Terrorist Use of Cyberspace

Overview
Terrorist use of cyberspace is growing, both in reliance on it to support organizational activities and in gaining the expertise to achieve operational goals. While no publicly accessible report has been published regarding a confirmed cyberterrorist attack against the United States, the possibility of one exists. Tighter physical and border security may encourage terrorists and extremists to try to use novel weapons to attack the United States. Persistent Internet and computer security vulnerabilities, which have been widely publicized, may gradually encourage terrorists to continue to enhance their computer skills, or develop alliances with criminal organizations and consider attempting a cyberattack against U.S. critical infrastructure, facilities, and activities that support global security interests.

Cyberterrorists are state-sponsored and non-state actors who engage in cyberattacks to pursue their objectives. Transnational terrorist organizations have used the Internet as a tool for planning attacks, for radicalization and recruitment, as a method of propaganda distribution, as a means of communication, and for disruptive purposes.

It has been demonstrated that critical life-sustaining control systems can be accessed and destroyed via the Internet. In 2009, the Department of Homeland Security (DHS) conducted an experiment that revealed some of the vulnerabilities in the nation’s control systems that manage electric power generators and grids. The experiment, known as the Aurora Project, entailed a computer-based attack on a power generator’s control system that caused operations to cease and the equipment to be destroyed. Cyberterrorists may be seeking a destructive capability to exploit these types of vulnerabilities in critical infrastructure, but progress toward this goal is uncertain. As noted in March 2017 by then-Federal Bureau of Investigation (FBI) Director James Comey, “terrorists have not yet figured out how to use the Internet as an instrument of destruction ... eventually these knuckleheads will.”14

There is no consensus definition of what constitutes cyberterrorism. The closest in law is found in the USA PATRIOT Act statute governing “acts of terrorism transcending national boundaries,” which includes in its definition of a “federal crime of terrorism” some violations of the Computer Fraud and Abuse Act (CFAA).15 One portion of the CFAA referenced by the USA PATRIOT Act makes it illegal for an entity to:

"knowingly [access] a computer without authorization or exceeding authorized access, and by means of such conduct ... [obtain] information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data ... with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation....16"

The other CFAA provision referenced in the USA PATRIOT Act prohibits transmitting "a program, information, code, or command" to certain computers (including all government computers and most private ones) and thereby intentionally causing unauthorized damage.17

Some cyberwarfare experts define cyberterrorism as “the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.”18 The USA PATRIOT Act’s definition of “federal crime of terrorism,” with its inclusion of certain CFAA violations as predicate acts, has some similarities to this definition, though the statute is limited to only those attacks with political objectives.19 However, these provisions are also criminal statutes and generally refer to individuals or organizations rather than state actors.

Naval Postgraduate School defense analyst Dorothy Denning’s definition of cyberterrorism focuses on the distinction between destructive and disruptive action. Terrorism generates fear comparable to that of physical attack, and is not just a “costly nuisance.” Though a DDoS attack itself does not yield this kind of fear or destruction, the broader issue is the potential for second- or third-order effects. For example, if telecommunications and emergency services were completely dismantled in a time of crisis, the effects of that sort of infrastructure attack could potentially be catastrophic. If an attack on the emergency services system were to coincide with a planned real-world event, then cyberterror may be an appropriate metaphor. However, in this case, the emergency service system itself would most likely not be a target, but rather the result of collateral damage to a vulnerable telecommunications network.

There are a number of reasons that may explain why the term “cyberterrorism” has not been statutorily defined, including the difficulty in identifying applicable activities, whether articulating clear red lines would demand a response for lower-level incidents, and retaining strategic maneuverability so as not to bind future U.S. activities in cyberspace.