Policy

Cyberterror: Who Cares?

|

Peter W. Singer at the Brookings Institution site has some calming words about "cyberterror":

About 31,300. That is roughly the number of magazine and journal articles written so far that discuss the phenomenon of cyber terrorism.

Zero. That is the number of people that who been hurt or killed by cyber terrorism at the time this went to press.

…Taking down hydroelectric generators, or designing malware like Stuxnet [a product of governments, not stateless terrorists] that causes nuclear centrifuges to spin out of sequence doesn't just require the skills and means to get into a computer system. It's also knowing what to do once you are in. To cause true damage requires an understanding of the devices themselves and how they run, the engineering and physics behind the target.

The Stuxnet case, for example, involved not just cyber experts well beyond a few wearing flip-flops, but also experts in areas that ranged from intelligence and surveillance to nuclear physics to the engineering of a specific kind of Siemens-brand industrial equipment….

As George R. Lucas Jr., a professor at the U.S. Naval Academy, put it, conducting a truly mass-scale action using cyber means "simply outstrips the intellectual, organizational and personnel capacities of even the most well-funded and well-organized terrorist organization, as well as those of even the most sophisticated international criminal enterprises."

With the usual hemming and hawing about how, well, they are certainly malign people and who the hell knows what cyberdamage our phantom enemies might cause, Singer notes:

But so far, what terrorists have accomplished in the cyber realm doesn't match our fears, their dreams or even what they have managed through traditional means.

The only publicly documented case of an actual al-Qaida attempt at a cyber attack wouldn't have even met the FBI definition. Under questioning at Guantanamo Bay, Mohmedou Ould Slahi confessed to trying to knock offline the Israeli prime minister's public website. The same goes for the September denial-of-service attacks on five U.S. banking firms, for which the Islamist group "Izz ad-Din al-Qassam Cyber Fighters" claimed responsibility. (Some experts believe the group was merely stealing credit for someone else's work.) The attacks, which prevented customers from accessing the sites for a few hours, were the equivalent of a crowd standing in your lobby blocking access or a gang of neighborhood kids constantly doing "ring and runs" at your front doorbell. It's annoying, to be sure, but nothing that would make the terrorism threat matrix if you removed the word "cyber." And while it may make for good headlines, it is certainly not in the vein of a "cyber 9/11" or "digital Pearl Harbor."

Still, such phantom fears of that digi-Pearl Harbor help push bad laws like the Cyber Intelligence Sharing and Protection Act (CISPA) through the House of Representatives earlier this year.