Cyberterror Prospects and Implications

Thumbnail Image
Nelson, Bill
Choi, Rodney
Iacobucci, Michael
Mitchell, Mark
Gagnon, Greg
Arquilla, John
Tucker, David
Date of Issue
October 1999
Much has been made of the threat of cyberterrorism since the report of the Marsh Commission in 1997. However, current analyses have merely identified the plethora of vulnerabilities in automated information systems (computers) and assumed that terrorist organizations would be willing to exploit these vulnerabilities. They adopt a rudimentary strategic analysis and conclude that cyberterrorism is inevitable because it provides terrorists with a potentially strategic advantage over the United States. We do not dispute the fact that our vulnerabilities are real and numerous. Further, we do not dispute that the consequences of exploitation are potentially severe, even strategically debilitating, if events unfolded in a manner described in some scenarios. However, based on our research, we also do not believe that terrorist organizations will soon possess the capabilities described in many of these scenarios. According to many analyses, the necessary tools for exploiting vulnerabilities in the infrastructure are immediately available, easy to use, and proliferating at an alarming rate. Yet, the United States has not experienced any strategic attacks on critical infrastructure by terrorist organizations (or any other organization, for that matter). Even during the conflict in Kosovo, the most serious "attacks" consisted of vandalizing web pages and denial of service attacks on e-mail servers. Annoying, yes, but hardly a strategic threat to the United States or NATO. This suggests that these tools are still insufficient for the purpose of mass disruption, and that there are requirements for effective use that go beyond the mere possession of these tools and a desire to inflict damage. Therefore, a key question we have asked is "Why haven't terrorist organizations taken advantage of this opportunity?" We believe that the costs of creating a capability sufficient to achieve terrorists’ ultimate goals are much higher than the conventional wisdom indicates. Likewise, simply offsetting development costs is but one of several challenges that must be taken into account. Terrorist organizations will likely measure the benefits of pursuing cyberterrorism from the perspective of both internal and external incentives. Besides development costs, internal incentives must also include the individual and group psychological processes that heavily affect terrorist organizations. In terms of external interests, the costs of pursuing cyberterror may never be attractive as long as traditional terrorist methods remain viable. We examined the issue of cyberterrorism from the perspective of an organization seeking to conduct a comprehensive assessment of its activities. Our assessment explores the costs, risks and benefits of adopting cyberterror, either as a stand-alone operation or as an adjunct to traditional terrorist operations. We believe that this analysis fills a gap in the current literature on cyberterrorism. While the assessment is by no means comprehensive, it offers the intelligence community a much-needed starting point for better understanding the true potential of this threat.
Series/Report No
Other Units
Center on Terrorism and Irregular Warfare
Naval Postgraduate School (U.S.)
NPS Report Number
Distribution Statement