The vulnerability of U.S. telecommunications and other infrastructure targets led to hearing before Congress, numerous reports and books, and grist for the "technothriller" novel industry. The relative weakness of U.S. infrastructure and information systems to terrorist attacks is a necessary, but not sufficient condition for information age terrorism, which this thesis has grouped into conventional terrorism, technoterrorism, and cyberterrorism. Conventional terrorism will continue to operate exclusively in the physical world. Technoterrorism will operate in the physical world to create a cyberspace disruption and cyberterrorism will operate exclusively in cyberspace. To address the level of threat posed by these types of terrorism, this thesis has examined some weaknesses in the system, and also the possible motivation for the use of information warfare by terrorism. While weaknesses and vulnerabilities may exist in the system, and the tools to exploit these weaknesses may be developed or purchased by terrorists in the future, the present concern over an "electronic Pearl Harbor" may be slightly off base.
Information warfare tactics do not create terror in the same way as conventional terrorist tactics. As such, a shift in the definition of terrorism is required to group cyberterrorism with conventional terrorism. Including cyberterrorism in the overall category of terrorism allows scholars and policy makes to place this new threat into a known framework that provides the foundation for further study and the development of prevention and response measures. Building on classic terrorism, cyberterrorism may shift toward a more "demassified" threat with shifting state sponsorship. The purpose of this new type of terrorism may be to send a very specific message via disruption of systems as opposed to destruction of property and the killing of citizens. New technology will expand the struggle between terrorists and counter-terrorist forces into cyberspace where "classic" offense, defense, and deterrence do not exist. Instead, both sides will be forced to deal with the new opportunities and drawbacks that exist in cyberspace. The experience of both the business community and the U.S. government is valuable in determining how to combat his new threat. An effective combination of this collective experience will provide the best solution to the problem of countering cyberterrorism.
An examination of the elements of terror and symbolic violence highlighted the value of physical violence in the creation of terror. While not as effective in inducing terror, information warfare tactics allow tomorrow's terrorist to cause great disruption without physical harm to individuals. The violence of the cyberterrorist exists exclusively in the virtual world of cyberspace. While conventional terrorism will still involve physical destruction of property and human life, cyberterrorism will utilize cyberviolence and "virtual" destruction of data in cyberspace. While directly causing no casualties, this action will still fulfill the goals of advertising, morale building, disorientation, and response provocation. Some cyberterror actions, such as attacking safety or control systems (avionics, air traffic control, etc.) have the potential to create cascading failures that will lead to loss of life. Cyberterrorists will in many cases, have the option of including destruction along with disruption to create terror and a more permanent result. While we have yet to see the combination of political motivation and criminal activity in cyberspace, we cannot disregard the potential of this type of terrorism.
Information warfare tactics allow a terrorist group to operate without the support of a large terrorist organization or a wealthy state sponsor. In addition, terrorists will utilize the emerging cryptography and global telecommunications system to climb out of the "dragonworld" of covert communications as described by J. Bowyer Bell and enhance their ability to communicate in a secure fashion with members scattered across the globe. These tactics may have several effects on future terrorist organizations.
First, terrorist groups may become more "demassified." In The Third Wave, Alvin Toffler describes how society is shifting away from large, centralized organizations to smaller, more distributed elements. The ability to steal $10 million electronically overnight, and the ability to exercise command and control utilizing "off the shelf" commercial technology may sound the death knell for state sponsored terrorism. Groups that formerly took direction and were controlled or supported by state actors, will now move into cyberspace, supporting themselves through criminal activities and removing the need for basing by becoming distributed organizations around the world. This lack of state control and funding will remove one of the key elements in present counter-terrorism planning-the punishment or coercion of the sponsoring state. The freedom from state imposed restraints will also allow terrorists to target all states in the future, not only those directed by the sponsor.
The lower level of support required to execute a cyberterrorist strategy may have the opposite effect, actually increasing state sponsorship. Poor states that did not have the means to support an international terrorist organization are now becoming connected to the world via the Internet and new telecommunications systems. Argentina, Iran, Peru, Egypt and the Philippines had the highest percentage growth in Internet connections from July to October of 1994. Each experienced growth ranging from 419% to 134%.120 All regions of the world do not match these numbers. Africa has 35 of the world's least developed states tin terms of telecommunications, an essential ingredient for connectivity with the rest of the world. Over the last 10 years, Africa has had the lowest growth in teledensity, the number of main telephone lines per 100 inhabitants. It was estimated to be .91 in 1991. States such as Sweden, with an index of 68, Switzerland, Canada, Denmark, Finland, and the United States, all with indexes in the 50s, lead the world in teledensity.121 The increasing numbers of connections from states that have sponsored terrorism in the past, such as Iran, as well as those that have not, is a new threat. These states may view cyberterrorism as an ideal tool with which to strike the information dependent first world. Cyberterrorism may also appeal to states as it has the added benefit of plausible deniability. There will be no large money, material, or communications "trail" to lead back to the sponsor state.
While the world (and terrorist groups) are demassifying, industry and business are pursuing more "targeted" production and advertising. This strategy attempts to focus the manufacturing and selling of products to a select audience. Technology is emerging to allow advertising to just those customers who are most likely to purchase a product. Terrorists in the information age may also mirror this trend, with new techniques and weapons that allow them to affect a target audience without resorting to violence against the general population. This technology also allows a terrorist message or action to affect many more people than was possible before. Thus, the "target" for terrorism can be as large or as small as the terrorist sees fit. The growing, worldwide, interconnectedness of individuals and organizations may change the role played by the media in past terrorist events. While terrorists have staged many events in the last 25 years to garner maximum worldwide media attention ('72 Olympics, World Trade Center bombing, Airplane hijackings), the exponential growth of the Internet and the introduction of Direct Broadcast Satellites with more than 500 channels and an 18" receive dish may allow terrorists to formulate, create, and distribute their own "news" to millions around the globe. The role of computers and fax machines in the Tiananmen square uprising is well documented. The Zapatista rebel organization in Mexico used the Internet and World Wide Wed extensively to promote their cause and get their "message" to sympathetic audiences around the world.
The final change that information warfare tactics may bring to terrorism is a shift in terrorism itself. In the future, terrorist organizations may move toward tactics that attempt to achieve the terrorist goals without physical violence. This corresponds to the current thinking about the future of warfare. John Arquilla and David Ronfeldt have stated:
Warfare is no longer primarily a function of who puts the most capital, labor, and technology on the battlefield, but of who has the best information about the battlefield. What distinguishes the victors is their grasp of information, not only from the mundane standpoint of knowing how to find the enemy while keeping it in the dark, but also in doctrinal and organizational terms.122
In the information age, shifting the definition of terrorism to include violence in cyberspace may be necessary, where electrons, not people are attacked, in the same manner as physical violence is presently included.
Despite these changes, many "classical" terrorist organizations motivated by "conventional" objectives will remain viable. Terrorist groups, regardless of their level of sophistication, will adhere to the logic of symbolic violence and the creation of terror. While it is likely that conventional terrorist groups will evolve into hybrid groups employing both violence and information warfare cyberviolence, we may see the creation of new and unique terrorist organizations unlike those of the past, where close personal ties and ideology were necessary to maintain security. The terrorist organization of the future may not have any "homeland" other than cyberspace. While it is difficult to track selected individuals in just one country or region, tracking a small number of individuals who could be anywhere on the globe, who can communicate in a secure and instantaneous fashion with each other, is likely to pose an order of magnitude increase in the problem.
The "information age" provides many tools to assist in countering conventional terrorism. It also presents a host of new problems associated with countering techno and cyberterrorism. The standard offense/defense and prevention/preemption/disruption dynamics of counter and anti-terrorism in the physical world do not have direct counterparts in cyberspace. In the virtual world, a small number of individuals, with the right information, are as powerful as large state actors. The "balance of power" in cyberspace can shift in a matter of seconds, with the insertion or deletion of several lines of code to a program, or the installation of a new security protocol. The lessons from past conventional counter and anti-terrorism tactics are only of limited value in understanding the effectiveness of offense and defense in cyberspace.
a. Offense and Defense in Cyberspace
The initiative in cyberspace does not necessarily rest with those pursuing an offensive strategy. In keeping with conventional terrorism, it is the terrorist group that normally attempts to seize the initiative by launching an offensive attack on a symbolic target. This attack is usually meant to undermine the belief that the government can protect its citizens. The government is then forced to reexamine and often change the way it attempts to maintain security. In cyberspace, no government has promised to guarantee "safety and security" as they have in the physical world. In the anarchic world of cyberspace, each individual serves as their own sovereign state. The government has addressed the security of individuals only in limited form, with passage of several laws concerning computer security. The commercial sector has attempted to defend the individual with the introduction of virus detection and encryption programs. Neither business nor government has advocated an offensive posture against computer hackers and potential cyberterrorists. The focus has, out of necessity, been directed toward defense. The use of offensive tactics would work well if the enemy could be unambiguously identified. A skilled cyberterrorist can make the identification of those responsible, a cornerstone of conventional U.S. counterterrorism policy, exponentially more difficult in cyberspace. Even if an attacker in cyberspace can be identified, the range of responses open to the defender is somewhat limited. In the case of an unsophisticated hacker or criminal, access to the network can be denied.
The problems posed by the emergence of cyberterrorism mirrors many of the problems presented by information warfare between states. What is the correct balance between U.S. government protection and commercial sector protection? The possible solutions run the gamut from a completely government to a completely commercial protection of information. The best solution will likely lie somewhere between these two poles.
The U.S. government, through a variety of agencies is responsible for the vast majority of counter and anti-terrorism activities and policies in the United States. Governments meet with other states to negotiate cooperative agreements concerning the prosecution of terrorists and their sponsor states. The U.S. military has been utilized on several occasions to respond to terrorism and signal the resolve of the United States to counter terrorism by force if necessary. This situation is not mirrored in cyberspace, where borders are meaningless and international standards are generally set by multinational technical committees with little government input. The nature of cyberspace creates several fundamental questions. While the government is committed to defending the rights of U.S. citizens in the physical world, with force if necessary, it has not made the same sweeping commitment to its citizens in cyberspace. The concept of being an "American" in cyberspace rapidly loses any meaning with the explosion of international connections to the Internet. While a computer may be physically located in the United States, the majority of its users may reside in another country. Should the U.S. government defend the rights of these individuals in cyberspace in the same manner as "official" U.S. citizens?
The actions taken by individuals and industry to combat the "hacker threat" are, at present, the best response to a portion of the terrorist information warfare threat. As we have seen, the confidentiality, integrity, and availability of data are critical in the information age. The growing ubiquity of encryption, with products such as Netscape offering 128 bit encryption of U.S. transactions raises the threshold to a level where it is not remotely cost effective to attempt to "brute force" decrypt a message for its contents. With the further introduction of smart cards and random password authentication, plus the addition of new communication protocols that prevent "spoofing" or fooling the network into thinking you are someone else, the confidentiality of data is becoming a reality. The new protocols, used with encryption and "digital signatures" will ensure the integrity of data as well. The availability of data remains a lucrative target for cyberterrorists at present. This target is rapidly disappearing with the growing redundancy of communications paths that are becoming available to data. The loss of one ATM network did not cause a shutdown of all the ATMs in the United States, rather, it only affected about 2% of ATM users. In several years, with the addition of global cellular communications equipment, the paths that data will have from point A to B will be redundant to a point where a terrorist could not disable all of them at once.
All of the above actions were driven by the commercial sector, not by the government. We have entered an age where the military and the government no longer have the capability to develop technology and give the "spin-offs" to the commercial sector. Rather, the commercial sector has taken the lead in innovation and development of technology and the government and military are constantly trying to "spin-on" this technology by adapting civilian products to military use. This has leveled the playing field in cyberspace, for a cyberterrorist has the same access to this technology as the government.
A composite Government/commercial response may be the most beneficial in protecting against a cyberterrorist threat. The networks of the United States can be viewed in much of the same manner as postal routes. There are laws that protect the individual from unauthorized tampering with mail while it is in transit to its recipient regardless of the carrier (U.S. Postal Service, Federal Express, United Parcel Post, etc.). Senders of an authorized package have every right to assume that the government will ensure that their package is delivered intact and unopened to its final destination. In extreme cases, such as letter bombs and illegal materials being sent, the government becomes involved in tracking and prosecuting those who abuse the system at the expense of public safety or in violation of the law. Materials that are detrimental to the national security of the United States naturally receive much attention from Federal authorities. It is up to the sender of each package to ensure that they properly wrap it for shipment. If it is information that is unimportant, they can send it on a postcard, with the writing openly visible to anyone who may see the card. The more sensitive the information, the more tightly wrapped the package becomes. Encryption serves as the "wrapping" on the message sent out via public networks. The more sensitive or important the information, the higher the level of encryption required to ensure that the message will be authentic and intact when it reaches its destination. While unencrypted E-mail may be adequate for some matters, other correspondence will require increasingly higher levels of classification for protection. With the diffusion of encryption technology, it will become increasingly easy to ensure confidentiality of all messages. In the postal analogy, the government does not guarantee service by all companies in the delivery service. Rather, it maintains a level of general safety in which all can operate. Thus, both public and private utilities and telecommunications carriers can expect the government to become involved when a major problem occurs. While each company is responsible for "low level" problems, such as routine security at warehouses and the collection of overdue bills, the government will assist in correcting "high level" problems where lives are at stake due to the content of the material being shipped. The government, in effect, protects the individual from the carrier and the carrier from the individual.
The difficulty in the age of information is determining what constitutes a cyberspace letter bomb and how it is different from a benign cyber-postcard. Where is the level between "low level" and "high level" problems to be drawn? The anarchic nature of cyberspace has prevented any attempts at close regulation abbey the government (witness the Clipper chip controversy). Every individual must take a certain level of responsibility for their own "safety" in cyberspace. While U.S. citizens have a reasonable expectation of security within the borders of the United States, the ability of the U.S. government to protect them decreases as they venture further abroad. The same is true in cyberspace, where a user in a closed network had a reasonable expectation of security. As soon as users connect that network to the Internet, it is open for attack by anyone. It is up to the user to prevent low level attacks by "locking his doors" and following good computer security practices. In so doing, a computer user can defeat all but the most advanced opponents in cyberspace. In cases where in the information is deemed to be sufficiently important, the government can be called in to assist in defense of that information and its associated network.
While the government may be called upon to assist in the defense of cyberspace, the doctrinal and organizational foundations have not yet been established to allow for this involvement. Further study of this problem is necessary to ensure that any government involvement is proportional and effective. While cyberspace can place individuals and states on equal footing, the state clearly retains an advantage in the physical world. This advantage may provide a useful tool in the prosecution of cyberterrorism. While the doctrine of asymmetric response was utilized during the Cold War to deter a nuclear exchange, a cyberspace equivalent of this doctrine may prove useful in the information age. If a state commits to defending cyberspace, the first course of action is likely to be the securing of systems to prevent unauthorized access. By raising the threshold of skill and technology required to penetrate a system, amateurs and unskilled cyberterrorists may be deterred from pursuing an offensive in cyberspace. By securing systems from "low level" attacks, the various government agencies involved in counter and anti-terrorism will be free to pursue the "high level" threats that are sure to exist in cyberspace. It remains to be seen if an offensive response, such as a military strike against a computer center or selected organizations, will be tolerated by the citizens of the United States. Will people be willing to launch an air strike against computer terrorists in the same fashion as they were launched against terrorists training bases in Libya? The implications of an offensive, asymmetric response to the terrorist problem must be explored, as a response that exists exclusively in cyberspace may not be sufficient to deter, or even slow down a cyberterrorist. At he dawn of the information age, the borders of the United States are no longer secure. We must recognize he potential threat and adjust our thinking to formulate an effective individual and state response.