Defining Cyberterrorism: Capturing a Broad Range of Activities in Cyberspace
August 23, 2012
A 1999 study prepared for the Defense Intelligence Agency and produced at the Naval Postgraduate School began with a disclaimer stating, “cyberterror is not a threat. At least not yet, and not for a while.” Nevertheless, the authors warned, “cyberterror is indeed coming.” Around the same time, Richard Clarke, who at that time was the White House special adviser for cyberspace security, preferred use of the term “infowarfare” instead of cyberterrorism. More than a decade later, he still rejected the word cyberterrorism on the basis that it is a red herring that “conjure[s] up images of Bin Ladin waging war from his cave”; he did, however, caution that there may be such a term as cyberterrorism in the future.
Barry Collin first introduced the term cyberterrorism in the 1980s, although just as experts have not formed a consensus definition of terrorism, there is still no unifying definition of cyberterrorism. Cyberterrorism is an even more opaque term than terrorism, adding another layer to an already contentious concept. Cyber events in general are often misunderstood by the public and erroneously reported by the media. People tend to use the terms cyberwar, cyberterrorism, cybercrime, and hacktivism interchangeably, although there are important, sometimes subtle, differences.
The purpose of this article is to propose a comprehensive definition of cyberterrorism that captures the full range of how terrorists have used the internet in the past and how they will likely use more robust cyber capabilities in the future. This article will first look at clusters of cyberterrorism graphed according to methods and targets; it will then describe the clusters in more detail and provide examples. Finally, the article will offer a new definition of cyberterrorism incorporating these clusters.
Three Clusters of Cyberterrorism
Figure 1 (see PDF version) depicts the activities associated with the various cyberterrorism terms as described in the literature: online jihad, virtual jihad, electronic jihad, and pure cyberterrorism. While the chart is not a quantitative plotting of the activities, it is a qualitative approximation based on an understanding of the concepts along the x (targets) and y (methods) axes. Also, since terrorists are motivated by the pursuit of political goals, this two-dimensional graph intersects a “motivation” plane characterized by the pursuit of political goals. Some of these same activities may be carried out by other actors with different motivations, but they would appear in a different plane.
The x-axis represents the targets of cyberspace operations, spanning the cognitive, virtual, and physical domains. Cognitive targets are human minds—the cognitive faculties that enable thinking, reasoning, and judgment. Virtual targets are cyber manifestations of physical objects, such as organizations or people. This includes individual and organizational websites, which allow virtual interactions. Finally, the physical domain consists of what exists in the natural, physical world (as opposed to the man-made, virtual world).
The y-axis in Figure 1 (see PDF version) represents the methods of cyber activity: enabling, disruptive, and destructive. The range of the methods variable is similarly described by General Keith Alexander, National Security Agency director and commander of U.S. Cyber Command, who remarked that cyber attacks against U.S. information networks started as exploitative before becoming disruptive, but now such attacks are moving into the realm of destructive.
The activities in Figure 1 (see PDF version) form three clusters that represent different types of cyber militancy at the intersection of cyberspace and terrorism.
Enabling Cyber Militancy
The bottom-left grouping represents activities that are not directly associated with operational acts of traditional terrorism; however, they play a key supporting role in facilitating attacks in the cognitive and virtual domains. Enabling cyber militancy (ECM) activities include recruiting, inciting, radicalizing, financing, training, planning, and communicating. Research on terrorist use of the internet, often described as online jihad or virtual jihad, has revealed the many (similar) benefits that al-Qa`ida and other terrorists seek to achieve through the virtual world, including recruiting, radicalizing, financing, targeting, operational planning, and communicating.
There are several definitions in the literature that broadly include these activities as acts of cyberterrorism, and some courts agree with this characterization. A key operative associated with al-Qa`ida in the Islamic Maghreb (AQIM) conducted ECM-like activities in France in 2008 and 2009, leading to his conviction in 2012. Court documents described how Adlene Hicheur provided intellectual and logistical support to AQIM through the internet. His support included uploading pro-jihadist materials online, distributing encryption software to facilitate covert electronic communications, moderating a pro-jihadist website, and establishing virtual payment processes to finance AQIM operations.
Actors committing ECM do not have to be motivated by religious ideals, although to fit in this category they must seek political change. ECM activities may enable terrorists to achieve their goals via traditional means—knives, guns, and bombs—or through cyber means, although they are not disruptive or destructive acts themselves that leverage the full potential of the cyberspace domain.
Disruptive Cyber Militancy
The center cluster includes exposing, defacing, and denying. Disruptive cyber militancy (DiCM) is similar to electronic jihad, a cyberterrorism term described as jihadist hacking designed to take down websites and disrupt the normal (cyber-dependent) lifestyle of Westerners, which relies on critical infrastructure supporting medical, utility, transportation, and especially financial systems. Like ECM, electronic jihad also includes less nefarious, more nuisance-minded activities such as web defacement, denial of service attacks, and unauthorized access and disclosure of confidential (and oftentimes embarrassing) information.
At the outbreak of Syrian unrest in early 2012, Abu Hafs al-Sunni al-Sunni, a senior writer for jihadist websites and supporter of al-Qa`ida and mujahidin everywhere, proposed DiCM acts against the Syrian regime. In a detailed article posted online in February, al-Sunni enumerated several ways the mujahidin could attack the Bashar al-Assad regime. He called on “skilled hackers like Red Virus, Omar OX, and other jihadi hackers” to conduct electronic jihad against the Syrian regime. These hackers have also been active in cyber attacks between Palestinian and Israeli supporters that have disrupted financial, transportation, and other business websites.
Destructive Cyber Militancy
The goal of terrorists using destructive cyber militancy (DeCM) is to manipulate computer code and corrupt information system functions to damage or destroy virtual and physical assets. Manipulating or corrupting information may, at a minimum, provide misinformation and induce confusion and loss of confidence in critical systems. In the worst case, DeCM may cause catastrophic effects on critical infrastructure, possibly resulting in death and destruction. DeCM activities are often described in the literature as pure cyberterrorism, which is the direct use of cyber hardware, software, and networks to create kinetic effects on par with traditional acts of terrorism, as opposed to merely using information communication technology in support of organizational communication and traditional terrorism. Most experts in the field narrowly define cyberterrorism to include only the direct use of cyber capabilities, as opposed to ECM-like activities in support of terrorism.
Although there have been no destructive cyberterrorism attacks to date, terrorists may engage in DeCM to cause massive physical damage and economic disruption to critical infrastructure such as the power grid, fuel distribution and storage systems, public water sanitation systems, air traffic control systems, and financial systems (especially ATM networks). Many of these critical systems are either directly connected to the internet or indirectly accessible via removable media and out-of-band channels. A 2011 al-Qa`ida video called upon cyber-savvy mujahidin to attack U.S. critical information systems by conducting an “information raid in the manner of the raids of September 11.” The video included translated interviews of cyber experts in the United States discussing how DeCM-like attacks may cause extensive damage to life-sustaining critical infrastructure. One example of a possible DeCM event would be the destruction of a key natural gas pipeline, the flow of which is regulated by electronic industrial control systems (ICS). These systems are vulnerable to hacking exploits, which could allow the manipulation of ICS functions such as a sudden increase in pipeline pressure, resulting in a large kinetic explosion.
A New Definition of Cyberterrorism
Bruce Hoffman defines terrorism as “the deliberate creation and exploitation of fear through violence or the threat of violence in the pursuit of political change.” If one assumes for a moment that this was the accepted definition of terrorism, then the addition of cyber to this term results in a simple, though circular definition: cyberterrorism is the use of cyber to commit terrorism. Given the range of cyberterrorism activities described in the literature and depicted in the clusters shown in Figure 1 (see PDF version), this simple definition can be expanded to: cyberterrorism is the use of cyber capabilities to conduct enabling, disruptive, and destructive militant operations in cyberspace to create and exploit fear through violence or the threat of violence in the pursuit of political change.
Current definitions for cyberterrorism range from narrow to broad, although most experts subscribe to the narrow definition of pure cyberterrorism. The definition proposed here includes three shades of cyberterrorism to capture the full range of cyber activities terrorists use or wish to employ in the pursuit of political goals. Such a definition in the hands of practitioners and academics may engender more granular research, debate, and potentially strategies to counter the threat stemming from the three different shades of cyberterrorism.
More work is needed to understand and assess the risk associated with cyberterrorism—threats, vulnerabilities, and consequences. Computer security experts routinely expose vulnerabilities in cyberspace; however, there is a paucity of research on cyberterrorism threats and potential consequences. The cyberterrorism definition proposed here is broad enough to give researchers a wider lens to study the cyber capabilities of terrorists across the full spectrum of cyberspace.
Lieutenant Colonel Jonalan Brickey is an Information Systems Officer and the Army Cyber Command Fellow at the Combating Terrorism Center, West Point. He holds a B.S. in American Political Studies from the United States Military Academy, an M.S. in Information Technology Management from the Naval Postgraduate School, and a Ph.D. in Computer Science and Information Systems from the University of Colorado Denver. He has held leadership positions in cyber-related programs at the National Security Agency, U.S. Northern Command, and U.S. Army Central Command.
 Bill Nelson, Rodney Choi, Michael Iacobucci, Mark Mitchell, and Greg Gagnon, Cyberterror: Prospects and Implications (Monterey, CA: Center for Study of Terrorism and Irregular Warfare, 1999).
 Richard Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: HarperCollins, 2010).
 Barry Collin, “The Future of CyberTerrorism,” Proceedings of the 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago, 1996.
 The term cyber is commonly used as a synonym for computer, but it could also include other information communication technologies, people, and anything with the ability to interpret and act upon code.
 The specific types of cyber attacks vary based on the motivation and affiliation of that attacker, as well as the type of target and attack techniques. For example, cyberwar is warfare conducted in the cyberspace domain between nation-states; cybercrime is crime committed by individuals or organizations via cyber tools; and hacktivism is the use of cyber by activists to voice dissent and support for a cause.
 For example, cybercriminals may communicate with each other and plan operations, but that activity would appear along another plane represented by the motivation to pursue financial gain.
 Cyberspace is defined in a draft U.S. military document (Joint Publication 3-12) as a global domain within the information environment consisting of the interdependent network of information technology infrastructures and associated data, including the internet, telecommunications networks, computer systems, and embedded processors and controllers.
 John T. Bennett, “NSA General on Cyberattacks: ‘Probability for a Crisis Is Mounting,’” U.S. News and World Report, July 9, 2012.
 Gabriel Weimann, Terror on the Internet: The New Arena, the New Challenges (Washington, D.C.: U.S. Institute of Peace Press, 2006); Bruce Hoffman, “Using the Web as a Weapon: The Internet as a Tool for Violent Radicalization and Homegrown Terrorism,” testimony before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, November 6, 2007; Sajjan M. Gohel, “The Internet and its Role in Terrorist Recruitment and Operational Planning,” CTC Sentinel 2:12 (2009).
 “Judgment of 4 May 2012, Case No. 0926639036 of the Tribunal de Grande Instance de Paris (14th Chamber/2),” Paris, France, 2012.
 A denial of service (DoS) attack prevents the exchange of legitimate network data by overwhelming target computers with messages; a DoS attack may cause users to experience loss of connectivity to the internet and other network services.
 Abu Hafs al-Sunni al-Sunni, “The Electronic Arm of al-Qa’ida Should Work to Topple Bashar,” Shumukh al-Islam Network, February 16, 2012.
 Sarah Gordon and Richard Ford, “Cyberterrorism?” Computers and Security 21:7 (2002): pp. 636-647.
 Removable media, such as flash drives, enable automatic transfer of computer code from one network to another as users plug devices into computers physically connected to those networks, oftentimes inadvertently creating an electronic link between otherwise disconnected systems. An out-of-band channel is a network connection that is not typically used for routine communications; for example, system administrators may establish an out-of-band channel by using a dial-up telephone connection to conduct off-site maintenance.
 “Electronic Jihad Video,” al-Shabab, 2011, available at www.hsgac.senate.gov/download/?id=483eca14-3c0e-4a30-9038-f4bf4a1fad60.
 Bruce Hoffman, Inside Terrorism (New York: Columbia University Press, 2006), p. 40.