Studies in Conflict & Terrorism, 28:129149, 2005

Copyright Taylor & Francis Inc.

ISSN: 1057-610X print / 1521-0731 online
DOI: 10.1080/10576100590905110

Cyberterrorism: The Sum of All Fears?

GABRIEL WEIMANN
United States Institute of Peace
Washington, DC, USA
and
Department of Communication
University of Haifa
Haifa, Israel
Cyberterrorism conjures up images of vicious terrorists unleashing catastrophic attacks against computer networks, wreaking havoc, and paralyzing nations. This is a
frightening scenario, but how likely is it to occur? Could terrorists cripple critical
military, financial, and service computer systems? This article charts the rise of
cyberangst and examines the evidence cited by those who predict imminent catastrophe. Psychological, political, and economic forces have combined to promote the
fear of cyberterrorism. From a psychological perspective, two of the greatest fears
of modern time are combined in the term cyberterrorism. The fear of random,
violent victimization segues well with the distrust and outright fear of computer
technology. Many of these fears, the report contends, are exaggerated: not a single
case of cyberterrorism has yet been recorded, hackers are regularly mistaken for
terrorists, and cyberdefenses are more robust than is commonly supposed. Even so,
the potential threat is undeniable and seems likely to increase, making it all the
more important to address the danger without inflating or manipulating it.

Tomorrows terrorist may be able to do more damage with a keyboard than

with a bomb.
National Research Council1
For the foreseeable future, acts of cyberterrorism, such as the ones usually
imagined, will be very difficult to perform, unreliable in their impact, and
easy to respond to in relatively short periods of time.
Douglas Thomas, statement to the Subcommittee on
Government Efficiency, Financial Management
and Intergovernmental Relations2

Received 14 June 2004; accepted 19 August 2004.

This article is an updated and detailed version of a previous special report, Cyberterrorism:
How Real Is the Threat?, issued in May 2004 by USIP.
Address correspondence to Gabriel Weimann, University of Haifa, Haifa 32905, Israel. Email: weimann@soc.haifa.ac.il

129

130

G. Weimann
Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks.
Carnegie Mellon University computer scientist Roy Maxion in a
letter to President G. Bush co-signed by 50 computer scientists
Terrorists are interested in creating bloodshed and terror. The Internet doesnt
rise to this level of impact in a way that a truck bomb does.
George Smith, Co-editor, vmyths.com

Introduction
Cyberterrorism is the use of computer network tools to harm or shut down critical national
infrastructures (such as energy, transportation, government operations). The premise of
cyberterrorism is that as nations and critical infrastructure became more dependent on
computer networks for their operation, new vulnerabilities are createda massive electronic Achilles heel.3 Cyberterrorism is an attractive option for modern terrorists, who
value its anonymity, its potential to inflict massive damage, its psychological impact, and
its media appeal. The threat posed by cyberterrorism has grabbed the attention of the mass
media, the security community, and the information technology (IT) industry. Journalists,
politicians, and experts in a variety of fields have popularized a scenario in which sophisticated cyber-terrorists electronically break into computers that control dams or air traffic
control systems, wreaking havoc and endangering not only millions of lives but national
security itself. And yet, despite all the gloomy predictions of a cyber-generated doomsday,
no single instance of real cyberterrorism has been recorded.
Just how real is the threat that cyberterrorism poses? Because most critical infrastructure in Western societies is networked through computers, the potential threat from
cyberterrorism is, to be sure, very alarming. Hackers, although not motivated by the
same goals that inspire terrorists, have demonstrated that individuals can gain access to
sensitive information and to the operation of crucial services. Terrorists, at least in theory,
could thus follow the hackers lead, and then, having broken into government and private computer systems, could cripple or at least disable the military, financial, and service sectors of advanced economies. The growing dependence of our societies on information technology has created a new form of vulnerability, giving terrorists the chance
to approach targets that would otherwise be utterly unassailable, such as national defense systems and air traffic control systems. The more technologically developed a
country is, the more vulnerable it becomes to cyberattacks against its infrastructure.
Concern about the potential danger posed by cyberterrorism is thus well founded.
That does not mean, however, that all the fears that have been voiced in the media, in
Congress, and in other public forums are rational and reasonable. Some fears are simply
unjustified, whereas others are highly exaggerated. In addition, the distinction between
the potential and the actual damage inflicted by cyberterrorists has too often been ignored, and the relatively benign activities of most hackers have been conflated with the
specter of pure cyberterrorism.
This article examines the reality of the cyberterrorism threat, both present and future.
It begins by outlining why cyberterrorism angst has gripped so many people, defines
what qualifies as cyberterrorism and what does not, and charts cyberterrorisms appeal
for terrorists. The report then looks at the evidence both for and against Western societys
vulnerability to cyberattacks, drawing on a variety of recent studies and publications to

Cyberterrorism

131

illustrate the kinds of fears that have been expressed in order to assess whether there is a
need to be so concerned. The conclusion looks to the future and argues that we must
remain alert to real dangers while not becoming victims of overblown fears.

Cyberterrorism Angst
The roots of the notion of cyberterrorism can be traced back to the early 1990s, when the
rapid growth in Internet use and the debate on the emerging information society sparked
several studies on the potential risks faced by the highly networked, high-tech dependent
United States. As early as 1990, the National Academy of Sciences began a report on
computer security with the words, We are at risk. Increasingly, America depends on
computers. . . . Tomorrows terrorist may be able to do more damage with a keyboard than
with a bomb. At the same time, the prototypical term electronic Pearl Harbor was
coined, linking the threat of a computer attack to an American historical trauma.
Its no surprise, argues Green, that cyberterrorism now ranks alongside other
weapons of mass destruction in the public consciousness . . . but theres just one problem: There is no such thing as cyberterrorismno instance of anyone ever having been
killed by a terrorist (or anyone else) using a computer. Nor is there compelling evidence
that al Qaeda or any other terrorist organization has resorted to computers for any sort
of serious destructive activity.4 It seems fair to say that the current threat posed by
cyberterrorism has been exaggerated. No single instance of cyberterrorism has yet been
recorded: there were politically motivated cyberattacks, as a form of protest, usually
involving website defacements (with a political message) or some types of denial of
service (DoS) attack.5 However, while the cyberattacks were politically motivated, from
the outset the attacks were incapable of harming people or property or instilling fear
into the target population. Its impact was primarily designed to cause disruption and did
not have a serious impact on critical services or infrastructure. The vast majority of
cyberattacks are launched by hackers with few if any political goals and no desire to
cause the mayhem and carnage of which terrorists dream. So, then, why has so much
concern been expressed over a relatively minor threat?
The reasons for the popularity of cyberterrorism angst are many. Psychological,
political, and economic forces have combined to promote the fear of cyberterrorism.
First, from a psychological perspective, two of the greatest fears of modern time are
combined in the term cyberterrorism.6 The fear of random, violent victimization segues
well with the distrust and outright fear of computer technology. An unknown threat is
perceived as more threatening than a known threat. Although cyberterrorism does not
entail a direct threat of violence, its psychological impact on anxious societies can be as
powerful as the effect of terrorist bombs. Moreover, the most destructive forces working
against an understanding of the actual threat of cyberterrorism are a fear of the unknown
and a lack of information or, worse, too much misinformation.
Second, the mass media have added their voice to the fearful chorus, trumpeting the
threat with front-page headlines such as the following, which appeared in The Washington Post in June 2003: Cyber-Attacks by Al Qaeda Feared, Terrorists at Threshold of
Using Internet as Tool of Bloodshed, Experts Say. Cyberterrorism, the media have
discovered, makes for eye-catching, dramatic copy. A typical report published in The
Washington Post represents hundreds of similar news items:
This situation is alarming when one considers that America has many thousands of dams, airports, chemical plants, federal reservoirs and of course

132

G. Weimann
power plants (of which 104 are nuclear), most of whose integral systems are
operated and controlled by sophisticated computer systems or other automated controllers. These systems are now experiencing cyber attacks. In the
second half of 2002 alone, 60 percent of power and energy companies experienced at least one severe cyber attack. Fortunately, none incurred catastrophic loss.7

Screenwriters and novelists have likewise seen the dramatic potential, with movies
such as the 1995 James Bond feature, Goldeneye and 2002s Code Hunter, the 2004
television series The Grid, and novels such as Tom Clancys and Steve R. Pieczeniks
Netforce popularizing a wide range of cyberterrorist scenarios. The mass media frequently fail to distinguish between hacking and cyberterrorism and exaggerate the threat
of the latter by reasoning from false analogies such as the following: If a sixteen-yearold could do this, then what could a well-funded terrorist group do? Thus, as Denning
has observed, cyberterrorism and cyberattacks are sexy right now. . . . [Cyberterrorism
is] novel, original, it captures peoples imagination.8
Ignorance is a third factor. Cyberterrorism merges two spheresterrorism and technologythat many people, including most lawmakers and senior administration officials,
do not fully understand and therefore tend to fear. Moreover, some groups are eager to
exploit this ignorance: Numerous technology companies, still reeling from the collapse
of the tech bubble, have recast themselves as innovators crucial to national security and
boosted their Washington presence in an effort to attract federal dollars.9 Law enforcement and security consultants are likewise highly motivated to have everyone believe
that the threat to the nations security is severe. As Ohio State University law professor
Peter Swire argued, Many companies that rode the dot-com boom need to find big new
sources of income. One is direct sales to the federal government; another is federal
mandates. If we have a big federal push for new security spending, that could prop up
the sagging market.10
To study terrorism, on the Internet or elsewhere, a definition of what terrorism is
must be found. Even though most people can recognize terrorism when they see it,
experts have had difficulty coming up with an ironclad definition. There are more than
one hundred different definitions offered by scholars.11 Thus, a more fruitful approach
would be to characterize terrorism; Mullins provides a starting point by highlighting
the terror of terrorism, that is, the argument or pre-condition that without the terror
induced by the terrorist, there can be no terrorism.12 Fear is a key element in terrorism,
and it is the fear evoked by the individuals or the small groups of individuals whose
capacity to constraint the behavior of others resides not in reason, in numerical preponderance, or in any legitimate exercise of authority, but only in their perception that they
are able and willing to use violence unless their demands are satisfied.13 Hoffman defined terrorism as Violence, or the threat of violence, used and directed in pursuit of,
or in service of, a political aim.14 The U.S. State Department defines terrorism as premeditated, politically motivated violence perpetrated against noncombatant targets by
subnational groups or clandestine agents, usually intended to influence an audience.
These characteristics clearly leave most of the cyberattacks if not all of them outside the
cyberterrorism category. There is also the confusion between cyberterrorism and cybercrime.15 Such confusion is partly caused by the lack of clear definitions of the two
phenomena. Cybercrime and cyberterrorism are not coterminous. Cyberspace attacks
must have a terrorist component in order to be labeled cyberterrorism. The attacks
must instill terror as commonly understood (that is, result in death and/or large-scale

Cyberterrorism

133

destruction), and they must have a political motivation. Moreover, regarding the distinction between terrorist use of information technology and terrorism involving computer
technology as a weapon/target, only the latter may be defined as cyberterrorism. Terrorist
use of computers as a facilitator of their activities, whether for propaganda, recruitment,
datamining, communication, or other purposes, is simply not cyberterrorism.16 Terrorists
increasingly are using the Net to post messages, launch psychological campaigns, learn
about potential targets, coordinate their actions, raise funds, and even conduct virtual
training, but all these activities belong to the conventional, instrumental category and
not to cyberattacks aimed at computer networks or the Internet itself.
A fourth reason is that some politicians, whether out of genuine conviction or out
of a desire to stoke public anxiety about terrorism in order to advance their own agendas, have played the role of prophets of doom. After 9/11, the security and terrorism
discourse soon featured cyberterrorism prominently. Following an October 2001 meeting with high-tech executives, including several from the security firm Network Associates, President Bush appointed Richard Clarke as his first special advisor on cyberspace
security. After 11 September, Clarke created for himself the position of cybersecurity
czar and continued heralding the threat of cyberattack. Understanding that in Washington attention leads to resources and power, Clarke quickly raised the issues profile.
Dick has an ability to scare the bejesus out of everybody and to make the bureaucracy
jump, says a former colleague.17
The government was also stepping up its efforts to share information on cyberterrorism
threats through public advisories. The National Infrastructure Protection Center (NIPC)
has issued an advisory that warns website operators of the threat of DDoS (distributed
denial-of-service) attacks. The NIPC advisory stated that it has information that certain
groups have indicated they are targeting websites of the U.S. Department of Defense
and organizations that support the critical infrastructure of the United States. When
Tom Ridge, the director of the newly created Office of Homeland Security, announced
Clarkes appointment, he hammered home the fact that information technology now
pervades everyday lifefrom communications and emergency services to water and
electricity delivery. Destroy the networks, he said, and you shut down America as we
know it and as we live it and as we experience it every day.
A special congressional commission examining terrorism after the 11 September
attacks was very concerned that future attacks against the United States might occur in
conjunction with a cyberattack that would maximize the destructive effects of physical
weapons such as bombs or chemical assaults. There has been substantial concern [about]
the potential consequences of cyberattacks, said Virginia Gov. James Gilmore, chairman of the commission examining the nations ability to respond to an attack involving
a weapon of mass destruction.18 Gilmore said the commission believes that a cyberattack could take place in concert with a physical attack. In a National Public Radio
interview with NPRs Bob Edward, senators Jon Kyl (R-AZ) and Dianne Feinstein (DCA) expressed their fears about the threat of cyberterrorism. They both said the nations
computer systems are overly vulnerable to attack and need better security measures.19
This discourse was understandable, given that more nightmarish attacks were expected and that cyberterrorism seemed to offer Al Qaeda opportunities to inflict enormous damage. But there was also a political dimension to the new focus on cyberterrorism. Debates about national security, including the security of cyberspace, always
attract political actors with agendas that extend beyond the specific issue at handand
the debate over cyberterrorism was no exception to this pattern. For instance, Yonah
Alexander, a terrorism researcher at the Potomac Institutea think tank with close links

134

G. Weimann

to the Pentagonannounced in December 2001, the existence of an Iraq Net. This

network supposedly consisted of more than one hundred websites set up across the
world by Iraq since the mid-1990s to launch denial-of-service or DoS attacks (DoS
attacks render computer systems inaccessible, unusable, or inoperable) against U.S. companies. Saddam Hussein would not hesitate to use the cyber tool he has. . . . It is not a
question of if but when. The entire United States is the front line, Alexander claimed.20
Whatever the intentions of its author, such a statement was clearly likely to support
arguments then being made for an aggressive U.S. policy toward Iraq like Saddams
WMD stockpiles. No evidence of an Iraq Net has yet come to light.
Fifth, combating cyberterrorism has become not only a highly politicized issue but
also an economically rewarding one. As Green argues, an entire industry has arisen to
grapple with its ramificationsthink tanks have launched new projects and issued white
papers, experts have testified to its dangers before Congress, private companies have
hastily deployed security consultants and software designed to protect public and private
targets.21 Following the 9/11 attacks, the federal government requested $4.5 billion for
infrastructure security, and the FBI now boasts more than one thousand cyber investigators. Spending on security-related technology is expected to increase over the next
couple of years, leveling off at 5 percent to 8 percent of the Information Technology
budget of global companies, according to a survey.22 Security spending takes up from 3
percent to 4 percent of IT budgets today but that amount, however, is expected to increase at a compound annual growth rate of between 8 percent and 10 percent through
2006, before reaching a plateau.
Even before 11 September 2001, George W. Bush was calling attention to the danger of an imminent attack on the United States by cyberterrorists. As a presidential
candidate, he warned that American forces are overused and underfunded precisely
when they are confronted by a host of new threats and challengesthe spread of weapons of mass destruction, the rise of cyberterrorism, the proliferation of missile technology. In the aftermath of 9/11, President Bush created the Office of Cyberspace Security
in the White House, and appointed his former counterterrorism coordinator, Richard
Clarke, to head it (Clarke has since resigned). Since then, the president, the vice president, and other officials have kept the issue before the public. Terrorists can sit at one
computer connected to one network and can create worldwide havoc, cautioned Tom
Ridge, director of the Department of Homeland Security, in a representative observation
in April 2003. [They] dont necessarily need a bomb or explosives to cripple a sector
of the economy or shut down a power grid. The message is hitting home. For instance,
a survey of 725 cities conducted by the National League of Cities for the second anniversary of the 9/11 attacks shows that cyberterrorism ranks alongside biological and
chemical weapons at the top of a list of city officials fears.23
The net effect of all this attention has been to create a climate in which instances of
hacking into government websites, online thefts of proprietary data from companies, and
outbreaks of new computer viruses are all likely to be labeled by many including journalists as suspected cases of cyberterrorism.24 Indeed, the term has been improperly
used and overused to such an extent that, if there is any hope of reaching a clear understanding of the danger posed by cyberterrorism, it must be defined with some precision.

What Is Cyberterrorism?
There have been several stumbling blocks to creating a clear and consistent definition of
the term cyberterrorism. First, as just noted, much of the discussion of cyberterrorism

Cyberterrorism

135

has been conducted in the popular media, where journalists typically strive for drama
and sensation rather than for good operational definitions of new terms. Second, it has
been especially common when dealing with computers to coin new words simply by
placing the words cyber, computer, or information before another word. Thus, an
entire arsenal of wordscybercrime, cyberwar, infowar, netwar, cyberterrorism, cyber
harassment, virtual-warfare, digital terrorism, cybertactics, computer warfare, information warfare, cyberattack, cyberwar, and cyber break-insis used to describe what some
military and political strategists describe as the new terrorism of these times.25
Fortunately, some effort has been made to introduce greater semantic precision.
Most notably, Dorothy Denning, a professor of computer science, has put forward an
admirably unambiguous definition in numerous articles,26 and in her testimony on the
subject before the congressional House Armed Services Committee:
Cyberterrorism is the convergence of cyberspace and terrorism. It refers to
unlawful attacks and threats of attacks against computers, networks and the
information stored therein when done to intimidate or coerce a government
or its people in furtherance of political or social objectives. Further, to qualify
as cyberterrorism, an attack should result in violence against persons or property,
or at least cause enough harm to generate fear. Attacks that lead to death or
bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism,
depending on their impact. Attacks that disrupt nonessential services or that
are mainly a costly nuisance would not.
It is important to distinguish between cyberterrorism and hacktivism, a term coined
by Denning to describe the marriage of hacking with political activism. (Hacking is
here understood to mean activities conducted online and covertly that seek to reveal,
manipulate, or otherwise exploit vulnerabilities in computer operating systems and other
software.)27 Hacktivists have four main weapons at their disposal: virtual sit-ins and
blockades; automated e-mail bombs; web hacks and computer break-ins; and computer
viruses and worms. A virtual sit-in or blockade is the cyberspace rendition of a physical
sit-in or blockade: political activists coordinate their visits to a website and attempt to
generate so much traffic toward the site that other users cannot reach it, thereby disrupting normal operations while winning publicityvia media reportsfor the protesters
cause. When large numbers of individuals simultaneously attack a designated site, the
operation is sometimes referred to as swarming. Swarming can also amplify the effects of the hacktivists second weapon: e-mail bombing campaigns (bombarding targets
with thousands of messages at once, also know as ping attacks). In July 1997, for
example, an e-mail bombing was conducted against the Institute for Global Communications (IGC), a San Francisco-based Internet Service Provider (ISP) that hosted the web
pages of Euskal Herria (in English, the Basque Country Journal), a publication edited
by supporters of the Basque separatist group Homeland and Liberty (ETA).28 The attackers wanted ETAs site pulled from the Internet. To accomplish this they bombarded
IGC with thousands of spurious e-mails routed through hundreds of different mail relays, spammed IGC staff and customer accounts, clogged IGCs web page with bogus
credit card orders, and threatened to employ the same tactics against other organizations
using IGC services. IGC pulled the Euskal Herria site just a few days later.
Many cyberprotesters use the third weapon in the hacktivists arsenal: web hacking
and computer break-ins, whereby they hack into computers to access stored information,

136

G. Weimann

communication facilities, financial information, and so on. For example, the Computer
Emergency Response Team Coordination Center (CERT/CC), a federally funded research
and development center operated by Carnegie Mellon University, reported 2,134 computer security incidents such as break-ins and hacks in 1997. This number rose to 21,756
in 2000, and to almost 35,000 during the first three quarters of 2001 alone. In 2003,
CERT/CC received more than half a million e-mail messages and more than nine hundred hotline calls reporting incidents or requesting information. In the same year, no
fewer than 137,529 computer security incidents were reported. Considering that many,
perhaps most, incidents are never reported to CERT/CC or any other third party, these
numbers become even more significant. Further, each incident that is reported corresponds to an attack that can involve thousands of victims. In April 2002, for instance,
hackers broke into the payroll database for the state of California and gained access to
the Social Security numbers, bank account information, and home addresses of 265,000
state employees. This rise in computer-based attacks can be attributed to several factors,
including the growth of the Internet and a corresponding increase in the number of
potential attackers and targets; a seemingly limitless supply of vulnerabilities that, once
discovered, are quickly exploited; and increasingly sophisticated software hacking tools
that allow even those with modest skills to launch devastating attacks.
The fourth category of hacktivist weaponry comprises viruses and worms, both of
which are forms of malicious code that can infect computers and propagate over computer networks. Their impact can be enormous. The Code Red worm, for example, infected about a million servers in July 2001, and caused $2.6 billion in damage to computer hardware, software, and networks, and the I LOVE YOU virus unleashed in 2000
affected more than twenty million Internet users and caused billions of dollars in damage. Although neither the Code Red worm nor the I LOVE YOU virus was spread with
any political goals in mind, some computer viruses and worms have been used to propagate political messages and, in some cases, cause serious damage. During the NATO
operation to evict Serbian forces from Kosovo, businesses, public entities, and academic
institutes in NATO member-states received virus-laden e-mails from a range of Eastern
European countries. The e-mail messages, which had been poorly translated into English, consisted chiefly of unsubtle denunciations of NATO for its unfair aggression and
defenses of Serbian rights. But the real threat was from the viruses. This was an instance
of cyberwarfare launched by Serbian hackers against the economic infrastructure of NATO
countries.
On Tuesday, 22 October 2002, the heart of the Internet network sustained its largest
and most sophisticated attack ever: a distributed DoS attack struck the thirteen root
servers that provide the primary road map for almost all Internet communications worldwide. According to security experts, the incident probably consisted of multiple attackers concentrating the power of many computers against a single network to prevent it
from operating. Ordinary Internet users experienced no slowdowns or outages because
of safeguards built into the Internets architecture; however, a longer, more extensive
attack could have seriously damaged worldwide electronic communications. Little can
be done to insulate targets from such attacks. Indeed, some of the worlds most powerful companies have been targeted. In February 2000, Amazon.com, e-Bay, Yahoo, and a
host of other big-name e-commerce sites came to a grinding halt for several hours due
to DoS attacks.
Hacktivism, although politically motivated, does not amount to cyberterrorism. Hacktivists do want to protest and disrupt; they do not want to kill or maim or terrify. However, hacktivism does highlight the threat of cyberterrorism, the potential that individuals

Cyberterrorism

137

with no moral restraint may use methods similar to those developed by hackers to wreak
havoc. Moreover, the line between cyberterrorism and hacktivism may sometimes blur,
especially if terrorist groups are able to recruit or hire computer-savvy hacktivists or if
hacktivists decide to escalate their actions by attacking the systems that operate critical
elements of the national infrastructure, such as electric power networks and emergency
services.

The Attraction of Cyberterrorism for Terrorists

Cyberterrorism is an attractive option for modern terrorists for several reasons:
First, it is cheaper than traditional terrorist methods. All that the terrorist needs is
a personal computer and an online connection. Terrorists do not need to buy
weapons such as guns and explosives; instead, they can create and deliver computer viruses through a telephone line, a cable, or a wireless connection.
Second, cyberterrorism is more anonymous than traditional terrorist methods. Like
many Internet surfers, terrorists use online nicknamesscreen namesor log
on to a website as an unidentified guest user, making it very hard for security
agencies and police forces to track down the terrorists real identity. And in cyberspace
there are no physical barriers such as checkpoints to navigate, no borders to cross,
no customs agents to outsmart.
Third, the variety and number of targets are enormous. The cyberterrorist could
target the computers and computer networks of governments, individuals, public
utilities, private airlines, and so on. The sheer number and complexity of potential
targets guarantees that terrorists can find weaknesses and vulnerabilities to exploit. Several studies have shown that critical infrastructures, such as electric power
grids and emergency services, are vulnerable to a cyberterrorist attack because
the infrastructures and the computer systems that run them are highly complex,
making it effectively impossible to eliminate all weaknesses.
Fourth, cyberterrorism can be conducted remotely, a feature that is especially
appealing to terrorists. Cyberterrorism requires less physical training, psychological investment, risk of mortality, and travel than conventional forms of terrorism,
making it easier for terrorist organizations to recruit and retain followers.
Fifth, as the I LOVE YOU virus showed, cyberterrorism has the potential to affect directly a larger number of people than traditional terrorist methods, thereby
generating greater media coverage, which is ultimately what terrorists want.

The Growing Vulnerabilities

In his vision of The Future of Cyberterrorism, Collin describes several scary scenarios:29
A cyberterrorist will disrupt the banks, the international financial transactions, the
stock exchanges. The key: the people of a country will lose all confidence in the
economic system. Would a cyberterrorist attempt to gain entry to the Federal
Reserve building or equivalent? Unlikely, since arrest would be immediate. Furthermore, a large truck pulling along side the building would be noticed. However, in the case of the cyberterrorist, the perpetrator is sitting on another continent while a nations economic systems grind to a halt. Destabilization will be
achieved.

138

G. Weimann
A cyberterrorist will attack the next generation of air traffic control systems, and
collide two large civilian aircraft. This is a realistic scenario, since the cyberterrorist
will also crack the aircrafts in-cockpit sensors. Much of the same can be done to
the rail lines.
A cyberterrorist will remotely alter the formulas of medication at pharmaceutical
manufacturers. The potential loss of life is unfathomable.
The cyberterrorist may then decide to remotely change the pressure in the gas
lines, causing a valve failure, and a block of a sleepy suburb detonates and burns.
Likewise, the electrical grid is becoming steadily more vulnerable.

In 1997, the National Security Agency (NSA) conducted an exercise code-named

Eligible Receiver.30 The results were chilling. The exercise began when NSA officials
briefed a thirty-five person Red Team of NSA computer hackers on the ground rules.
They were told that they were to attempt to hack into and disrupt U.S. national security
systems. Their primary target was to be the U.S. Pacific Command in Hawaii, which is
responsible for all military contingencies and operations conducted in the Pacific theater, including the tension-wracked Korean peninsula. Members of the Red Team were
allowed to use only software tools and other hacking utilities that could be downloaded
freely from the Internet through any one of the hundreds, and possibly thousands, of
hacker websites. The Pentagons own arsenal of secret offensive information warfare
tools was off limits to the hackers. Although they were allowed to penetrate various
Pentagon networks, the Red Team was prohibited from breaking any U.S. laws.
Posing as hackers hired by the North Korean intelligence service, the Red Team
dispersed around the country and began digging their way into military networks. They
navigated through cyberspace with ease, mapping networks and logging passwords gained
through brute-force cracking (a trial-and-error method of decoding encrypted data such
as passwords or encryption keys by trying all possible combinations) and the more subtle
tactic of social engineeringsometimes it was just easier to call somebody on the telephone, pretend to be a technician or high-ranking official, and ask for the password. The
team gained unfettered access to dozens of critical Pentagon computer systems. With
that level of access, they were free to create legitimate user accounts for other hackers,
delete accounts belonging to authorized officials, reformat server hard drives and scramble
the data, or simply shut systems down. They were able to break through network defenses with ease, after which they could conduct DoS attacks, read or make minor changes
to sensitive e-mail messages, and disrupt telephone services. They did so without being
traced or identified.
The results of the exercise stunned all who were involved. Using hacking tools that
were available to anybody on the Internet, the Red Team could have crippled the U.S.
militarys command-and-control system for the entire Pacific theater of operations. From
a military perspective, that alone was appalling. But it soon became clear that the exercise had revealed much broader vulnerabilities. During the course of analyzing what the
Red Team had accomplished, NSA officials discovered that much of the private-sector
infrastructure in the United States, such as the telecommunications and electric power
grids, could easily be sent into a tailspin using the same tools and techniques.
The vulnerability of the energy industry is at the heart of Black Ice: The Invisible
Threat of Cyberterror, a book published in 2003 and written by Computerworld journalist and former intelligence officer Dan Verton.31 Verton argues that Americas energy
sector would be the first domino to fall in a strategic cyberterrorist attack against the
United States. The book explores in frightening detail how the impact of such an attack

Cyberterrorism

139

could rival, or even exceed, the consequences of a more traditional, physical attack.
Verton claims that during any given year, the average large utility company experiences
about one million cyberintrusions that require investigation to ensure that critical system
components have not been compromised. Data collected by Riptech, Inc.a Virginiabased company specializing in the security of online information and financial systems
on cyberattacks during the six months following the 9/11 attacks showed that companies
in the energy industry suffered intrusions at twice the rate of other industries, with the
number of severe or critical attacks requiring immediate intervention averaging 12.5 per
company.32
Deregulation and the increased focus on profitability have forced utilities and other
companies to move more and more of their operations to the Internet as a means of
improving efficiency and reducing costs. The energy industry and many other industrial
sectors have opened their enterprises to a vast array of cyberdisruptions by creating
inadvertent Internet links (both physical and wireless) between their corporate networks
and the digital crown jewels of most industrial processes: the supervisory control and
data acquisition (SCADA) systems. These systems manage the actual flow of electricity
and natural gas and perform other critical functions in various industrial control settings,
such as chemical processing plants, water purification and delivery systems, wastewater
management facilities, and a host of manufacturing firms. A terrorists ability to control,
disrupt, or alter the command and monitoring functions performed by these systems
could threaten regional and possibly national security.
New vulnerabilities that could leave the way open to a cyberattack are being discovered all the time: according to Symantec, one of the worlds corporate leaders in the
field of cybersecurity, the number of software holes (software security flaws that allow malicious hackers to exploit the system) reported in the nations computer networks
grew by 80 percent in 2002. Still, the company says it has yet to record a single cyberterrorist
attackby its definition, one originating in a country on the State Departments terror
watch list. That could be because those inclined to commit terrorist acts do not yet have
the know-how to inflict significant damage, or perhaps because hackers and adept virus
writers are not sympathetic to the goals of terrorist organizations. However, should the
two groups find common ground, the results could be devastating.
Equally alarming is the prospect of terrorists themselves designing computer software for government agencies. Remarkably, at least one instance of such a situation is
known to have occurred, as reported by Denning.33 In March 2000, Japans Metropolitan Police Department announced that a software system it had procured to track 150
police vehicles, including unmarked cars, had been developed by the Aum Shinryko
cult, the same group that gassed the Tokyo subway in 1995, killing twelve people and
injuring six thousand more. Additionally, members of this cult had developed software
for at least eighty Japanese firms and ten government agencies. They had worked as
subcontractors to other firms, making it almost impossible for the end users to know
who had developed the software they purchased. As subcontractors, Denning argues, the
cult could have installed Trojan horses to launch or facilitate
Despite stepped-up security measures in the wake of 9/11, an Ipsos Public Affairs
survey of 395 IT professionals, conducted on behalf of the Business Software Alliance
during June 2002, revealed a lack of confidence in the governments ability to defend
itself against a cyberattack. Almost half (49 percent) felt than an attack is likely, and
more than half (55 percent) said the risk of a major cyberattack on the United States
has increased since 9/11. The figure jumped to 59 percent among individuals responsible
for their companys computer and Internet security. Almost three-quarters (72 percent)

140

G. Weimann

believed there is a gap between the threat of a major cyberattack and the governments
ability to defend against it, with the figure increasing to 84 percent among those respondents who are most knowledgeable about security. Furthermore, 86 percent thought the
U.S. government should devote more time and resources to defending against cyberattacks than it did to addressing Y2K issues, and 96 percent stressed the importance of
securing sensitive information so that hackers will not be able to access it even if they
break into the governments computer system. Those surveyed were concerned about
attacks not only on the government but on other likely targets as well. Almost threequarters (74 percent) believed that national financial institutions, such as Wall Street or
big national banks, would be likely targets within the next year, and around two-thirds
believed that attacks were likely to be launched within the next twelve months against
the computer systems that run communications networks (e.g., telephones and the Internet),
transportation infrastructure (e.g., air traffic control computer systems), and utilities (e.g.,
water stations, dams, and power plants).
A study released in December 2003 appeared to confirm the IT professionals skepticism about the ability of the government to defend itself against cyberattacks.34 Conducted by the House Government Reform Subcommittee on Technology, the study examined computer security in federal agencies over the course of a year and awarded
grades. Scores were based on numerous criteria, including how well an agency trained
its employees in security and the extent to which it met established security procedures
such as limiting access to privileged data and eliminating easily guessed passwords.
More than half the federal agencies surveyed received a grade of D or F. The Department of Homeland Security, which has a division devoted to monitoring cybersecurity,
received the lowest overall score of the twenty-four agencies surveyed. Also earning an
F was the Justice Department, the agency charged with investigating and prosecuting
cases of hacking and other forms of cybercrime. Thirteen agencies improved their scores
slightly compared with the previous year, nudging the overall government grade from
an F up to a D. Commenting on these results, Rep. Adam H. Putnam (R-FL), chairman
of the House Government Reform Subcommittee on Technology, declared that the threat
of cyberattack is real. . . . The damage that could be inflicted both in terms of financial
loss and, potentially, loss of life is considerable.35
Such studies, together with the enormous media interest in the subject, have fueled
popular fears about cyberterrorism. A study by the Pew Internet and American Life
Project found in 2003 that nearly half of the one thousand Americans surveyed were
worried that terrorists could launch attacks through the networks connecting home computers and power utilities. The Pew study, based on telephone interviews with 1,000
adults, found that 11 percent of respondents were very worried and 38 percent were
somewhat worried about an attack launched through computer networks. The survey
was taken in early August, before the major blackout struck the Northeast and before
several damaging new viruses afflicted computers throughout the country. Because of
those events, the level of awareness concerning cyberterrorism might be even higher
today, said Lee Rainie, director of the project.36
Former National Security Advisor Anthony Lake, in his book Six Nightmares, argues, Millions of computer-savvy individuals could wreak havoc against the United
States.37 Lake, whose chapter e-Terror, e-Crime is a veritable case study in cyberattack
alarmism, worries that cyberattackers could crash planes; tamper with food or medicines
to poison populations; or disrupt the economy by shutting down electrical and communication systems. The genie is well outside the bottle, he claims, now that attackers
have jammed 911 lines in Miami, overwhelmed the e-mail system at one Air Force

Cyberterrorism

141

base, and infiltrated an unclassified Pentagon computer. However, Lake and other
alarmists do not distinguish between hackers and terrorists. They also fail to ask an
obvious question: If there are so many malicious hackers at work (19 million, by Lakes
count), why have their attacks been, by and large, fairly innocuous?

Confusing Hackers with Terrorists

Despite significant investment in technology and infrastructure to protect against attacks,
cyberterrorism represents one of the greatest challenges in present and future terrorism.
In the 2002 research study conducted by the Computer Crime Research Center, 90 percent of respondents detected computer security breaches within the last 12 months. In
another more recent study conducted by CIO Online, 92 percent of companies have
experienced computer attacks and/or breaches in the last 12 months.38 But there are
various actors involved in cyberattacks and most of them are not terrorists. According to
Michael Vatis, head of the Institute for Security Technology Studies at Dartmouth College (and previously the head of the FBIs cyberterrorism unit), the potential attackers
are grouped in four categories:39
Terrorists: To date, few terrorist groups have used cyberattacks as a weapon.
However, terrorists are known to be extensively interested in the Internet as a
weapon and as a target. Although it is unclear whether Osama bin Ladens Al
Qaeda organization has developed cyber attack capabilities, members of this network use information technology to formulate plans for cyberattacks. Thus,
argues Vatis, trends seem clearly to point to the possibility of terrorists using
information technology as a weapon against critical infrastructure targets.
Nation-States: Several nation-states, including supporters of terrorism, such as
Syria, North Korea, Iran, Sudan, and Libya, may develop information warfare
capabilities that could be turned against the United States and its allies. China,
Cuba, and Russia, among others, are also believed to be developing cyberwarfare
capabilities.
Terrorist Sympathizers: This category contains those actors probably most likely
to engage in attacks. If the American campaign against terrorism is perceived as a
crusade against people of the Muslim faith, a variety of pro-Muslim hacker
groups could launch cyberattacks against the United States and its allies. Others
with anti-U.S. or anti-allied sentiments, such as members of the anti-capitalism
and anti-globalization movements, or Chinese hackers still upset about the 2001
surveillance plane incident or the 1999 accidental NATO bombing of the Chinese
Embassy in Belgrade, could join in such attacks.
Thrill Seekers (or cyberjoyriders): There are many hackers and script kiddies
who simply want to gain notoriety through high profile attacks. However, such
individuals can still have significant disruptive impact, as evidenced by the February 2000 DoS attacks and recent destructive worms.
Although the first three categories are certainly related to terrorism, the last one
may not be engaged in cyberterrorism. For now, the most damaging attacks and intrusions, experts say, are typically carried out either by disgruntled corporate insiders intent
on embezzlement or sabotage, or by individual hackerstypically young and male
seeking thrills and notoriety. According to a report issued in 2002 by the IBM Global
Security Analysis Lab, 90 percent of hackers are amateurs with limited technical profi-

142

G. Weimann

ciency, 9 percent are more skilled at gaining unauthorized access but do not damage the
files they read, and only 1 percent are highly skilled and intent on copying files or
damaging programs and systems. Most hackers, it should be noted, concentrate on writing programs that expose security flaws in computer software, mainly in the operating
systems produced by Microsoft. Their efforts in this direction have sometimes embarrassed corporations but have also been responsible for alerting the public and security
professionals to major security flaws in software. Moreover, although there are hackers
with the ability to damage systems, disrupt e-commerce, and force websites offline, the
vast majority of hackers do not have the necessary skills and knowledge. The ones who
do generally do not seek to wreak havoc. Douglas Thomas, a professor at the University
of Southern California, spent seven years studying computer hackers in an effort to
understand better who they are and what motivates them.40 Thomas interviewed hundreds of hackers and explored their literature. In testimony on 24 July 2002, before
the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, Thomas argued that with the vast majority of hackers, I would
say 99 percent of them, the risk [of cyberterrorism] is negligible for the simple reason
that those hackers do not have the skill or ability to organize or execute an attack that
would be anything more than a minor inconvenience. His judgment was echoed in
Assessing the Risks of Cybertwrrorism, Cyber War, and Other Cyber Threats, a 2002
report for the Center for Strategic and International Studies, written by Jim Lewis, a
sixteen-year veteran of the State and Commerce Departments.41 The idea that hackers
are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously, Lewis argued. Nations are more robust than the early analysts of cyberterrorism
and cyberwarfare give them credit for. Infastructure systems [are] more flexible and
responsive in restoring service than the early analysts realized, in part because they have
to deal with failure on a routine basis.42
Why are hackers seen as threatening and why are quick associations made between
hacker activity and terrorist activity? Most of what hackers do is write programs that
expose security flaws in computer software, mainly in the operating systems produced by
Microsoft. That process of hacking has been responsible, particularly over the past decade,
for alerting the public and security professionals to major security flaws in software.
Hackers force computer software manufacturers to pay attention to security. They find
security flaws, and when they point them out, hackers tend to be associated with the flaws,
blaming the messengers. Thus, what hackers see as a public service, pointing out dangerous and troubling security risks, many people see as criminal activity. And while there are
hackers who can do damage to systems, disrupt e-commerce, or even force websites
offline, the vast majority of them cannot. The ones who can, generally do not.
Hackers tend to exaggerate their own abilities out of a sense of bravado. Hacking
stories make good copy, argues Thomas, but they are very rarely accurate, tending to
exaggerate threats and downplay the realities of the event.43 There is a big difference,
he claims in the testimony, between hacking into NASAs central control system (which
has not happened) and hacking into the server that hosts their web page (which has
happened repeatedly). Most media reports fail to distinguish between the two (or to
explain that hacking a web page is essentially the same as spray painting a billboard,
posing very little actual risk). The media, moreover, tends to exaggerate threats, particularly by reasoning from false analogies between hacking and virus spread and cyberterrorism. But the media are just one factor; law enforcement, security consultants, and
even software corporations are all highly motivated to embrace similar outlooks. It is to
their advantage to have everyone believe that the threat to the nations security is severe.

Cyberterrorism

143

However, even the distinction between hackers and terrorists is becoming less lucid.
In February 2004, Gen. John Gordon, Assistant Secretary for Intelligence at DHS who
also serves as chairman of the Homeland Security Council, spoke at the RSA Conference in San Francisco.44 Gordon said that terrorists and so-called cyberterroristspeople
that use the Internet to wreak havoc on the everyday lives of American citizenshave
some key similarities in their tactics. The al Qaeda enemy fights from the shadows,
Gordon said. This is similar to the cyberterrorist community.45 Both types of attackers
also can carry out their plans on limited resources and can make multiple attempts to
succeed in mounting an attack, he said. Gordon said that whether someone detonates a
bomb that causes bodily harm to innocent people or hacks into a web-based IT system
in a way that could, for instance, take a power grid offline and result in a blackout, the
result is ostensibly the same; both are acts of terrorism. The damage will be the same
whether the attacker was a bored teenager, an organized criminal or a [hostile] nation or
state. We need to focus on the vulnerabilitiesand not get too hung up on who the
attacker will be. Because of the level of threat cyberterrorists pose, implementing cybersecurity
technology is paramount among the aims of the Homeland Security Council, Gordon
said.

How Real is the Threat of Cyberterror?

Amid all the dire warnings and alarming statistics that the subject of cyberterrorism
generates, it is important to remember one simple statistic: so far, there has been no
recorded instance of a terrorist cyberattack on U.S. public facilities, transportation systems, nuclear power plants, power grids, or other key components of the national infrastructure. Cyberattacks are common, but terrorists have not conducted them and they
have not sought to inflict the kind of damage that would qualify them as cyberterrorism.
As Green reported, when U.S. troops recovered Al Qaeda laptops in Afghanistan,
officials were surprised to find its members more technologically adept than previously
believed.46 They discovered structural and engineering software, electronic models of a
dam, and information on computerized water systems, nuclear power plants, and U.S.
and European stadiums. But, Green argued, the evidence did not suggest that Al Qaeda
operatives were planning cyberattacks, only that they were using the Internet to communicate and coordinate physical attacks.47 Neither Al Qaeda nor any other terrorist organization appears to have tried to stage a serious cyberattack.
Many computer security experts do not believe that it is possible to use the Internet
to inflict death on a large scale. Some pointed out that the resilience of computer systems to attack is the result of significant investments of time, money, and expertise. As
Green described, nuclear weapons and other sensitive military systems enjoy the most
basic form of Internet security.48 He argued that they are air-gapped, meaning that
they are not physically connected to the Internet and are therefore inaccessible to outside hackers. The Defense Department has developed various measures to protect key
systems by isolating them from the Internet and even from the Pentagons internal computer network. Moreover, as a defensive measure, all new software must be submitted to
the National Security Agency for security check and approval.
The 9/11 events led to a growing awareness of airliners vulnerability to cyberterrorism. For example, in 2002, Senator Charles Schumer (D-NY) described the absolute havoc and devastation that would result if cyberterrorists suddenly shut down our
air traffic control system, with thousands of planes in mid-flight. However, argues
Green, cybersecurity experts give some of their highest marks to the Federal Aviation

144

G. Weimann

Authority, which separates its administrative and air traffic control systems. Thus, he
claims, it is impossible to hijack a plane remotely, which eliminates the possibility of a
high-tech 9/11 scenario in which planes are used as weapons.
Another source of concern are secondary targets such as power grids, oil pipelines,
and dams that might be attacked to inflict other forms of mass destruction. Because
most of these systems are in the private sector, they tend to be less secure than government systems. In addition, as Green notes, companies increasingly use the Internet to
manage SCADA systems that control such processes as regulating the flow of oil in
pipelines and the level of water in dams. To illustrate the threat of such attack, a story in
The Washington Post in June 2003 on Al Qaeda cyberterrorism related an anecdote
about a teenager hacker who allegedly broke into the SCADA system at Arizonas Theodore Roosevelt Dam in 1998 and could, according to the article, unleash millions of
gallons of water and thus threaten the neighboring communities. However, a subsequent
probe by the tech-news site CNet.com revealed the story to be largely exaggerated; the
hacker could not have gained control of the dam and no lives or property were really at
risk.
To assess the potential threat of cyberterrorism, experts such as Denning suggest that
two questions be asked: Are there targets that are vulnerable to cyberattacks? And are
there actors with the capability and motivation to carry out such attacks? The answer to
the first question is yes: critical infrastructure systems are complex and therefore bound
to contain weaknesses that might be exploited, and even systems that seem hardened to
outside manipulation might be accessed by insiders, acting alone or in concert with
terrorists, to cause considerable harm. But what of the second question?
According to Green, only a few people besides a companys own employees possess the specific technical know-how required to run a specialized SCADA system. In
April 2002, an Australian man used an Internet connection to release a million gallons
of raw sewage along Queenslands Sunshine Coast after being turned down for a government job. When police arrested him, they discovered that he had worked for the
company that designed the sewage treatment plants control software. It is possible, of
course, that such disgruntled employees might be recruited by terrorist groups, but even
if the terrorists did enlist inside help, the degree of damage they could cause would still
be limited. As Green argued, the employees of companies that handle power grids, oil
and gas utilities, and communications are well rehearsed in dealing with the fallout from
hurricanes, floods, tornadoes, and other natural disasters. They are also equally adept at
containing and remedying problems that stem from human action.
Denning draws attention to a report published in August 1999 by the Center for the
Study of Terrorism and Irregular Warfare at the Naval Postgraduate School (NPS) in
Monterey, California titled Cyber-Terror: Prospects and Implications.49 The report, argues
Denning, shows that terrorists generally lack the wherewithal and human capital needed
to mount attacks that involve more than annoying but relatively harmless hacks. The
study examined five types of terrorist groups: religious, New Age, ethnonationalist separatist, revolutionary, and far-right extremists. Of these, only the religious groups were
judged likely to seek the capacity to inflict massive damage. Hacker groups, the study
determined, are psychologically and organizationally ill suited to cyberterrorism, and
any massive disruption of the information infrastructure would run counter to their selfinterest.
A year later, in October 2000, the NPS group issued a second report, this one
examining the decision-making process by which substate groups engaged in armed

Cyberterrorism

145

resistance develop new operational methods, including cyberterrorism. Denning claims

this report also shows that although substate groups may find cyberterror attractive as a
nonlethal weapon, terrorists have not yet integrated information technology into their
strategy and tactics and that significant barriers between hackers and terrorists may prevent their integration into one group.
Another illustration of the limited likelihood of terrorists launching a highly damaging
cyberattack comes from a simulation sponsored by the U.S. Naval War College. The
college contracted with a research group to simulate a massive cyberattack on the nations
information infrastructure. Government hackers and security analysts gathered in July
2002, in Newport, R.I., for a war game dubbed Digital Pearl Harbor. The results were
far from devastating: the hackers failed to crash the Internet, although they did cause
serious sporadic damage. According to a CNet.com report on the exercise published in
August 2002, officials concluded that terrorists hoping to stage such an attack would
require a syndicate with significant resources, including $200 million, country-level intelligence and five years of preparation time.50
In May 2004 cyberterrorism expert Andy Cutts of Dartmouths Institute for Security Technology Studies reported on Operation Livewire, a recent nationwide cyberterror
simulation that tested Americas preparedness in the event of a major cyberattack.51
Cutts spoke specifically about the possibility of a sustained, campaign-level attack on
U.S. computing networks, such as banking, law enforcement, energy and emergency
response networks, by an unknown adversary. Because of the anonymous nature of cyberterrorism, he said, such an attack could come from virtually any source, including an
enemy state or a small terrorist group. There have been examples of cyber attacks that
have gone on for years, and the National Security Agency still does not know who is
perpetrating them, Cutts said. There are hundreds of thousands of computers in this
country that are compromised.52 When asked if there was any idea of who was controlling these computers, Cutts said there was not. He added that through Operation Livewire,
the federally funded ISTS learned valuable lessons about how various agencies and
entities respond to such attacks and that this information would help ISTS and other
groups to correct the nations vulnerabilities. The simulation involved an East Coast
state and city, a West Coast state and city, as well as various corporations in the telecommunications, trading, banking, and energy sectors. Because participants were wary
of sharing their networks and security vulnerabilities with an outside organization, Cutts
said, allaying their security concerns was of the utmost importance. Cutts was optimistic
about the improvements in Americas cyber security that can result from simulations
such as Operation Livewire, although he acknowledged that the nation has a long way
to go in preparing itself for cyberterrorism.
Concern over cyberterrorism is particularly acute in the United States; an entire
industry has emerged to grapple with the threatthink tanks have launched new projects
and issued white papers, experts have testified to its dangers before Congress, private
companies have hastily deployed security consultants and software designed to protect
public and private targets, and the media have trumpeted the threat with such front-page
headlines as this one, in The Washington Post in June 2003: Cyber-Attacks by Al
Qaeda Feared, Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts
Say. The federal government has requested $4.5 billion for infrastructure security; the
FBI boasts more than 1,000 cyber investigators; President Bush and Vice President
Cheney keep the issue before the public; and in response to 11 September, Bush created
the office of cybersecurity in the White House.

146

G. Weimann

Conclusion
As Denning concludes, At least for now, hijacked vehicles, truck bombs, and biological weapons seem to pose a greater threat than cyber terrorism. However, just as the
events of September 11 caught us by surprise, so could a major cyber assault. We cannot afford to shrug off the threat.53 There is alarming evidence that modern terrorists
consider seriously adding cyberterrorism to their arsenal. While bin Laden may have
his finger on the trigger, his grandchildren may have their fingers on the computer
mouse, remarked Frank Cilluffo, the Associate Vice President for Homeland Security
at George Washington University in a statement that has been widely cited. Verton, for
example, argues that al Qaeda [has] shown itself to have an incessant appetite for
modern technology, and provides numerous citations from bin Laden and other Al
Qaeda leaders to show their recognition of this new cyberweapon.54 In the wake of the
11 September attacks, bin Laden reportedly gave a statement to an editor of an Arab
newspaper indicating that hundreds of Muslim scientists were with him who would use
their knowledge . . . ranging from computers to electronics against the infidels.55 And
indeed, in the caves in Afghanistan, American troops found plans for Al Qaeda to attack
computer systems while some of Al Qaedas recruits were sent to train in high-tech
systems. One of them was LHoussaine Kherchtou, a 36-year-old Moroccan who joined
Al Qaeda in 1991 and was sent to learn high-tech methods of surveillance from Abu
Mohamed al-Ameriki (the American).56 He joined other trainees in using electronic
databases to learn about potential targets such as bridges and major sports stadiums.
After his basic training, Kherchtou joined Al Qaedas electronic workshop in Hyatabad
in Peshawar, Pakistan, the center of Al Qaedas research and development for forging
electronic documents, message encoding and decoding, encryption techniques, and methods
of breaking encryption.57
Future terrorists may indeed see greater potential for cyberterrorism than do the
terrorists of today. Furthermore, the next generation of terrorists are now growing up in
a digital world, one in which hacking tools are sure to become more powerful, more
simple to use, and easier to access. Cyberterrorism may also become more attractive as
the real and virtual worlds become more closely coupled. For instance, a terrorist group
might simultaneously explode a bomb at a train station and launch a cyberattack on the
communications infrastructure, thus magnifying the impact of the event. Unless these
systems are carefully secured, conducting an online operation that physically harms someone
may be as easy tomorrow as penetrating a website is today. Paradoxically, success in
the war on terror is likely to make terrorists turn increasingly to unconventional weapons such as cyberterrorism. The challenge is to assess what needs to be done to address
this ambiguous but potential threat of cyberterrorismbut do so without inflating its
real significance and manipulating the fear it inspires.
In conclusion, the bulk of the evidence to date shows that terrorist groups are making widespread use of the Internet, but so far they have not resorted to cyberterrorism.
The threat of cyberterrorism may be exaggerated and manipulated, but it can be neither
denied nor ignored: Verton, in Black Ice: The Invisible Threat of Cyber-Terror, warns
that the terrorist organizations are moving toward cyberterrorism, and, I urge you to
think differently about the future before the disaster occurs.58

Notes
1. National Research Council. Computers at Risk (Washington, DC: National Academy
Press, 1991).

Cyberterrorism

147

2. D. Thomas. Cyber Terrorism and Critical Infrastructure Protection. Statement to the

subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, 24 July 2002.
3. J. Lewis. Assessing the Risks of Cybertwrrorism, Cyber War, and Other Cyber Threats.
Report submitted to the Center for Strategic and International Studies (CSIS), Washington, DC,
2002), p. 1.
4. J. Green. 2002. The Myth of Cyberterrorism. Washington Monthly, November, also
available at (www.washingtonmonthly.com/features/2001/0211/green/html).
5. For example, the downing of a U.S. spy plane in Chinese airspace (April 2001) resulted
in an increase in attacks from both Chinese and U.S. hackers (mostly web site defacements).
Another example occurred in 1997 when a group aligned with the Liberation Tigers of Tamil
Elam (LTTE) reportedly swamped Sri Lankan embassies with 800 e-mails a day over a two-week
period.
6. A. Embar-Seddon. Cyberterrorism. The American Behavioral Scientist 45 (2002), pp.
10331043.
7. R. White and S. Sclavos. Targeting our Computers. The Washington Post, 15 August
2003, p. A27.
8. D. Denning. Is Cyber Terror Next? New York: U.S. Social Science Research Council,
available at (http://www.ssrc.org/sept11/essays/denning.htm.2001).
9. Green, The Myth of Cyberterrorism.
10. Cited by Green, ibid.
11. G. Weimann and C. Winn. The theater of terror (New York: Longman Publication,
1994), p. 20.
12. Mullins, W. A Sourcebook on Domestic and International Terrorism, 2nd edition (Springfield,
Illinois: Charles Thomas Publisher, 1997), p. 9.
13. Smart, I. The Power of Terror, in Contemporary Terrorism: Selected Readings, edited
by J. D. Elliot and L. K. Gibson (Gaithersburg, MD: IACP, 1978).
14. B. Hoffman. Inside Terrorism (New York: Columbia University Press, 1998).
15. M. Conway. What is Cyberterrorism? The Story so Far. Journal of Information Warfare, 2(2) (2003), pp. 3342; M. Conway. Reality Bytes: Cyberterrorism and Terrorist Use of
the Internet. First Monday, 7(11) (2002), available at (http://www.firstmonday.org/issues/issue7_11/
conway/index.html).
16. On the use of the Internet for conventional purposes by modern terrorists, see Y.
Tzfati and G. Weimann. WWW.Terrorism.com: Terror on the Internet. Studies in Conflict and
Terrorism 25(5) (2002), pp. 317332; G. Weimann. WWW.Terror.Net: How Modern Terrorism
Uses the Internet. Special Report, 116 (Washington DC: United States Institute of Peace, 2004).
17. Cited by Green, ibid.
18. Cited in P. Thibodeau. US commission eyes cyberterrorism threat ahead, Computerworld,
17 September 2001, available at (http://www.computerworld.com/securitytopics/security/story/
0,10801,63965,00.html).
19. From NPRs Bob Edwards talk with senators Jon Kyl and Dianne Feinstein, 18 March
2004.
20. Cited in R. Bendrath. The American Cyber-Angst and the Real World. In Robert
Latham (Ed.): Bombs and Bandwidth: The Emerging Relationship between IT and Security (New
York: The New Press, 2003), pp. 4973.
21. Green, 2002.
22. A. Gonsalves. Security Expected to Take a Larger Bite of IT Budgets. TechWeb News,
8 June 2004, available at (http://www.crime-research.org/news/08.06.2004/414).
23. Green, 2002.
24. To illustrate the supposed ease with which our enemies could subvert a dam, The Washington Posts June story on Al Qaeda cyberterrorism related an anecdote about a 12-year-old who
hacked into the SCADA system at Arizonas Theodore Roosevelt Dam in 1998, and was, the
article intimated, within mere keystrokes of unleashing millions of gallons of water on helpless
downstream communities. But a subsequent investigation by the tech-news site CNet.com re-

148

G. Weimann

vealed the tale to be largely apocryphalthe incident occurred in 1994, the hacker was 27, and,
most importantly, investigators concluded that he could not have gained control of the dam and
that no lives or property were ever at risk.
25. D. Ronfeldt and J. Arquilla. Networks, Netwars, and the Fight for the Future. First
Monday 6(10) (2001); J. Arquilla and D. Ronfeldt. The Advent of Netwar (revisited) (2001). In
Networks and Netwars, edited by J. Arquilla and D. Ronfeldt (Santa Monica: RAND Corporation), pp. 125).
26. D. Denning. 1999. Activism, Hacktivism, and Cyberterrorism: The Internet as a Tool
for Influencing Foreign Policy (Washington, DC: Nautilus, 1999), available at (http://www.nautilus.org/
info-policy/workshop/papers/denning.html); D. Denning. 2000a. Testimony before the Special Oversight
Panel on Terrorism, U.S. House of Representatives, Committee on Armed Services 23 May 2000a,
available at (http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html); D. Denning. 2000b.
Cyberterrorism. Global Dialogue (Autumn), (2000b), available at (http://www.cs.georgetown.edu/
~denning/infosec/cyberterror-GD.doc); Denning, op. cit.
27. Ibid.
28. C. Nicol. (not dated). Internet Censorship Case Study: Euskal Herria Journal, The
APC European Internet Rights Project, available at (http://europe.rights.apc.org/cases/ehj.html).
29. B. Collin. 1997. The Future of Cyberterrorism. Crime and Justice International (March
issue, 1997), pp. 1518, available at (http://afgen.com/terrorism1.html).
30. See Realizing the Potential of C4I: Fundamental Challenges, a report prepared by the
Committee to Review DOD C4I Plans and Programs, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, 1999. Available at (http://www.nap.edu/
catalog/6457.html).
31. D. Verton. Black Ice: The Invisible Threat of Cyberterrorism (New York: McGraw-Hill
Osborne Media, 2003a).
32. Reported at (http://www.computerworld.com/securitytopics/security/story/).
33. D., Denning. 2001.Is Cyber Terror Next?, op. cit..
34. Reported by B. Krebs. 2003. Feds Building Internet Monitoring Center. The Washington Post Online, January 31, at: http://www.washingtonpost.com/ac2/wp-dyn/A3409-2003Jan30.
35. Cited in Krebs, ibid.
36. Cited in The Washington Post, 3 September 2003.
37. A. Lake. Six Nightmares (New York: Little, Brown and Company, 2000).
38. K. Coleman. 2003. Cyber Terrorism. Directions Magazine, 10 October 2003, available at (http://www.directionsmag.com/article.php?article_id=432).
39. M. A. Vatis.. Cyber Attacks During the War on Terrorism: A Predictive Analysis,
2001. Special Report, Institute for Security and Technology Studies, available at
(http://www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm).
40. Thomas, op. cit.
41. Lewis, op. cit.
42. Cited in N. Shachtman. 2002. Terrorists on the Net? Who cares? Wired News, 20
December 2002, available at (http://www.wired.com/news/infostructure/0,1377,56935,00.html).
43. Op. cit.
44. See (http://2004.rsaconference.com/).
45. Cited in E. Montalbano. 2004. Homeland Security Chair likens Cyber Terrorists to
Al Qaeda. CRN News, available at (http://www.crn.com/sections/BreakingNews/
dailyarchives.asp?ArticleID=48215).
46. Green, 2002.
47. Green, op. cit.
48. Ibid.
49. Denning, op. cit.
50. Cited in Green, op. cit.
51. T. Spellman. 2004. Expert: U.S. At Risk of Cyberterrorism. The Dartmouth Online,
19 April 2004, available at (http://www.thedartmouth.com/article.php?aid=2004041901010k/).
52. Cited in Spellman, ibid.

Cyberterrorism

149

53. Ibid.
54. Verton, 2003a, op. cit., p. 93.
55. Hamid Mir, editor of Ausaf newspaper, cited in Verton 2003a, op. cit., p. 108.
56. Court transcript, U.S. vs. Osama bin Laden, 21 February 2002.
57. Ibid.
58. D. Verton. Cyberterrorism & security: New definitions for new realities, paper presented at the Cato Institute Book Forum, 12 November 2003b, Washington, DC.