www.css.ethz.ch

New York, 28 June 2006

Myriam Dunn

CENTER FOR SECURITY STUDIES

Swiss Federal Institute of Technology (ETH Zurich)

Cyber-Terror Looming Threat or Phantom Menace?

www.css.ethz.ch

What is the Problem?

“We are at risk. Increasingly, America depends on computers. [...] Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb”

National Academy of Sciences, “Computers at Risk”, 1991

“In my opinion, neither missile proliferation nor weapons of mass destruction are as serious as the threat [of cyberterrorism]"

Curt Weldon (R-Pennsylvania), 1999

"[Attacks against the US banking system] would devastate the United States more than a nuclear device let off over a major city"

Robert Bennett (R-Utah) , 2001

"Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks"

Letter sent to President Bush by Richard Clarke and

more than 50 top computer scientists, 2002

www.css.ethz.ch

Hypers vs. De-hypers

“Hypers” assume vicious attacks that wreak havoc and paralyze whole nations to be imminent

“De-hypers” (usually more technically educated political advisors and journalists)

point to the practical difficulties of a serious cyber-attack, question the assumption of critical infrastructure vulnerabilities, point to unclear benefits of cyber-attacks for terrorist groups.

Despite this caution, however, even de-hypers contend that one “cannot afford to shrug off the threat” (Denning, 2001)

due to unclear and rapid future technological development dynamic change of the capabilities of terrorism groups

www.css.ethz.ch

Fact or Fiction?

Due to too many uncertainties, experts are unable to conclude whether cyber-terror is fact or fiction

Or, since they are unwilling to dismiss the threat completely, how long it is likely to remain fiction

There is no empirical evidence that would help to overcome this problem

Data on vulnerabilities is patchy No consolidated statistics regarding computer-based threats or incident rates existIntrusion detection technology limitedLack of baseline knowledge of normal activity on critical networked systemsConcrete intelligence data (which non-state actor is likely to employ cyber-tools as an offensive weapon at what point in time and for what reasons?) unavailable

www.css.ethz.ch

Reality Check

Cyber-attacks and cyber-incidents

cause major inconvenienceshave cost billions of dollars in lost intellectual property, maintenance and repair, lost revenue, and increased security

But: whether they constitute a national security threat is highly controversial!

Reason: All doomsday scenarios of cyber-attacks that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory

www.css.ethz.ch

Cyberterror – A Comparison of Definitions

Very little reflection on the implicit underlying notions of terrorism that influence the cyber-terror definitions

Two main areas in which clarification is frequently sought

To resolve the confusion between cyber-terrorism and cyber-crime

Lack of clear definitions of the two phenomena reflects a general confusion between the two terms

To make a clear distinction between a) terrorist use of computers as a facilitator of their activities, and b) terrorism involving computer technology as a weapon or target

www.css.ethz.ch

Cyberterror – A Definition

To be labeled cyber-terrorism, cyber-incidents must

be mounted by sub-national terrorist groups, be aimed at parts of the information infrastructure, instill “terror” by effects that are sufficiently destructive or disruptive to generate fear, and must have a political, religious, or ideological motivation.

According to this definition, none of the larger and smaller disruptive “cyber”-incidents that we have experienced in the last couple of years have been examples of cyber-terrorism!

www.css.ethz.ch

The Puzzle

Despite the fact that cyber-terror has not truly manifested itself as a threat, it is treated as if it were

The US government (and other governments), considers

the threat to national security to be real, has extensively studied various aspects of cyber-threats, and spends considerable sums on various countermeasures

We observe the firm establishment, worldwide proliferation, and persistence of a “virtual” threat image on the national security agenda (truly society-threatening incidents remain mere scenarios)

Question: On what basis are countermeasures drafted if there is no real world experience?

What factors are decisive for making threats (potential) national security threats in the eyes of key actors?

www.css.ethz.ch

Theory of Threat Politics I

Copenhagen School of Security: Issues become a security issue not necessarily because a real existential threat exists, but because the issue is successfully presented as such a threat by key actors in the political arena (=securitization)

Securitization studies aim to gain an understanding of who securitizes (the actor), on what issues (the threat subject), for whom (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure/institutions)

Threat framing: process whereby particular agents develop specific interpretive schemas about what should be considered a threat or risk, how to respond to this threat, and who is responsible for it

Features of the threat frame are decisive for whether issues make it on the security agenda or take on societal prominence

www.css.ethz.ch

Theory of Threat Politics II

Threat Politics: The political process that a) moves threats onto the political agenda, b) removes threats from the agenda, or c) alters the face of threats on the political agenda

When a condition turns into a problem that threatens national security in the eyes of professionals of security the first threat frame emerges If an event changes beliefs or resources of professionals of security then a reframing of the threat frame is initiated new discourse strands are interlinked or decoupled by referencing (seeking to establish linkages with existing terms

The broader the range of threat subjects in threat frame the more likely the threat frame will emerge as winning

The more the referent object is about domestic and social well-being the more likely the threat frame will emerge as winning

The more urgent the motivational call the more likely the threat frame will emerge as winning

www.css.ethz.ch

Policy Windows – Examples

Phase I: Securitization / Initial Threat Framing

Hacking, Phreaking, insecurityViruses and Worms (e.g. Morris)„Cuckoo‘s Egg“ Incident (1987)„Computers at Risk“ (1991)

Phase II: Re-framing

Oklahoma City BombingAfterwards: cyber-threats and critical infrastructures interlinked“wake-up call”

www.css.ethz.ch

Cyber-terror Threat Frame I

Cyber-threats constructed as a threat to society’s core values, especially national security, and to the economic and social well-being of a nation

Very broad and indeterminate framing of threat subject underscores a perspective of vulnerability, uncertainty, and insecurity

Image of cyber-terrorist and that of larger set of cyber-perpetrators are not separated in official statements (hacker=terrorist)

Introduction of numerous non-state enemies as threat subjects abolishes distinction between

internal and external threats the private and public spheres of action

Characteristics imply that boundaries between civil and military spheres of action are dissolved

www.css.ethz.ch

Cyber-terror Threat Frame II

Cyber-terror frame combines two of the great fears of the late 20th century

Fear of random, incomprehensible, and uncontrollable victimizationDistrust or outright fear of computer technology

Technology is feared because it is seen as complex, abstract, and arcane in its impact on individuals

Notion of technology being “out of control”, a recurring theme in political and philosophical thoughtStrengthened by increase in “connectivity” that the information revolution brings

www.css.ethz.ch

Conclusion

The main problem with the concept of cyber-terror is the terror suffix

Cyber-terror is not the main problemCan be easily turned into profit engine

Should aim to “de-securitize” the issue to allow more leeway (interpretation and actual politics)

Focus on economic aspects of cyber-security

Help to overcome “free rider” problemHelp to create a market for cyber-security, which could reduce much of the insecurity of the information infrastructure