During my time working for the CIA, at least once a year, senior policymakers or staffers would pose the question: How real is the threat of cyber terrorism? How likely is it that al-Qaida and then ISIS could conduct a major cyberattack?
In the years following Sept. 11, politicians and media outlets alike were propounding predictions about a “digital 9/11.” There has been a steady barrage of articles and speeches about terrorist cyber capabilities and the seemingly inevitable arrival of cyber-based terrorism.
And yet, an attack of this nature still has not materialized. For more than two decades, a cyber-terrorist attack that intentionally causes loss of life, destruction of property, and economic disruption has lived more on movie screens than in digital environments.
So, was it just failed threat forecasting, or were the ingredients for this type of attack simply not in place? Most importantly, have the conditions now changed?
Easier access to advanced malware tools, the scale of digital dependency and vulnerability, the increasing connectivity of industrial systems — all these are causing me to re-assess the potential for a cyber-terrorist attack.
Defining the problem
Cyber terrorism is not simply the use of cyber for terrorism. Terrorist groups have long used cyberspace to communicate, recruit, plan, and provide instruction for operations, from the days of internet relay chat rooms to extremist web forums, Twitter, YouTube, and Telegram. We have also seen examples of lower-level DDoS disruption efforts and website defacement.
We cannot classify the recent spate of ransomware attacks like those on an Iowa grain cooperative, Kaseya, and JBS as cyber terrorism, despite the U.S. Department of Justice stating it would now treat ransomware groups as a threat on the same level as terrorism. Despicable and ruthless… sure, but profit drove the perpetrators here — not ideology.
Ransomware gangs, in general, do not have the intended end goal of destruction and loss of life. Instead, they cause temporary disruption of business operations and demand a fee to desist; any destruction is an inadvertent side effect of the primary purpose of extorting money.
Imagine if hackers had conducted the Colonial Pipeline attack with the intentional aim of disrupting industrial operations, forcing outages, and damaging critical equipment. Or if threat actors had destroyed the data without the option of unlocking the files or paying the ransom. After all, Colonial Pipeline paid the ransom, and it still took more than a week to get physical operations back online. In the meantime, global prices were already heavily impacted, and panic buying set in.
Had an attack been waged with the explicit intention of destruction without any chance of recovery, the outage most likely would have been extended for weeks, possibly months. There is no doubt that terrorist groups were watching and taking notes.
When it comes to actual attacks, terrorists have relied on more kinetic and accessible methods like knives, cars, and suicide bombs. These groups, for the most part, have not had the inclination or technical acumen to launch cyber campaigns. But with the proliferation of malware and sophisticated tools readily available to rent on the dark web, has the bar now lowered enough that terrorists may begin to investigate cyber sabotage?
Automation and Crime-as-a-Service (CaaS) have certainly made it easier to carry out certain cyberattacks. And the pay-off could be momentous when you consider our increasing dependency on technology, the rise of internet-connected vehicles and automated machines like cranes, as well as the potential for chaos, which recent events have validated. Case in point: Global shipping giant Maersk lost $300 million due to the disruption from NotPetya.
But it’s not just about financial damage — there are far worse consequences possible. Earlier this year in Oldsmar, Fla., hackers targeted the water treatment plant and nearly poisoned the water supply of an entire city. Apply the same kind of vulnerability to transport (air, ground, sea), nuclear facilities, and autonomous vehicles globally, and the consequences could be astronomical.
In the deep, dark web
Terrorists could leverage cyber in several ways. They could certainly look to cyberspace for funding and join criminals in conducting traditional ransomware attacks. They could launch attacks that look like ransomware, using disguised wipers for example, but really have more destructive aims. Most concerningly, they could wage these kinds of attacks without setting foot in the target country — marking a profound shift in the threat landscape.
Once you have the technology in place, physical security isn’t the only issue. Cyberspace is interconnected, anonymous, and ubiquitous — scary stuff in the hands of terrorists. Experts predict that within the next three to four years, cyber terrorists will have weaponized operational technology (OT) environments to harm or kill humans successfully.
Strangely, cyber criminals themselves may prove a line of defense. Ransomware groups function because of the tacit understanding with the victim that if they pay the fee, speedy recovery is possible. If the potential for recovery erodes or is mistrusted, the likelihood of payment drops and the ransomware business model falls apart. Cyber criminals often stress that any disruption caused is temporary: They don’t want to cause trouble; they just want money.
Many of the high-profile ransomware incidents we see today are the result of a multi-group effort — different cyber-criminal suppliers, each contributing a component to the result. While this lowers the technical threshold required to mount such an attack, it also demonstrates just how complicated such an operation is: no single newcomer could undertake it alone. Unless terrorists have been working behind the scenes on their own tools, which is possible, they most likely will be forced to turn to the dark web and purchase the capabilities and access points from various threat actors.
So, what happens when wannabe terrorist affiliates attempt to operate in the ranks of ransomware gangs and attempt to deploy the tech to do harm intentionally? The relationship between organized crime and terrorism has only ever been an alliance of convenience.
Ransomware cartels do not want the level of attention true cyber-terrorism would bring, even on top of what they have today. There is a history of some degree of self-policing within their ranks. And, as we saw from the fallout post-Colonial Pipeline, some higher-profile groups have even taken a pseudo-ethical stand against targeting critical national infrastructure (CNI). This modicum of morality may go some way to prevent the malware leveraged by organized cybercrime from falling into a terrorist’s hands.
Time for reassessment?
Though I don’t think cyber terrorism is an imminent reality, technical capabilities and circumstances are aligning such that the threat of a cyber-terrorist attack must be reevaluated and most likely reprioritized.
Another factor likely to impede large-scale cyber-terrorist disruption in the near term is the probable desire to conduct an attack akin to traditional terrorism, which relies on the shock and awe of a grand event: an attack that would largely manifest in the physical world. From a cyber perspective, this would require the ability to interfere with and manipulate industrial control systems (ICS), which would likely demand a higher degree of technical competence.
Those few examples where ICS was directly affected are almost exclusively the work of sophisticated nation-states with considerable technical resources to draw from. However, this is an area where connectivity and accessibility from the internet or corporate networks are dramatically accelerating, and — by extension — vulnerability and outside access are increasing. It is also an area where security controls, and the understanding of these systems, often lag.
The rise of ransomware does have a silver lining: It has started to hold companies and government institutions to account, and many are closely reviewing their level of cyber risk, increasing their focus and prioritization of cybersecurity, and onboarding technologies better suited for the current and next generation of attacks.
Cyber terrorists will therefore have to work harder — likely in target selection rather than more sophisticated tooling. As always, terrorist groups will be on the hunt for soft targets, those companies and government bodies that are not prioritizing, resourcing, or evolving their cyber defenses.
Marcus Fowler is the director of strategic threat at Darktrace. Previously, he spent 15 years at the Central Intelligence Agency developing global cyber operations and technical strategies, led cyber efforts with various U.S. Intelligence Community elements and global partners, has extensive experience advising senior leaders on cyber efforts, and was an officer in the United States Marine Corps.