National and international security
Cyberterrorism
By Peter Grabosky and Michael Stohl*
Few terms in contemporary conventional discourse are used as loosely as ‘cyber’ and ‘terrorism’. Not surprisingly, their use together is hardly a guarantor of conceptual rigour. In this brief contribution, we seek to spell out what cyberterrorism is, and how it might be regulated.
To some, the term ‘cyber’ is synonymous with digital technology generally.
This is increasingly unhelpful given the pervasiveness of digital technology
in contemporary society. As kitchen appliances increasingly become
‘wired,’ almost everything will be digital. For present purposes, let us use
the term cyber to refer to those technologies commonly referred to as the
internet and the world wide web.
The term terrorism has been grossly abused, and means many things to many people. To some, it has almost become synonymous with anything evil. Since the cold war, the adage ‘one person’s terrorist is another’s freedom fighter’ has become hackneyed. The term terror was first used to describe the systematic use of violence and the guillotine by the Jacobin and Thermidorean regimes in France;1 that is, as an instrument of state control. Subsequent use of terror was discussed as an element of totalitarian dictatorships of the left and right.2 The systematic use of violence by non-state actors over the past two centuries has led to a broadening of the term. Today, the term is used to refer to an act or threat of violence to create fear and/or compliant conduct in a victim or wider audience for the purpose of achieving political ends.3
What, then, is cyberterrorism? For present purposes, let us accept
Dorothy Denning’s definition of cyberterrorism: “unlawful attacks against
computers, networks and the information stored therein when done to
intimidate or coerce a government or its people in furtherance of political
or social objectives.”4
Reform Issue 82 2003 Page 8
The key elements here are coercion and intimidation. One need only look to acts of ‘conventional’ terrorism to get a sense of what they entail. The September 11 attacks, the Bali bombing, the Sarin gas attacks in the Tokyo subway, and the recent Palestinian suicide bombings in Israel all involved dramatic use of violence. Is there a cyber equivalent?

To be sure, cyberspace is full of ones and zeroes designed to harass and annoy. Some readers would have seen examples of defaced websites of which the CIA’s may be the most notorious example.5 But US government websites are not unique targets of defacement. Pro-Pakistan defacements of Indian websites, and pro-Palestinian attacks on Israeli websites, are not uncommon.6 But this is hardly terrorism.

Most readers will have experienced some inconvenience as a result of the viruses such as ILOVEYOU, Melissa, and Code Red, or would have heard about the distributed denial of service attacks against Amazon.com, Yahoo, and other prominent e-commerce sites in February 2000. These activities were more than an inconvenience to some; collective losses to businesses around the world exceeded hundreds of millions of dollars. But harassment and annoyance, or indeed, financial loss, is not coercion and intimidation.

Can there be a cyber equivalent of the death and destruction produced by acts of terrestrial terrorists?

Attacks on critical infrastructure

In the digital age, it has become trite to suggest that everything depends on software. Much of the infrastructure on which modern societies depend (communications, electric power, water, transportation, financial systems) depends on digital technology.

More and more commercial activity occurs online. The increasing connectivity of computing and communications has increased our capacity to do good, and to impose harm. While some elements of critical infrastructure are connected to the internet, others are not. To the extent that they are connected, they are more vulnerable to attack.

One of the distinctive characteristics of internet and web-based technologies is the tremendous capacities they place in the hands of ordinary individuals. A person with ordinary computer skills can now communicate with millions of others, instantaneously, and at negligible cost. A teenager can halt commercial activity, and manipulate the price of shares traded on the stock exchange; the distributed denial of service attacks discussed above were the work of a 15 year old Canadian who called himself ‘Mafiaboy’.

In western industrial societies generally, and increasingly around the world, much national infrastructure is privately owned, which usually precludes centralised national control. Regardless of ownership, infrastructure connected to the internet is potentially accessible to skilled hackers. What this means is that some systems that support essential services in advanced industrial societies are vulnerable to attack. Although such attacks have yet to occur on a sustained and widespread basis, we have seen examples of significant damage occasioned by isolated attacks. In addition to the aforementioned viruses and distributed denial of service attacks, the annals of cybercrime include various acts of electronic theft where financial institutions have been victimised.7 A Massachusetts teenager succeeded in disabling communications to the air traffic control tower at Worcester Regional Airport in 1997.8

Not all attacks are the work of ‘outsiders’. Systems are also vulnerable to subversion by disgruntled employees, former employees, or contractors, for a variety of motives. It is important to emphasise that the CSI/FBI Computer Crime and Security Survey between 1996 and 2000 found that insiders topped the list of ‘likely sources’ of cyberattack with more than
80% of respondents citing them as a likely source. In the 2000 survey, 71% of the respondents reported insider unauthorised access incidents.9 In 2001 a person was convicted of hacking into the computerised waste management system of Maroochy Shire, Queensland, causing millions of litres of raw sewage to spill out into local rivers and parks.10 Although the individual in question appears to have been acting alone, to the extent that other ‘insiders’ are able and willing to act in concert with ‘outsiders’ (potential terrorists or otherwise), vulnerabilities may be greater.

If the potential to do harm in cyberspace were harnessed, concerted and concentrated on the critical infrastructure of one nation, one could envisage a scenario the consequences of which would approximate the effects of terrorism. Risk assessments have identified these contingencies as plausible, but to date, such an event has not occurred. As Denning suggests, for the time being, terrorists continue to prefer truck bombs over logic bombs.11

While attacks on critical infrastructure alone might not be regarded as terrorism, they could, when combined with traditional tactics, enhance the overall intimidating and coercive effect of a terrorist attack. For example, the detonation of a bomb, combined with a disruption of electric power supplies, air traffic control systems, or telephone services, would highlight multiple vulnerabilities and thus appear more fearsome.

Ancillary uses of cyberspace in furtherance of terrorism

While digital technology may not be the primary instrument of terrorists, they do use it for ancillary purposes. The internet is a wonderful medium of communications, fast and cheap. It is available to the vicious as well as to the virtuous. Terrorists can and do communicate with each other with great efficiency, and depending upon their ability to exploit the technology, their communications may be very difficult to detect and trace.

In addition to communications among themselves, terrorists can use the internet and web-based technologies to disseminate messages about their objectives. This expression can be symbolic (as in the case of website defacement), or it can be used in furtherance of propaganda, recruitment or fundraising.

Prevention

The first line of defence against terrorism, whether terrestrial or through cyberspace, is prevention. In the early days of Australian Federation, one could enter government buildings freely. Now the occupants of these buildings are required to display photo identification, and visitors usually must be escorted. Security is a design feature of public (and many private) buildings.

So it is with information systems. Even those organisations that have a large public clientele (such as those in the business of e-commerce or electronic banking) are well advised to safeguard systems, just as they would secure the front doors to the bank and the department store after business hours. An ideal system has firewalls and other filtering technologies to render it less vulnerable to cyberattack. It has audit routines to assess vulnerabilities, alarms that identify anomalous on-line behaviour, and systems administrators to ‘mind the store’. An ideal system for critical infrastructure and critical information also ‘air gaps’ the sensitive cybersystem by physically disconnecting it from the internet, making it inaccessible to outside hackers. Green argues that the US Department of Defense, the CIA’s classified computers and the FBI’s entire computer system are all ‘air gapped’ and that the Federal Aviation Administration receives high marks for separating its administrative and air traffic control systems and strictly air gaps the latter.12 A number of Australian systems are similarly protected.
Information systems are also vulnerable because of human factors. Negligent or malicious use of an organisation’s information system by employees can contribute significantly to the organisation’s vulnerability. A comprehensive information security system will entail careful staff selection and systematic training, including such mundane matters as password management and unauthorised use of the organisation’s information systems.

Systems vulnerability may also arise from less than impregnable software, much of which is designed for user-friendliness and convenience rather than for security. The common industry response is for manufacturers to structure their license conditions to avoid potential liability, then to make ‘patches’ available as vulnerabilities become apparent later on. Whether market forces will eventually drive the widespread development of ‘bullet-proof’ software remains to be seen.

Even in those countries where much infrastructure is privately owned, governments work hard to encourage cybersecurity. In Australia, the National Office for the Information Economy (NOIE) has developed an awareness program for owners of critical infrastructure.13 In the United States, the President’s Critical Infrastructure Protection Board has developed a National Strategy to Secure Cyberspace.14

Despite these safeguards, it is generally acknowledged that most nations suffer from a lack of a comprehensive knowledge base regarding breaches of information security. Organisations in the private sector are often reluctant to share their experiences of cyberattacks, for fear of adverse publicity.

To overcome this understandable reluctance to report one’s vulnerability, it has been suggested that ‘reporting’ communities be created within industry sectors. These ‘communities of trust’ would develop appropriate reporting routines, using software that makes the ‘location’ of the attack anonymous but immediately reports the attack to the community security managers who can provide immediate warning to the IT security people at the other locations. The establishment of such a trusted information-sharing network was announced by the Australian Government in 2002.15 There is still a lot of trust-building to be done, however, and legislation may be required in order to overcome legal impediments to such cooperation within industry.

The adequacy of legal safeguards

Is the law adequate to combat cyberterrorism? Most technologically advanced nations have now criminalised those categories of conduct that would serve as the vehicle for a cyberterrorist attack. In Australia, the Cybercrime Act 2001 (Cth) created a number of offences relating to computer systems, including:

• unauthorised access, modification or impairment to commit a serious offence;
• unauthorised modification of data to cause impairment;
• unauthorised impairment of electronic communication;
• unauthorised access to or modification of restricted data;
• unauthorised impairment of data held in a computer disk, credit card or other data storage device;
• possession of data with intent to commit a computer offence; and
• production, supply or obtaining of data with intent to commit a computer offence.

The law is sufficiently broad to embrace both ‘ordinary’ cyber-criminality (such as hacking, the release of viruses, etc) and the more serious manifestations of crime that might attract the label of cyberterrorism. Importantly, the Act extends jurisdiction to situations where the conduct constituting the offence occurs wholly or partly in Australia or on board an Australian ship or aircraft, or where the result of the conduct constituting the offence occurs wholly or partly in Australia or on board an Australian ship or aircraft.

In the United States, the National Information Infrastructure Protection Act of 1996 protects the confidentiality, integrity, and availability of systems and information. These amendments to The Computer Fraud and Abuse Act, 18 U.S.C. § 1030 strengthened the law prohibiting computer intrusion, trespass, communication of threats, and occasioning damage.16

Whether procedural laws are in place that would permit expeditious real-time investigation of a cyberterrorist attack may be another matter. Australia, the nations of the G-8, and a few other countries have all established 24/7 contact points, where law enforcement specialists can obtain assistance from their counterparts in participating countries at any time of the day or night without having to go through formal (and very time consuming) processes of mutual assistance. The problem is compounded when attacks are routed through servers in a number of different nations.

Whether these measures function imperfectly or not at all, some interesting legal issues exist. Assume a critical system is under attack. The attack apparently originates in a country whose authorities are (for whatever reason) not available to assist. To what extent can Australian authorities remotely access the computers in self-defence or in furtherance of an investigation? The legality of such arrangements may not always be clear. To send a team of investigators without authorisation to ‘Country B’ to conduct a criminal investigation or to interdict a criminal enterprise, would constitute a violation of ‘Country B’s’ sovereignty. This principle would appear to apply to investigations in cyberspace no less than on the ground.

Government agencies are limited by law in their conduct of investigations. While the Australian Security Intelligence Organisation (ASIO) has powers to remotely access computers (under the authority of a warrant signed by the Attorney-General of Australia), the ASIO Act explicitly forbids deletion or alteration of data, or “the doing of any thing, that interferes with, interrupts or obstructs the lawful use of the target computer by other persons, or that causes any loss or damage to other persons lawfully using the target computer.”17

Australian law nevertheless offers some protection to certain authorised investigators. The Cybercrime Act 2001 created a new section of the Criminal Code (s 476.5(1)) under which a staff member of the Australian Secret Intelligence Service (ASIS) or the Defence Signals Directorate (DSD) is not subject to any civil or criminal liability for any computer related act done outside Australia if the act is done in the proper performance of a function of the agency.18

In most jurisdictions, response by a private citizen to an attack by ‘counter-hacking’ is discouraged because the true originator of the attack may have masked his or her identity or, indeed, assumed the identity of an
innocent third party. Counter-hacking, in other words, risks substantial collateral damage. Nevertheless, one imagines that considerable thought is being given to the use of digital technology in pre-emptive or ‘hot pursuit’ situations by authorised government agents. In February 2003, it was reported that President Bush had signed a secret order allowing the US government to develop guidelines for cyberattacks against foreign computer systems.19

The legality of remote, cross-border searches or retaliatory activity in response to apparent cyberterrorism, or even in response to more conventional cybercrime, is an area of law that remains muddy. It will be fertile ground for law reformers.

* Professor Peter Grabosky is based at the Research School of Social Sciences at the Australian National University. Professor Michael Stohl is a professor of communications at the University of California, Santa Barbara.

Endnotes

1. M Stohl, “Demystifying Terrorism: The Myths and Realities of Contemporary Political Terrorism” in M Stohl (ed), The Politics of Terrorism (3rd ed), (1988), Marcel Decker, New York.

2. C Friedrich and Z Brzezinski, Totalitarian Dictatorship and Autocracy (1965), Harvard University Press, Cambridge MA.

3. M Stohl, ibid.

4. D Denning, ‘Cyberterrorism’ Testimony before the Special Oversight Panel on Terrorism, Committee on Armed Services, U.S. House of Representatives, 23 May 2000, Terrorism Research Center, <http://www.terrorism.com/documents/denning-testimony.shtml>, 7 January 2003, 10.

5. <http://www.unc.edu/courses/jomcl91/cia/cia.html>, 7 January 2003.

6. M Vatis, Cyber Attacks During the War on Terrorism: A Predictive Analysis (2001), Institute for Security Technology Studies, Dartmouth College, Hanover New Hampshire.

7. P Grabosky, R Smith and G Dempsey, Electronic Theft: Unlawful Acquisition in Cyberspace (2001) Cambridge University Press, Cambridge UK.

8. CNN, ‘Teen hacker faces federal charges: Caused computer crash that disabled Massachusetts airport’ 18 March 1998, <http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/>, 10 January 2003.

9. R Power, Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace (2000), Indianapolis: Que, a division of Macmillan, USA, 179.

10. L Tagg, ‘Aussie hacker jailed for sewage attacks’ Iafrica.com, 1 November 2001, <http://cooltech.iafrica.com/technews/archive/november/837110.htm>, 19 February 2003.

11. D Denning, ‘Cyberwarriors: Activists and Terrorists Turn to Cyberspace’ (2001) 23(2) Harvard International Review 70-75.

12. J Green, ‘The Myth of Cyberterrorism’ Washington Monthly Online, Jan/Feb 2003, <http://www.washingtonmonthly.com/features/2001/0211.green.html>, 19 February 2003.

13. <http://www.noie.gov.au/projects/confidence/Protecting/index.htm>, 15 February 2003.

14. <http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf>, 15 February 2003.

15. D Williams and R Alston, ‘Protecting Australia’s Critical Infrastructure’ Media Release, 29 November 2002, <http://nationalsecurity.ag.gov.au/www/attorneygeneralHome.nsf/Web+Pages/E078BAC9BA04FEBCCA256C800012C461?OpenDocument>, 16 February 2003.

16. Computer Crime and Intellectual Property Section, US Department of Justice, ‘Legislative Analysis of the 1996 National Information Infrastructure Protection Act’ (1997) 2 Electronic Information Policy & Law Rep 240, 240.

17. Australian Security Intelligence Organisation Act 1979 (Cth), s 25A(5).

18. Department of the Parliamentary Library, ‘Intelligence Services Bill 2001’ (2001), Bills Digest No.11, 2001-02, <http://www.aph.gov.au/library/pubs/bd/2001-02/02bd011.pdf>, 17 February 2002.

19. Associated Press, ‘Bush order OKs attacks on foreign computers: Defense Department cleared for cyber war’ Knox News, 10 February 2003, <http://www.knoxnews.com/kns/tech/article/0,1406,KNS_8976_1733748,00.html>, 15 February 2003.