The adoption of digital technologies has created opportunities for society which were unthinkable when the internet was founded, even by its creators. Today, most developed countries depend on cyber space to conduct their daily task online such as banking, education, security and communication. Cyber is an emerging domain and the threat is growing as it has also opened opportunities for perpetrators for criminal, espionage and other disruptive crimes.
One such area is cyber terrorism, however the definition itself is polarising as the academic world is divided on what is cyber terrorism. While an act of terrorism is well defined, the combination of cyber space and terrorism has been often misused and misunderstood.
In this essay the definition and act of cyber terrorism is explored along with other disruptions related to cyber, such as espionage, war and sabotage and then review the distinctiveness of cyber terrorism when compared to the other elements. In addition, the potential impact of cyber terrorism on future technical trends, such as Artificial Intelligence and Robotic is briefly explored.
To contextualise cyber terrorism, we need to understand the reasons and aim of terrorists. Their aim is to strike terror, fear and disruption to the daily environment of governments and public and the act can either involve an individual or a group. The reasons can be many, including propaganda or retaliation for an act by a government, typically against a country and its citizens. Some terrorist groups are well co-ordinated and execute their plans involving several individuals and others operate almost in military precision with strategy and planning followed by a well-executed plan. While terrorism doesn’t cause most number of deaths (vehicle accidents outnumber terrorist related deaths significantly), what it does do is cause fear and grief (Ruby, 2002). An example of this is the September 11, 2001 attack in which a well-co-ordinated group hijacked several aircraft operating in the United States (US). Their plan was to take control of several aircraft and perform a controlled crash into the World Trade Centre Twin Towers in New York, the pentagon and possibly the White house. The hijackers succeeded in their goal to crash aircraft into the Twin towers and the Pentagon and the result was wide spread panic, not only in the US but throughout the world. The actions of the terrorist caused a global reaction in protecting air travel with every major airport increasing their security process and airlines taking steps to restrict access to the cockpit of commercial passenger planes. While the aim of the hijackers, and the group they represented, was to make a point against the US government, what they achieved was far beyond. The effect of their actions was global panic amongst governments and the public. That was in 2001 and even today the airline industry has security procedures in place due to the actions which took place then (Hoffman, 2002). Similarly, when bombs exploded at the Boston Marathon on April 15, 2013 with the main culprits being two brothers. Their act caused deaths, injuries and panic and their motive was related to extremist Islamic beliefs, however they were not linked with any terrorist groups (Thomas M. Chen, Lee Jarvis, 2014a).
When the internet was invented by a group of researchers in the 1970’s, their intention was to share information between peers within confined segments. They never dreamt that their invention would one day interconnect the globe where major economies depend on its availability and their invention will be used by up to 50 billion devices connected to the internet by 2020. The Internet was meant to be a platform for freedom, but it’s evolved to a vehicle of surveillance (KUROSE, 2017).
The concept of ‘cyber terrorism’ was conceived in the 1980’s and it was defined as “the intentional abuse of digital information system, network, or component toward an end that supports or facilitates a terrorist campaign or action” (Thomas M. Chen, Lee Jarvis, 2014b). It wasn’t until 1988 when the threat of external interference to digital systems was executed with the Morris worm indicating the potential misuse available from ICT resources (Schmidt and Darby, 2001).
The definition of Cyber Terrorism is somewhat unclear as there is no clear legal definition internationally. According to Lewis, cyber terrorism is “the use of computer network tools to shut down critical national infrastructures (such as energy, transportation, government operations) or to coerce or intimidate a government or civilian population” (Lewis, 2002). In addition, when these attacks create fear, loss of life, explosions, aircraft crashes, significant disruption to critical infrastructure or significant financial loss, are also considered acts of cyber terrorism.
There are four elements considered to be necessary for an act to qualify as cyber terrorism.
- Computer Generation
- Political Motivation
- Physical Violence
- Psychological coercion(Kenney, 2015).
To understand cyber terrorism and its appeal for terrorist, we need to explore the adoption of digitisation, its reliance on interconnectivity and internet for enablement. The trend of moving major services to the internet is an on-going process with many countries using the internet as the backbone for major services. The internet has enabled those countries to perform tasks online rather than the historic way of manual processing. Globally, cyberspace is becoming integral for communication and economic activity. Taking into consideration, for a highly connected country, the cost related to a shutdown of cyber space is around US$23.6 million for every 10 million people (GNI, 2018).
In the modern society the internet has become deeply embedded in economics and political environment and is used for education, healthcare, transport, banking and law and order. This means the society is ever increasing its dependency with devices connected to the internet. Any infrastructure or network that connects to the internet is susceptible to an attack. This makes the services extremely vulnerable and therefore attractive for fraud, attacks and disruptions. As the world embraces the digital age using the internet for social and economic benefit, it has also become a gateway for criminals as offensive capabilities are improving and defence is becoming harder (Akhgar and Brewster, 2016a). As an example, the Commonwealth bank’s smart ATM network may have allowed terrorist to transact millions of dollars without detection between November 2012 and September 2015. As the banks migrates many of its services to automation, a vulnerability was identified that allowed transactions of over $10,000 without reporting to AUSTRAC for assessment (Ryan, 2017). Ironically, India in 2016, used terrorist funding using cash as one of the reasons to demonetarise notes of large value and digitised financial services and payments to track those transaction (NORONHA, 2018).
The internet is being used by many for political purposes by activists, governments and others to achieve political goals which have little or nothing to do with the internet (Conway, 2006). The growth in digital platforms allows creation of terrorist support networks. The cost of enablement is low and relatively easy without the user requiring technical skills which are typical of a hacker. The potential of disruption to digital infrastructure is as broad as the legitimate benefit from digitisation.
While the world recognises cyber terrorism as an act and terrorist are using the internet as an enabler to achieve their goals, to date there is no evidence of a non-state terrorist act that has been executed using the cyber channel. The capabilities of the terrorist are growing with access to tools which allow them to perform tasks to prepare and execute their goals. For example, terrorist use elements of cyberspace for radicalization, recruitment, fundraising, espionage, disruptions and armed attacks (Thomas M. Chen, Lee Jarvis, 2014c). Terrorist groups can use the internet for recruitment of personnel to then perform an act of terrorism using traditional methods. Those recruits can also be used for other tasks, including fighting wars, for groups such as ISIS. The ISIS group is known to use online tools, such as You Tube videos with reports suggesting 40% of charged individuals did not grow up following the Muslim faith (ABC Nighline, 2017). The online tools also help the group spread their propaganda and ideology to online sympathisers with ease and a diverse segment, regardless of their location or religious upbringing (Awan, 2017).
The same online tools provide possibilities for terrorists which are not traditional and allows the actors to experiment with technology which may provide them with an edge. Using traditional methods, a message by actors can be distributed to hundreds, for example a gathering of a group in a private setting. By using Social media tools, the actors have access to millions of people and the message can be distributed simultaneously. Social media tools such as You Tube has over 1 billion users (You Tube, 2018), Twitter has over 400 million tweets every day (Twitter, 2018) and Facebook has over 2 billion active users every month (Statista, 2018). This level of audience provides the actors with so many opportunities and therefore becoming the preferred method for not only recruiting, but an enabler for their terrorist acts using those online tools.
In the 2008 attack in Mumbai, India, the terrorist used a combination of social media tools to enhance their activities and used the information, such as live telecast, to keep the entire terrorist group informed. Smartphones were used for communication between the handlers (based remotely) and the terrorist who were on the ground conducting the attacks. In the attack, the terrorists also used conventional weapons (guns, hand grenades, etc) alongside modern technologies to execute their goals (Bachmann and Gunneriusson, 2014).
The media, both electronic and paper, has provided much of the exposure to cyberterrorism by exaggerating and using the term for acts which are anything but terrorism related (Thomas M. Chen, Lee Jarvis, 2014d). After Stuxnet, a state sponsored attack, there has been fear in the public that a cyber terrorist event is imminent and often a cyber event that creates disruption such as a hack or a phishing attack is portrayed by the media as an act of cyber terrorism (Kenney, 2015). Such as in 2018, a teenage hacker was sentenced for obtaining emails and phone details of senior US officials and he was classified a terrorist (BBC, 2018).
As technology and its importance around the globe increases, with virtually every government, defence and infrastructure depending heavily on computers and the internet. The probability of a Cyber terrorism event has also increased dramatically. This has been stated since the 1980’s however, we are yet to experience an event that can be attributed to terrorist using cyber as the medium to execute their plans.
A terrorist is considered to execute their terroristic plans for political reasons. As such a cyber terrorist is a someone who will use their technical ability to achieve terroristic ends. Their motivation, regardless of if it’s a suicide bomber or a cyber terrorist, is a willingness to create fear and destruction.
At the turn of the century the technical facilities and the skills may not have been as sophisticated as they are today, we can argue that in today’s environment it is possible to explode a bomb remotely. However, those who have the skills are not motivated by causing physical harm that terrorist wish for and those who have the intentions currently don’t have the capabilities, however it’s difficult to say what skills terrorist may acquire in the coming years (Droit, 2013). In their search for Al Qaeda, American troops discovered plans for attacking digital systems and details of their recruits who were sent for training on high-tech systems (Weimann, 2005).
Obtaining technical skillset by the terrorist is possible, however for a successful outcome there is a requirement of deep understanding of the target’s environment. In the Stuxnet attack, there was high level of understanding of the how the centrifuges operated, and key information was sourced to ensure a particular spin rate was achieved to cause destruction. The timeframe for the Stuxnet attack (which is believed to be an attack by the US and Israel) was lengthy and expensive most likely involving a combination of spear phishing and human saboteurs manually loading the malware (Lindsay, 2013).
In comparison, a terrorist group can arm suicide bombers or vehicle-borne improvised explosive device (VBIED) inexpensively and in a short timeframe. The aim of terrorist is to cause fear and physical harm and get attention based on the act they have performed. Terrorist like attention as this helps them achieve their goals. For example, in the 2002 Bali bombing left 202 people dead, caused panic amongst locals and tourist traveling to Bali. And the events of 9/11 media coverage provided the terrorist with a visual event that is still used today. According to Schmid, the terrorist do the striking and the media does the educating and a single act educates hundreds (Schmid and Graaf, 1983).
If the same terrorist performed an act of cyber terrorism, say against a power utility, the result may have been disgruntled people inconvenienced due to lack of power, however the effect wouldn’t have caused the same level of panic as the bombing and the air crashes achieved. There is also a level of confidence of achieving their goals when terrorist use traditional weapons. The Irish Republic Army, prior to the Northern Ireland peace process, were known to have the technical ability to remotely attack critical infrastructure. But their preferred method of attack was with physical weapons due to their preference and trust in them (Conway, 2003).
The terrorist groups are known to seek attention for their cause. It’s like any commercial assessment with a Return on Investment (ROI). The impact of Stuxnet and the Boston bombing provide some indication on the ROI. The Stuxnet worm caused significant damage to Iran’s Nuclear facility and possibly costing tens of millions of dollars and manpower and skillset. The damage was to a system, not to any humans. In comparison, the Boston Marathon bombs cost hundreds of dollars and caused destruction of lives and property damage in the hundreds of millions. The media coverage the Boston Bombing received was almost triple to that of Stuxnet and the cost and the ROI – from media and destruction – using traditional methods delivered more value for terrorist than cyber terrorism (Thomas M. Chen, Lee Jarvis, 2014e).
Cyberspace has been formally recognised by The North Atlantic Treaty Organization (NATO) as a new frontier in defence, along with land, air and sea, meaning battles could henceforth be waged on computer networks. In the armed forces, Cyber Space is part of the military’s fifth domain and NATO has a threat score and likelihood of occurring scores related to cyber-attacks. In NATO’s scoring of likelihood of occurrence of a cyber-attack, it uses a risk factor associated with a particular kind of cyber-attack and it is estimated using the simple formula shown below:
Risk=Threatscore × LikelihoodofOccurrencescore × Vulnerabilityscore (Albahar, 2016)
As stated earlier, since there is lack of data in relation to evaluating the risk factor from an attack linked to cyber terrorism, the digital environment needs to be protected for unforeseen events. According to Pollitt, there are many concerns and risks to digital systems and three key risk factors are: Confidentiality, Integrity and Accessibility. Additionally he states “most risks can be managed, it is the unmanageable risk that we fear” (Pollitt, 1998).
The US and other major Western nations view cyber terrorism as an event that is imminent, therefore high risk. According to Michael Stohl, while each superpower prefers their adversaries to refrain from using terrorism, they themselves can employ and support terrorism by themselves. The doomsday scenarios presented since 1991, such as Electronic Pearl Harbour and digital Armageddon, digital 9/11 or al Qaeda cyber-attacks to date have yet to occur. While the threat of cyber terrorism exists, an event has still not actually occurred. However these terms are frequently used as it resonates with policymakers (Thomas M. Chen, Lee Jarvis, 2014f).
The US has developed capabilities and is investing heavily to defend itself from cyber threats by militarising cyber space. The importance of cyber space is highlighted In the Navy Cyber Power 2020 report which states “In a future security environment characterized by complexity and uncertainty, U.S. maritime power will be inextricably linked with our ability to operate effectively in cyberspace” (US Navy, 2012). In recent years countries such as Russia, China, North Korea and the US have all been implicated in one form or another for cyber behaviours. China has been accused of espionage and Russia of interference in the US presidential campaign in 2016 (Tomz, West and Hall, 2018).
In Australia currently, the risk of cyber terrorism is considered to be low with terrorist activities limited to disrupting social media platforms, DDoS, defacing of websites, hacking for the purpose of gaining personal information and penetrating poorly secured services. At this stage the belief is that the terrorist are unlikely to perform a significant act in the short term (2 to 3 years) (ACSC, 2017a).
There are no clear criteria whether a cyberattack is criminal, act of terrorism, hacktivism or a state sponsored actor using cyber for a military type attack. International law is also unclear on regulation related to cyberspace (Theohary and Rollins, 2015).
Moreover, cyber is a truly global phenomenon. It doesn’t live in a country or in a region. Cyber is practically everywhere and virtually borderless. From a legal perspective, that creates a Pandora’s box of potentially difficult issues, since different countries have different laws governing the use, ownership, transmission, and storage of data. A fully functioning Internet of Things (IoT) would spawn a far-flung network encompassing millions of organizations and billions of individual users (Barlow, 2016).
Several countries recognise the risk associated with cyber terrorism as one of the highest priority risks. However, as stated earlier, academics continue to be divided on whether terrorists are likely to use computer technology to launch an attack like an explosive device or a suicide bomber. The attacks, or acts of protests seen so far have been related to defacing of government websites, distributed denial of service (DDoS) against private and public services, such as the disruption to the Australian Census in 2016 and disruption to Amazon and Twitter services (Behal and Kumar, 2017).
Considering the ease of access to cyber space, expertise and development of skills the terrorists acquire, the risks associated with possible cyber-attacks causing destruction and harm is a real possibility. While there is no statutory definition of cyber terrorism, this tends to fall under the terrorism acts of several nations. In the Commonwealth nations of United Kingdom, Australia, Canada and New Zealand, criminal offence related to computer technology exists, however there is no offence of ‘cyber terrorism’ in any of these nations (Thomas M. Chen, Lee Jarvis, 2014g).
In Australia, if a person is attacked in the physical world, they can defend themselves and there is regulation in place to protect the victim in the event they cause harm while defending themselves. In extreme cases a deliberate act of shooting would not amount to murder as you can kill a person lawfully in self-defence (Arenson, 2014). In the digital world, the act of cyber-attacks is a criminal activity and the law only allows an individual or an organisation to protect its environment. The environment can be protected using firewalls, passwords and security products (software and hardware) which will protect the computing environment of the individual or organisations (Phair, 2017).
While governments around the world use cyber terrorism as one of the reasons to increase the country’s cyber security capabilities. However, based on research there has been lack of evidence related to a true cyber terrorist event to date.
Most likely the lack of data in relation to cyber-attacks encountered has been limited as reporting of a breach has been on a voluntary basis. This will change as in Australia, information in relation to the number of attacks is expected to increase, as there will be more data available due to mandatory reporting of data breaches (The Parliament of and Australia, 2017). Similarly, General Data Protection Regulation (GDPR) that applies to any company that stores information about European Union (EU) citizens, regardless of their location (Nadeau, 2017). To explore how the insurance sector scores the risk, who use actuarial data to asses their risk when insuring businesses against cyber-attacks, have increased their premiums due to the number of high profile cyber-attacks (Young et al., 2016). One of the area insurance sector doesn’t provide cover when it comes to cyber-attacks, is when the attack is motivated by terrorism. In the report by ARPC it states “Major terrorism pools globally have not yet expanded their coverage to include cyber terrorism. And, although insurance coverage for cyber risk is an emerging market, there are no terrorism risk insurance pools that explicitly cover cyber-attacks. In the US, the Terrorism Risk Insurance Act which provides for a post-event funded scheme, does not specifically address the issue either as covered or excluded” (ARPC, 2016).
Since the term cyber terrorism is not well defined, it’s important to understand and differentiate from other cyber threats and the section bellow details some of those threats such as cybercrime, cyber war, cyber espionage, cyber sabotage and future trends which are likely targets of cyber terrorism.
As individuals and businesses embrace digital technologies, their risk of a cybercriminal threat has also increased. An attack using the internet is becoming easier and cheap to execute. Majority of the criminal activity using cyber is for financial gain. One of the popular cybercriminal activities is ransomware. The growth of ransomware in recent years has been significant with reports claiming ransomware to be one of the top 5 malware activities identified. The reason for this is primarily due to the hackers locking access to important files and being able to take advantage of the payment method using Bitcoin (Verizon, 2017). In 2016 24 per cent of Australian businesses experienced ransomware incidents (Berin & Neil, 2017) and similarly 26 percent of Asian businesses experienced ransomware incidents which impacted their business. The activity is growing year on year and the costs related to ransomware is believed to be around $1 Billion in 2016 (DeNisco, 2017) and the number of attacks and ransom demands is expected to grow significantly in 2018. Recent attacks such as WannaCry, that impacted over 150 countries globally, are examples of ransomware criminal activity (ACSC, 2017b).
Some of the other growing trends with cybercrime are related to phishing criminal activity which uses social engineering techniques. The goal of an internet scammer involves luring individuals and stealing the target parties confidential information for financial gain (APWG, 2004). ,
Historically scammers were known to send letters, such as the Nigerian scam letters offering a slice of inheritance. Their tactic, while successful with many innocent people was to harvest money from those victims, could only target a limited number of individuals. In the modern era, similar “letters” are sent via mass email distribution using bots and the target audience is significantly large. The aim of the perpetrators is to scam the recipient for financial gain rather than cause physical harm. The growth in internet has facilitated the spread of cybercrime (Isacenkova et al., 2014).
Over the past several years, hackers have become more organised and are continually developing new techniques to penetrate networks to deceive users into submitting their personal data. The criminals of the modern era don’t need to be physically present to conduct their activity. They can be sitting far away from the scene of the crime using phishing and ransomware techniques to achieve their goals. This means profit seeking criminals are shifting from crime that required physical presence to online techniques. The reasons are many including their target audience is large (using bots, phishing emails, etc) and the risk of getting caught are much lower. Typically, the criminal activity is performed by a highly organised group of individuals rather than a single individual (Armerding, 2015) and there are instances of government agencies becoming targets of hacktivist using phishing email scams to access sensitive government infrastructure (Ostrowski, 2016). It is estimated over 146 billion records will be exposed between 2018 and 2023 through cyber-criminal activity using automation to execute their objectives such as bots (Juniper, 2018).
When considering warfare, first things that come to mind are army, air force and naval attacks. Traditionally land, air, sea and apace have been the four key elements of the military domain. These physical domains now have cyber as the fifth element in warfare (Hubman, 2015).
Much of the cyber element is still used for espionage and are often conducted by state actors. The actions include, but are not limited to, sabotage, intelligence gathering and strategic influence. In applying cyber to defence realm, cyber war is linked with Nation State or Non-state actors, such as terrorist (Joiner and Sitnikova, 2017).
The US, in its Department of Defence (DoD) Cyber Strategic 2018, identifies the internet to provide knowledge, business opportunities and services to enrich American lives. The open, decentralised and transnational environment of the internet is vulnerable to sabotage and theft of confidential information, disruption to government and businesses and threats to critical infrastructure (US DOD, 2018).
The DoD goes further in that it considers Russia and China to be as its long-term strategic competitors in the cyber space domain. The possibilities of these countries of using cyber to conduct reconnaissance, disruption, confusion, etc. Russia has also been singled out to have caused interference in the democratic process of the US and its population. In the US Cyber Strategy document, it states “We must assertively defend our interests in cyberspace below the level of armed conflict and ensure the readiness of our cyberspace operators to support the Joint Force in crisis and conflict” (US DOD, 2018).
One of famous state-based attack on a country was on Estonia in 2007 that lasted almost three weeks. The attacks seemed to be in retaliation by Russia for the Estonian Government to defy Russian threats in relation to the removal of a Bronze Soldiers monument, which was a memorial of Soviet liberation of Estonia in World war II. While the protest started on a state level, patriotic hackers waged a cyber-attack on Estonia crippling its critical infrastructure such as telecommunications and electronic infrastructure. Estonia has relied on the digital infrastructure since the 1990’s and the attacks caused major disruption to the public administration and economy leading to financial systems adversely effected and an impact to national security (Pipyros et al., 2016).
While there have been cyber-attacks on other nations, such as against Kazakhstan in 2009, Ukraine in 2014 and South Korea in 2013, the international community is divided on whether cyber-attacks on nations is something of a new threat requiring new legal framework or to apply traditional international law rules. Countries such as Russia and China are in favour of an international treaty, similar to those agreed for chemical weapons whereas US and EU favour an update to existing international law (O’Connell, 2012).
Traditional surveillance is a practice of using spies, typically by government to obtain political or military information. The method of spying has been used by nations since the beginning of conventional warfare. Instead of traditional surveillance and espionage, has now transformed into cyber spying. In the digital world, as states and enterprises work on securing their networks, others work on stealing sensitive information. In the twenty first century governments, military, law, hackers, criminals and terrorist are all looking to steal valuable data which belongs to others. Some of the activities are for the purpose of national security, for example monitoring communication and activities of a terrorist cell based in another nation. However, other activities include surveillance and theft of economic matters and intellectual property. (Banks, 2017).
Cyber espionage provides the actors (state and non-state) the same level of anonymity as cyber criminals. The act can be performed from a location outside of the targeted cyber network. In the US, their defence report names China as one of the countries performing cyber espionage and in some cases supporting the objectives and development of People’s Liberation Army (Ellis, 2015). Other examples of Chinese cyber espionage activity are occurring frequently and have been given code names such as Titan Rain, ByZantine Haydes and Shady RAT (SHILLING, 2016).
While cyber espionage is to steal secrets, the information can be used for damage to a business or for military competitiveness. An alarming thought is of government agencies influencing the private sector to develop software code for intelligence gathering. A recent report by Bloomberg states that Chinese spies have infiltrated 30 major US companies including Amazon and Apple by planting a microchip in the motherboard of servers. The microchip allowed attackers a gateway to the networks operated by those companies (Robertson and Riley, 2018). While Amazon and Apple have disputed the report, if the report is correct, the access can potentially have major ramifications for national security and possible an attack on CI as many enterprises rely on Amazon for their cloud computing requirements.
This act is linked to typically internal threats, such as disgruntled employees engaging in deliberate steps against their co-workers or supervisors. There has been an increase in workers exacting their revenge on their employers by causing disruption or destruction to valuable digital assets. Cases have been noted of current and former employees with knowledge of vulnerabilities or access to secure areas and causing damage. One such breach on the SCADA system occurred in Maroochy River, Queensland causing problems with the wastewater systems. A disgruntled former employee stole propriety equipment from Hunter WaterTech and used it for months to release over 100’s of thousands of gallons of raw sewage into the public waterways. While this may be a rather simple attack, it reinforces how easy it can be for insiders with the knowledge to conduct successful sabotage against critical infrastructure (Slay and Miller, 2007).
The future of cyber threats is unknown, for example the potential impact to Artificial Intelligence (AI) and IoT. Yet, identifying the origin of the state-actors is difficult (Zegart, 2015).
The current trend of AI and Robotics in self-driving cars and Unmanned Aerial Vehicles will start appearing in different context, including domestic use, healthcare and care for the elderly. While there are many opportunities with Autonomic technologies, they also pose new threats and potential for internal or external attack controlled by a remote operator (Jonathan Petit and Shladover, 2015). We have already seen cars remotely hacked by criminals. An example of this was in 2015 with a car manufactured by Jeep when a remote hack was performed to demonstrate the vulnerabilities with connected vehicles (Reindl, 2018).
While there have been many examples exposed to impact of cyber criminals with IoT and the potential of terrorist act against them, a futuristic trend is with people with many implants on or inside the human body. The trend to have pacemakers and cochlear implants via RFID, people will become physically vulnerable to cyber-attacks. While those attacks may be used for criminal activity – for example holding someone to ransom by controlling their pacemaker – the fear of a terrorist attack has the potential to cause panic amongst the recipients of such devices (Akhgar and Brewster, 2016b).
The internet has allowed for the society to experience and achieve results which were unthinkable even at the turn of the century. As the internet usage grows to the benefit of society, threats originating from the cyber world have also increased dramatically. The threats using cyber are unique in their nature with many aimed for financial gains of the perpetrators to cyber sabotage and governments using cyber for espionage and to support their war efforts.
In the 198o’s while computers and the internet were readily available, many tasks required the devices to be physically connected to a network whereas the current trend with IoT, we can conduct many activities from any location using wireless technology. The independence and convenience have been revolutionary and while there are enormous benefits, there are also threats which have been developed and experienced over the years.
The criminal element has also evolved from a lone hacker exposing security flaws in computer software to highly co-ordinated espionage and attacks such as Stuxnet. The attraction for the criminal is that they are not limited by borders as their target can be anywhere. For an activist, they can perform protests with a sense of anonymity and the target audience can be in the millions, instead of hundreds.
Similarly, the internet has also provided opportunities for terrorists to conduct their acts, however there are no known terrorists related cybers attacks to date. While the technology and the internet has been used to support terrorist activity, such as recruiting, fund raising and training, the actual act of terrorism has been linked to a serious cyber-attack. So far traditional terrorist activities such as VBIED, explosions and hijacking are of greater threat than cyber terrorism. This doesn’t translate into cyber terrorism is not possible as future terrorist may be savvier technically and use their knowledge and use cyber as the channel for their terrorist act. Just as the events of September 11 were unthinkable, cyber terrorism could be executed similarly. The person or groups conducting illegal activity, whether it’s criminal, nation based or for terrorism purpose, the goals can be achieved with anonymity and their reach is global (Ritsko, 2015).
While cyber terrorism is linked to causing fear and destruction, and other cyber related acts (war, crime, etc), there are similarities in each of these acts. The similarity is that the perpetrators are using cyber as the channel to cause harm to another party (or business, government, CI, etc) and therefore separating them is difficult. The act of cybercrime, such as the punishment of the teenager in the US for obtaining emails and phone details of senior US officials, or he could have just been snooping and playing with vulnerabilities that existed without any real intent of a terrorist activity. As the world continues its progress of connecting devices at a rapid pace, the possibility of cyber threats also increases. However, in evaluating the possibility, we need to understand the type of threats which are possible. Focusing on Cyber War and Cyber Crime, since cyber war is an act in which states are involved, these matters are best handled by governments and fall under international law treaty. Cyber Crime, which is typically related to financial gain, these acts should be covered by the law as a criminal act.
In relation to cyber terrorism, the question of whether targets exist which could be compromised by terrorist groups. The answer is yes as CI is complex and therefore prone to vulnerabilities. However, those vulnerabilities will typically be known to employees. The possibility of that internal knowledge exists and can cause some damage as it did in 2002, when a disgruntled ex-employee of Maroochy River, Queensland causing problems with the wastewater systems and releasing millions of gallons of raw sewage (Slay and Miller, 2007).
Finally, based on the developments on how the cyber space is used today and the possibilities which exist for the future – such as with AI and Robotics, the lack of evidence suggests the threat of cyber terrorism may be exaggerated, however it’s not something we can ignore.
ABC Nighline (2017) ‘A look at how ISIS is recruiting young Americans through the internet’, ABC News. Available at: https://www.youtube.com/watch?v=PCztXEfNJLM (Accessed: 6 October 2018).
ACSC (2017a) Threat Report 2017.
ACSC (2017b) Threat Report 2017. Available at: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2017.pdf (Accessed: 7 October 2018).
Akhgar, B. and Brewster, B. (2016a) ‘Megatrends and Grand Challanges of Cybercrime and Cyberterrorism Policy and Research’, in Combatting Cybercrime and Cyberterrorism : Challenges, Trends and Priorities. Springer, p. 4. Available at: https://ebookcentral-proquest-com.wwwproxy1.library.unsw.edu.au/lib/unsw/reader.action?docID=4533808&ppg=13 (Accessed: 4 October 2018).
Akhgar, B. and Brewster, B. (2016b) ‘Megatrends and Grand Challanges of Cybercrime and Cyberterrorism Policy and Research’, in Combatting Cybercrime and Cyberterrorism : Challenges, Trends and Priorities. Springer, p. 7. Available at: https://ebookcentral-proquest-com.wwwproxy1.library.unsw.edu.au/lib/unsw/reader.action?docID=4533808&ppg=13 (Accessed: 6 October 2018).
Albahar, M. (2016) ‘The Proposed Risk Estimation Model’, in Cyber Attacks and Terrorism: A Twenty-First Century Conundrum, pp. 1–14. Available at: https://link-springer-com.wwwproxy1.library.unsw.edu.au/article/10.1007/s11948-016-9864-0 (Accessed: 7 October 2018).
APWG (2004) word_phish @ docs.apwg.org. Available at: http://docs.apwg.org/word_phish.html (Accessed: 7 April 2017).
Arenson, K. J. (2014) ‘Australian Criminal Laws in Common Law Jurisdictions : Cases and Materials’, in Australian Criminal Laws in Common Law Jurisdictions : Cases and Materials, p. 113. Available at: https://ebookcentral-proquest-com.wwwproxy1.library.unsw.edu.au/lib/unsw/reader.action?docID=4191373#.
Armerding, T. (2015) cybercrime-much-more-organized @ www.csoonline.com. Available at: http://www.csoonline.com/article/2938529/cyber-attacks-espionage/cybercrime-much-more-organized.html (Accessed: 10 April 2017).
ARPC (2016) ‘Cyber Terrorism and Australia’s Terrorism Insurance Scheme: Physically destructive cyber terrorism is a gap in current insurance coverage’, (March). Available at: www.arpc.gov.au (Accessed: 14 October 2018).
Awan, I. (2017) ‘Cyber-Extremism: Isis and the Power of Social Media’, Society, 54(2), pp. 138–149. Available at: https://link-springer-com.wwwproxy1.library.unsw.edu.au/article/10.1007/s12115-017-0114-0 (Accessed: 6 October 2018).
Bachmann, S.-D. and Gunneriusson, H. (2014) ‘The Journal on Terrorism and Security Analysis’, pp. 31–32. Available at: https://poseidon01.ssrn.com/delivery.php?ID=4380940710861190710040100860870961230240200300320380220770851030180940290901111050091200361231040500340530990890310080981070991090400020330540660640650851260131271000270350510080190980910990921270250850980151040 (Accessed: 1 August 2018).
Banks, W. C. (2017) ‘Cyber Espionage and Electronic Surveillance: Beyond the media coverage’, Emory Law Journal, 66(3), pp. 513–525. Available at: https://search-proquest-com.ezproxy2.apus.edu/docview/1883488006/fulltextPDF/55CAB192C1424DB3PQ/1?accountid=8289 (Accessed: 14 October 2018).
Barlow, M. (2016) ‘Governing the Internet of Things’, in Governing the IoT. O’Reilly Media, Inc, pp. 1–12. Available at: https://ciodoc.com/wp-content/uploads/2017/07/管理物联网.pdf (Accessed: 6 October 2018).
BBC (2018) ‘Two years for teen “cyber terrorist” who targeted US officials’, BBC News. Available at: https://www.bbc.com/news/uk-england-leicestershire-43840075 (Accessed: 16 October 2018).
Behal, S. and Kumar, K. (2017) ‘Detection of DDoS attacks and flash events using information theory metrics–An empirical investigation’, Computer Communications, 103, pp. 18–28. Available at: https://www-sciencedirect-com.wwwproxy1.library.unsw.edu.au/science/article/pii/S0140366417301718 (Accessed: 7 October 2018).
Berin, L. and Neil, C. (2017) Telstra Cyber Security Report. Available at: http://www.telstra.com.au/business-enterprise/download/document/telstra-cyber-security-report-2014.pdf.
Conway, M. (2003) ‘Hackers as terrorists? why it doesn’t compute’, Computer Fraud & Security, 2003(12), pp. 10–13. Available at: https://www-sciencedirect-com.wwwproxy1.library.unsw.edu.au/science/article/pii/S1361372303000071 (Accessed: 13 October 2018).
Conway, M. (2006) ‘Terrorism and the Internet: New Media—New Threat?’, Parliamentary Affairs, 59(2), pp. 283–298. Available at: https://academic-oup-com.wwwproxy1.library.unsw.edu.au/pa/article/59/2/283/1555986 (Accessed: 6 October 2018).
DeNisco, A. (2017) 56bc3f56b67c47d1d4536f3f5d339bd0d81a32b2 @ www.techrepublic.com. Available at: http://www.techrepublic.com/article/report-ransomware-attacks-grew-600-in-2016-costing-businesses-1b/ (Accessed: 6 May 2017).
Droit, K.-G. G. de (2013) ‘login @ www-jinfowar-com.wwwproxy1.library.unsw.edu.au’, Journal of Information Warfare, 12(1), p. 29. Available at: https://www-jinfowar-com.wwwproxy1.library.unsw.edu.au/subscribers/journal/volume-12-issue-1/volume-12-issue-1-journal-information-warfare (Accessed: 7 October 2018).
Ellis, J. M. (2015) CHINESE CYBER ESPIONAGE: A COMPLEMENTARY METHOD TO AID PLA MODERNIZATION. Available at: http://www.dtic.mil/dtic/tr/fulltext/u2/a632209.pdf (Accessed: 14 October 2018).
GNI (2018) ‘Global Networks Intiative’. Available at: https://globalnetworkinitiative.org/new-report-reveals-the-economic-costs-of-internet-shutdowns/ (Accessed: 22 August 2018).
Hoffman, B. (2002) ‘Rethinking Terrorism and Counterterrorism Since 9/11’, in Studies in Conflict and Terrorism, pp. 303–316. Available at: https://www-tandfonline-com.wwwproxy1.library.unsw.edu.au/doi/abs/10.1080/105761002901223#aHR0cHM6Ly93d3ctdGFuZGZvbmxpbmUtY29tLnd3d3Byb3h5MS5saWJyYXJ5LnVuc3cuZWR1LmF1L2RvaS9wZGYvMTAuMTA4MC8xMDU3NjEwMDI5MDEyMjM/bmVlZEFjY2Vzcz10cnVlQEBAMA== (Accessed: 6 October 2018).
Hubman, J. M. et al. (2015) ‘Ethical Consideration in the Cyber Domain’, in Evolution of Cyber Technologies and Operations to 2035, p. 168. Available at: https://ebookcentral-proquest-com.wwwproxy1.library.unsw.edu.au/lib/unsw/reader.action?docID=4218485&ppg=45 (Accessed: 6 October 2018).
Isacenkova, J. et al. (2014) ‘Inside the scam jungle: a closer look at 419 scam email operations’, EURASIP Journal on Information Security, 2014(4). Available at: https://link.springer.com/article/10.1186/1687-417X-2014-4 (Accessed: 13 October 2018).
Joiner, D. K. and Sitnikova, D. E. (2017) Cyber Defence.
Jonathan Petit and Shladover, S. E. (2015) ‘Potential Cyberattacks on Automated Vehicles’, IEEE TRANSACTIONS ON INTELLIGENT TRANSPORTATION SYSTEMS, 16(2), p. 548. Available at: https://ieeexplore-ieee-org.wwwproxy1.library.unsw.edu.au/stamp/stamp.jsp?tp=&arnumber=6899663 (Accessed: 6 October 2018).
Juniper (2018) Cybercrime and Internet of Threats.
Kenney, M. (2015) ‘Cyber-terrorism in a post-stuxnet world’, Orbis, 59(1), pp. 111–128.
KUROSE, J. (2017) ‘The Internet of Things’, Turing Award, 60(5), p. 19. Available at: http://delivery.acm.org.wwwproxy1.library.unsw.edu.au/10.1145/3070000/3061359/p18-staff.pdf?ip=220.127.116.11&id=3061359&acc=ACTIVE SERVICE&key=65D80644F295BC0D.B811333C2AA88C82.4D4702B0C3E38B35.4D4702B0C3E38B35&__acm__=1539228407_513d351e5da987e7cc49c5c4 (Accessed: 30 September 2018).
Lewis, J. A. (2002) ‘Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats’, Center for Strategic and International Studies, (December), pp. 1–12. Available at: https://pdfs.semanticscholar.org/92b8/85caa26cef54a7519a114898373fa53ec159.pdf (Accessed: 4 October 2018).
Lindsay, J. R. (2013) ‘Stuxnet and the Limits of Cyber Warfare’, Security Studies, 22(3), pp. 365–404. Available at: https://www-tandfonline-com.wwwproxy1.library.unsw.edu.au/doi/abs/10.1080/09636412.2013.816122#aHR0cHM6Ly93d3ctdGFuZGZvbmxpbmUtY29tLnd3d3Byb3h5MS5saWJyYXJ5LnVuc3cuZWR1LmF1L2RvaS9wZGYvMTAuMTA4MC8wOTYzNjQxMi4yMDEzLjgxNjEyMj9uZWVkQWNjZXNzPXRydWVAQEAw (Accessed: 16 October 2018).
Nadeau, M. (2017) general-data-protection-regulation-gdpr-requirements-deadlines-and-facts @ www.csoonline.com, CSO. Available at: http://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html (Accessed: 2 September 2017).
NORONHA, N. (2018) Follow the Money: India Should Become an International Leader in Financial Intelligence. Available at: https://carnegieindia.org/2018/07/16/follow-money-india-should-become-international-leader-in-financial-intelligence-pub-76819 (Accessed: 17 October 2018).
O’Connell, M. E. (2012) ‘Cyber Security without Cyber War’, Journal of Conflict & Security Law, 17(2), pp. 187–209.
Ostrowski, A. (2016) 2b7f621d1a77d9f3988a3c19a7ad4adc0b08ba98 @ www.agari.com. Available at: https://www.agari.com/phishing-federal-agencies-why-government-bodies-are-prime-targets/ (Accessed: 10 April 2017).
Phair, N. (2017) Technology for Company Directors.
Pipyros, K. et al. (2016) ‘Cyberoperations and international humanitarian law’, Information & Computer Security, 24(1), pp. 38–52. Available at: https://www-emeraldinsight-com.wwwproxy1.library.unsw.edu.au/doi/pdfplus/10.1108/ICS-12-2014-0081 (Accessed: 14 October 2018).
Pollitt, M. M. (1998) Cyberterrorism – Fact or Fancy, Computer Fraud & Security1.
Reindl, J. (2018) Car hacking remains a very real threat as autos become ever more loaded with tech, USA Today. Available at: https://www.usatoday.com/story/money/2018/01/14/car-hacking-remains-very-real-threat-autos-become-ever-more-loaded-tech/1032951001/ (Accessed: 6 October 2018).
Ritsko, A. (2015) ‘Cyberwar Threat’. Available at: https://edutv-informit-com-au.wwwproxy1.library.unsw.edu.au/watch-screen.php?videoID=1347603 (Accessed: 30 September 2018).
Robertson, J. and Riley, M. (2018) The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies. Available at: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies (Accessed: 18 October 2018).
Ruby, C. L. (2002) ‘The Definition of Terrorism’, in Analyses of Social Issues and Public Policy, pp. 9–14. Available at: https://spssi-onlinelibrary-wiley-com.wwwproxy1.library.unsw.edu.au/doi/epdf/10.1111/j.1530-2415.2002.00021.x (Accessed: 6 October 2018).
Ryan, P. (2017) CBA risks massive fines over anti-money laundering, terrorism financing law breaches, ABC News. Available at: http://www.abc.net.au/news/2017-08-03/cba-risks-massive-fines-over-law-breaches/8770992 (Accessed: 6 October 2018).
Schmid and Graaf, J. de (1983) ‘Communication. Insurgent Terrorism and the Western News Media’, Current Research on Peace and Violence, 6(1), pp. 68–73. Available at: https://www-jstor-org.wwwproxy1.library.unsw.edu.au/stable/40724955?Search=yes&resultItemClick=true&searchText=no:1&searchText=AND&searchText=sn:03567893&searchText=AND&searchText=sp:68&searchText=AND&searchText=vo:6&searchText=AND&searchText=year:1983&se (Accessed: 7 October 2018).
Schmidt, C. and Darby, T. (2001) ‘The What, Why, and How of the 1988 Internet Worm’. Available at: https://snowplow.org/tom/worm/worm.html (Accessed: 16 October 2018).
SHILLING, E. (2016) From ‘Byzantine Hades’ to ‘Titan Rain’, Cyber Attack Code Names are Sci-Fi Poetry, Atlas Obscura. Available at: https://www.atlasobscura.com/articles/from-byzantine-hades-to-titan-rain-cyber-attack-code-names-are-scifi-poetry (Accessed: 17 October 2018).
Slay, J. and Miller, M. (2007) ‘Lessons Learned from the Maroochy Water Breach’, in Critical Infrastructure Protection, pp. 73–82.
Statista (2018) Number of monthly active Facebook users worldwide as of 2nd quarter 2018 (in millions), Statista. Available at: https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/ (Accessed: 6 October 2018).
The Parliament of and Australia, C. of (2017) Privacy Amendment (Notifiable Data Breaches) Bill 2017. Available at: http://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/r5747_aspassed/toc_pdf/16158b01.pdf;fileType=application%2Fpdf.
Theohary, C. A. and Rollins, J. W. (2015) ‘Cyberwarfare and Cyberterrorism: In Brief’, Congressional Research Service, pp. 1–15. Available at: papers3://publication/uuid/F4C68E9F-5A04-4D5D-A4D8-0FE87699F347 (Accessed: 7 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014a) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, p. 117. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 6 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014b) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, p. 87. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 7 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014c) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, p. 46. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 6 August 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014d) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, p. 26. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 13 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014e) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, pp. 103–121. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 7 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014f) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, pp. 86–89. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 7 October 2018).
Thomas M. Chen, Lee Jarvis, S. M. (2014g) ‘Cyberterrorism – Understanding, Assessment, and Response’, in Cyberterrorism – Understanding, Assessment, and Response, pp. 1–23. Available at: https://books.google.com.au/books?hl=en&lr=&id=IInkAwAAQBAJ&oi=fnd&pg=PR5&dq=Contextualise+and+explore+the+distinctiveness+of+cyber+terrorism+&ots=78QK7zD6uc&sig=nHOAtdflpEicXIuTzoNnmYgiAGw#v=onepage&q=Contextualise and explore the distinctiveness of cybe (Accessed: 7 October 2018).
Tomz, M., West, E. H. and Hall, N. (2018) Public Opinion and Foreign Electoral Intervention. Available at: https://web.stanford.edu/~tomz/working/TomzWeeks-ElectoralIntervention-2018-08-24.pdf (Accessed: 7 October 2018).
Twitter (2018) ‘http://www.internetlivestats.com/twitter-statistics/’. Available at: http://www.internetlivestats.com/twitter-statistics/ (Accessed: 6 October 2018).
US DOD (2018) Summary, DOD Cyber Strategy. Available at: https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF (Accessed: 6 October 2018).
US Navy (2012) ‘Sustaining U.S. Global Leadership: Priorities For 21st Century Defence’, Military Technology, (November), pp. 1–16. Available at: https://www.public.navy.mil/fcc-c10f/Strategies/Navy_Cyber_Power_2020.pdf (Accessed: 7 October 2018).
Verizon (2017) 2017 Data Breach Investigations Report. Available at: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/.
Weimann, G. (2005) ‘Cyberterrorism: The Sum of All Fears’, Studies in Conflict & Terrorism, 28, pp. 129–149.
You Tube (2018) https://www.youtube.com/intl/en-GB/yt/about/press/, You Tube. Available at: https://www.youtube.com/intl/en-GB/yt/about/press/ (Accessed: 6 October 2018).
Young, D. et al. (2016) ‘A framework for incorporating insurance in critical infrastructure cyber risk strategies’, International Journal of Critical Infrastructure Protection, 14, pp. 43–57. Available at: https://www-sciencedirect-com.wwwproxy1.library.unsw.edu.au/science/article/pii/S1874548216300439 (Accessed: 22 September 2018).
Zegart, A. (2015) watch @ www.youtube.com. Available at: https://www.youtube.com/watch?v=JSWPoeBLFyQ (Accessed: 23 August 2018).