‘Cyber terrorism’ is a catchy term, and appears to have resonated publicly because of the headline appeal and the fear factor. To slap the word ‘terrorism’ on anything ratchets up the hyperbole and disproportionately escalates the sense of threat-related consequences. But is an ‘e-bomb’ really terrorism or is it just hacking?
It’s certainly nothing new. Computer hacking has been happening since the early 1980s—since the widespread advent of computers. A teenager can hack an email account or a database but that doesn’t make them a terrorist.
Terrorists use whatever means available to generate fear. As a largely cyber-dependent society, it’s only natural to assume that cyberspace will be used to achieve that aim in the future.
It’s apposite to explore the potential consequences of a terrorist action initiated within the cyber domain.
At the recent ARPC–OECD Global Terrorism Risk Insurance Conference in Canberra, Lloyds presented a case study, conducted in conjunction with Cambridge University, based on a catastrophic cyber-attack on the US power grid—a highly vulnerable 40 year-old critical infrastructure system. An attack on infrastructure isn’t nearly as visible as a bomb blast and may not result in instant fatalities, but modelling predicts the second- and third-order effects would be devastating. The Lloyds–Cambridge study estimates a cyber-attack targeting the US power grid would result in a bill exceeding $US1 trillion in the most extreme case.
Such an attack is unlikely in the short-term but possible in the future. The 2016 Threat Report (PDF) recently released by the Australian Cyber Security Centre (ACSC) judges that we’re still two or three years away from an attack that could be classed as ‘cyber terrorism’. Although it remains unclear how ACSC arrived at that time-frame, large-scale cyber-attacks against infrastructure are a realistic threat down the line.
The main advantage of a cyber-attack is the absence of international borders. State and non-state actors can operate more covertly in the cyber domain and it can be a more favourable environment for an asymmetric actor. On the other hand, public attention is more important to terrorist organisations than technical complexity. Therefore, terrorists are less likely to expend precious resources on conducting a major attack in the non-physical domain.
IS has proven highly adept at engaging with the cyber domain to inspire individuals, recruit foreign fighters and raise funds, but attacking a digital network is a whole different proposition.
Although it could be assumed that global terrorist organisations have the intent to wage warfare via the cyber domain it seems they don’t currently have the expertise or capability to do so. Hence why the cyber report predicts a two-to-three year timeframe.
Lessons abound for Australian policy makers. When assessing future national security threats, it would be foolish to discount a large-scale cyber-attack with catastrophic consequences. It would be most dangerous if a cyber-attack targeting critical infrastructure or financial systems was conducted in conjunction with a physical attack using other capabilities. This combination of complex attacks would cause the government significant embarrassment, potentially paralyse strategic decision-making and result in a huge propaganda victory for the perpetrators.
State actors are currently more likely to have the necessary intent, expertise and resources to conduct a cyber-attack of the magnitude alluded to in the ACSC report. We’ve seen both China and Russia demonstrate such capability in recent times. But their preference has been for hacking rather than terrorism.
In response to major cyber breaches on the Federal Parliament and Bureau of Meteorology, earlier this year Prime Minister Turnbull pledged $230 million over four years to support the cyber security strategy (PDF). That’s an appropriate and responsible investment for the future but it needs to be just the beginning.
Some of Australia’s critical infrastructure is exposed, to include electricity, water and sewerage, as well as financial systems. We can’t continue to bury our heads in the sand. Thorough risk assessments using a forward looking, systems-thinking approach are needed to secure our nation against future cyber contingencies.
Information infrastructure needs to be further hardened and protected, and closer cyber security collaboration is required between government and the private sector.
On balance, it seems pretty clear that we’re not faced with a brand new threat under the banner of ‘cyber terrorism’. It’s just terrorism executed via the cyber domain, the next phase of an evolving threat. So let’s call it what it is, instead of walking a sensationalist road to nowhere.