackers were constantly aware of all facets of the situation, including the arrival and location of a counter-terror unit, who were then ambushed.36

Withdrawal of the operational team is an obvious necessity for all except martyrdom operations, and must usually be completed quickly, before defenders or other reinforcements are able to seal off a perimeter around the site.
Some attack types, such as hijackings and hostage-taking, are planned from the start to establish and hold a defensible position until demands are met, but in most cases the withdrawal, escape, and evasion phase commences immediately after the attack. In a tense, highly militarized environment such as Northern Ireland during the Troubles, attackers may have only two or three minutes to attack and withdraw safely.


GROUPS

One way to analyze terrorist groups is simply to look at their size. Historically some have been quite large, involving not just operational teams but specialists in weapons, logistics, finance, propaganda, and other supporting roles. Others have been limited to a handful of individuals37 or even a single lone attacker. Size is important since it affects both capabilities and the long-term viability of the group. Jones and Libicki (2008) conclude that large groups, with more than 10,000 members, achieved their aims 25% of the time, far above the statistical average, while groups with fewer than 1,000 members were rarely successful. On the other hand, large groups are visible, while small groups and lone individuals are more difficult to detect, and are often cited as the greatest concern by counter-terrorism officials.

Group organization presents another analytic dimension. Individuals and small groups, acting as isolated cells, may operate as informal teams or coalesce around strong leaders. Historically, large organizations such as the PIRA or ANC have divided into cells for security and effectiveness. This is particularly common when operating in multiple locations, yet the cells are still knit together by a command and control hierarchy similar to that of a military force, centered on a core leadership. The PIRA command structure, for example, was highly evolved, with specialized departments for intelligence, publicity, training, security, etc., and multilevel local brigades for operations.38 Command and control were achieved in principle by ensuring that weapons were stocked at a level above the operational units, who would request approval for an attack. In conventional terrorist organizations, pre-existing social ties appear to be the major influence driving recruiting, whether family relationships, friendships, or a group's overall presence within the community.39

At the other end of the organizational spectrum is the modern-day al-Qa`ida.
Originally a hierarchical paramilitary group, it has transformed itself into an almost “virtual” network organization in which the leadership provides ideology and resources (as reflected in the name al-qāʿidah: “the base”) while exhorting individual cells to engage in the struggle (jihad) by whatever means available to them. By all accounts it is an effective strategy. In a discussion of al-Qa`ida's organization, Cronin writes:40

No previous terrorist organization has exhibited the complexity, agility, and global reach of al-Qa`ida, with its fluid operational style based increasingly on a common mission statement and objectives, rather than on standard operating procedures and an organizational structure.

The central focus of today's al-Qa`ida is thus communication, including communication with those whom the leadership have never met. This is carried out in many ways, including tapes, videos, press interviews, web sites, social media, and publications such as the extremist online magazine Inspire. This last is of particular concern in the West because it is published in English and offers not only ideological motivation but detailed DIY weapons information to individuals and groups in Western countries. Concern over such uncontrolled “personal jihad” is echoed throughout much of the intelligence and counter-terrorism community. In an interview with CNN, former US Deputy Director of National Intelligence John Miller stated:41

I think what actually keeps me up more at night is the much more likely scenario, perhaps less devastating (than an al-Qa'ida nuclear attack) of the effect of lowering the bar: having effective communicators, using social media and the web to reach out to the lone wolves and to say you can be alone or you can have the force of personality to gather just three or four people around you. And you can do something that's low-tech and low-cost but high yield. [...] This is something that they have honed almost to an art. And when we talk to the people who are stopped in these plots and say what got you started; if it's here on U.S. soil, inevitably it was a mouse and a computer screen.

A further dimension of terrorist groups measures their operational capabilities against the skill level of the police or military units they are likely to encounter,42 on a scale running from amateur through experienced to professional.

Amateur groups typically have little or no experience with the weapons they choose or the planning and tactics required to carry out an operation. In fact, due to lapses in operational security, they are often apprehended before an attack can be realized. At other times, they may attempt the attack only to fail due to inadequate training. Psychologists have devoted considerable attention to the question of why people without a background of violence would “radicalize” and become involved in terrorism, but what seems most clear is that it is often a long and involved social process.43

Experienced groups have roughly the same level of training in weapons and tactics as defenders, and might be made up of current or former military or police personnel, or hardened veterans who have survived previous campaigns. They may have limited access to funding or advanced weapons yet have sufficient knowledge to improvise. Thus they know their weapons, proceed on the basis of a defined mission, and will plan both the operation itself and (unless seeking martyrdom) their withdrawal. Unlike amateurs, such groups are not intimidated by authorities and may fight rather than surrender when challenged. They may have links to a larger umbrella organization yet continue to operate autonomously. Although described as “groups,” it is important to note that even some individual attackers fall into this category.44

Professional groups have deep experience and resources, and are able to field well-armed, disciplined teams with greater tactical and specialized experience than the military or law enforcement agencies responding to their attack. Members might be drawn from current or former special forces, elite law-enforcement organizations, or combat veterans.
The original core of al-Qa`ida, including Usama bin Laden himself, for example, were veterans of the US-backed Mujahideen resistance against the Soviet occupation of Afghanistan. Non-combat participants with other specialized knowledge, such as professionals in science, engineering, medicine, and logistics, may also play a role. In the vast majority of cases, the academic background of terrorists with higher education is engineering.45 Such groups may stand alone or be covertly backed by governments that provide them with weapons, training, resources, and safe havens.

The effect of experience also needs to be considered on a broad scale. Some research has shown that as groups gain experience the frequency of their attacks tends to increase.46 Plotting attacks per year by the ANC in South Africa and the Taliban in Afghanistan,47 for example, shows increased attacks almost every year until a peak is attained. In the case of the ANC, attacks dropped dramatically in 1988-1989 due to changes in the political environment that culminated in the release of Nelson Mandela from prison in 1990. For the Taliban the continued attack level may simply represent the limit of their capacity.

Group size and growth also play a role in attack frequency, since when cells operate autonomously or semi-autonomously, the more cells there are, the more attacks are possible. Both the ANC and the Taliban had/have thousands of members. But the same pattern of increased attack frequency can be seen even in the actions of smaller groups, such as RO-N17,48 with only 20-30 people, where attacks ramped up through 1991 but then abated for reasons that are unclear.

Differences in strategy may also be observed in these data: groups like the ANC, following a strategy of attrition, carry out large numbers of small-scale attacks, while groups like RO-N17 or al-Qa`ida seem to pursue a combination of strategic goals through small numbers of well-planned attacks. Fortunately the number of fatalities per attack does not seem to increase with group experience. No doubt part of this is due to the uncertainties of armed conflict, but it may also be that, as groups become better at carrying out a certain favored type of attack with certain favored weapons, target selection and weapons choice constrain their lethality.

These dynamics, as long-lived groups continue their struggles over time, suggest that successful attacks are likely to be followed by more, so a fast response is called for. On the other hand, most groups are not long-lived. Of the 2,592 groups represented in the GTD, more than 50% have only a single attributed attack, while 80% of the groups claimed 5 or fewer. Thus it is clear that most terrorist groups do not engage in long-term campaigns, though a minority of groups (just over 3%, most likely those with considerable community support) manage hundreds or even thousands of attacks over their organizational lifetime.

This concludes a brief overview of conventional terrorism, but there is a significant body of research and literature available, and much has necessarily been left out. Further research would undoubtedly yield additional practical insights. It is important, however, to examine such literature, and even the available databases, with a critical eye. Terrorism and counter-terrorism are perhaps the most politically charged subjects in existence. Bias, unexamined assumptions, and sometimes hidden agendas are common.


CYBER-TERRORISM

The preceding discussion of conventional terrorism sets the stage for an analysis of the still hypothetical threat of cyber-terrorism, that is, terrorist actions operationally realized through the agency of computers connected by wide-area networks. Perhaps the best place to start is to look at the potential threats. Consider a layered, logical model of the type familiar to network engineers:

Data being sent travels downward to the network infrastructure layer, which forwards the encapsulated information across the network until it travels back upward to its ultimate destination. Network infrastructure is the delivery mechanism for a cyber-attack, which begins as mere electronic data: messages. It is the response of the other elements to those messages (at one or more layers) that elicits an effect, which, if it is a terrorist attack, consists of violence committed against civilians and civilian infrastructure intended to achieve a political objective. Naturally the layering diagram is schematic and it is possible for data, and therefore attacks, to take other paths, but this structure is a useful way to begin. Note that while cyber-attacks exist throughout, the degree to which attacks at the lower layers might, on their own, qualify as terrorism is questionable. To cause physical destruction or loss of life an attack must generally reach T5. Nevertheless there are some cases in which lower-level attacks could cause physical damage, or be used as part of a coordinated strategy to increase the effectiveness of other attacks. Military discussions of cyber-attacks often cite a “force multiplier effect” that cannot be discounted.

T1

This layer consists of satellites, cables, transceivers, circuits, switches, routers, and other equipment managed by ISPs and NSPs to provide fundamental network services, as well as the communication protocols that run over this infrastructure, most notably TCP/IP. These protocols were designed for resiliency, to survive warfare or other scenarios in which circuits are cut and routing/switching facilities are lost, and indeed such component outages are common. A well-designed network will therefore have sufficient topological diversity to route traffic around obstacles.
It is difficult to conceive of cyber-attacks at T1 which would, by themselves, qualify as terrorist actions due to the difficulty of causing physical destruction or loss of life. T1's function is to move data from A to B, so by impairing T1 all that could happen is that data is lost, delayed, or forged. To have a larger effect some higher layer entity must depend upon the data, and/or the timing of its transmission/reception. This illustrates the key concept that the risk associated with a given system is proportional to the value of what depends upon it. An attack on T1 could, however, be made part of a larger coordinated cyber-terror attack by isolating a chosen facility, or even a country, from the rest of the Internet.49 Software vulnerabilities could allow an attacker to shut down or overwhelm a router or switch, or to gain administrative access, and therefore access to all data flowing through the device.50 Sophisticated attacks might also inject false data giving network operators or higher level entities an incorrect view of reality.
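The T1 point above, that a network survives component loss only to the extent that it has topological diversity, can be measured rather than assumed. The following Python is an added example, not code from this paper or from VarioSecure: it computes the edge connectivity between a facility and the rest of the Internet (the number of links an attacker must cut or take down to isolate it) with a max-flow/min-cut calculation, and returns the links that form one minimum cut. The two topologies and all node names are constructed for illustration and are not any real provider's network.

```python
from collections import defaultdict, deque

# Constructed topologies for illustration (not taken from any real network).
# Each pair is an undirected link; "internet" stands for the rest of the world.
DUAL_HOMED = [
    ("facility", "pop_a"), ("facility", "pop_b"),
    ("pop_a", "core1"), ("pop_a", "core2"), ("pop_b", "core2"),
    ("core1", "core2"),
    ("core1", "ix1"), ("core2", "ix2"),
    ("ix1", "internet"), ("ix2", "internet"),
]
# Same provider network, but the facility has only one access link.
SINGLE_HOMED = [l for l in DUAL_HOMED if l != ("facility", "pop_b")]


def min_cut(links, source, sink):
    """Edge connectivity between source and sink (Edmonds-Karp max-flow over
    unit-capacity arcs, one in each direction per undirected link).
    Returns (size, cut_links): removing every link in cut_links isolates
    source from sink, and no smaller set of links does."""
    cap = defaultdict(lambda: defaultdict(int))
    for u, v in links:
        cap[u][v] += 1
        cap[v][u] += 1

    def bfs_parents():
        # Shortest augmenting path in the residual graph; stops once sink is reached.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent

    flow = 0
    while True:
        parent = bfs_parents()
        if sink not in parent:
            break
        # Unit capacities: every augmenting path carries exactly one unit.
        v = sink
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1

    # Source side of the minimum cut: nodes still reachable in the residual graph.
    source_side = set(bfs_parents())
    cut_links = [(u, v) for u, v in links if (u in source_side) != (v in source_side)]
    return flow, cut_links


def reachable(links, source, sink, removed=()):
    """True if sink can still be reached from source after the given links fail."""
    gone = {frozenset(l) for l in removed}
    adj = defaultdict(set)
    for u, v in links:
        if frozenset((u, v)) not in gone:
            adj[u].add(v)
            adj[v].add(u)
    seen, queue = {source}, deque([source])
    while queue:
        u = queue.popleft()
        if u == sink:
            return True
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return False


if __name__ == "__main__":
    for name, topo in (("dual-homed", DUAL_HOMED), ("single-homed", SINGLE_HOMED)):
        size, cut = min_cut(topo, "facility", "internet")
        print(f"{name}: {size} link(s) must fail to isolate the facility: {cut}")
```

The single-homed variant reports a cut of one link, the facility's only access circuit, which is the single point of failure the T1 discussion warns about; the dual-homed variant needs two simultaneous failures. Running this against a real inventory of circuits is a cheap way to find facilities whose "redundant" paths in fact share a link.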


T2

This layer consists of the end-nodes at the edges of the network, typically computers running a commercial operating system. The most familiar are, of course, laptop and desktop computers, servers, and (increasingly) network-enabled devices such as cellular telephones and other data terminal equipment. Virtual instances of such devices, such as those offered by cloud services, may also exist as T2 hosts from a network point of view, with the physical server acting as both host and router. The key concept is that T2 nodes function as network-addressable end-points.51 Operating systems expose an interface to the hardware as well as libraries which provide the building blocks for T3. The OS may be a small embedded kernel dedicated to a particular purpose or a large, general purpose system. Both hardware and software may offer vulnerabilities to an attacker, but historically T2 has been a rich feeding ground for cyber-attacks due to large numbers of errors and unintended functionality exposed by operating systems, most notoriously Microsoft Windows. Vulnerabilities at T2 have allowed attackers to remotely crash systems, capture and/or erase data, or surreptitiously take control and use the system for their own purposes. Because the OS manages the barriers between users and processes, successful attacks on the OS can give an attacker unlimited access. Recent Microsoft analysis52 of the US National Vulnerability Database53 showed approximately 700 new OS-level vulnerabilities disclosed in 2012: almost two new vulnerabilities every day. These problems are exacerbated on modern multi-core systems, or in cloud architectures where multiple applications or system instances run simultaneously on the same hardware. Cyber-crime is common at the T2 layer, and CT might use the same vulnerabilities as part of an attack, though there remains the question of whether attacks at T2 could constitute terrorism.
Perhaps what can be said is that direct attacks on T2 would qualify as terrorism if they can trigger physical destruction of the system or destruction of data sufficient to result in real-world effects comparable to physical destruction. In the first case (physical destruction), some specialized systems incorporate mechanisms that can be triggered to render the system permanently inoperable. Others may expose an interface to environmental controls which could be used to shut down cooling fans or interfere with power distribution, causing a machine to overheat or otherwise fail. If an attacker is able to access such functions, the system could be shut down, damaged, or destroyed. In the second case (destruction of data), the mechanism is far easier, since functions to erase data, including overwriting disk sectors with random data to prevent recovery, may be provided by the OS. Disk encryption software offers another approach to make data unusable even while, in principle, it still exists. As with T1, indirect attacks on a T2 system can combine with other attacks to create a more serious event. A T2 host can be used to attack T1 or other T2 systems, for example, or in more sophisticated attacks data provided by the system may be modified to deceive higher layer entities so that they take, or refrain from taking, some critical action.

T3

This layer consists of applications which use the interfaces exposed by T2 to provide higher level functions to end users, and the data stored as a by-product of their use. These are familiar, and should need no explanation. Some applications, especially servers, will be network-addressable via mechanisms such as TCP or UDP port numbers or as the end-points of tunnel protocols. Attacks possible at this layer are similar to those at T2, but more numerous due to the vast range of applications in use and the combinatorially larger number of interactions between them and with the underlying T2 operating system.
Recent Microsoft analysis of the NVD54 showed approximately 3,300 newly disclosed application vulnerabilities in 2012, an average of nine new vulnerabilities every day. Of the total disclosed, 775 were given a “high” severity rating according to the standardized Common Vulnerability Scoring System,55 indicating very serious risks. On the other hand, even more than at T2, T3 entities operate mainly on data, so using T3 to effect a terrorist attack becomes difficult except to the degree that higher layer entities, including people, depend upon that data.

T4

This layer consists of peripheral systems, the most familiar of which are displays, keyboards, and printers, but it may include all manner of devices, large and small. Some are passive, such as sensors which merely provide data. Others are active and affect the physical world. For example, modern automobiles use computers to control brakes, locks, lights, displays, security, and various power train functions. Buildings may use computers to control their internal environment, elevators, lighting, and security. Industrial and military sites use computers to control equipment, manage processes, recognize trouble, and take remedial action. Classical peripheral devices themselves are usually not network-addressable but are instead managed by supervisory software or drivers running as T3 applications on host computers. In any modern office it is obvious that the physical lines between T2, T3 and T4 are blurred by devices like networked printers, copiers, etc., but the layers remain conceptually and functionally meaningful. At T4 we begin to contact the physical world, and it is at this level that cyber-terrorism begins to look like a real possibility.
For example, research has shown that, given access to the computer network running within modern automobiles, it is possible to lock the doors, disable the brakes, selectively apply braking to individual wheels, or indeed control the car so that it completely ignores the driver.56 By gaining remote wireless control over multiple vehicles at the same time, a serious incident could be created in which lives are lost and property destroyed. In 2008 the FAA warned that the on-board network intended to provide passengers of the Boeing 787 Dreamliner with in-flight Internet access was directly connected to the aircraft's control, navigation, and communication network, offering a potential vulnerability.57 Industrial processes in real-time control of potentially dangerous functions often operate using SCADA (supervisory control and data acquisition) systems.58 Many such systems, including those used at nuclear power plants and other sensitive locations, were installed before the widespread adoption of Internet technology and so were designed without consideration for network security risks. A SCADA network is based upon a four-layered design:

The field devices interact directly with physical processes in real time and consist of programmable logic controllers (PLC) or remote terminal units (RTU). These units send information back to higher layers and receive control information back from them.


The Stuxnet worm discovered in 2010 was designed to locate and attack specific PLC units incorporated into the centrifuges used by Iran to enrich uranium for their controversial nuclear program. It exploited multiple errors in the Windows operating system (at the controller layer) to access connected field devices, looking for connections to the PLC units used in the centrifuges. If found, and several other checks were passed, the PLC code was modified so that the rotational frequency of the controlled device would cycle between high and low rates, eventually damaging it.59 In effect it was a military attack by other means, and has had serious repercussions both within industry and for Internet security as a whole. Researchers have demonstrated the ability to penetrate industrial systems to open dam floodgates, cause railroad accidents60, or in one dramatic experiment, cause an electrical generator to self-destruct61 (possibly an early demonstration of the mechanism seen in Stuxnet). In 2008 a CIA analyst revealed:

We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.62

As far back as 2002, the FBI reported that al-Qa`ida was collecting information about SCADA systems.63 A further, more subtle approach is to modify data presented to human beings so that, like the Iranian centrifuges, their behavior can be controlled or influenced. For example, as part of Israel's 2007 attack on the Syrian al-Kibar nuclear facility, they reportedly penetrated the systems of Syrian air defense, causing displays to show normal skies with no threats even as Israeli jets crossed the border and attacked the facility. An alternative scenario would be to cause trusted systems to display false data which leads military or law enforcement personnel to attack a target site on the terrorists' behalf. This sort of deception has a long history,64 but a cyber manifestation would offer new possibilities for tactical and strategic deception. Many of the actual and hypothetical examples above could cause sufficient damage to be considered a terrorist incident. The fact that most of the examples have been state-sponsored changes little, since the protocols are public knowledge and the same expertise is available outside of government. The rapid adoption by cyber-criminals of the exploits contained in Stuxnet is evidence of the speed with which such knowledge proliferates and attackers learn both from each other and from their adversaries.

T5

This layer consists of the non-networked “real world” people, facilities, and infrastructure affected directly or indirectly by the peripheral systems at T4. Interestingly, at this time, it is not generally possible to mount a direct cyber-attack on T5 entities. But by controlling T4 systems it is possible to affect T5 in devastating ways, and this is the primary danger of cyber-terrorism.
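The Stuxnet and Syrian air-defense cases described under T4 above share one mechanism: the supervisory layer keeps showing a normal picture while the physical process does something else. The defensive counterpart is to compare what the HMI shows against a measurement that does not pass through the possibly compromised controller. The following Python is an added example, not code from this paper or from any control-system vendor. It runs two checks over a constructed telemetry series (the setpoint and sample values are invented for illustration and are not measurements from any real plant or from Stuxnet): sustained disagreement between display and independent sensor, and a display that is suspiciously flat while the sensor moves.

```python
# Constructed telemetry for illustration: one sample per second from a
# hypothetical variable-frequency drive. Values are invented, not from any real plant.
SETPOINT_HZ = 1000.0
# What the supervisory display showed the operator (a compromised controller
# replaying "normal" values).
HMI_HZ = [1000.0] * 12
# What an independent sensor, logged outside the control network, actually measured.
OOB_HZ = [1000.0, 1001.0, 999.0, 1000.0, 1400.0, 1410.0, 1405.0, 1412.0, 2.0, 3.0, 2.0, 1000.0]


def divergence_runs(hmi, oob, setpoint, tol=0.02, min_run=3):
    """Return (start, end) index pairs where the display and the independent
    sensor disagree by more than tol*setpoint for at least min_run consecutive
    samples. Short blips are ignored so ordinary sensor noise does not page anyone."""
    limit = tol * setpoint
    runs, start = [], None
    for i, (h, o) in enumerate(zip(hmi, oob)):
        if abs(h - o) > limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    n = min(len(hmi), len(oob))
    if start is not None and n - start >= min_run:
        runs.append((start, n - 1))
    return runs


def longest_constant_run(samples):
    """Length of the longest run of identical consecutive readings. A real
    process jitters; a long, perfectly flat display suggests replayed values."""
    best = cur = 1 if samples else 0
    for prev, now in zip(samples, samples[1:]):
        cur = cur + 1 if now == prev else 1
        best = max(best, cur)
    return best


def alerts(hmi, oob, setpoint, tol=0.02, min_run=3, flat_run=10):
    """Combine both checks into a list of human-readable alert strings."""
    out = [
        f"display and independent sensor disagree from sample {s} to {e}"
        for s, e in divergence_runs(hmi, oob, setpoint, tol, min_run)
    ]
    flat = longest_constant_run(hmi)
    if flat >= flat_run and longest_constant_run(oob) < flat_run:
        out.append(f"display flat for {flat} samples while sensor varies")
    return out


if __name__ == "__main__":
    for line in alerts(HMI_HZ, OOB_HZ, SETPOINT_HZ):
        print("ALERT:", line)
```

The value of the check depends entirely on the second measurement being independent: a sensor read by the same PLC, or a log written by the same HMI host, can be falsified by the same intrusion. The tolerance and run lengths are tuning parameters and would be set from the process's normal variability.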
Much government emphasis at T5 has been devoted to the identification and protection of critical infrastructure: systems or assets, whether physical or virtual, that if incapacitated or destroyed would have a debilitating effect on security, health, or overall safety.65 In the US, the Office of Infrastructure Protection created a database of national assets which by 2006 numbered more than 76,000 entries. The distribution was:66


Later on, mission creep added thousands more locations, including over 4,000 shopping malls, 1,300 casinos, a company manufacturing elevators and another manufacturing burial caskets. Those assets which are truly critical in an acute sense are likely to form a more select list.67 On the other hand, although it is crucial for governments to protect critical infrastructure it is also vital to note that when confronted with hardened or heavily protected targets, committed terrorists may simply shift attention to softer, more vulnerable ones. No government has the resources to protect everything all the time, therefore businesses and agencies that do not receive taxpayer-funded protection are on their own, and must either develop defensive capabilities themselves or rely on trusted third parties to provide it.


CT IDEOLOGY/STRATEGY/METHODS

Since no unambiguous instances of CT have yet occurred, there exist no data on the ideology, strategy, or groups that may employ it. As a first approximation it seems likely that the ideologies and strategies of groups using cyber-terrorism would be the same as those of conventional terrorism, with CT seen as just an additional new weapon. Methodologically, however, there are some differences. Recalling the GTD categorization of terrorist incidents:

- Assassination
- Hijacking
- Kidnapping
- Hostage-taking
- Bombing
- Armed assault
- Unarmed assault
- Facility/infrastructure attack

Some of these could conceivably be mediated by computers, while others seem less likely. The more probable are assassination, bombing, armed assault,68 and facility/infrastructure attack. Two primary pathways exist:

- Take control of systems already in place, causing them to do harm or to refrain from preventing it.
- Install, or cause to be installed, network-accessible systems whose function is to control a conventional destructive weapon.

These could be used independently or in combination with other attack modes. An example of the first would be to subvert the control systems at a chemical plant, causing an explosion or the release of toxic chemicals. An example of the second would be a network-controlled weapon such as a sniper rifle,69 rocket launcher, or explosive device. The first type may be termed exploitative in that it takes advantage of vulnerabilities in existing systems to control them, while the second is a hybrid of cyber and conventional kinetic weaponry. Although attacks using hybrid weapons will undoubtedly be encountered more frequently,70 the remainder of this discussion will focus on exploitative attacks because they are the type most commonly referred to in CT literature. Cyber-attacks on T5 are realized by attacking elements at T1 through T4.
The common characteristic of these four layers is that they consist, for the most part, of computers and other digital systems. Attacks can proceed in several ways, including overt destruction of such systems, but exploitative attacks can be broadly analyzed along two dimensions, access and vulnerability.71

Access is measured by proximity, from local to remote. Remote attacks are perhaps the more classic form: attacking the system over the Internet from a distant location. Local attacks occur when the attacker has physical or close access. Access via a corporate or office LAN is the intermediate, or “near access,” case. Hybrid attacks are also possible, in which firmware or software from a remote site is installed on a system and then waits to be triggered locally. Network-mediated methods to enable this, such as virus infections, cross-site scripting, or other application vulnerabilities, are well known,72 but it is important to note that compromise can occur at any point in the life-cycle of a device, its procurement, or its operation. For example, throughout 2000-2007 more than 3,500 Chinese-made counterfeit Cisco routers73 were widely sold and installed in government and corporate offices in the United States because third-party contractors saw the inexpensive substitutes as a way to lower costs and increase profits, not realizing that the devices were faulty and may have been produced with intentional vulnerabilities. Similarly, modern computer systems are constructed from components produced by multiple manufacturers in multiple countries, often through a chain of subcontractors. If an attacker can cause a compromised component to be built into, or otherwise installed on, a target machine, that component can be used to penetrate the rest of the system. A network interface card, for example, is necessarily network-accessible.74 When such a card is constructed with a “back door,” allowing access via specially crafted frames, an attacker can take control of the computer's communication, and since interface firmware and drivers typically have access to the system at the hardware level, complete control of the system is possible. In 2007 researchers discovered that it is possible to do exactly this, remotely accessing certain commercial Ethernet interface cards to install code and thereby gain access to the system as a whole.75 Similar back doors could also be installed or built into unsuspected hardware such as smart phones, keyboards, printers, or copy machines, added to software, or even concealed within electronic documents.76 Such exploits can therefore be established locally, as a system is designed, built, transported, maintained, or simply left unattended,77 but then exploited remotely at a time of the attacker's choosing.

The vulnerability dimension identifies objects and interfaces that are potentially open to attack.
Lin (2009) lists seven broad categories:78

- Software
- Hardware
- Seams between hardware and software
- Communication channels
- Configuration
- Users and operators
- Service providers

Using these objects and interfaces as the basis of an attack typically involves exploitation of latent properties, recognition of which requires a degree of familiarity. However, it is important to note that many devices and systems have craft interfaces with local (or sometimes even remote) access intended for maintenance and troubleshooting that can be exploited for other purposes. Further, many governments have demanded that hardware and software manufacturers, as well as service providers, create back doors for law enforcement, censorship, and monitoring of dissent. This is always done in the name of security, but the mere existence of such hidden functions makes systems inherently less secure. Knowing that such back doors exist, it is only a matter of finding and exploiting them, and attackers are patient.

CT ATTACK CYCLE

Recall that the attack cycle described earlier proceeds through eight phases:
1. Target selection
2. Intelligence gathering
3. Target reconnaissance
4. Operational planning
5. Insertion of weapons
6. Insertion of operational team
7. Execution
8. Withdrawal of operational team

Within the context of a cyber-attack, the computer- and network-mediated nature of CT distinguishes it from conventional forms. CT target selection must generally consider how to reach layer T5 through the network. The most likely way this would be done is to first choose potential attack targets capable of producing the desired psychological effect, and then work backwards using a mechanism such as attack trees,79 first identifying the specific network-enabled devices that would permit the attack, then determining who or what has the credentials necessary to issue the required commands. Having identified the proper agent, the task of the attacker is to become, or to impersonate, that agent. Considerable knowledge and experience may be required at this point, since what is often required is to make use of available system functions in ways that were not intended by the designers. Even simple system components have multiple properties, some of which were used to provide the original desired function, and some which remain latent. Attackers use these latent properties to subvert and control the system. Finding such vulnerabilities is difficult but, as history has shown, well within the ability of non-specialists. Successful cyber-attacks are mostly a matter of creativity, perseverance, and looking at a system from all angles, rather than just what it was designed to do. An alternative process might begin with the knowledge held by an insider who, either by deception or recruitment, offers the terrorist group a way to exploit the known destructive capabilities of facilities already under his or her control.
CT intelligence gathering related to the network or system elements themselves may be as easy as searching for documents on the Internet, and in many cases the equipment required for testing can simply be purchased. One of the key differences between CT and conventional terrorism is that, very often, it will be possible to simulate the attack repeatedly on one's own equipment, thereby avoiding any suspicion. Further, since the equipment used is generally off-the-shelf, there is no concern about being apprehended in the purchase or possession of illegal materials. Attackers could set up a test network modeling their target, then try alternatives, simulating attacks until they are confident of their chances for success. The other major thrust of intelligence gathering is collecting information about people inside the organization. This information could then be used for social engineering, to target individuals with E-mail, web pages, or other means of malware delivery, or even in efforts to recruit insiders: people who have access and can provide internal information, or possibly even take actions that would, in effect, “leave a window open” for the operational team. Naturally such people would be in danger of discovery, but it remains a time-honored tactic. The 2012 Shamoon malware attack on Saudi Aramco was reportedly aided by an insider with high-level access.80

CT target reconnaissance depends on the nature of the devices being attacked and is trickier, because attackers will have to avoid monitoring or other safeguards that would make their presence and interest known to defenders too soon. Stealth and surprise are paramount, since analysis of log data could reveal attack methods, which could then be closed off, or network traffic could be traced back to the attackers, leading to possible arrest or attribution. Nevertheless some steps are required. Unless the team has inside information, they will need to map the target site's network, identify the systems that are available, and determine their characteristics in order to recognize what vulnerabilities are available to exploit. A hybrid approach might use a virus or worm for this. Delivered by spear-phishing or some other method, once inside the target site's network it could scan for systems with the desired properties/vulnerabilities and, once found, compromise them immediately and/or notify attackers by something as innocuous as an ICMP echo or DNS request. The question of how deeply to penetrate during target reconnaissance is delicate: the deeper one goes, the more information is available but the greater the risk of detection. But the nature of the network means that reconnaissance (or the delivery of an automated reconnaissance tool) can be conducted from anywhere in the world and at the time of the attacker's choice. If it is conducted from another country, or uses anonymizing networks to conceal traffic origin, it will be much more difficult for defenders to trace. The effect of distance, both in reconnaissance and in operational execution, is another key advantage of CT methods. CT operational planning is streamlined because, in a pure cyber-attack, where the entire attack consists of nothing but digital data, there is no need to insert weapons or an operational team, and no need to withdraw them once the attack is completed or abandoned. 
In fact much of the planning may take place during the simulations that are part of intelligence gathering. Only when the attack is a hybrid, employing both cyber and conventional methods, are the other steps required. CT insertion of weapons may still be needed in some sense, except that, rather than being inserted at the target site, the weapons will be assembled at the operational location. Again, since the equipment used will probably not be illegal, this should be straightforward. The real weapon in a cyber-attack is knowledge, but computers, network links, and other ancillary gear will still be needed and can be traced, so care is needed in arranging equipment and network connections.81 CT insertion of the operational team may likewise involve assembling the team at one or more chosen locations. The nature of the attack will in most cases determine how the attackers organize, but because they will need to act and react quickly to stay ahead of defenders, the most likely scenario is a small, focused team of specialists who assemble at one location in order to carry out the attack. CT execution is likely to be fast and intense. The team must move quickly to accomplish their goal before they are detected. Simulation training and speedy communications will enhance their ability to move quickly and handle situations as they arise. Initially defenders are unlikely to move fast unless automated intrusion detection/prevention systems are already in place, but they will always have the option of “pulling the plug” on the network connection, either physically or by inserting firewall rules, to stop an attack cold. But the truth is that, for an ordinary private business or even many government offices, attackers may have all night on a weekday, or even a whole (possibly extended holiday) weekend, before administrators check logs. For an actively defended site, diversionary tactics and virtual smokescreens could be readied to keep defenders busy while the real attack proceeds. 
Alternatively, the attack could be aborted if it appears to have been detected or expected avenues have been closed. There are many possibilities but ultimately the aim is to break through, or to go around, defenses until achieving control of the target T4 processes that allow the T5 attack to proceed. In some cases the exploit could even be automated, allowing coordinated high-speed attacks on (as well as from) multiple hosts anywhere in the world.
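The log analysis that the reconnaissance and execution passages above say attackers must evade can be made concrete with a small detector. The following is an added example written for this page, not code from the VarioSecure paper: it reads a constructed connection log, flags any inside host that contacts an unusually large number of distinct destination/port pairs within a short window (the fan-out signature of an internal scan), and then records the first contact that host makes with an address outside the site, which is where an "innocuous" DNS request or ICMP echo reporting back to the attackers would appear. The address range (10.0.0.0/8), the log format, the window and the threshold are all assumptions.

```python
"""Fan-out detector for internal reconnaissance traffic.

Added example for this page; not code from the VarioSecure paper. The log
format, address ranges and thresholds are assumptions, and the log lines
are constructed."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the defended site uses 10.0.0.0/8; anything else is "outside".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed connection log: "<timestamp> <src> <dst> <dst-port> <proto>".
# 10.0.5.23 sweeps industrial-protocol ports on the 10.0.7.0/24 segment and
# then sends one DNS query to an outside resolver; the other hosts are benign.
SAMPLE_LOG = """\
2014-01-21T02:10:01 10.0.5.23 10.0.7.10 502 tcp
2014-01-21T02:10:02 10.0.5.23 10.0.7.11 502 tcp
2014-01-21T02:10:02 10.0.5.23 10.0.7.12 502 tcp
2014-01-21T02:10:03 10.0.5.23 10.0.7.13 502 tcp
2014-01-21T02:10:03 10.0.5.23 10.0.7.14 44818 tcp
2014-01-21T02:10:04 10.0.5.23 10.0.7.15 44818 tcp
2014-01-21T02:10:09 10.0.5.23 198.51.100.7 53 udp
2014-01-21T02:10:30 10.0.5.40 10.0.7.10 443 tcp
2014-01-21T02:15:00 10.0.5.40 10.0.7.11 443 tcp
2014-01-21T03:00:00 10.0.5.41 10.0.7.12 22 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port), proto)


def detect_fanout(log_text, window_seconds=60, fanout_threshold=5):
    """Return {source: alert} for inside hosts whose distinct (dst, port)
    contacts within a sliding window reach the threshold.

    After a host is flagged, its first contact with an outside address is
    recorded as a possible report-back channel."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, port))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port, proto = parse_line(raw)
        if src not in INTERNAL:
            continue                  # only inside hosts can be doing internal recon
        key = str(src)
        q = recent[src]
        q.append((ts, (dst, port)))
        while ts - q[0][0] > window:  # drop contacts older than the window
            q.popleft()
        distinct = {pair for _, pair in q}
        if key not in alerts and len(distinct) >= fanout_threshold:
            alerts[key] = {"kind": "fan-out",
                           "first_seen": q[0][0].isoformat(),
                           "targets": len(distinct),
                           "external_contact": None}
        if (key in alerts and dst not in INTERNAL
                and alerts[key]["external_contact"] is None):
            alerts[key]["external_contact"] = (str(dst), port, proto)
    return alerts


if __name__ == "__main__":
    for src, alert in detect_fanout(SAMPLE_LOG).items():
        print(src, alert)
```

On the constructed log the detector flags 10.0.5.23 after its fifth distinct contact and attaches the later DNS query to 198.51.100.7 as the outside contact; the two benign hosts never reach the threshold. The threshold and window are the tuning knobs: raising the threshold to 8 clears the alert entirely, which is the trade-off between catching slow, patient scans and tolerating legitimate management traffic.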

CT withdrawal of the operational team is fairly straightforward if the team is nowhere near the target when the attack takes place. The main considerations will be to cover tracks or, better, to handle all of the preparations so that no tracks are left in the first place. Comparison of CT with the conventional terrorist attack cycle therefore yields seven key differences:
- No illegal equipment needed
- No weapons training required
- Opportunity to simulate attacks for testing/training without arousing suspicion
- Voluminous information on target systems often available freely or for purchase
- No operational human presence required at the attack site
- Stealthy attacks, crossing borders and/or concealed by secure communication
- Automated attacks may occur faster than human beings can react

Since many of the more dangerous phases of a conventional attack are eliminated or relocated to a safe distance, the attack cycle is compressed. Observation of IDART simulated attacks on US systems revealed the following cycle in practice:82

This is significantly simpler and less risky than the conventional process, which for defenders is not good news. The majority of time invested during the cycle is spent on intelligence gathering and reconnaissance, which may include attack simulations or other mission-specific training.

CT GROUPS

As with ideology, it seems likely that groups engaging in CT will have many of the same characteristics as those engaged in conventional terrorism. The differences are in operational training and recruiting. Conventional terrorism is essentially paramilitary, and the effectiveness of a group is largely dependent on the previous combat experience of its planners and operational teams. CT opens the door to an entirely new group of participants who may have all of the other characteristics of terror group members (intelligence, determination, the “tyrannical obsession with wanting to do good and be seen doing good”), yet neither the training to fight with conventional weapons nor any interest in conventional warfare. CT operatives do require specialized skills, which may include network engineering, hardware and/or software engineering, reverse-engineering, operating system and application internals, industrial control systems, system administration, cryptography, persuasive communication skills in the target's language, software/hardware testing, etc., but training in such fields is widely available. The IDART study described the (presumed) cyber-terrorist83 as “professional, creative, and very clever. They will seek unorthodox and original methods to accomplish their goals.” To acquire the necessary skills, an existing paramilitary terrorist organization would have to either
- Develop the skills internally
- Recruit members who already have such abilities
- Acquire the temporary services of those offering such skills for hire

Services could be purchased (perhaps behind a false front) either from ordinary commercial enterprises or from organized crime, or might even be donated by compatible groups, individuals, or governments. There is, for example, a thriving market in zero-day vulnerabilities, botnets, viruses, and other attack tools. 
Zorz (2012) provides the following menu of zero-day vulnerabilities, with prices depending on the application, OS and, of course, market supply and demand:

Such sums are well within the reach of large organizations or even some individuals, and attacks based on these vulnerabilities would not be recognized by intrusion detection systems, so if deployed in a targeted way, and cleaned up afterwards, they could be reused, avoiding detection for a considerable time. The other possibility is that new groups will emerge whose expertise lies entirely within the realm of cyber-attack. An alliance between existing groups and such newcomers, perhaps along the lines of al-Qa`ida's virtual networked organization, presents another option. The Internet offers many new opportunities for organizing people, and it is natural that groups will continue to innovate in this regard. For example, crowd-sourcing functions by inviting potentially like-minded individuals or groups to participate in a one-time event. Organizers of such an event may provide tools and other resources, but ultimately have little or no control over participants. Well-known hacktivist “groups” such as Anonymous function in this way, and the 2007 attacks on Estonia are reputed to have used the same model. A terrorist organization could temporarily enlist participants on a global scale, either overtly, on the basis of its ideology, or covertly, by deception.

In any case, one key characteristic that dedicated CT groups will all likely share with conventional terrorists is that they will be risk-averse. A senior PIRA member once stated that nine out of ten planned operations were ultimately abandoned due to perceived risks from security forces.84 The IDART study concurred and makes five observations regarding CT and risk-aversion:85
- Adversaries are effectively neutralized if they are discovered before they attack
- Quiet, stealthy, and passive techniques will be preferred
- Attacks will not proceed if the perceived risk exceeds the attacker's risk tolerance
- Since the risk of detection increases over time, risk tolerance decreases over time
- Despite the above, adversaries may still elect to mount an obvious attack on a system, but only at the time of their choosing

The obvious operational consequence of this risk aversion is that such teams will prefer to go around defenses rather than confront them directly, and prefer softer targets to those that are hardened. Finally, the alarming effect of government-sponsored offensive cyber-attack teams should be noted. 
A global arms race is in progress, with governments warning that any attack will be treated as an “act of war”86 while simultaneously developing and deploying their own offensive capabilities.87 Not only are the government-sponsored units themselves of increasing concern (recall that some of the most deadly terrorists have been former soldiers or government operatives), but history has shown that weapons developed and deployed by governments cannot be contained, and will fall into the hands of others.88 An unintended consequence of the Stuxnet worm, for example, has been that, once analyzed, the exploits it relied upon were immediately adopted by cyber-criminals. Thus a government-developed tool quickly became the source of the most widely seen Microsoft operating system exploit on the Internet, accounting for more than 85% of all attempts detected in 2012.89 The mere development of such capabilities induces other nations to do the same.

Given all this, it is worth considering the question of why, despite its clear operational advantages, no instances of cyber-terrorism have ever occurred. One can only speculate, of course, but a small number of likely scenarios present themselves:
- Terrorists are not interested in cyber-attacks
- Terrorists are interested but have insufficient capabilities to pursue them
- Terrorists are interested and capable but...
  - Reconnaissance efforts were detected and either blocked or abandoned
  - Successful reconnaissance yielded no appropriate targets
  - Successful reconnaissance yielded no exploitable vulnerabilities
  - Attempts were detected during execution and either blocked or abandoned
  - Attempts were successful but have not been recognized or disclosed

That conventional paramilitary terrorist groups would not find cyber-attacks appealing is perhaps understandable, since it would be outside their expertise and orientation toward violent physical action, but as discussed above, CT offers participation to a new breed of terrorist for whom such expertise and differing orientation might be a given. New specialized organizations or units within umbrella groups like al-Qa`ida might make use of such personnel, and indeed, as was noted, al-Qa`ida engineers were pursuing knowledge of SCADA systems as early as 2002. So the interest is there, but compared to personnel available for paramilitary operations, both limited and specialized. It requires a different sort of vision and a different sort of terrorist. But terrorists are, by and large, young people, and those in their teens and 20s now have grown up in a digital world where the need for cyber-defense is widely recognized and discussed. Some will undoubtedly consider taking the opposite side. Further, it has been noted that the most common academic background of apprehended terrorists is engineering; therefore, among terrorists, lack of ability seems an unlikely barrier. The precise skills needed to penetrate and exploit system vulnerabilities are not taught at most universities,90 but any engineer with sufficient motivation could learn them, though talent and interest are, of course, less predictable. Some groups who have interest may not have the necessary resources, or may not wish to devote the resources they have to untested methods. But those individuals with the skills to attack at T5 could undoubtedly bootstrap their efforts through various forms of cyber-crime. Indeed, it would be a useful training ground for them. So skill and resources seem unlikely barriers. And Stuxnet has provided an industrial attack blueprint. 
Perhaps one other consideration is that those with sufficient skills would likely find cyber-crime far more profitable than cyber-terrorism, and so a more attractive career. Alternatively, the revenue stream derived from cyber-crime might be of greater value to a conventional terrorist organization than cyber-attacks. They may make a strategic decision to focus their cyber talent on funding. In any case it seems likely that CT operations have been attempted, but either failed or were not recognized/disclosed. As to the latter, since the purpose of terrorism is communication, it would be implausible for a group to remain silent after its carefully orchestrated cyber-attack succeeded but the target organization said nothing, so the lack of claims seems to indicate that all attacks thus far have failed. The only exception would be if perpetrators were killed before they could make a claim, which seems unlikely. In the remaining four cases, then, two were failures because they were detected, and two were failures because a successful reconnaissance yielded no suitable targets. Both seem likely, with the bulk probably consisting of failure due to detection. If true, the first would be good news: the defenses are working. The second is bad news: the attackers are getting in, and thus far the world has simply been lucky that the systems sought were either unreachable or not vulnerable to the exploits in the attackers' tool kits. The conclusion is therefore that, up to now, we have simply been lucky in a game of numbers:
- Only a minority of terrorist groups have an interest in cyber-terrorism
- Of those, not all have the expertise or resources (and those that do might prefer crime)
- Most efforts to reconnoiter critical systems are probably detected
- Where reconnaissance has not been detected, no vulnerable systems were found

But eventually, as with Stuxnet, vulnerable systems will be found. For the attackers it is only a matter of time and perseverance, which means that, for defenders, now is the time to prepare.

RELAXING THE DEFINITIONS

Before considering defenses it is worth revisiting the original definitions to identify gaps that exist due to their intentionally narrow construction. Thus far cyber-terrorism has been defined as

terrorist actions operationally realized through the agency of computers connected by wide-area networks

while terrorism itself was defined as

violent attacks upon civilians and civilian infrastructure intended to achieve a political objective

These definitions were chosen in order to keep discussion as concrete as possible while avoiding unnecessary overlap with other considerations; nevertheless, before concluding it is important to consider several issues.

Non-networked attack vectors. The description of CT relied on a five-layered schema in which layers interfaced only with those above and below. In reality, of course, threats can often be delivered directly to one layer without passing through others. For example, a host can be infected with malware through a removable storage device such as a USB drive,91 or by syncing with a mobile device like a smart phone or PDA. There is also a long-term and continuing trend toward collapsing layers T1-T4 into single devices, the Internet of Things, which, while offering simplicity and convenience, also eliminates many points of control. Likewise tunneling protocols, though technically following the layered schema, allow the creation of virtual overlay networks that may bypass controls established for protocols on the wire. Finally, the shared physical environments underlying cloud services have introduced direct host-to-host vulnerabilities in which one virtual host may compromise another through their common resources.92 Many vulnerabilities in cloud environments are traced to software and drivers designed to run directly on hardware being used in the new virtual environment, which has vastly different properties.

Destruction of data. In the discussion of what constitutes terrorism, violence was largely defined in terms of physical destruction, but in the cyber world destruction of data must also be taken seriously. There are two aspects to this. One is modification of valid data in order to present, by stealth, an inaccurate view of reality. Those who then rely on the modified data may take real-world steps that either rise to the level of terrorist violence themselves or fail to avert violence when it does occur. The other aspect is data loss. 
Here the vulnerability is not so much a function of the intrinsic value of any specific data set (data with intrinsic value should obviously be covered by data backup and recovery plans), but the uncertainty that could arise among those dependent on the data. The fundamental differences between the “data world” and the “real world” have many implications for possible attacks. Unlike a physical host machine, for example, a virtual instance of such a system can be destroyed by typing a few characters; and while it seems unlikely that CT could ever be used to kidnap a person, analogous attacks on data, where the data is stolen or encrypted and then “held for ransom,” have already occurred.93 Other points at which the definitions could be relaxed, such as the civilian/military distinction or political objectives versus other types of strictly communicative motivation, do not appear to have operational consequences so are for the most part covered by existing discussion. But the two main points raised above should be kept in mind when considering CT defense.

CT DEFENSE

The good news is that defense against cyber-terrorism is substantially the same as defense against cyber-attacks in general. The bad news is that the latter has proven surprisingly difficult, a rapidly moving target whose mitigation interferes with normal operations, increases counter-productive overhead, and requires an investment in time and technology that may show no immediate, tangible benefit. Like many precautionary steps that could be taken, the true value of such measures often goes unrecognized until after the damage is done. That said, the information presented thus far on terrorism in general and CT in particular can be used to craft defenses with the aim of eliminating or reducing the advantages that attackers might otherwise achieve through stealth, speed and surprise, and shifting the initiative back to defenders. For example, the principles of target selection suggest that terrorists will focus their attention on systems at T1-T4 capable of producing casualties or destruction at T5. Thus the first step for any organization is to inventory two distinct, but related, sets of resources: on the right, those T1-T4 assets under its control which might reasonably be capable of producing internal or external T5 casualties or destruction, and on the left, those T5 entities within its domain or operations that depend upon external T1-T4 assets (including data) in a way that makes them vulnerable to casualties or destruction.

If no such dependencies exist, then the organization is not a likely target of cyber-terrorism per se, though of course, they may still be vulnerable to other forms of cyber-attack and to conventional terrorism. Where such dependencies do exist, different strategies will be required but the overall method is similar.

The US Defense Critical Infrastructure Program94 outlines a five-step process in which key systems – the “critical infrastructures” – are identified through analysis that looks first at the mission or responsibility of an organization (whether a government agency, company, or individual) and then identifies the resources without which that mission or responsibility could not be achieved. It is crucial to extend this analysis to include dependencies. Any subsystem upon which a critical system depends is itself critical. The cascading failures which dogged the initial response to the Fukushima nuclear accidents offer a cautionary example of how dependencies and single points of failure can lead to the edge of disaster.

Identification and assessment of vulnerabilities can be difficult without expert help. Over the past five years the NVD recorded an average of fourteen new disclosed vulnerabilities every day, creating a constantly changing landscape of threats within which organizations must operate. Furthermore, although engineers responsible for a system are very good at understanding how it functions in normal and in anticipated failure modes, they still work within the biased mindset of attempting to accomplish their mission. That is, they see the systems under their control as tools meant to accomplish a particular purpose. Attackers have a different purpose, a different goal, and will use the same tools (as well, perhaps, as some of their own) in unexpected ways to achieve it. It is therefore often useful for vulnerability assessment to take place in cooperation with outside investigators, or in some cases with the help of penetration testers and red teams, whose role is to simulate, as fully as possible, the role of determined attackers. Normalization involves taking previous assessments from multiple sources and scaling them so that the risks can be properly compared. Analysis and prioritization then follow an optimization process in which those vulnerabilities which present the greatest risks are remedied first. Nevertheless it is important, when dealing with truly critical systems, that all vulnerabilities be addressed. One function of analysis is therefore to ensure that each of the components involved is truly critical, so that defensive resources are efficiently applied. Once vulnerabilities are identified and prioritized, protective steps can be proposed and implemented. Some vulnerabilities can be eliminated while others can only be defended. This is where differences based on internal and external control come to the forefront. T1-T4 systems under internal control can be modified, protected, and monitored.
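The dependency rule above (any subsystem a critical system depends on is itself critical), the caution about single points of failure, and the normalization and prioritization steps can all be carried through on a small model. The following is an added example written for this page, not code from the VarioSecure paper or from the Defense Critical Infrastructure Program. The facility model (a water-treatment mission with redundant power but a shared control network), the two assessment sources with their different scales, and the extra weight given to single points of failure are constructed assumptions. It goes slightly beyond the text by modelling redundancy explicitly: a requirement is satisfied by any one of several alternative providers, so a node is a single point of failure only if no alternative exists for it.

```python
"""Dependency analysis for critical-system identification and prioritization.

Added example for this page; not from the VarioSecure paper or the DCIP
documents. The facility model, assessment sources and weights are assumptions."""

# Constructed dependency model. Each node lists its requirements; each
# requirement is a set of alternative providers, any one of which suffices
# (so {"grid-feed", "diesel-gen"} models redundant power).
DEPENDENCIES = {
    "water-treatment": [{"scada-master"}, {"chlorine-dosing"}, {"grid-feed", "diesel-gen"}],
    "scada-master": [{"hist-db"}, {"plc-net"}],
    "chlorine-dosing": [{"plc-net"}],
    "plc-net": [{"core-switch"}],
    "hist-db": [{"core-switch"}],
    "diesel-gen": [{"fuel-tank"}],
    "grid-feed": [],
    "fuel-tank": [],
    "core-switch": [],
    "corp-mail": [{"core-switch"}],   # on the network, but no mission depends on it
}

# Constructed vulnerability assessments from two sources using different scales.
ASSESSMENTS = {
    "scanner": {"scale": (0.0, 10.0),
                "scores": {"scada-master": 9.8, "hist-db": 7.5, "core-switch": 5.0, "grid-feed": 4.0}},
    "audit":   {"scale": (1.0, 5.0),
                "scores": {"plc-net": 5, "chlorine-dosing": 3, "scada-master": 4, "corp-mail": 5}},
}


def critical_set(missions, deps):
    """Everything a mission transitively depends on is itself critical."""
    seen, stack = set(), list(missions)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for alternatives in deps.get(node, []):
            stack.extend(alternatives)
    return seen


def available(node, deps, failed, memo=None):
    """True if the node has not failed and each requirement has a working
    provider. The dependency model is assumed to be acyclic."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    ok = node not in failed and all(
        any(available(p, deps, failed, memo) for p in alternatives)
        for alternatives in deps.get(node, []))
    memo[node] = ok
    return ok


def single_points_of_failure(mission, deps):
    """Critical nodes whose individual loss makes the mission unavailable."""
    return sorted(n for n in critical_set({mission}, deps) - {mission}
                  if not available(mission, deps, failed={n}))


def normalized_scores(assessments):
    """Rescale every source to 0..1 and keep the worst score seen per node."""
    worst = {}
    for source in assessments.values():
        lo, hi = source["scale"]
        for node, score in source["scores"].items():
            worst[node] = max(worst.get(node, 0.0), (score - lo) / (hi - lo))
    return worst


def prioritize(mission, deps, assessments, spof_weight=2.0):
    """Rank critical nodes by normalized vulnerability, weighting single points
    of failure more heavily; nodes outside the critical set are dropped."""
    critical = critical_set({mission}, deps)
    spofs = set(single_points_of_failure(mission, deps))
    ranked = []
    for node, score in normalized_scores(assessments).items():
        if node not in critical:
            continue
        weight = spof_weight if node in spofs else 1.0
        ranked.append((node, round(score * weight, 3)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("critical:", sorted(critical_set({"water-treatment"}, DEPENDENCIES)))
    print("single points of failure:", single_points_of_failure("water-treatment", DEPENDENCIES))
    for node, priority in prioritize("water-treatment", DEPENDENCIES, ASSESSMENTS):
        print(f"{priority:5.2f}  {node}")
```

Two things the model makes visible that a flat asset list does not: the mail server scores 5/5 in the audit but drops out of the ranking because nothing critical depends on it, and the fuel tank and grid feed are critical yet not single points of failure, because either power source alone keeps the mission running. The shared control network (plc-net, core-switch) rises to the top precisely because it has no alternative, which is the "eliminate single points of failure" argument expressed as a number.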

Modification follows the principle that an asymmetric threat can be converted into a symmetric one by reducing the avenues of possible attack to a minimum, then focusing protective resources on those that remain. In all cases it should be noted that risk is proportional to dependency:

R ∝ D

Eliminating dependency is the surest way to reduce risk. Dependency can be reduced in many ways, but perhaps the most important are simplified, task-specific designs and the elimination of single points of failure.

Protection itself involves both self-protection and placing obstacles between the attacker and the resource they seek to control. Self-protection means ensuring that when a system fails, it fails in a way that is not harmful, while the most common obstacles used to protect cyber resources are authentication, authorization and access controls. Critical systems should be protected by multi-factor controls, including perhaps some which are digital and some which rely on physical means. No remote attacker can put a key in a lock and open it.

Monitoring is required both to ensure that critical systems are behaving as expected, and as an additional layer of protection to recognize and alert operators to attacks from directions that previous defensive designs did not anticipate. For critical systems this should extend to the application domain, recognizing in real time whether system communication and behavior is valid within the limits established by the organization's anticipated use. The sensors used to verify such behavior must also be verifiable. Great care is needed in the design of monitoring systems in order to ensure that (a) coverage is complete, while at the same time (b) the resulting data are manageable in practice, able to deliver actionable intelligence in real time. Naturally such steps should be coordinated with other security modes, such as physical and electronic security, to capitalize on synergies and avoid gaps resulting from unclear lines of responsibility.

Modification, protection, and monitoring are facets of control, and much research has been done on the most effective controls that may be put in place to defend against cyber-attacks of all kinds. The Critical Controls for Effective Cyber Defense document95 lists twenty:

Additional, very detailed standards are often published by government agencies, such as the NIST Security and Privacy Controls for Federal Information Systems and Organizations.96 In Japan the standards for each industrial sector appear to be developed by the ministry responsible for that sector, with the Network Information Security Center as coordinator.97 In cases where T5 entities are vulnerable to attack via T1-T4 systems under external control, a similar process can be undertaken, first reducing the number of dependencies to a minimum, and then employing protections and monitoring. In this case, however, where the devices depended upon are not under the organization's control, the protections must typically be in the form of additional processes and verification steps. This requirement can be at odds with the original purpose of a computerized system, since automation is frequently introduced precisely to eliminate “inefficient” human input and decision-making. Often the proper balance point can only be determined by the organization itself. Finally, protective programs must be tested using the same techniques previously applied to locate vulnerabilities. An iterative process ensues, in which

$$\mathrm{System}_k = \mathrm{System}_{k-1} + \mathrm{Modifications}_{k-1} + \mathrm{Protections}_{k-1} + \mathrm{Monitoring}_{k-1}$$

and at each step a new vulnerability assessment must be made of $\mathrm{System}_k$. It is in the second, and subsequent, iterations of this process that external penetration testing and red team exercises can be particularly valuable, because they expose assumptions made by internal system designers and operators. Beyond this, change is constant in all organizations: people come and go; systems are added, updated, and removed; new vulnerabilities arise while old ones fade but then recur; and the threats to cyber-security are constantly evolving. Organizations managing critical systems must strive to stay ahead of this curve.

Next, recall that CT attackers expend the greatest part of their energy at the information gathering and reconnaissance phases, since these will determine their plan of attack. Defenders do not have to sit quietly by while this happens, but can intrude upon these phases through disinformation and deceptions that confuse attackers, force them to waste precious time and resources, and all the while raise warnings about their presence. For example, intelligence gathering can be subverted to an extent by placing false or misleading information in places where attackers are likely to look, such as the target organization's own web site, social media, or even articles on resources like Wikipedia. A convenient on-line description of the defender's network, for example, might look like gold to an attacker but turn out to be something rather less. Or consider a falsified file, CyberSecurityPlan.pdf, left on the corporate web site but not linked from any HTML page. Since the only way an outsider could access the file is by compromising the web server, any access to that file becomes a strong indicator of an attack. Such defenses can even be made active by crafting the PDF file so that it “phones home” each time the document is opened, revealing the reader's IP address. Similarly, false data regarding organizational structure, staff names and E-mail addresses, etc., can be planted to interfere with social engineering. If E-mail or a phone call for a certain fake staff member is received, defenders will know that someone has accessed the falsified information. The CT reconnaissance phase is also vulnerable and can be exploited by defenders to interfere with an attack.
In the absence of inside information, for example, it will be necessary for attackers to probe the target network in order to learn what systems are there, and how they are related. This information asymmetry (defenders know more about their own network than the attackers) can be turned to advantage by tactics such as providing false information via internal DNS servers, using proxy ARP to create the appearance of more systems than are there, or inserting real or virtual decoy systems that mimic the most likely targets of a CT attack. Consider for example a site with SCADA controllers linked to PLCs controlling industrial devices. One way to make an attacker's reconnaissance task more difficult is to insert decoys with the same apparent functionality, yet not in control of any real physical processes:

From an attacker's point of view, the decoy controllers appear just like production systems, so if their operational requirement is to compromise the PLCs, the attacker will have to communicate with the controllers; and since no legitimate on-site system would connect to those systems, any inbound communication to the decoy systems should be treated as suspicious. An attempt to upload a software update to one of the decoy PLCs would be an even stronger indicator, and could be used to trigger automated defenses. Among other advantages, decoys provide a way to cut through the “needle in a haystack” problem: instead of a painstaking analysis of bulk logs to recognize events after they occurred, decoys can generate unambiguous alarms in real time.98 This type of deception, as well as many others, could be used in different contexts to create the appearance of tempting targets whose only true functions are to alert defenders and force attackers to waste time and energy on worthless systems. Even automated attacks such as Stuxnet can be detected by such means, and if alarms from decoys are configured to trigger automatic evasive action throughout the network, they can also provide a layer of active defense.

A vital aspect of defense is the development of tools and procedures which can be activated on demand. Because it is crucial for defenders to recognize an attack, slow it down, and then seize the initiative, defensive mechanisms should be put in place ahead of time, built in and ready to activate. A hierarchy of options allows a layered defense, responding to attacks in a measured and proportional way that is decisive yet avoids unnecessary side-effects. These could range from network techniques that limit communication, through rebooting key systems from read-only media, to a hard-wired “panic button” that forces a graceful shutdown of physical processes when automated controls appear compromised. Each of these methods must itself be analyzed to ensure that it cannot be abused to cause damage; otherwise the by-the-book response of a defense team may unwittingly become part of the terrorists' plan. Likewise, despite the value of decoys and deceptions, the defense architecture should be designed under the assumption that attackers will have complete and accurate information about all defenses, and so have the capability to select the weakest point for their attacks. The defense team should be periodically challenged with both anticipated and unanticipated attacks as a way to hone their skills, recognize gaps, and maintain vigilance.
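To make the decoy-file and decoy-controller indicators described above concrete, here is an added example (not code from the paper or from VarioSecure) of detection logic that flags requests for an unlinked canary document in a web access log and classifies sessions to decoy PLCs, escalating an upload attempt to a high-severity alert that can feed an automated response. The paths, addresses, operation names and log lines are constructed sample data.

```python
"""Decoy-based detection logic (added illustration, not from the paper).

Two deceptions are modelled:
  1. A canary document (CyberSecurityPlan.pdf) present on the web server but
     linked from no HTML page, so any request for it is an indicator.
  2. Decoy SCADA controllers/PLCs that control no physical process, so any
     inbound session is suspicious and an upload attempt is a strong
     indicator that may trigger a pre-built automated response.

All addresses, operation names and log lines are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Decoy files that no page links to (hypothetical paths).
CANARY_PATHS = {"/CyberSecurityPlan.pdf"}
# Addresses of decoy controllers (hypothetical; production PLCs live elsewhere).
DECOY_PLCS = {"10.20.0.201", "10.20.0.202"}
# Vendor-neutral labels for "write a program or firmware to the controller".
UPLOAD_OPERATIONS = {"program_upload", "firmware_write"}


@dataclass(frozen=True)
class Alert:
    severity: str        # "medium" or "high"
    source: str          # address of the system that touched the decoy
    reason: str
    auto_response: bool  # True if this alert may trigger automatic defenses


# Combined-format web access log: client ident user [time] "METHOD path PROTO" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def check_web_canary(line: str) -> Optional[Alert]:
    """Flag any request for a canary path; a 200 means the file was actually read."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, _method, path, status = m.groups()
    path = path.split("?", 1)[0]  # ignore query strings when matching the path
    if path not in CANARY_PATHS:
        return None
    severity = "high" if status == "200" else "medium"
    return Alert(severity, client, f"request for canary {path} ({status})", False)


def check_decoy_plc(event: dict) -> Optional[Alert]:
    """Any session to a decoy PLC is suspicious; an upload is a strong indicator."""
    dst = event["dst"]
    if dst not in DECOY_PLCS:
        return None  # traffic to a production controller is out of scope here
    if event["op"] in UPLOAD_OPERATIONS:
        return Alert("high", event["src"], f"{event['op']} to decoy PLC {dst}", True)
    return Alert("medium", event["src"], f"{event['op']} to decoy PLC {dst}", False)


def run_detections(access_log: Iterable[str], plc_events: Iterable[dict]) -> List[Alert]:
    alerts = [a for a in map(check_web_canary, access_log) if a is not None]
    alerts += [a for a in map(check_decoy_plc, plc_events) if a is not None]
    return alerts


def triage(alerts: Iterable[Alert]) -> Dict[str, str]:
    """Per source: 'contain' if an alert permits automatic response or the
    source touched decoys more than once, otherwise 'investigate'."""
    by_source: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        by_source[a.source].append(a)
    return {
        src: ("contain" if any(a.auto_response for a in items) or len(items) >= 2
              else "investigate")
        for src, items in by_source.items()
    }


# Constructed sample data.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2014:09:12:01 +0900] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Mar/2014:09:12:05 +0900] "GET /CyberSecurityPlan.pdf HTTP/1.1" 200 88213',
]
SAMPLE_PLC_EVENTS = [
    {"src": "10.20.0.15", "dst": "10.20.0.101", "op": "read_registers"},  # production PLC
    {"src": "10.20.0.77", "dst": "10.20.0.201", "op": "read_registers"},  # decoy: suspicious
    {"src": "10.20.0.77", "dst": "10.20.0.202", "op": "program_upload"},  # decoy: strong indicator
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_ACCESS_LOG, SAMPLE_PLC_EVENTS)
    for alert in found:
        print(alert)
    print(triage(found))
```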
A further consideration often discussed at the government level is offensive operations, that is, responding to attacks (whether in progress or preemptively) by attacking the attackers. Such tactics present serious challenges and legal issues, particularly since the source of a cyber-attack is often unclear. A CT incident could be designed from the start to deceive defenders and lure them into attacking an innocent third party, particularly if defenders are already predisposed to see that party as a threat. For example, the South Korean government initially attributed the March 2013 attacks on its media and banking services to North Korean and Chinese sources; the military even raised its alert level in response. Not until the next day was it recognized that the attacks had come from within South Korea itself.99 If offensive counter-attack operations had commenced immediately in response, this recognition would have come too late, and in the already tense political atmosphere such a situation could have spun out of control. For businesses, the potential liability for offensive operations, given the problems of attribution, differing legal frameworks, and possible unintended consequences, is probably too high to make such operations a viable choice.


CONCLUSION

In an effort to assess the risks of cyber-terrorism this document began with an overview of terrorism in its conventional form, trying to understand its scope and characteristics. That knowledge was then used as a base for a comparative examination of the still hypothetical threat posed by CT. Similarities between CT and conventional terrorism, as well as between CT and other forms of cyber-attack, reveal that many of the same defensive techniques are applicable, and should be effective if given sufficient care and resources. But there are also unique differences that defenders must take into account, some providing advantages to the attackers, and some to the defense. In security, and in counter-terrorism in particular, it is often remarked that defenders must be right every time, while attackers only have to be right once. This is true, but it should not distract defenders from their own advantages and strengths, nor from the weaknesses of the attackers. Both can be exploited to make cyber-terrorism a more manageable threat. To do this, defenders must:

- Learn to think like attackers
- Eliminate or reduce dependencies
- Protect and control vulnerable systems that remain
- Prepare and deploy layered defenses
- Neutralize the attacker's advantages in stealth, speed, and surprise
- Use frequent trials to uncover faulty assumptions and to test defenses
- Monitor to catch what gets through
- Train to respond and recover quickly when it does

This can be done. At the same time it is vital not to get lost in the engineering and problem-solving process and forget why all this is being undertaken. The purpose of counter-terrorism is to defend the people, things and ideals that we consider most valuable. To the extent that peace, freedom, privacy, justice, honesty, honor and social harmony are among these, we must refuse any proposed “solution” that would damage them. Proportionality is needed.
Seen in context, terrorism has historically been an exceedingly minor danger compared to other life risks, and it would be a tragedy to give up the values we cherish most in a misguided effort to defend ourselves from it. Attacks may occur and when they do they will hurt, but ultimately our best defense, as people, as a country, or even as a company, is to refuse to be terrorized; to stand up, face the danger, and refuse to sacrifice our principles out of fear. If we can manage to do that, then no matter what happens, the terrorists will never win, and we will never lose.


Abbreviations

ANC - African National Congress (South Africa)
AQAP - al-Qa`ida in the Arabian Peninsula (Yemen)
BR - Brigate Rosse (Italy)
EOKA - Ethniki Organosis Kyprion Agoniston (Cyprus)
FAA - Federal Aviation Administration (US)
FERC - Federal Energy Regulatory Commission (US)
GTD - Global Terrorism Database (see reference START (2012a))
IDART - Information Design Assurance Red Team, Sandia National Laboratories (US)
NISC - Network Information Security Center (Japan)
NVD - National Vulnerability Database, NIST (US)
PIRA - Provisional Irish Republican Army (Ireland/UK)
RO-N17 - Revolutionary Organization November 17 (Greece)
SCADA - Supervisory Control and Data Acquisition
SIR - Security Intelligence Report (Microsoft)
START - National Consortium for the Study of Terrorism and Responses to Terrorism (US)
WMD - Weapons of Mass Destruction

References

AP (2013a) S Korea says Chinese IP behind cyber attack, 21 March 2013. http://www.aljazeera.com/news/asia-pacific/2013/03/20133206525580850.html
AP (2013b) S Korea says China did not plan cyberattack, 22 March 2013. http://www.aljazeera.com/news/asia-pacific/2013/03/201332211157370266.html
AQAP (2011) Inspire #8, Fall 2011. The document is freely available on the Internet but in some jurisdictions mere possession of the material is illegal, therefore no link is provided.
Augusta Chronicle (2011) Only in Georgia: Internet-Controlled Shotguns Linked to Web Cams on Food Plot, 14 January 2011. http://chronicle.augusta.com/content/blog-post/rob-pavey/2011-01-14/only-georgia-internet-controlled-shotguns-linked-web-cams
Bachmann, S.D. and H. Gunneriusson (forthcoming) Terrorism and Cyber Attacks as Hybrid Threats: Defining a Comprehensive Approach for Countering 21st Century Threats to Global Risk and Security.
Bailey, D. and E. Wright (2003) Practical SCADA for Industry, Burlington: Newnes.
bin Laden, U. (2002) http://edition.cnn.com/2002/WORLD/asiapcf/south/02/05/binladen.transcript/index.html
Borum, R. (2011) Understanding terrorist psychology, in The Psychology of Counter-Terrorism, A. Silke, ed., Abingdon: Routledge.
British Broadcasting Corporation (2011) US Pentagon to treat cyber-attacks as 'acts of war', 1 June 2011. http://www.bbc.co.uk/news/world-us-canada-13614125
Cronin, A. (2006) How al-Qaida Ends, International Security, vol. 31, no. 1, pp. 7-48.
Cronin, A. (2009) How Terrorism Ends: Understanding the Decline and Demise of Terrorist Campaigns, Princeton: Princeton University Press. See also http://www.howterrorismends.com
CVSS (2007) Common Vulnerability Scoring System, version 2. http://www.first.org/cvss/cvss-guide.html
Danzig, R. and M. Sageman (2011) Aum Shinrikyo: Insights Into How Terrorists Develop Biological and Chemical Weapons, Washington: Center for a New American Security, July 2011. http://www.cnas.org/files/documents/publications/CNAS_AumShinrikyo_Danzig_1.pdf
DCSINT (2006) Critical Infrastructure Threats and Terrorism, U.S. Army Training and Doctrine Command, Ft. Leavenworth, 10 August 2006.
Drake, C.J.M. (1998) Terrorists' Target Selection, London: McMillan Press.
Federal Aviation Administration (2008) Boeing Model 787-8 Airplane; Systems and Data Networks Security--Isolation or Protection From Unauthorized Passenger Domain Systems Access, 2 January 2008. http://cryptome.info/faa010208.htm
Federal Bureau of Investigation (2002) Information Bulletin 02-001.
Federal Bureau of Investigation (2008) FBI Criminal Investigation: Cisco Routers. Presentation by FBI Section Chief Raul Rodan.
FERC (2008) Mandatory Reliability Standards for Critical Infrastructure Protection, Federal Energy Regulatory Commission, Order 706, 18 January 2008. http://www.ferc.gov/whats-new/comm-meet/2008/011708/E-2.pdf
Finkle, J. (2012) Exclusive: Insiders suspected in Saudi cyber attack, Reuters, 7 September 2012. http://www.reuters.com/article/2012/09/07/net-us-saudi-aramco-hack-idUSBRE8860CR20120907
Gambetta, D. and S. Hertog (2007) Engineers of Jihad, University of Oxford, Sociology Working Papers 2007-10. http://www.nuff.ox.ac.uk/users/gambetta/Engineers%20of%20Jihad.pdf
Horgan, J. (2003) The Search for the Terrorist Personality, in Terrorists, Victims and Society, Silke, A., ed., Chichester: John Wiley & Sons.
Huang, C. (2010) With mounting anger at Israel over assassination, Dubai walks a fine line, The Christian Science Monitor, 17 February 2010. http://www.csmonitor.com/World/Middle-East/2010/0217/With-mounting-anger-at-Israel-over-assassination-Dubai-walks-a-fine-line
Karlin, S. (2008) Extremist Engineers, IEEE Spectrum, September 2008. http://spectrum.ieee.org/telecom/security/extremist-engineers
Ikeda, N., Inoue, M., Iso, H., Ikeda, S., Satoh, T., et al. (2012) Adult Mortality Attributable to Preventable Risk Factors for Non-Communicable Diseases and Injuries in Japan: A Comparative Risk Assessment, PLoS Med 9(1): e1001160. doi:10.1371/journal.pmed.1001160
Isikoff, M. and D. Corn (2006) Hubris. Interview on US National Public Radio, 7 September 2006. http://prairieweather.typepad.com/the_scribe/2006/09/9706_npr_michae.html
Jackson, R., Jarvis, L., Gunning, J. and M. Breen Smyth (2011) Terrorism: A Critical Introduction, Houndmills: Palgrave Macmillan.
Jones and Libicki (2008) How Terrorist Groups End: Lessons for Countering al Qa'ida, Santa Monica: RAND Corporation.
Koscher, K., Czeskis, A., Roesner, F., Patel, S. and T. Kohno (2010) Experimental Security Analysis of a Modern Automobile, 2010 IEEE Symposium on Security and Privacy.
Lam, L. (2013) Edward Snowden: US government has been hacking Hong Kong and China for years, South China Morning Post, 13 June 2013. http://www.scmp.com/news/hong-kong/article/1259508/edward-snowden-us-government-has-been-hacking-hong-kong-and-china
Lin, H. (2009) Lifting the Veil on Cyber Offense, IEEE Security & Privacy, July/August 2009, pp. 15-21.
Mandela, N. (1994) Long Walk to Freedom, New York: Little, Brown and Company.
Microsoft Corporation (2013) Microsoft Security Intelligence Report, vol. 14, 2H 2012. http://www.microsoft.com/security/sir/default.aspx
NISC (2007) Japanese Government's Efforts to Address Information Security Issues, November 2007. http://www.nisc.go.jp/eng/pdf/overview_eng.pdf
NIST (2013) Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, April 2013. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
NVD (2013) National Vulnerability Database, National Institute of Standards and Technology, Department of Commerce. https://nvd.nist.gov/
NYU (2013) Master of Science, Cybersecurity. Polytechnic Institute of New York University. http://www.poly.edu/academics/programs/cybersecurity-ms
Obama, B. (2012) Presidential Policy Directive 20. http://www.guardian.co.uk/world/interactive/2013/jun/07/obama-cyber-directive-full-text
O'Malley, P. (1990) Biting at the Grave: The Irish Hunger Strikes and the Politics of Despair, Belfast: Blackstaff Press.
Parks, R. and D. Duggan (2011) Principles of Cyberwarfare, IEEE Security & Privacy, September/October 2011, pg. 32.
P.L. 107-56 (2001) Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Government Printing Office, 26 October 2001. http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/content-detail.html
Post, Sprinzak, and Denny (2003) The Terrorists in Their Own Words: Interviews with 35 Incarcerated Middle Eastern Terrorists, Terrorism and Political Violence, vol. 15, no. 1, pp. 174-184.
Raynal, F., Delugré, G. and D. Aumaitre (2008) Malicious PDF Origamis Strike Back, Presentation at PacSec 08, Tokyo. http://esec-lab.sogeti.com/dotclear/public/publications/09-hitbkl-origami.pdf
RIPE (2008) YouTube Hijacking: A RIPE NCC RIS case study, 17 March 2008. https://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study
SANS (2008) SANS FLASH: CIA Confirms Cyber Attack Caused Multi-City Power Outage. http://www.merit.edu/mail.archives/netsec/msg02500.html
SANS (2013) Critical Controls for Effective Cyber Defense, Version 4.1. https://www.sans.org/critical-security-controls/
Schmid and Jongman (1988) Political Terrorism, New Brunswick: Transaction Publishers.
Schneier, B. (1999) Attack Trees. https://www.schneier.com/paper-attacktrees-ddj-ft.html
Schneier, B. (2007) The Psychology of Security, Communications of the ACM, May 2007. https://www.schneier.com/essay-170.html
Schneier, B. (2009) "Evil Maid" Attacks on Encrypted Hard Drives, 23 October 2009. https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html
Schudel, G. and B. Wood (2000) Modeling Behavior of the Cyber-Terrorist, National Information Systems Security Conference. http://www.csl.sri.com/users/bjwood/cyber_terrorist_model_v4a.pdf
Silke, A. (2003) Terrorists, Victims and Society, Chichester: John Wiley and Sons.
Silke, A. (2011) The Psychology of Counter-Terrorism, Abingdon: Routledge.
Sloan, S. and R. Bunker (2011) Red Teams and Counterterrorism Training, Norman: University of Oklahoma Press.
Smith, M. (1995) Fighting for Ireland? The Military Strategy of the Irish Republican Movement, London: Routledge.
START (2012a) National Consortium for the Study of Terrorism and Responses to Terrorism, Global Terrorism Database. http://www.start.umd.edu/gtd/
START (2012b) National Consortium for the Study of Terrorism and Responses to Terrorism, Global Terrorism Database Codebook.
Stohl, M. (2008) Old Myths, New Fantasies and the Enduring Realities of Terrorism, Critical Studies on Terrorism, vol. 1, no. 1, April 2008, pp. 5-16.
Triulzi, A. (2008) Project Maux Mk. II, Presented at PacSec 2008. http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-PACSEC08-Project-Maux-II.pdf
World Health Organization (2009) Global Status Report on Road Safety.
World Health Organization (2011) WHO Report on the Global Tobacco Epidemic.
Zakaria, F. (2011) American Intelligence Capabilities are 'Stunning', CNN Interview with John Miller, 24 August 2011. http://globalpublicsquare.blogs.cnn.com/2011/08/24/american-intelligence-capabilities-are-stunning/
Zhang, Y., Reiter, M., Juels, A. and T. Ristenpart (2012) Cross-VM Side Channels and Their Use to Extract Private Keys, CCS'12, 16-18 October 2012. http://dx.doi.org/10.1145/2382196.2382230
Zorz, Z. (2012) How Much Does a 0-Day Vulnerability Cost? https://www.net-security.org/secworld.php?id=12652

JPY amounts presented in this document are converted from dollars at US$1 = ¥100.

Image Credits

- Chart of US critical infrastructure from DCSINT (2006). US government document approved for unlimited distribution. Authors assert public-interest non-commercial fair use under USC 17 § 107.
- Image of Earth incorporated into diagram modified from original royalty-free graphics produced by Graphics Factory CC, http://www.vectortemplates.com/raster/globes-023.png. Usage agreement available at http://www.vectortemplates.com/royalty-free.php.
- Chart of US critical infrastructure identification process from DCSINT (2006). US government document approved for unlimited distribution. Authors assert public-interest non-commercial fair use under USC 17 § 107.
- Router icon incorporated in diagram is royalty-free graphics produced by Cisco Systems, Inc. “Cisco icons are globally recognized and generally accepted as standard for network icon topologies. You may use them freely, but you may not alter them.” http://www.cisco.com/web/about/ac50/ac47/2.html

Notes

1. After all, modern terrorist groups make extensive use of both automobiles and telephones, but the media rarely speak of auto-terrorism or telephone-terrorism even when these technologies are used operationally. In some cases it seems that the cyber- prefix is deployed as a marketing tool by governments and the corporate counter-terrorism industry, sowing fear to obtain profits or political concessions. Ironically, this is the same psychological strategy employed by terrorists.

2. This is not to say that nonviolent terrorist use of the Internet is unimportant. The Internet provides unprecedented communicative possibilities for all who use it, and terrorist organizations have not been slow to exploit these options to present their ideology, issue propaganda, deliver detailed technical tutorials, and attract recruits. Indeed the network is mediating the creation of entirely new forms of organization. At the same time, Internet use brings such groups out into the light in equally unprecedented ways, allowing “soft” counter-terror approaches that may challenge propaganda and ideological claims directly, undercutting support and recruiting efforts.

3. See Schmid and Jongman (1988), pp. 1-32, and Jackson (2011), pp. 9-121.
4. Stohl (2008), pg. 6.
5. GTD. All results derived from the GTD in this document select only those incidents which meet all three of its inclusion criteria: (1) the act must be aimed at attaining a political, economic, religious, or social goal; (2) there must be evidence of an intention to coerce, intimidate, or convey some other message to a larger audience (or audiences) than the immediate victims; and (3) the action must be outside the context of legitimate warfare activities. Note, however, that the GTD does not include instances of state terrorism.
6. Ibid.
7. Ibid.
8. Ibid.
9. World Health Organization (2011).
10. Ikeda (2012).
11. World Health Organization (2009).
12. Drake (1998), pg. 42.
13. No entry indicates < 0.5% of the total incidents for the period. Statistics for the Middle East include North Africa. In 2000-2011 the surge in the Middle East was a consequence of the invasion of Iraq, while that in South Asia was primarily a consequence of the intervention in Afghanistan and increased tensions in India.

14. Cronin (2009). Statistics derived from associated online data. http://www.howterrorismends.com
15. GTD data modified to include updated figures for Aum Shinrikyō fatalities in listed attacks (Danzig (2011)). The murder of Sakamoto Tsutsumi and his family appears to be missing from the GTD and is not included.

16. The responses of the United States to the 9/11 attacks have, thus far, cost more than US$3 trillion, the lives of thousands of US and allied soldiers and hundreds of thousands of innocent people, violated human rights both within the US and abroad, led to serious breaches of international law, extraordinary increases in terrorist activity, and significantly damaged the country's reputation and moral fabric.

17. Danzig and Sageman (2011).
18. Commission on the Prevention of WMD Proliferation and Terrorism (2008).
19. Schneier (2007).
20. Borum (2011), pg. 25.
21. See for example Silke (2003).
22. Mandela (1994), pg. 166.
23. Smith (1995), pg. 140.
24. Horgan (2003), pg. 16.
25. O'Malley (1990), pg. 285.
26. Horgan (2003), pg. 17.
27. Post (2003), pg. 176.
28. Drake (1998), pg. 39.
29. bin Laden (2002).
30. START (2012b), pp. 18-19.
31. START (2012b), pp. 22-24.
32. See for example the history of the use of chemical and biological weapons by Aum Shinrikyo in Danzig (2011), or the use of radiological and chemical poisons by intelligence agencies.
33. Drake (1998), pp. 54-72.
34. Drake (1998), pg. 180.
35. Boyd (2010).
36. Bachmann (forthcoming).
37. Examples include US Army veterans Timothy McVeigh, Terry Nichols, and Michael Fortier, who killed 168 people in 1995.
38. Drake (1998). See the organizational chart, pg. 166.
39. Post, Sprinzak, and Denny (2003), pp. 172-174.
40. Cronin (2006), pg. 33.
41. Zakaria (2011). It is instructive to note that, although Miller's statement was intended as a warning in the original interview, Inspire magazine later quoted it as a motivational message to its readers (see AQAP (2011)).
42. This analytical framework is drawn from Sloan and Bunker (2011), pp. 88-90.
43. See for example Silke (2011), pp. 34-47.
44. Examples include former US Navy Lieutenant and Los Angeles police officer Christopher Dorner, who killed four people in 2013, and US Army Major Nidal Malik Hasan, who killed 13 and wounded 29 in 2009.
45. Karlin (2008). See Gambetta and Hertog (2007) for much greater detail.
46. Clauset (2009).
47. GTD.
48. Ibid.
49. BGP has often been used, intentionally or not, to reroute traffic in bulk. See for example Pakistan's inadvertent hijacking of YouTube traffic (RIPE (2008)). Likewise many governments have responded to the Arab Spring by restricting or even denying Internet access. The Syrian government took this an extra step by opening up access, then monitoring usage in order to identify dissidents.

50. According to former CIA and NSA operative Edward Snowden, the US National Security Agency does exactly this to monitor the communications of people around the world. See Lam (2013).

51. Modulo some details such as network address translation, load balancing systems, etc.
52. Microsoft (2013), pg. 23.
53. NVD (2013).
54. Microsoft (2013), pg. 23.
55. CVSS (2007).
56. Koscher, Czeskis, Roesner, Patel and Kohno (2010).
57. FAA (2008).
58. Bailey and Wright (2003).
59. Collins (2010).
60. Parks and Duggan (2011).
61. CNN (2007).
62. SANS (2008).
63. Federal Bureau of Investigation (2002).
64. Ahmed Chalabi, for example, a wanted criminal, deliberately provided false information to US intelligence agencies, who then relied on his fabrications concerning, among other things, Iraqi WMD and links to al-Qa'ida, in their rationale for the 2003 invasion of Iraq. See Isikoff (2006).

65. Adapted from P.L. 107-56 (2001).
66. DCSINT (2006).
67. Ibid.
68. Technically in the GTD, assassination involves the targeted killing of specific individuals while armed assault consists of attacks on less specific people using weapons (as distinguished from unarmed assault). See START (2012b), pg. 19.

69. Augusta Chronicle (2011) describes an emplacement of Internet-controlled shotguns provided with network-enabled cameras and actuators to fire the weapons. So-called “Internet Hunting” has been discussed (and also widely banned) in the US for many years.

70. Indeed the use of a cellular telephone (really a computer packaged with a microphone, speaker, and a radio) as a remote detonator for explosives, such as in Boston, 2013, is effectively a hybrid cyber-attack. It is not normally thought of that way because the press and the public are accustomed to telephones (or think they are), while the attitude toward computer networks is dominated by a greater degree of uncertainty and apprehension.

71. Lin (2009), pg. 20.
72. See Microsoft (2013) for one classification framework and recent analysis.
73. FBI (2008).
74. Since canonical IPv6 unicast addresses are constructed from the MAC address, it becomes trivial to identify systems with vulnerable cards, or even a single specific system, from anywhere on the Internet as long as some communication from that system is observable.

75. Triulzi (2008).
76. Raynal (2008).
77. The so-called “evil maid” attack, referring to an attack carried out by hotel cleaning staff on a laptop computer left unattended by a guest. See Schneier (2009).
78. Lin (2009), pg. 20.
79. Schneier (1999).
80. Finkle, J. (2012).
81. Many color printers, for example, record encrypted serial numbers and printing timestamps on pages using low-contrast ink to avoid detection. Intel notoriously added software-readable unique serial numbers to its Pentium III processors in 1999 but later abandoned the feature in response to a boycott over privacy concerns.

82. Schudel and Wood (2000). Diagram slightly modified for this presentation.
83. Ibid.
84. Drake (1998), pg. 123.
85. Schudel and Wood (2000).
86. BBC (2011).
87. Obama (2012).
88. The post-war proliferation of nuclear weapons technology, undoubtedly among the most closely-guarded military secrets of all time, is but one cautionary example.
89. Microsoft (2013), pg. 33.
90. Such skills are taught at some universities as a part of the cyber-security curriculum, and training is also available from commercial and government organizations. See for example NYU (2013).
91. It is often speculated that Stuxnet infected Iranian SCADA controller systems not over the Internet but through insertion of an infected USB memory device.
92. See for example Zhang (2012).
93. Known as ransomware, malicious software may for example encrypt the target's data and then demand payment for the decryption key. More complex and potentially far-reaching forms of this attack also exist.
94. DCSINT (2006), section III.
95. SANS (2013).
96. See for example NIST (2013).
97. NISC (2007).
98. Note, however, that care must be taken with the deployment of decoys to ensure that they do not themselves become security risks.
99. AP (2013a), AP (2013b).

