Cyber-Terrorism; Fact or Fiction: By Eric Flis - February 2009

In today’s high tech world society is more reliant than ever on computers, networks and the internet. This is true from the more mundane tasks such as shopping online through to complex IT infrastructures that control a countries power supply through to military IT systems.In this paper the author will explore whether there is a greater risk of a cyber- terrorist attack rather than a more traditional style attack such as a suicide bomber. More specifically the author will explore the above in the context of Islamic extremists and whether a cyber attack would be used by groups such as Al Qaeda over their more standard Methods of Operation (MO).

There is no doubt that Islamic extremist groups such as Al Qaeda use IT systems to further their causes. In fact Al Qaeda has a media wing that specializes in getting their message out to its followers around the world. But this is a ‘support’ function in the scheme of things, the real question is would groups such as Al Qaeda use a cyber attack over that of known Methods of Operation such a suicide bombers and car/truck bombs.

No one would argue that a major cyber attack on countries IT critical infrastructures could, if directed at the right infrastructures bring a country to its knees, but there would most likely be a quick recovery due to in built redundancies which will be discussed later in the paper. The argument this author will put forward however is that Islamic extremist groups such as Al Qaeda and their ilk would likely not use a cyber attack as a main form of attack. They may use a cyber attack as part of a wider attack plan but the main attack would still take the form of what we have come to know as their methods of operation such as suicide bombers, car/truck bombs and kidnap.

The main reason this author believes the above to be true is that Al Qaeda and other Islamic extremists groups that follow similar doctrines require the ‘blood and guts’ to spread the fear they require and to get the media attention to further spread that fear. Not to mention that if a terrorist group that requires the media to spread its message were to knock out things such as TV and radio networks with an attack on IT and other communications infrastructures then their message goes no where and defeats the purpose of an attack or at the very least lessons the impact on a nations psyche. Effecting a countries psyche to persuade them to change policy in favour of extremist views is after all one of their main goals, the successful attacks on the Madrid train system is a perfect example of this. Not only were the attacks carried out successfully but they lead to a positive out come for the terrorists; withdrawal of Spanish military troops from Iraq and also affected a change of government within Spain.

If one were to analyze the types of attacks used since September 11th 2001 and types of attack plans that have been interrupted, one would find they all fit within Islamic extremists Methods of Operation; such examples as those attacks foiled here in Australia and the successful and unsuccessful attacks in Britain. There have been zero cyber attacks by Islamic extremists either carried out or interrupted, at least not which have been made public knowledge or been recognized as such. Based on this one would have to deduce we will continue to see the same type of attacks or variations on these type of attacks. All have been ‘conventional’ style attacks.

As stated previously this author is arguing that a cyber attack would not comprise an attack by Islamic extremists as a whole, however a cyber attack could be used to form part of a bigger or more wide spread plan. For example an attack on a countries power grid and communication infrastructure could delay response of first responders (Emergency Services) in the event of a large scale terrorist attack. Likewise taking out a nation’s air traffic control network could result in deaths itself or further a plan similar to the September 11, 2001 attacks, where aircraft could not be tracked and therefore intercepted by Airforce jets responding to the threat.

While the above is possible this author believes it would still be an unlikely scenario given the history of these groups. Attacks need to be violent and bloody to spread the fear they so badly crave and generate the media headlines across the globe. It is more likely that IT networks and infrastructures such as the internet will be used in supporting roles to plan and carry out the more ‘traditional’ style attacks we have seen from Islamic extremist groups.

It is more likely that we will see IT used in support roles such as media, communications, and research and planning. It is also likely to continue to be used in the recruitment of members and indoctrination of potential members of these groups.

Further to the above regarding research and planning, the internet is a very useful tool in intelligence gathering when researching a potential target. With the advent of online high resolution satellite imagery, visiting a targeted site can be kept to a minimum lessening the chance of a plan being discovered. This capability is even further enhanced with free services such as Google Earth, no payment is required therefore again lessening the chance of being discovered. This has recently been taken to a new level with Google Street View, a very useful tool in rout planning prior to an attack.

There are other supporting uses as well. Take for example the ability to gain access to real flight simulators through online portals or software purchase, this could allow terrorists to carry out similar attacks to September 11, 2001 without the need to attend flight school. Again this makes it all the more difficult to detect a potential terrorist plot.

The recent explosion in identity theft makes it likely that terrorists will use the internet to steal identities to enable them to gain access to various countries and avoid any terrorist watch lists or other unwanted attention. Other types of e-crimes such as credit card fraud and various internet frauds will be used to fund terrorist operations.

All of the above mentioned scenarios are supporting roles however and are not a main attack in and of themselves nor are they a spear head attack. They are either used in the pre-planning stage or form part of a wider strategy. It is unlikely a cyber attack will be used by Islamic extremist groups as the main form of attack such as may be seen in cyber warfare used by countries against countries.

While a large scale coordinated cyber attack could cripple a country and its economy; most if not all western countries have built in redundancies to protect major IT critical infrastructures. These would take the form of Business Continuity and Disaster Plans. Redundancies such as back up sites/data centres etc. also form part of these plans. So it is unlikely such a coordinated attack would be successful as they would not just have to take out the principal system but any back up sites and systems, which would be difficult as these back up sites are not necessarily advertised and public knowledge. If one were to use a more simplified scenario it could be likened to a power outage and the back up generators kick in to provide power. There may be a slight delay but then it is all systems go. The same can be said of such an attack on a nation’s critical IT infrastructure, there may be a delay in services returning however it would return with all critical data recovered.

To conclude, it is unlikely that Islamic extremists would use a cyber attack as a ‘terrorist attack’ alone. By this the author means a cyber attack will not become the MO of these groups and take the place of suicide bombers and the like. The main reason the author believes this as it just would not grab the same media attention as something like the September 11, 2001 attacks, the Bali bombings or the Madrid and London train bombings. All of which were catastrophic and caused many deaths and many more injured. And as discussed earlier affected changes in the case of the Madrid train attacks.

Rather than be the main form of attack, cyber attacks will play a supporting role in the pre-planning and operational phases of a more conventional style attack. Terrorist cell members may communicate through email or real time online chat rooms, message boards or programs such as MS Messenger or Skype. They may also use Google Earth and Google Street View to gather intelligence on targets. As well, accessing real flight simulators or even ‘real time’ shooter games that allow users to program real sites (white house, a school etc.) and practice an attack virtually to prepare for the real plan.

The author is by no means suggesting we should not protect our IT critical infrastructures because we certainly should, we would be negligent and irresponsible if we do not.

However we should not take our eye off the real and present threat of Islamic terrorist groups continuing to carry out conventional type attacks such as suicide bombers and car/truck bombs. History has shown that they have continued to use these and in this authors opinion will continue to do so as their main form of attack.