Crossroads Blog | CYBER SECURITY LAW AND POLICY

Criticism, Cyber Attacks, hacking, National Security, terrorism

Nation-State Cyberattacks are NOT Terrorism, asserts RAND expert

According to Martin C. Libicki, even when backed by nation-states, cyberattacks are not terrorism and should not be considered a national-security concern.  Do you agree?

Libicki is a senior management scientist at the nonprofit, nonpartisan RAND corporation.  In an article on the topic for Newsweek, Libicki defines terrorism as “the use of attacks to create visceral fear,” and he claims that cyberattacks do not fit that definition.  Merriam-Webster Dictionary defines “visceral” as “coming from strong emotions and not from logic or reason.” Do cyberattacks cause visceral fear? Below is a breakdown of Libicki’s argument that they do not.

Sony Attack

According to Libicki, the Sony attack was not decisive until there was a threat of actual terror: the threats made on the physical theaters that showed the film.  To support this claim, Libicki points out that Sony did not withdraw the film until the threats transitioned from threats of cyberattacks to threats of 9/11 style attacks on theaters showing the film.

Following a discussion on the Sony Attacks, Libicki commentated on various cyberattacks reported throughout the years.  Libicki seems to minimalize these attacks by continually referring to them as merely “trashing computers.”  Libicki appears again to minimalize these attacks by pointing out that “most computers are rendered inoperable from criminal not terrorist reasons.”

Attacks on Critical Infrastructure

Libicki points out that the number one fear when it comes to cyberattacks is that an attack will shut down critical infrastructure or confound a network-centric militaryAccording to Libicki, these are “hard targets” and the chance they will be hit is rare essentially because it has not yet been accomplished.  Libicki focuses on the fact that most cyberattacks, like physical terrorist attacks, have been focused on “soft targets” in which “security may have been an afterthought.”  In the cyberworld, the soft targets are corporations such as those involved in the entertainment industry, and in the physical world, the soft targets are undefended places where people congregate such as coffee shops, food markets, and trains.

Cyberattacks are Weapons of…the weak?

If either Iran or North Korea were strong and influential, they might have been able to head off being treated with what they regarded as such disrespect by tried-and-true methods of pressure and financial leverage.  But they are weak players and had to use other, more disruptive methods.

Are cyberattacks weapons of the weak?  Libicki argues that even conventional terrorism is a weapon by those without the ability to carry out conventional military tasks such as defending populations, or attacking the other side’s military.  However, given the advancement of technology, is it really fair to say that strong nation-states will always defer to conventional military tasks?  Even the United States has the ability to use hacking operations to go on the offensive.

Cyberattacks Do Not Share the Motives of Terrorist Attacks

Libicki argues that “political motives” are unprecedented for hacks as large as those against Sony, yet hacking to make a political point has been around as long as hacking.  However, using the Charlie Hebdo attack as an example, Libicki states that we should be more fearful of the real terrorist threats that come from “political motives” rather than “what we might strain to label as cyberterrorism.”

Libicki also differentiates cyberattacks from physical terrorism by claiming that hackers gain something from their attacks and that real, physical terrorists “gain nothing for themselves; their entire interaction with their victims is one of loss.” This statement comes down to what you define as “gaining something,” as many would argue that physical terrorists act from a powerful motive that serves them tremendously more than any economic figure or other benefit.

Cyberattacks Lack Element of “Terror”

The article goes on to claim that cyberattacks do not really create any terror.

[T]here is no reason why hackers should be taken seriously as experts in killing people.

First of all, given the recent research on the ability of hackers to potentially hack into medical devices and airplanes (to name a few), is it fair to say that hackers should not be taken seriously as experts in killing people? If a person were to hijack a plane, and physically cut the wiring causing the plane to crash, is that any different from a hacker causing the same result externally? Moreover, keep in mind that a single hacker can cause this damage to multiple planes at the same time.

One might point out that the physical damage is what creates the terror rather than the hacking, however, is this mere semantics? Does the fact that the chain reaction began in the cyber realm and ended in the physical realm really remove the cyber aspect from the equation when analyzing the damage?

[I]t is very difficult to generate a credible hacking threat against a specific target.

Is a threat any less credible coming from a hacker than a physical terrorist?  According to Libicki, once the hacking threat is made, the victims are able to find ways of countering it, “either by fixing faults, or by taking pains to disable network features that they otherwise find valuable.”  How different is this from physical threats? Areas can be evacuated, and officers can add more security protection.  In both the cyber and physical world the threats often outnumber the resources available to counter them.  As a result, only certain threats are determined serious enough for a response, and making that determination is often difficult if not impossible.  Moreover, in an ever-advancing cyberworld, wouldn’t the prevention and counter of cyber threats be more difficult?

Libicki also differentiates cyberattacks from ‘real terrorism’ by claiming that “visceral fear causes irrational behavior,” and that a cyberattacks do not cause people to act irrationally.  Libicki uses the example of 9/11, explaining that after 9/11 many individuals choose to drive rather than fly despite the odds of death per mile traveled are considerably higher. On the other hand, Libicki explained that in a cyberattacks like the Sony attack, companies now have to enter the risk of cyberattacks into their calculus of costs and profits from moviemaking, just as they do with other risks.

Do you agree? Did the Sony attack and others like it only create an economic fear with an easy fix? Think again about the airplane analogy.  Would a man physically cutting the wiring on a plane create a “visceral fear” that a hacker causing the same damage could not?

Cyberattacks Are Neither Public Safety Concerns Nor Are They National Security Concerns

According to Libicki, countries can choose to treat terrorism as a threat to public safety or a national security threat, and the logic of treating cyberattacks as either “is strained.”

Inasmuch as cyberattacks have yet to hurt anyone directly, non-military cyberattacks can be treated almost entirely in economic terms. There is no sound alternative to a cost-minimization test of public policy.

[T]he conventional military threat remains the big dog; cyberattacks are no more than the small tail by comparison.

What do you think? Read Libicki’s full article here.

 

 

 

Leave a Reply