This article explores the debate surrounding cyber-terrorism, examining the differing perspectives on the threat level and the lack of empirical evidence. It also compares definitions of cyber-terrorism and delves into the puzzle of why countermeasures are in place despite a lack of real-world experience.
CENTER FOR SECURITY STUDIES
Swiss Federal Institute of Technology (ETH Zurich)
Cyber-Terror
Looming Threat or Phantom Menace?
New York, 28 June 2006
Myriam Dunn
What is the Problem?
• “We are at risk. Increasingly, America depends on computers. [...] Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb” National Academy of Sciences, “Computers at Risk”, 1991
• “In my opinion, neither missile proliferation nor weapons of mass destruction are as serious as the threat [of cyberterrorism]” Curt Weldon (R-Pennsylvania), 1999
• “[Attacks against the US banking system] would devastate the United States more than a nuclear device let off over a major city” Robert Bennett (R-Utah), 2001
• “Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks” Letter sent to President Bush by Richard Clarke and more than 50 top computer scientists, 2002
Hypers vs. De-hypers
• “Hypers” assume vicious attacks that wreak havoc and paralyze whole nations to be imminent
• “De-hypers” (usually more technically educated political advisors and journalists)
  • point to the practical difficulties of a serious cyber-attack,
  • question the assumption of critical infrastructure vulnerabilities,
  • point to unclear benefits of cyber-attacks for terrorist groups.
• Despite this caution, however, even de-hypers contend that one “cannot afford to shrug off the threat” (Denning, 2001)
  • due to unclear and rapid future technological development
  • dynamic change of the capabilities of terrorism groups
Fact or Fiction?
• Due to too many uncertainties, experts are unable to conclude whether cyber-terror is fact or fiction
• Or, since they are unwilling to dismiss the threat completely, how long it is likely to remain fiction
• There is no empirical evidence that would help to overcome this problem
  • Data on vulnerabilities is patchy
  • No consolidated statistics regarding computer-based threats or incident rates exist
  • Intrusion detection technology limited
  • Lack of baseline knowledge of normal activity on critical networked systems
  • Concrete intelligence data (which non-state actor is likely to employ cyber-tools as an offensive weapon at what point in time and for what reasons?) unavailable
Reality Check
• Cyber-attacks and cyber-incidents
  • cause major inconveniences
  • have cost billions of dollars in lost intellectual property, maintenance and repair, lost revenue, and increased security
• But: whether they constitute a national security threat is highly controversial!
• Reason: All doomsday scenarios of cyber-attacks that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory
Cyberterror – A Comparison of Definitions
• Very little reflection on the implicit underlying notions of terrorism that influence the cyber-terror definitions
• Two main areas in which clarification is frequently sought
  • To resolve the confusion between cyber-terrorism and cyber-crime
    • Lack of clear definitions of the two phenomena reflects a general confusion between the two terms
  • To make a clear distinction between
    • a) terrorist use of computers as a facilitator of their activities, and
    • b) terrorism involving computer technology as a weapon or target
Cyberterror – A Definition
• To be labeled cyber-terrorism, cyber-incidents must
  • be mounted by sub-national terrorist groups,
  • be aimed at parts of the information infrastructure,
  • instill “terror” by effects that are sufficiently destructive or disruptive to generate fear, and
  • must have a political, religious, or ideological motivation.
• According to this definition, none of the larger and smaller disruptive “cyber”-incidents that we have experienced in the last couple of years have been examples of cyber-terrorism!
The Puzzle
• Despite the fact that cyber-terror has not truly manifested itself as a threat, it is treated as if it were
• The US government (and other governments)
  • considers the threat to national security to be real,
  • has extensively studied various aspects of cyber-threats, and
  • spends considerable sums on various countermeasures
• We observe the firm establishment, worldwide proliferation, and persistence of a “virtual” threat image on the national security agenda (truly society-threatening incidents remain mere scenarios)
• Question: On what basis are countermeasures drafted if there is no real-world experience?
• What factors are decisive for making threats (potential) national security threats in the eyes of key actors?
Theory of Threat Politics I
• Copenhagen School of Security: Issues become a security issue not necessarily because a real existential threat exists, but because the issue is successfully presented as such a threat by key actors in the political arena (= securitization)
• Securitization studies aim to gain an understanding of who securitizes (the actor), on what issues (the threat subject), for whom (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure/institutions)
• Threat framing: process whereby particular agents develop specific interpretive schemas about what should be considered a threat or risk, how to respond to this threat, and who is responsible for it
• Features of the threat frame are decisive for whether issues make it on the security agenda or take on societal prominence
Theory of Threat Politics II
• When a condition turns into a problem that threatens national security in the eyes of professionals of security, the first threat frame emerges
• If an event changes beliefs or resources of professionals of security, then a reframing of the threat frame is initiated
  • new discourse strands are interlinked or decoupled by referencing (seeking to establish linkages with existing terms)
• The broader the range of threat subjects in the threat frame, the more likely the threat frame will emerge as winning
• The more the referent object is about domestic and social well-being, the more likely the threat frame will emerge as winning
• The more urgent the motivational call, the more likely the threat frame will emerge as winning

Threat Politics: The political process that a) moves threats onto the political agenda, b) removes threats from the agenda, or c) alters the face of threats on the political agenda
Policy Windows – Examples
• Phase I: Securitization / Initial Threat Framing
  • Hacking, Phreaking, insecurity
  • Viruses and Worms (e.g. Morris)
  • “Cuckoo's Egg” Incident (1987)
  • “Computers at Risk” (1991)
• Phase II: Re-framing
  • Oklahoma City Bombing
  • Afterwards: cyber-threats and critical infrastructures interlinked
  • “wake-up call”
Cyber-terror Threat Frame I
• Cyber-threats constructed as a threat to society’s core values, especially national security, and to the economic and social well-being of a nation
• Very broad and indeterminate framing of threat subject underscores a perspective of vulnerability, uncertainty, and insecurity
• Image of cyber-terrorist and that of larger set of cyber-perpetrators are not separated in official statements (hacker = terrorist)
• Introduction of numerous non-state enemies as threat subjects abolishes distinction between
  • internal and external threats
  • the private and public spheres of action
• Characteristics imply that boundaries between civil and military spheres of action are dissolved
Cyber-terror Threat Frame II
• Cyber-terror frame combines two of the great fears of the late 20th century
  • Fear of random, incomprehensible, and uncontrollable victimization
  • Distrust or outright fear of computer technology
• Technology is feared because it is seen as complex, abstract, and arcane in its impact on individuals
• Notion of technology being “out of control”, a recurring theme in political and philosophical thought
• Strengthened by increase in “connectivity” that the information revolution brings
Conclusion
• The main problem with the concept of cyber-terror is the terror suffix
• Cyber-terror is not the main problem
• Can be easily turned into profit engine
• Should aim to “de-securitize” the issue to allow more leeway (interpretation and actual politics)
• Focus on economic aspects of cyber-security
• Help to overcome “free rider” problem
• Help to create a market for cyber-security, which could reduce much of the insecurity of the information infrastructure