Recent cyberattacks and hacks in America and Ukraine have exposed the vulnerability of some of the world’s most sophisticated cybersecurity networks. But what do we know about cyberterrorism, and how real is the threat to Australia?
The public imagination has been captured by the idea of terrorists potentially causing a massive loss of life, worldwide economic chaos or devastating environmental damage by hacking into critical infrastructure systems. Air traffic control centres, nuclear power stations, electricity grids, hospitals and stock markets are all seen as potential targets for acts of cyberterrorism.
The idea is not necessarily that a new breed of cyberterrorists will emerge; rather that Islamic State, al-Qaeda or another known terrorist group might develop the capacity to launch a devastating cyberattack. “In today’s world”, according to former US President Barack Obama, “acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer—a weapon of mass disruption.”
Weapons of mass disruption certainly sound like the next instalment of the global terrorist threat. However, the trend in recent terrorist attacks has been towards increasingly low-tech methods. We have seen acts of terror involving hostage situations, public shootings and vehicles driven into crowds of innocent holidaymakers. There is little to suggest that terrorist groups have the inclination, let alone the capability, to launch a major cyberattack.
So what do we know about cyberterrorism and how real is the threat to Australia?
What is cyberterrorism?
There is no universally agreed upon definition of cyberterrorism, but the term generally refers to an attack which uses electronic means (such as a computer worm, virus or malware) to penetrate and seriously interfere with critical infrastructure. Critical infrastructure means the facilities, services and networks which, if taken offline for an extended period, would create a serious risk to public health, the economy, the environment or national security.
Under Australian law, the definition of cyberterrorism is much wider. While we do not have a definition of cyberterrorism per se, we do have a legal definition of a terrorist act. Under this definition, a cyberattack would not actually need to interfere with critical infrastructure or cause serious harm for it to constitute an act of terrorism. Rather, seriously interfering with any electronic system for a political motive and to intimidate a government or the public would be sufficient. This differs from other countries’ legal definitions of terrorism, like Canada’s, which requires an attack to be against an essential service, facility or system.
Are terrorists likely to cyberattack?
The major threat of terrorism in Western countries is from individuals connected with or inspired by Islamic State (IS), the terrorist organisation which continues to control significant territory in Syria and Iraq. Recent attacks inspired by IS have employed brutal low-tech methods, including attacks with knives, machetes, guns and vehicles. Many attempted and planned attacks suggest a similar pattern.
In the twisted logic of terrorism, cheap and brutal methods make sense—why would a terrorist group spend potentially hundreds of thousands of dollars developing a computer worm to hack into an air traffic control system, when it can create sheer, widespread terror by stabbing an innocent person on a city street? In the insensitive though sadly accurate words of former Prime Minister Tony Abbott, all that is needed for an IS-style attack in Australia is “a knife, iPhone and a victim”.
Aside from the significant costs involved, a sophisticated cyberattack would also operate largely behind the scenes and could be more easily denied or explained away by government agencies. When publicity is a major aim of terrorist groups, planning a major cyberattack is an uncertain investment.
Given this, it is doubtful for the time being that cyberterrorism poses a significant threat to Australian interests. The Australian Cyber Security Centre (ACSC)—a joint initiative of Australia’s intelligence and cybersecurity agencies—wrote as much in its 2016 Threat Report. The ACSC reported that terrorist groups “currently pose a low cyber threat” and that their “cyber capabilities generally remain rudimentary”.
What we do know, on the other hand, is that terrorist organisations use the internet on a daily basis for a range of activities including propaganda, recruitment and communication. Islamic State has shown particular prowess in using social media to inspire vulnerable individuals around the world to join its cause. These uses of technology by terrorist groups pose major challenges and should remain the focus of cybersecurity efforts in counter-terrorism.
Sources of concern
Fears surrounding cyberterrorism are partly the result of media hype and popular culture—think of the cyber-doomsday scenarios in Die Hard 4.0, James Bond’s Skyfall, and many other recent films and TV shows. But they also reflect serious and realistic concerns about repeated cyberattacks by foreign interests.
In 2015, the secure networks of Australia’s Bureau of Meteorology and the Reserve Bank of Australia were compromised by cyberattacks from overseas. (China and Indonesia respectively were identified as the most likely culprits.) The 2016 census debacle was also caused by denial of service attacks from overseas, though those attacks did not compromise any sensitive data.
Cyberattacks which compromise secure government networks pose a serious and sophisticated threat. They may represent early attempts by foreign intelligence services to access sensitive data held by Australian government agencies and disrupt their services or at least embarrass them publicly. But they are not examples of cyberterrorism and to conflate these attacks with the threat posed by terrorist groups confuses two very different issues.
In a recent media article, these cyberattacks against Australian agencies were discussed alongside other diverse examples of hacking, including the targeting of Sony Entertainment by North Korea and the release of customer data from extramarital affairs websites. These were all discussed under the heading that terrorists would soon have the capacity to “wreak havoc” on Australian government networks. Such irresponsible reporting contributes to fears that terrorists are aiming to bring about ‘cyber-geddon’.
The possibility that terrorist groups could develop the capacity to launch a major cyberattack against critical infrastructure should be taken seriously. For the time being, this threat thankfully remains more hypothetical than real. What is needed in the meantime is a considered discussion and realistic appraisal of the diverse threats to Australia’s cybersecurity.
Keiran Hardy is a lecturer in the School of Criminology and Criminal Justice at Griffith University and a Member of the Griffith Criminology Institute.
This article is published under a Creative Commons Licence and may be republished with attribution.