Technology improvements and the rapid acceleration of computer systems and network have significantly impacted societies over the last 20 years, with countless improvements in work areas of productivity, health, connectivity, education and science (Gruyter, 2014, p. 459). Technology provides the foundation of the modern developed nation with computer systems operating and managing electrical, water, sewerage, telecommunications, transport and other utilities in vast, complex automated arrangements. Technological innovation has significantly enabled globalization by overcoming traditional territorial and national boundaries, connecting societies, organizations and people that would otherwise never would (Naseem, 1999, p. 636). These technology enhancements have created a hyperconnected world in which everyone has ‘the potential to communicate and to interact with anyone, anywhere at anytime’ (McGuire, 2014, p. 77). While there are countless benefits to hyperconnectivity, it also aids in the growth, proliferation and reach of criminal entities in scales that range from gangs to non-state terrorist groups. Paralleling the surge in dependence on technology and computer systems is the rise in threats to computer systems themselves, and threat of using computer systems to attack groups within society (Döge, 2016, p. 487). A challenge that has arisen when developing policy and legislation is clearly defining and separating cybercrime, cyberterrorism and cyberwar. This essay will contextualize the distinctiveness of cybercrime, cyberterrorism, and cyberwar, and will define the circumstances that allow for cyberterrorism to be separated from cybercrime and cyberwar.
Underlying Challenges of Cyber Attacks
There are a number of fundamental challenges that underpin the ability to differentiate the various types of cyberattacks, including the ability to attribute an attack to a source, and determining the effect an attack has on a system. Often the ability to attribute a malicious cyberattack beyond reasonable doubt, and in a timely manner, is portrayed as impossible by popular media as a result of ‘denial and deception tactics’ used by adversaries (Australian Cyber Security Centre, 2016, p. 5). If the incident is serious enough the Australian Government has the capability to attribute malicious activity to either a ‘broad category of adversary’ through to ‘specific state and individuals’ through collaboration between law enforcement and the intelligence community (Australian Cyber Security Centre, 2016, p. 5). The ability to attribute an attack is vitally important to a Government for establishing the range of response available, general enforcement of law, criminal investigations and development of stronger security practices. This is important when the range of participants for cyberattacks varies from criminals and ‘bored teenagers’ to state actors, with the most likely source and majority of attacks originating from ‘recreational hackers’ (Lewis, 2012, p. 9).
While network vulnerabilities continue to increase as a problem for business, some consider the national security threat as ‘overstated’, with organizations and systems ‘more robust than they appear’ (Lewis, 2012, p. 2). The natural development of organisational resilience has led to more ‘distributed, diverse, redundant and self-healing’ systems that reduce the impact of an attack (Lewis, 2012, p. 2). From the perspective of a strategic military, an attack that does ‘not degrade national capabilities are not significant’, whereby if an attack ‘does not cause damage that rises above the threshold of the routine disruptions that every economy experiences, it does not pose an immediate or significant risk to national security’ (Lewis, 2012, p. 3). With hundreds of systems supporting critical infrastructure across nations, failures occur on a routine daily basis with disruption lasting for days in extreme cases. An attacker would be required to disrupt multiple systems concurrently before anyone would notice (Lewis, 2012, p. 3). In many cases, cyberattacks alone are not enough and need to be conducted simultaneously with physical attacks to exploit vulnerabilities and cause maximum damage (Lewis, 2012, p. 4); for example, the disruption of systems supporting emergency services to multiply the impact of a physical event (Lewis, 2012, p. 10).
The associated cost of an attack can be high; Hurricane Andrew caused $25 billion dollars of damage, with the yearly average cost of natural disasters within the United States reaching $11 billion dollars – in comparison the Love Bug is estimated to have caused $15 billion of damage globally (Lewis, 2012, p. 11).
There has been an increase in the number of ‘disruptive attacks’ that purposefully draw attention to attacker’s ideological cause (Mandiant, 2016, p. 9), as opposed to ‘traditional low and slow’ methods that ensure an attacker remains undetected within a corporate network to enable data theft, intelligence gathering and corporate espionage. These disruptive attacks are typically characterized by the disclosure of confidential data that leads to corporate embarrassment and reputational damage; in extreme cases this includes the loss of business functions if critical systems are effected (Mandiant, 2016, p. 9), with reported cases of companies being forced to ‘rely on paper and telephone-based processes for weeks’ (Mandiant, 2016, p. 11). As a result of their high impact, disruptive attacks are likely to continue in popularity.
The disruptive nature of attacks is speculated to include actions that have the potential to impact or disable American financial markets, however little consideration is given for the collateral or self-impact of such an attack as a result of the interconnectivity and interdependencies of the global economic market (Lewis, 2012, p. 12). Damage and impact to critical infrastructure is considered trivial in comparison to the risk and potentially serious damage if a state actor was discovered to be the perpetrator (Lewis, 2012, p. 12).
The internet provides a tool for intelligence collection on targets, and an avenue for ‘clandestine penetration of computer networks’ for the purpose of collecting information not readily available to the public (Lewis, 2012, p. 10). As described by Mandiant as the ‘low and slow’ attack type, a sophisticated opponent will actively ensure their activities go unnoticed by not disrupting services or leaving messages because the intelligence collected may be far more valuable than any fallout from a disruptive attack (Lewis, 2012, p. 10).
Determining if malicious activity constitutes a cyberattack is also challenging. The Australian Government defines a cyberattack as the ‘deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computer networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity’ (Australian Cyber Security Centre, 2016, p. 4). The media will often misuse terminology, exaggerate the effect or misunderstand malicious cyber activity to generate viewership – this was demonstrated with the media reporting of the distributed denial of service (DDoS) of the Australian Bureau of Statistics 2016 Census in 2016 (Australian Cyber Security Centre, 2016, p. 5) whereby the ‘cyberattack’ was conducted by ‘foreign actors’ rather than the actual event which was the pre-emptive termination of services as a result of a minor self-induced anomaly (Davidson, 2016) (Karp, 2016). The preemptive assumption of an attack type often has negative impacts with fear and blame occurring before any investigation can determine the facts; this readily occurs in the domain of terrorism with the Australian Attorney General stating in 2016 that ‘Not every mass casualty attack is an act of terrorism. Not every premeditated act of violence is an act of terrorism’, and specifically related it to the legal definition whereby ‘Terrorism is an act of violence or a threat of violence perpetrated for a political, religious or ideological cause, to coerce government or to intimidate the public’. This focus on the foundational definitions provides a basis whereby ‘if we’re going to understand this problem we have to anatomise it correctly’ (Hutchens, 2016); which is why the Australian Government continues to report that Australia is yet to be ‘subject to malicious cyber activity that […] constitute a cyberattack’ (Australian Cyber Security Centre, 2016, p. 5). When considering the contextual difference between cyberwar, cyberterrorism and cybercrime it is crucial to define and understand each category.
States have engaged in war for hundreds of years, however the introduction of cyber as the fifth domain of warfighting has created uncertainty over terminology (Gruyter, 2014, p. 459). Some definitions require a threshold to be met regarding the number and type of cyberattacks and ambiguity will continue to grow as threat actors conduct offensive and defensive cyber operations (Flowers & Zeadally, 2014).
War is the act of armed conflict between nations and in the past was declarable under The Hague Convention (III) of 1907 on the Conviction Relative to the Opening of Hostilities. When the United Nations Charter was established in 1945 war and armed conflict is only legally permitted when a United Nations Security Council Resolution is passed that permits its conduct – often after all diplomatic resolutions have failed – which was exhibited with the UN Security Council Resolution 678 that permitted armed conflict against Iraq to ‘restore international peace and security’ (United Nations Security Council, 1990).
International Humanitarian Law provides the basis of the ‘Laws of War’ that govern the conduct of armed conflicts; breaches of these laws are considered to be war crimes and are prosecuted by the International Criminal Court (International Committee of the Red Cross, 2010).
Technology innovation and the delayed development of supporting legal doctrine has challenged the concepts of jus in bello; a serious concern when the differences between a cyber and conventional kinetic battlefield ‘weaken the presumption and mechanism of conventional jus in bello rules’ (Wang, 2014, p. 44). Despite some differences to conventional armed conflict, the principles of jus in bello still apply when considering cyberwar; and more importantly these laws need to be applied because ‘cyberspace is not a law-free zone where anyone can conduct hostile activities without rules or restrain’ (Koh, 2012). The use of offensive cyber weapons for the conduct of hostilities does not constitute a violation of international law as long as it complies with the principles of jus in bello (Wang, 2014, p. 44).
To define a cyberattack as an armed attack for the purpose of international humanitarian law, the United States Department of Defense Dictionary of Military and Associated Terms articulates Computer Network Attack (CAN) as ‘actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves’ (Department of Defence, 2013). It is commonly accepted that a ‘data stream’ provides the function of a ‘conventional weapon in kinetic warfare’ for the purpose armed attacks in cyber space (Wang, 2014, p. 50), however this is not a binding instrument (Dörmann, 2013).
The application of International Humanitarian law is triggered when the attack threshold is met, which is defined as an ‘act of violence against the adversary, whether in offense or in defense’ (Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts,, Art. 49), with violence requiring an element of ‘physical force’ (Wang, 2014, p. 50). If a cyberattack causes ‘injury, death, damage or destruction’ it constitutes an attack under IHL (Schmitt, 2002, p. 374), and the NATO Cooperative Cyber defense Centre of Excellence has included interfering with ‘functionality’ as meeting the attack threshold (International Group of Experts at the Invitation of the NATO Cooperative Cyber Defense Centre of Excellence, 2013, p. 108). An example where functionality is interfered for the purpose of an attack is the deliberate ‘malfunction of cellphone and internet communications within a state’ (Wang, 2014, p. 51).
When an armed attack has occurred, the application of jus in bello relies on two basic assumptions: the use of force is controlled by a party and that the target is identified. The ability to accurately control a use of force within the cyber domain is ‘extremely limited since […] the severe consequences of […] attacks are secondary and uncertain’, additionally the dual-use of infrastructure is highly complex in the information communication and technology industry creating challenges for accurate identification and distinction of targets (Wang, 2014, p. 45). In a study in 2010 it was determined that 98% of United States government communications use civilian infrastructure (Jensen, 2013). With military departments heavily relying on civilian networks and organizations for the conduct of operations the dual-use principle has the potential to render a civilian population vulnerable to lawful attacks (Wang, 2014, p. 55).
As a result of the complex technical skill required to conduct cyber operations a civilian workforce is often employed which challenges an important aspect of jus in bello: only combatants are permitted to kill or participate in armed conflict (Wang, 2014, p. 45). The International Committee of the Red Cross (ICRC) has considered that cyber operations fall within direct participation in hostilities where ‘electronic interference with military computer networks could also suffice, whether through CNAs or Computer Network Exploitation, as well as wiretapping the adversary’s high command or transmitting tactical targeting information for an attack’ (Melzer, 2009, p. 48). It is considered highly probable that a number of civilian contractors are subject to lawful attacks as a result (Turns, 2012). A similar challenge exits regarding the loss of immunity with Central Intelligence Agency operators who conduct drone operations (Burt & Wagner, 2012).
To determine if a cyberattack constitutes cyberwar it must meet the legal requirements under jus in bello and jus ad bellum. Article 48 of Additional Protocol I states that parties involved in the conflict ‘shall at all times distinguish between the civilian population and combatants’ (AP I, 1977, Art. 48), with combatants defined as ‘members of the armed forces of a Party to a conflict, other than medical personnel and chaplains’ (AP I, 1977, Art. 43(2)). The definition of a military object under International Humanitarian law are ‘objects by their nature, location, purpose or use make an effective contribution to military action and whose total or partial destruction, capture or neutralization, in the circumstances ruling at the time, offers a definite military advantage’ (AP I, 1977, Art. 52(2)), with civilian objects considered to be ‘all objectives which are not military objectives’ (AP I, 1977, Art. 52(1)). Parties to armed conflict are only permitted to target civilians when they are undertaking direct participation in hostilities (Wang, 2014, p. 47). For a cyberattack to be considered an authorized armed attack for the purpose of cyberwar, it must be conducted against other combatants and military objects – if it fails to meet this criterion the cyberattack constitutes a crime. Additionally, the use of indiscriminate attacks is prohibited with the Human Rights Watch criticizing the United States targeting methodology in 2003 for relying on satellite phone geographical coordinates which ‘rendered U.S. precision weapons potentially indiscriminate’ (Human Rights Watch, 2003), similar considerations impact cyber weapons which when deployed may have indiscriminate effects.
The principle of proportionality within International Humanitarian Law regulates the unavoidable loss of civilian life when attacks are conducted against legitimate military objects; providing tolerance levels when balancing military advantage (Wang, 2014, p. 48). While no quantitative measure is provided, attacks are prohibited when they are ‘expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete direct military advantage anticipated’ (AP I, 1977, Art. 51(5) (b)).
To provide clear guidance on the principles of jus in bello in relation to cyberwar, the NATO CCD COE published the ‘Tallinn Manual of International Law Applicable to Cyber Warfare’; a non-binding document that provides guidance on the gap between cyberspace and international law. While the Tallinn manual attempts to legitimize cyberwar, it does not include any guidance on the role of non-state actors in cyberwar or cyberterrorism (Tereshchenko, 2012, p. 35).
Categorizing cyberattacks as cyberwar is challenging because the attacks are ambiguous compared to conventional attacks, are easily camouflaged due to the challenges of attribution, often target civilian infrastructure and rarely meet the requirements of international humanitarian law (Döge, 2016, p. 499).
The term terrorism can be traced back to France’s ‘reign of terror’ between 1793 and 1794 (Addicott, 2004, p. 1), with the terminologies appearance in literature gradually increased from the 1940s, with peaks in the late 1970s and 1980s, before increasing significantly after the 11th of September 2001 (Google, 2016). Yet despite the increased use of the term terrorism ‘there is no global consensus on a precise definition of terrorism’ (Addicott, 2004, p. 1). Since the French reign of terror the strategy of terrorism has slowly evolved as a ‘means of bringing about political change opposed by established governments’ (Crenshaw, 1990, p. 10), with terrorism adopting new methods over time that introduce new opportunities for dissent, including hostage taking (Crenshaw, 1990). Regardless of the method of dissent, the nature and rationality of terrorism has remained unchanged with extremists seeking ‘a radical change in the status quo’ in order to creates a new advantage, or ‘the defense of privileges they perceive to be threatened’ (Crenshaw, 1990, p. 10), with extremists turning to violent terrorist methods when other non-violent methods of dissent have failed (Crenshaw, 1990). Most common definitions do not clearly articulate that terrorism ‘may be used by insurgents and incumbent regimes’ (Wardlaw, 1982), with the definition of political terrorism summarized as ‘the use, or threat of use, of violence by an individual or a group, whether acting for or in opposition to established authority, when such action is designed to create extreme anxiety and/or fear-inducing effects in a target group larger than the immediate victims with the purpose of coercing that group into acceding to the political demands of the perpetrators’ (Wardlaw, 1982, p. 16). This academic definition underpins the legal definitions across most western nations, whereby a terrorist act ‘is carried out for the purpose of advancing a political, religious or ideological cause; is intended to intimidate a section of the public, or compel a government to do or abstain from doing any act; and involves serious violence against a person, property, or endangers life’ (Hardy & Williams, 2014, p. 5). In order for an act to be considered terrorism, it must meet the legal requirements of such an act.
The introduction of communication technology and its embedded nature in the fabric of society and economies creates a tool for any organisation to exploit. Technology is an enabler, allowing a labor force greater flexibility, access, speed and scale for productivity; whether for economic or social good, or for the conduct of war, armed conflict or terrorism. Extremist organizations have embraced technology to provide advantage over adversaries, with internet enabled groups engaging in asymmetric attacks that exceed pre-existing capabilities by leveraging decentralized communication systems (Holt, 2012, p. 339).
Advanced communications technology has created a new method for dissent in the same way that commercial air travel provides the opportunity for hijackings. Terrorist organizations continue to use the cyber domain as a tool for ‘communication, fund-raising and public relations’, along with stealing ‘credit card numbers […] to provide financial support for their operations’ (Lewis, 2012, p. 8). While terrorist use of the internet has generated significant interest, it has constituted no more than ‘propaganda, intelligence collection or the digital equivalent of graffiti’ (Lewis, 2012, p. 8).
In order to meet the legal requirements, cyberterrorism must meet the legal requirement for terrorism along with being ‘conduct involving computer or internet technology that … intentionally causes serious interference with an essential service, facility or system, if such interference is likely to endanger life or cause significant economic or environmental damage’ (Hardy & Williams, 2014).
The role of technology or cyber as a method of conducting terrorism does not change the nature or rationale of terrorism because it does not alter the requirements of instilling fear within a group by threatening violence for the purpose of political coercion. The confusion over terminology and definitions is also underpinned by a belief ignorant to the idea that terrorism is conduct by both insurgents and incumbent regimes; the language surrounding incursions turns from terrorism to cyberattacks simply because ‘terrorist acts fall within the canon only when conducted by official enemies’, given that when the ‘US and its clients are agents, they are acts of retaliation and self defense of democracy and human rights’ (Chomsky, 1991, p. 35). This is important when states who employ terrorism are more ‘effective and dangerous’ than insurgents simply because they ‘possess […] greater resources and abilities’ (Stohl, 2014, p. 85), yet in despite of this consideration the Global Terrorism database does not include acts of state terrorism (Institute for Economics & Peace, 2014, p. 9).
A lack of adherence to the correct definitions has also led to instances of exaggeration with ‘radical discussions listing copyright infringement as cyberterrorism’ (Global Research, 2013).
The basic use of technology by criminal organizations, nation states or extremist organizations for nefarious purposes is considered the ‘misuse’ of technology rather than ‘cyberterrorism’ (Yannakogeorgos, 2014), with the use of technology to communicate, plan, organize, or promote an act of terrorism constitutes conspiracy and incitement within the Australian Criminal Code Act 1995. It is well known that terrorist organisations use cyberspace to facilitate funding, conduct information operations campaigns and encourage additional violence, however it is only the violent act itself that constitute terrorism (Hinnen, 2004).
Legal definitions also provide protection for legitimate civil disobedience, with a political protest exception detailed within Australian legislation that allows for the conduct of advocacy, protests, dissent and industrial action so long as it does not cause serious harm, death, endanger life, or create serious risk to the health and safety of the public (Hardy & Williams, 2014, p. 11). This important distinction prevents groups such as Anonymous, LulzSec and AntiSec being classified as terrorist when they are simply hacktivists; despite attempts by ex-NSA chief Michael Hayden to blur the distinction (Tereshchenko, 2012, p. 32).
When analyzing the potential for non-state terrorist organisation to conduct cyberterrorism as legally defined within the TA2000 it becomes apparent that while they demonstrate ‘a savvy understanding of social media and […] propaganda, terrorist cyber capabilities […] remain rudimentary and show few signs of improving’ (Australian Cyber Security Centre, 2016, p. 6). Non-state terrorist organisation are ‘unlikely [to] compromise a secure network and generate a significant disruptive effect’ in the near future (Australian Cyber Security Centre, 2016, p. 6), while state actors have already demonstrated this capability and also conduct acts of terrorism. Non-state terrorist organisation are likely to continue low-grade malicious activity including DDoS, hijacking social media accounts, and website defacement; all of which do not reach the legal threshold required to constitute (cyber)terrorism and are therefore just (cyber)crime.
Cybercrime is a ‘pervasive threat to Australia’s national interests and prosperity’ where high use of technology has made it an ‘attractive target for serious and organized crime’. Cybercrime offers new opportunities for ‘lucrative financial gains’ (Australian Cyber Security Centre, 2016, p. 6) and the hyperconnectivity of cyberspace provides instant access to a significantly larger range of targets compared to opportunistic crime that requires physical co-location. Cybercrime terminology has been established within criminology research and is defined as ‘offenses that involve and depend on the use of new communication technologies for their commission’ (Leukfeldt & Yar, 2016, p. 263). Cybercrime includes a number of offences, from ‘hacking’ and the distribution of malware, to ‘piracy, fraud, stalking, bullying, distribution of hateful representations, and sexual victimization’ (Leukfeldt & Yar, 2016, p. 263).
The transnational nature of cyberspace has seen the emergence of incredibly sophisticated gangs that exploit vulnerabilities in business networks for the purpose of fraud, and collecting ‘economically valuable’ information (Lewis, 2012, p. 12).
Substantial debate has occurred regarding the interrelationship and nature of cybercrime and cyberterrorism, often resulting in difficulty in distinguishing an attack (Holt, 2012, p. 339). Some research separates these incidents through the term ‘hacktivism’ which recognizes the use of malicious cyber activity to promote an activist agenda, recognizing that while these attacks may violate law they do not produce the required fear to meet legal terrorism thresholds (Holt, 2012, p. 341). The term hacktivism provides a method by which to identity criminal acts of protest that are analogues to real-life political action (Holt, 2012, p. 341). This ability to distinguish hacktivism from cyberterrorism is critical because it would be irresponsible to not distinguish the differences between ‘a net sit-in and the failure of an ATM network, between a cable TV outage and the potential damage by electromagnetic bombs, or between dragging down DNS servers and hijacking an airliner’ (Krapp, 2005, p. 89).
While cybercrime is a broad concept that encompasses offences that involve the use of technology, it is prudent to remember that terrorism is a criminal offence and therefor cyberterrorism is a sub-set of cybercrime.
There are a number of case studies that highlight the challenges, or ease, by which cyberattacks can be categorized between cyberwar, cyberterrorism or cybercrime; including Stuxnet, attacks against the Australian Bureau of Meteorology, the North Korean hack of Sony Entertainment and the subsequent response by the United States, Russia in Georgia and the weeks of mischief carried out by LulzSec and AntiSec.
In 2009 the most highly sophisticated malicious code was set upon the Internet with the goal of locating very specific industrial control systems within Iran. Spreading to air-gapped systems via flash drives and zero-day exploits, the malware destroyed up to 1000 centrifuges at the Natanz nuclear enrichment facility for the purpose of slowing down Iran’s nuclear program (Holt, 2012, p. 342) (Goodin, 2015). During the final days of Stuxnet malicious activity several Iranian nuclear physicist working at Natanz were assassinated using magnetized car bombs; creating speculation that the threat actor may not have been satisfied with Stuxnet’s impact and resorted to physical attacks (Zetter, 2010). While Stuxnet has been heavily attributed to the United States and Israel (Langner, 2013) research by the NATO’s Cooperative Cyber Defense Center of Excellence concluded that ‘Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force’ and according to the Tallinn Manual on the International Law Applicable to Cyber weapons would likely violate international law (Zetter, 2013). The only justification for this armed attack is self-dense, however the United States does not have a legitimate argument for self-defense, or pre-emptive self-defense under International Humanitarian Law. Article 51 of the UN Charter states that ‘Nothing … shall impair the inherent right of individual or collective self-defense if an armed attack occurs’, and Article 2 states that ‘members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered… [and] members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state’. While a limited right for pre-emptive self-defense exists under customary law with the Caroline Test, it requires that the threat be ‘imminent’ while ‘pursuing peaceful means is not an option’ with the response being proportionate to the threat. As an armed attack had not occurred against the United Sates, and the requirement for pre-emption must be ‘instant, overwhelming, leaving no choice of means, and no moment of deliberation’ (Arend, 2003), it is difficult to justify that the Iranian nuclear threat met this criteria, nor that peaceful means were no longer an option. While Stuxnet may have adhered to the basic principles of the Laws of Armed Conflict, the United States did not have a legal right to conduct an armed attack against Iran, and therefore does not constitute a legally authorized armed attacked under International Humanitarian Law. If Stuxnet were to be considered cyberwar, it would have the potential to be classified as a war crime.
If not cyberwar, does Stuxnet constitute cyberterrorism? To meet the legal requirements under the United Kingdom Terrorism Act 2000 the action must be designed to influence a government, be made for the purpose of advancing a political cause, and involve serious damage to property and to seriously to interfere with or seriously disrupt an electronic system. Stuxnet was purpose built to advance western political ideals of nuclear proliferation, involved serious damage to property at Natanz, and seriously interfered with an electronic system. The only legal requirement that becomes difficult to categorize Stuxnet as cyberterrorism is the aim to influence government; with an aim to delay and damage Iran’s nuclear enrichment program rather than intimidate or influence, Stuxnet is closely aligned to sabotage rather than terrorism, and as such Stuxnet is considered cybercrime. Despite not meeting the requirements of war or terrorism, some states may view this level of cyber sabotage as a political act of war (Gorman & Barnes, 2011).
In 2015 Australia’s Signals Directorate detected malicious activity within the network of the Governments Bureau of Meteorology in the form of a Remote Access Tool (RAT); a tool favored by cybercriminals. The RAT was used to syphon information from the network and the Australian Cyber Security Centre was able to attribute the compromise to a specific foreign intelligence service (Australian Cyber Security Centre, 2016, p. 7). This level of state-based espionage is not unusual, however does not meet the criteria for cyberwar or cyberterrorism and remains as cybercrime.
In 2007 Estonia was the victim of a series of cyber-attacks during riots with Russia. Initial attacks against the public and private sector overloaded internet servers and caused wide ranging disruption to government functions and financial systems; causing direct impacts to domestic order, and indirect secondary social impacts by impairing the ‘normal communication with government’ (Wang, 2014, p. 52). Russia conducted similar denial of service cyber-attacks against Georgia during the Russo-Georgian War in 2008 (Hruska, 2008). These cyber-attacks, while disruptive, still fail to meet the threshold require for an armed attack under international humanitarian law and are therefore not cyberwar; nor do they meet the legal requirements for cyberterrorism.
On the 21st of October 2016, hacktivists supporting WikiLeaks attacked the Domain Name System (DNS) infrastructure of Dyn, crippling the internet services within the United States and Europe (Gallagher, 2016). The attack is suspected to be in response to the Ecuadorian government removing internet access from Julian Assange a few days prior (@WikiLeaks, 2016). The significant DDoS attack took place using a botnet of Internet of Things (IOT) devices powered by the Mirai malware that produced the record breaking 620 Gbps cyber-attack against Brian Krebs; the Mirai source code is now publically available for anyone to use (Krebs, 2016). While this hacktivism shows the fragility of the internet to large scale attacks, this particular attack meets the requirement of cyberterrorism under the UK Terrorism Act 2000; it seriously disrupted an electronic system, it was designed to advance a political ideal, and the action was designed to influence and intimidate the government and a section of the public. While the Australian terrorism legislation provides for an activist exemption that would exclude this act as cyberterrorism, the UK Terrorism Act does not.
More concerning is the trending rise and impact of non-state and state-based attacks that has some security researchers concluding that ‘someone has been probing the defenses of the companies that run critical pieces of the Internet’ with attacks becoming more complex and testing the response behaviors and operating procedures of companies (Schneier, 2016). The act of probing a target to map defense systems and response behavior is a common military tactic, and may be a sign that an adversary is calibrating a cyber weapon (Schneier, 2016).
When an Al Qaeda training manual states that explosives are the preferred weapon because they ‘strike the enemy with sheer terror and fright’, and cyberattacks have so far proved to result in little public notice beyond routine outages (Lewis, 2012, p. 8), this growth in the impact of cyberattacks may change their behavior. If a cyber weapon that causes a global outage is released simultaneously with a large-scale terrorism event, it will have an exponential impact on public fear. There is also potential for state-actors to conduct similar attacks to allow governments to ‘coax the public into supporting […] policies’, by creating a ‘climate of fear’ (Hill & Marion, 2016, p. 5); a common practice by politicians to sway public opinion for unpopular policies.
Cyberterrorism is distinctly different from other cyber threats, primarily cyberwar and cybercrime, as a result of its requirement to intimidate or instill fear in a government or populace. Discourse on the topic and the media continue to misuse the terminology as a result of incomplete or incorrect definitions. When paired back to the legal definitions these cyber threats become distinctively different and should be treated accordingly. Each threat type requires, and allows, a different response type: with cyberwar allowing for response by armed attack in self-defense, to policing action under cybercrime and the subset of cyberterrorism. The misclassification of cyber-attacks only generates confusion, and as stated by the Australian Attorney General ‘if we’re going to understand this problem we have to anatomise it correctly’ (Hutchens, 2016).