“What’s in a name?” Exploring and analyzing the concept of cyberterrorism and the link between terrorism and cyberspace

(1)

“What’s in a name?”

Exploring and analyzing the concept of cyberterrorism

and the link between terrorism and cyberspace

Master Thesis in Crisis and Security Management

Faculty of Governance and Global Affairs

Leiden University

Name: Claudia Pino Student number: s2091011 Supervisor: Dr. Johannes Vüllers

Second Reader: Prof. dr. Bibi van den Berg Words count: 22833

(2)

Acknowledgements

The thesis is the concluding ‘section’ of a remarkable chapter of one’s life. In this case, it is the final step of my studies for the MSc in Crisis and Security Management.

No words would be enough to explain how much I learned and how much I have grown. However, what can I say is that this path comes to its conclusion thanks to many people and individuals who helped me out throughout the way. I would call these people guiding lights in the darkest days, and for that, I will always be thankful.

Foremost, I would like to express my gratitude towards my family, who supported me along this path and held me when I wanted to give up. They reminded me of the core reasons why I got to the point I was, and in the end, they were right.

I am highly indebted to the many people I met during this long, fantastic, adventurous, and enlightening year. All of you, no-one excluded, helped me in a way that I probably will not be ever able to repay. The friends, the family you chose, the one who stayed from the very beginning to the very end and the one that came in out of a sudden and despite the circumstances were always there, ready to help.

Furthermore, I would like to express my deepest gratitude to my supervisors, Dr. Vüllers and Prof. dr. Bibi van den Berg, who did not give up on me when times went rough, and to the study advisers, a valuable hand and source of support.

Finally, I would like to thank me, for not giving up and teaching myself the most important lesson:

the best part of it comes at the end when you think you have everything to lose, that is when you rise up.

(3)

Abstract

Cyberspace is today considered one of the main domains, together with air, sea, land, and space operations. Hence, in response to main developments, countries, as well as individuals, found themselves in the position of improving their technological capabilities.

Furthermore, as countries become more technologically-dependent, they become also even more exposed to a broader range of threats. Terrorist groups can indeed exploit the internet in order to carry out their activities, ranging from propaganda to recruiting and perpetration of attacks.

The thesis analyses and investigates the phenomenon of cyberterrorism and attempts to assess the reasons why none of the cyber-attacks so far occurred has been labeled as cyberterrorism.

(4)

The main purpose of this chapter is to identify and outline the problem. The research question will be presented and the academic and societal relevance of the study at hand addressed. Finally, the last section of this first chapter will present the structure of the study in order to provide a clearer overview of the topic.

1.1 When the physical and the virtual world converge

Ever since the Industrial Revolution, the emergence of several technologies changed many aspects of society and the way daily activities are carried out. The rapid growth in the usage of Information Technology (IT) systems, computers, and the Internet positively influenced socio-economic growth. The ‘virtual’ world, as a product of the digital revolution, remarkably influenced human activities and modern societies in general, which as Castells suggested, quickly turned into networked societies (Castells, 2009:1). The increase in interconnectedness and possibility to communicate and purchase goods from different geographical areas further provided for greater flexibility and considerable benefits in the international arena (Castells, 2009:1; Sartor, 2012:1). Notwithstanding, across the years, some problematic issues arouse as well, since the number of threats and vulnerabilities to which societies are exposed grew exponentially paving the way to new possibilities for criminal activities too.

Nowadays, the Internet has become particularly relevant in the fields of politics, social interactions, and criminal activities. As follows, several concerns are raised due to the overreliance on the Information and Telecommunication systems (Gotsiridze, 2018:11).

By its intrinsic nature, cyberspace “knows no national border, nor do cyber threats” (Muller et al., 2018:48). Accordingly, it notably allows for a vast number of conducts which are detrimental to both individuals and countries’ national security. In particular, contrarily to what happens in the ‘physical’ world, malicious or criminal actors can operate in cyberspace, believing they can do whatever they can get away with, denying their involvement. In particular, the prefix “cyber” has been widely used in different contexts and with a variety of different meanings. For instance, many ‘traditional’ activities, such as protests, acts of sabotage, espionage, or even criminal or terrorist-related activities found in the cyber world their virtual twin (Oluga et al., 2014; Karanasiou, 2014). As a consequence, the creation of new terms such as “cyber-sabotage,” “cyber-espionage,” “cyber-warfare” and

(7)

2005:135; Jarvis and Macdonald, 2014:53). For instance, this cyber “hype” also led to the creation of a Cyber Lexicon (2018) which addressed the main terms concerning cybersecurity and cyber resilience in the financial sector (FSB, 2018).

1.2 Cyber-attacks and Terrorism: The research problem

Cyberspace and cyber-related issues became quite relevant in the international security discourse, especially for what concerns the possibility to include the use of the Internet as a means to carry out activities with criminal purposes. According to a report by Cybersecurity Ventures, since 2013, the number of records stolen from breaches amounts to 3,809,448, with an attack being carried out every 44 seconds (Mello, 2018). Then, the rapid increase of cyber-attacks, especially in terms of severity, as, for instance, shown in the list provided by the Center of Strategic and International Studies (CSIS) on their website, requires also new measures to counteract these new emerging situations (CSIS,2018). Accordingly, cyber-attacks – and cyber issues in general – made it quickly to the top of the international (and national) agendas, now treated as one of the significant challenges to global security, in particular as regards to the protection of both critical infrastructures and civilians (Housen-Couriel, 2013:1; Aaviksoo, 2010:14).

For instance, the 2010 Stuxnet cyber-attack against a nuclear power station in Iran, the series of attacks also struck against Estonia the same year are examples of the multiple disruptive – and to some extents destructive – potentialities offered by cyber activities.

Besides, further concerns, emerge as regards to the exploitation and use of the Internet for terrorist purposes. In 2015, for example, the young British Hacker, Junaid Hussain was involved in a series of attacks under a group known as the “Cyber Caliphate” with the purpose of defacing both French websites and the U.S. Central Command (Mele, 2017:110). Later on, in 2016, a Kosovarian Hacker, Ardit Ferizi, hacked an online retailer website in order to steal data belonging to U.S. Military and Security service personnel, for which he was charged, for the first time in history, both for computer crimes offenses and terrorism (Schmitt, 2015). Although these are only a few of the possible examples of cyber incidents, they underline the main concerns regarding the opportunities offered by cyberspace. According to the data reported in several risks and analysis reports, the number of cyber-attacks is rapidly increasing. In a report by FireEye (2019), it is stated, indeed, that in 2017 the number of targeted attacks amounted to 56%, the number was raised to 64% in 2018. Furthermore, a report from the Ponemon Institute highlights how out of a subset of 701 organizations operating in industrial and critical infrastructures sectors, almost the 90% of the respondents suffered multiple cyber-attacks able to cause a data breach or a relevant disruption to their operations and plants (Ponemon Institute,

(8)

2019). Whilst occurring more frequently, these types of attacks also fueled a lively debate on the existence of anything like ‘cyberterrorism’ (Atalay & Sanci, 2015; Rid, 2013; Jarvis et al., 2014; Biller, 2013; Hardy, 2011; Kilovaty 2016; Finlay, 2018; Conway, 2011; Talı̇härm, 2010; Brill, 2010). Undoubtedly, however, the Internet and more in general cyberspace offer an incredibly more extensive array of possibilities to terrorists and criminal organizations. As Walter Laqueur stated in 2015, “if the new terrorism directs its energies toward information warfare, its destructive power will be exponentially greater than any it wielded in the past – greater even than it would be with biological and chemical weapons” (Laqueuer, 1999; Atalay & Sanci,2015:2).

Whether anything like a cyber terror or ‘cyberterrorism’ exists is still a matter of debate, although the general consensus is that up-to-date there is no universally acknowledged act of cyberterrorism. In particular, one of the main reasons, as Thomas Rid, reader at the King’s College London’s Department of War Studies, suggested could lie in the fact that those with the capabilities have no intention to pursue an act of cyberterrorism, whereas those with the intention quite often lack the capabilities (Rid, 2013).

The vital interests of states, however, are not only threatened by vulnerabilities of the main critical infrastructure as threats and dangers run even deeper. Undermining trust in a government’s ability to protect its citizens, indeed, can spread panic and destabilize democracies (Aaviksoo, 2010:14). Hence, the convergence between the physical and the virtual worlds, primarily if used for terrorist purposes, and in particular for actions carried out by non-state actors through the use of force or violence in order to cause fear or intimidate and to pursue a specific ideological, religious or political objective, may create interesting combinations and unveil a dangerous potential.

In particular, as Hardy suggests in his article “while most people would recognize an act of Islamic suicide terrorism if they saw one, these other forms are largely speculative extensions of historical ideas about terrorism, and raise a number of unanswered questions about how to appropriately define terrorist acts, both in political discourse and in criminal legislation: Does an attack have to kill or injure real people to qualify as an act of terrorism? Can an act of terrorism cause pure economic loss? Can an act of terrorism be directed at websites and email systems?” (Hardy, 2011:152).

With this regard, the definition of (traditional) terrorism, is already surrounded by a lack of clarity and ambiguities and can undoubtedly be intended differently by different actors, according to their own interests (Schmid, 2004:384; Bruce, 2013:). Although several recent cases have been identified by the media and by some governments as cyberterrorism, none of them has been universally accepted as such. For instance, the 2016 Ardit Ferizi case, or the United Kingdom’s young hacker, Junaid Hussain, cases (Ackerman et al., 2015) which became quite popular for the references made to the cyberterrorism phenomenon as reported by the media.

(9)

Although a number of literature focused on the possibility of terrorist activities to converge in cyberspace (Armenia and Tsaples, 2018; Baldi et al., 2003; Hua & Bapna, 2013; Veerasamy, 2009; Ahmad and Yunos, 2012; Heickero, 2007; Gordon and Ford, 2002; Conway, 2002; Lachow & Richardson, 2007; Theohary, 2011; Ogun, 2012; Gotsiridze, 2018; Conway, 2007; Brill, 2010), as suggested, there is no universal or accepted definition of cyberterrorism. Although the United Nations Drugs and Organized Crime (UNOCD) thoroughly studied the many explications of a terrorist use of cyberspace, whose findings and considerations are included in the 2012 report, however, the catastrophic effects of a potential cyberterrorist attack tend to be considered more fictional than real. Furthermore, some controversial issues may arise: For instance, whether or not the eventual definition of cyberterrorism should be applied both to state and non-state actors; or whether traditional anti-terror laws could be applied to cyber-attacks.

1.3. Research Question

In the light of this short introduction, the primary purpose of the research at hand is to answer the general research question: Why so far, no cyber-attack has been labeled as ‘cyber terrorism’? In order to accurately assess the above-mentioned research question, an exploratory study will be conducted with the purpose of not only delineating a workable definition of cyberterrorism and identifiable indicators which could be used to assess the already occurred cyber-incidents, but also to understanding whether certain factors exist to influence how states (may)use the (cyber)terrorism label. In particular, the study will focus on known political, ideological, or religious motivated cyber-attacks towards critical infrastructures and will try to assess the main policies adopted and legal norms enacted in selected states.

1.4. Relevance of the study

The study is particularly relevant to the field of Crisis and Security Management since the main technological developments provide new opportunities for the commission of unlawful acts able to undermine the security and prosperity of a country. Accordingly, this thesis seeks to contribute to the ongoing discussion regarding cyberterrorism. In particular, a critical assessment of the phenomenon will hopefully lead to a coherent and structured framework through which cyber-attacks could be analyzed under the lens of cyberterrorism.

(10)

1.4.1. Academic Relevance

The purpose of this study is to analyze why none of the cyber-attacks which have been carried out so far has been considered or labeled as an act of cyberterrorism. To begin with, there are generally some problems arising from labeling cyber events as cyberterrorism, or an event as terrorism. The main reasons lie, indeed, in the lack of agreement surrounding both the terms “cyber” and “terrorism.” Accordingly, the research at hand could be considered an important contribution to the body of literature for many reasons. The increasing attention by the media towards the impact and consequences of cyber-attacks quickly facilitated the inclusion of these new terms into the common lexicon. Hence, the increasing relevance of cyberterrorism – especially from a political perspective – makes it an interesting topic to explore. Particularly, in the light of its policy implications when the purpose is to determine which countermeasures to adopt to tackle the issue.

Moreover, in order to contribute to the conceptualization framework as provided by existing literature, several questions can be taken into further consideration, for instance: What is cyberterrorism? Is cyberterrorism any different from traditional terrorism and if so, how? Not to mention what is the empirical evidence of cyber-terrorism?

Previous scholarship also highlighted existing similarities between cybercrime and cyberterrorism, calling for a better conceptualization of the terms. However, besides the terminological and conceptual gap, the limited empirical evidence further complicates the process. There are currently no acknowledged factors which might help to identify, in the first place, an attack as cyberterrorism or how a government would use that specific label. Notwithstanding, the identification of some standard indicators might be considered useful in order to assess the phenomenon. Moreover, no existing literature has been focusing on the “why,” that is an exploration of the reasons why none of the attacks so far occurred has been labeled as cyberterrorism. Hence, in this sense, the study at hand could be considered as innovative.

1.4.2. Societal Relevance

The number of attacks on information systems and networks exponentially increased throughout the years (Billers, 2013:280). Furthermore, the growing interest by the public and the media could be considered a good account of the societal relevance of the study. President Obama identified computer network attacks as “one of the most serious economic and national security risks the U.S. face as a nation and that America’s economic prosperity in the 21st century will depend on cybersecurity” (The White House, 2009 in Biller, 2013: 280-281).

(11)

Despite a strand of literature still considers the eventuality of cyberterrorist attack as a rare possibility, the increasing attention towards the phenomenon is undeniable. As Biller reports, between 2006 to 2010, a 650 percent increase in cyber-attacks on federal agencies has been reported (Biller, 2013:282).

Several examples show how the increase in politically motivated cyber-attacks account for the disruptive potential of such phenomenon (Asal et al. 2016; Biller, 2013). These types of attacks would not only be limited to governmental websites in the public sector but also be able to have an impact on corporations in the private one. Although recognized as state-sponsored attacks, possible examples could be the attack suffered by Google (supposedly originated from China), the 2007 Estonia attack or the 2009 cyber-attack against South Korea (Biller, 2013:283).

Richard Clarke, in his book “Cyber War,” also addressed the disruptive potential effect of a significant cyberattack on civilian infrastructures” (Clarke 2010 in Biller, 2013:281). Furthermore, the possibility of attacks, for instance, to power grids should not be considered as a remote possibility, but instead as an actual threat (Biller, 2013:284; Knake, 2017). Accordingly, the dramatic rise both in vulnerabilities and attacks requires also increasing awareness on behalf of governments and citizens. Thus, as stated by Biller, cyber-attacks may be compared with traditional terrorist attacks, especially if it is considered that terrorist organizations have lately been using internet and information systems as a weapon of terror (Biller, 2013).

In addition, further conceptualization and investigation on cyberterrorism may also represent a useful tool for law enforcement and security service having to deal with the issue.

1.5. Thesis Outline

The purpose of this first part of the study is to introduce the topic of cyberterrorism and clarifying the problem and the goal of the research. In the remainder of the paper, however, the author will proceed with further clarifications of the main concepts involved. In the second chapter, the theoretical framework of the study will be presented. The phenomenon of cyberterrorism will be further conceptualized, and a list of hypothetical cyber-events with terrorist connotations will be highlighted. The third chapter will introduce the methodological framework of the study and chosen research strategy. For instance, how the concept of cyberterrorism has been operationalized in the study and the cases selected and analyzed. The fourth and fifth chapter will then be dedicated to the presentation of findings, analysis, and discussion as regards to the selected cases, and finally the concluding remarks and suggestion for future research presented in the ending chapter.

(12)

Chapter 2. Theoretical Framework

The introduction already addressed the focus and relevance of the study. This section will present a broad outline of previous literature and analyze the main issues. The research at hand aims to investigate the link between cyberspace and terrorism and analyze the concept of cyberterrorism in order to provide an answer to the main research question. In particular, different elements will be examined in order to reconstruct the boundaries and reasons for the debate surrounding cyberterrorism.

2.1. The link between cyberspace and terrorism 2.1.1. Cyber-attacks

The borderless nature of cyberspace exacerbates the challenges posed to law enforcement agencies and governments. One of the most prominent issues concerning global security comes in the form of cyber-attacks perpetrated with the purpose of interfering, disabling or destroying a computer system or, eventually, disrupting its functions. Cyber-attacks may also be targeting both physical or not physical components of a computer, and overall, there is currently no standardized definition of cyber-attacks. According to the Merriam-Webster online dictionary, these can be defined as: “attempts to gain illegal access to a computer or computer system for the purpose of causing damage or harm” (Merriam-Webster, 2018). Whereas according to the Oxford Dictionary, they are “an attempt by hackers to damage or destroy a computer network or system” (Oxford Dictionary, 2018). Although leading to one of the main features of cyber-attacks – namely, to cause actual damage or disruption – on the other hand, these are not conclusive definitions. In fact, these types of attacks can take a vast array of forms and could be carried out using a broad range of methods.

Accordingly, a cyber-attack could be defined as an action – happening in cyberspace – whether offensively or defensively, carried out to disrupt, disable, destroy or take over a computer system, or with the purpose to damage or steal the information kept therein (Kenney, 2015; Kilovaty, 2016). In addition, two further criteria may be taken into account when thinking about attacks perpetrated via cyberspace: (i) the objective of the attack; (ii) the modus operandi, that is the series of actions that precede and follow the attack. Based on the purpose, then the attacks could be directed towards other computers, or networks in order to cause damages, or gain a profit; or towards individuals, societies, or governments. Consistently, different targets would use different techniques, although “physical assaults” or the physical destruction of the object may not be included in the list (Kenney, 2015:113).

(13)

The North-Atlantic Treaty Organization Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia reports a series of definitions of cyber-attacks gathered from national security strategies of the member parties.

With this regard, the NATO more generally defines cyber-attacks as “actions taken to disrupt, deny, degrade or destroy information resident in a computer or computer network, or the computer or computer network itself” (NATO, 2014). The 2013 version of the Tallinn Manual on the International Law Applicable to Cyber Warfare, narrowly defines them as actions (‘cyber operations’), whether offensive or defensive, “reasonably expected to cause injury or death to people or damage to objects” (Tallin Manual, 2013; Kilovaty, 2016:145).

Accordingly, a cyber-attack will undoubtedly be carried out in the cyber domain, which generally includes Information and Telecommunication infrastructures and computer systems (ibid.). As regards to perpetrators, these might range from individuals, activists, states or non-state actors, with many different motivations and objectives, mostly driven by the possibility to gain some economic, social or political advantage. Thus, the common lexicon has been enriched by new – technical – terminology such as denial of service (DoS), Distributed denial of service (DDoS), social engineering, data theft, ransomware, Trojan horses, viruses or bugs. Empirical examples of such disruptive capabilities of cyber-attacks could be found in the Wannacry or NotPetya ransomware attacks, which caused several critical consequences worldwide (Hern, 2017).

In July 2016, the NATO, during a Summit in Warsaw, addressed cyber-attacks as “a clear challenge to the security of the Alliance and (…) as harmful to modern societies as a conventional attack” (NATO,2016). Accordingly, it could be stated that the attacks perpetrated through cyberspace define a new era of covert operations, in which multiple actors can work unnoticed, believing they can do whatever they can get away with and denying their involvement.

Furthermore, valuable and effective responses to the emerging cyber-challenges resulted in a series of measure, such as the 2001 Budapest Convention on Cybercrime, the 2005 Council Framework Decision on Attacks Against Information Systems adopted by the European Union, or the most recent General Data Protection Regulation (Regulation EU No. 679/2016) and the Directive on security of network and information systems (NIS Directive EU No. 1148/2016) which encompasses measures for standard high levels of security in the European Union.

Besides, new agencies and infrastructures have been created with the purpose to effectively tackle the issue, such as the European Network and Information Security Agency (ENISA) in 2004 and the European Cybercrime Centre at Europol (EC3) in 2013 (Carrapico & Barrinha, 2018:299).

(14)

2.1.2. The use of terrorism as a label

The terrorism discourse is, as provided by previous literature, usually shaped by the national context of a country. However, as Malkki and Sallamaa suggested, the main characteristics able to facilitate a differentiation among cases may vary and are yet understudied (Malkki and Sallamaa, 2018:862). For these reasons, one of the primary purposes of the thesis is to attempt to analyze not only the main characteristics of a cyber-event – or hypotheses of cyberterrorism – but also, to fill this void.

As already mentioned, although the concept of cyberterrorism has already been investigated, and attempts to provide a valid framework been made, no cyberterrorist attacks have been registered yet. The concept of terrorism itself is usually considered as a social construct. Accordingly, it could be stated that an action or event is considered as terrorism if a claim of its terrorist nature as such is made (“no incidence is inherently an act of terrorism”) (Malkki and Sallaama, 2018:863). Since the 1970s, the terrorist label has been used as a political tool, usually referring to moral judgment or political condemnation. Considerably, many advantages can derive from labeling an event as terrorism. For instance: “labelling the enemy as a terrorist and thereby evoking narratives and connotations, portraying the opponent as evil” (ibid.), may be a symbolic act with which one reveals the true nature of its actions, hence the construction of a subject or group as the enemy may be arising from a mere political choice (Malkki and Sallamaa, 2018; Mouffe, 2005; Barrinha, 2011). As follows, by using this rhetoric, governments may be able to justify the adoption of specific countermeasures, policies, or practices which may be related to a specific conflict.

Accordingly, the prominent role that terrorism and related countermeasures take on nowadays creates further incentives for using the term. In fact, it is about portraying the threat as a participation in the global battle against terrorism or a common enemy.

However, although the notion of terrorism already existed, in the aftermath of 9/11 attacks, the term has been used to indicate the main attacks carried out by jihadist terrorism. In any case, the terrorism label is a “powerful contextualized political choice” (Barrinha, 2011:168) and is usually inserted into a discursive structure; accordingly, this is usually used by politicians in order to trigger or identify a specific topic (Barrinha, 2011:165). Thus, the label becomes a tool “used to build consensus and solidarity in the face of perceived dangers to the community” (Malkki and Sallamaa, 2018:865). Notwithstanding, in some cases, governments instead preferred not to use the term also if some attacks shared similar characteristics with previous known terrorist attacks (Malkki and Sallamaa, 2018:865; Shelton, 2018; Williams, 2018). In many situations, labeling an event as terrorism was not considered as the best strategic decision. For example, in 1970s, the Dutch Government preferred not to use the term, and used another substitute, labelling some acts of domestic violence as “political

(15)

motivated activism” in order to avoid the opportunities to “feed into the injustice frames of those propagating for violent methods” (Malkki and Sallamaa, 2018:866). Despite the efforts made in the international community, the lack of a formal definition of terrorism makes the possibility to find a universal definition particularly problematic. In particular, there are certainly differences from a social and a political perspective on terrorism, and, furthermore, another element to consider is how countries pursue and prosecute such types of crimes. Most countries, indeed, do have their definitions in domestic laws, such as the existence of several criminal offenses, concerning the preparation of terrorist acts, or the act of owning particular objects may fall under the category (Hardy, 2017). Accordingly, even if some Western countries may be sharing similarities, there can be differences too in the way in which terrorism is defined or portrayed. Besides the main requirement being the intention to pursue some political, religious or ideological causes, hence the motive, what is certain is that in the case of terrorism the label carries “a connotation of absolutely illegitimate violence” (Guelke, 2006:182; Barrinha, 2011:167).

2.1.3. A terrorist use of cyberspace: Setting the boundaries

All the previous statements considered, cyberspace can indeed be seen as one of the main playing grounds in the international arena. Criminals and terrorist groups use the virtual reality for a wide range of activities in order to make an impact in the physical reality. For instance, activities such as propaganda or the possibility to launch cyber-attacks with the purpose to destroy, disrupt, or disable a computer network could find a breeding ground therein. Moreover, a technical background is no longer considered as necessary to carry out these activities, since cyberspace offers all the relevant sources to perpetrate such attacks through the dissemination of hacking manuals or virus-making software which can be easily found online.

A significant number of literature already documented the use of the Internet and latest technologies by terrorist groups in support of their activities (Klausen, 2015; Bloom et al., 2017; UNODC, 2012; Giantas and Stergiou, 2018; Ranstorp, 2006). As the United Nations Office on Drugs and Crime already noted in 2016, the main activities may consist in: propaganda, recruitment, communications, radicalization purposes, fundraising, training and planning and coordination of attacks (as shown in Figure 2).

In particular, well-known groups such as the Islamic State (IS or ISIS) or Al-Qaeda allegedly use the Internet for their own purposes, mainly social media, and social networking applications. More often, indeed, Jihadist websites are intentionally used to disseminate material, radicalize, and recruit. In

(16)

November 2003, Al-Shrq al-Awsat also reported that Al-Qaeda opened a virtual university for “Jihad Sciences” (Chen, 2014:12), with the additional purpose to educate on the use of technologies, explosive devices and electronic and media jihad. Furthermore, many referred to hypotheses of Cyber Jihad, or Cyber Caliphate as to identify the activities in cyberspace, namely cyber-attacks of different kinds carried out by “real-world” terrorist groups (Chen, 2014; Giantas and Stergious, 2018; UNODC, 2012). Thus, the broader use of the Internet probably changed the current practices of terrorism itself, also considering that both terrorist and criminal groups are now able to exploit the many global possibilities and take advantage of the very convenient costs of the Internet (Denning, 2009; Chen,2014:11).

There are many reasons why terrorist groups may be interested in cyber-attacks and to the benefits offered by the cyber domain. In particular, as depicted in Figure 1, some of the advantages include lower costs of the action, access to data, the possibility to communicate anonymously and reach a wider audience. In addition, Gabriel Weimann suggested that the existence of five certain factors is able to make cyber-attacks appealing to terrorists (Weimann, 2013, in Jarvis et al., 2014:70), for instance (as shown in Figure 1): lower financial costs; prospects of anonymity; a more comprehensive selection of available targets; the ability to conduct attacks remotely; the potential of multiple casualties (ibid.). On the other hand, Furnell and Warren also argued that “from the perspective of someone wishing to cause damage, there is now the capability to undermine and disable a society without a single shot being fired or missile being launched.” (Furnell, 1999 in Jarvis et al., 2014:70).

Figure 1.The main advantages as based on information on Weimann 2013, Jarvis 2014

When considering a cyberterrorist attack, generally the outcome is not pictured as disastrous as it can happen in the case of suicide bombings, or mass shooting. Notwithstanding, cyber-attacks already provided evidence of how economies and information systems vulnerabilities could become

(17)

already used the Internet to disseminate fear, and an example is the attack by the Tamil Tigers in Sri Lanka (Burns, 1997), while the Islamic State is also reportedly using the Internet for a wider range of activities (as shown in Figure 2), such as propaganda, data mining, funding, sharing information and planning attacks (Lewis, 2002; Weimann, 2005; Iklody, 2010; Bogdanoski, 2018).

Figure 2. Terrorists' use of cyberspace based on Bogdanoski, 2018

On this matter, the former UN Secretary General Ban Ki-Moon also addressed how the Internet can be considered “a prime example of how terrorists can behave in a truly transnational way; in response, States need to think and function in an equally transnational manner” (UNODC, 2013). Hence, cyberspace and technological advancements may concretely provide terrorists with the ability to “leverage potentially devastating cyber-attacks at a relatively low cost” (Housen-Couriel, 2013:1).

2.2. What is cyberterrorism?

The problematic nature of the concept of cyberterrorism lies within the difficulties to correctly provide a universal definition of the term. Quite often, activities such as life-pranks or socially and politically motivated attacks by hacktivists are confused and associated with cyberterrorism (Kenney, 2015:118). A lack of consensus on what has to be intended as an act of cyberterrorism hinders the process of identification, leaving space to other concepts such as cybercrime, hacktivism or activities of ‘ordinary terrorism’ (Housen-Couriel, 2013:20).

(18)

terrorism make for an uncertain and frightening future” (Laqueur, 1999:254; Conway, 2007:1). Hence, the different type of attacks could be determined to look at “motivation” as the main distinctive element. Once excluded financial gain as one of the main drivers, hacktivism seems to be the cyber activity more closely related to cyberterrorism. Notwithstanding, a further distinction is needed.

At the moment of writing, an undisputed definition of terrorism has not been reached yet, especially as regards to the use of violence for political purposes (Diaza-Paniagua, 2008:47 in Marsili, 2018:1). As in the case of ‘traditional terrorism,’ cyberterrorism suffers from the lack of an official, universal and legal accepted definition. Thus, despite the existence of a list of requisites and characteristics of what should be considered as terrorist activity, the United Nations have not yet succeeded in defining the notion of terrorism itself. The interpretation of what could be considered as terrorist activity is then usually left to “the unilateral interpretation of states, and it easily falls prey to changes that suit the interests of particular states at particular times” (Marsili, 2018:1). In the case of ‘cyberterrorism,’ indeed, similar traits could be shared with other phenomena such as ‘cyber-warfare’ or cybercrime. As a consequence, this definitional uncertainty further exacerbates the possibilities to structure and elaborate a clear and universal definition.

In particular, from a theoretical perspective, the concept of cyberterrorism is surrounded by a high degree of porosity, which together with the lack of an accepted legal framework keeps feeding doubts about its actual existence as a phenomenon. In addition, further complications in terms of recognition derive from the fact that it is usually subsumed under the larger category of cybercrime.

The possibility to reach a definitional agreement will certainly enhance good communication between bodies and improve social structures and governance of societies (Bruce, 2013). In fact, as Bruce already noted, different bodies, organizations, and governments usually elaborate on different definitions, able to suit their own purposes and bias (ibid.). With this regard, as the historian, J. Bowyer Bell once stated elsewhere, “tell me what you think about terrorism, and I will tell who you are” (Williams, 2018). Accordingly, cyberterrorism may be intended differently by many actors and in different contexts. As a result, understanding all how (cyber)terrorism could be labeled might help gain a deeper understanding of how different subjects differentiate acts of terrorism from other acts, as, for instance, simple criminal actions. However, if only the two most essential traits of terrorism are considered, such as the use of force or violence and political motivation, cyberterrorism itself could be assessed according to two different perspectives: a theoretical perspective and a socio-legal one.

(19)

2.2.1 Theoretical issues

Scholars are generally more cautious before labeling a particular attack as terrorism since the focus tends to be more on providing a definition of terrorism, which fits specific criteria in order to distinguish it, for instance, from other acts of violence as in the case at hand could be cybercrime or cyberwarfare. Accordingly, the main objectives could be understanding what the underlying motives, actors, or targets are and if once identified, they can be assessed under the light of a terrorist attack. The concept of ‘cyberterrorism’ has attracted scholars since the 1980s, raising a wide number of concerns (Oleksiweicz, 2016:137). In particular, the term has been coined by Barry Collins who at the time was working for the U.S. Institute for Security and Intelligence. Collins openly claimed the destructive potential of cyber-attacks if compared to traditional physical assaults (Collins, 1997; Jarvis et al., 2014:70). According to Collins, possible examples might include “contamination of food products through interference with manufacturing processes, and interception of air traffic control systems to engender fatal collision” (ibid.). Other authors, such as Dorothy Denning also suggested that cyberterrorism could be considered as: “the convergence of terrorism and cyberspace; […] generally understood to mean unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.

Further, to qualify as cyberterrorism, an attack should result in violence against persons or property or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not” (Armenia and Tsaples, 2018:110).

According to Denning, the concept can be associated not only with unlawful use of computers and information technologies (ibid.) but also with elements of terrorist activity (Oleksiewicz, 2016:136). Then, Armenia and Tasples identified some of the main characteristics able to qualify a cyberterrorist attack in the followings: (i) it should consist of violence against people or property; and (ii) at least be able to cause enough harm to generate fear. (Armenia and Tsaples, 2018:110). Another research carried out by Jarvis et al. (2014) tried to gain a broader understanding of cyberterrorism among the global research community (Jarvis et al. 2014:68). In particular, their research focuses on three issues: Whether a cyberterrorism attack has ever taken place; Whether it constitutes a significant threat, and if so against what referent; what are the most effective countermeasures and whether these differ from more traditional forms (ibid.).

(20)

However, as Biller states, the main cyberterrorism definitions are based on two general models: effect-based criteria and intent-based criteria (Biller, 2013:291). By combining these two Biller proposes his own definition of cyberterrorism as: “Premeditated, politically motivated computer network attacks perpetrated against noncombatant targets by subnational groups, designed to cause fear or anxiety in a civilian populace either by: a) inflicting, falsely appearing to inflict, or threatening to inflict, widespread damage to critical physical or informational infrastructure, national security-related information systems, or critical economic systems; or b) causing, appearing to cause, or threatening to cause any type of severe physical damage or human casualties” (Biller, 2013:291-292). As stated earlier, the emergence of competing perspectives surrounding the phenomenon quite often depicted cyberterrorism as a “logical sub-category of both terrorism and cyber-crime” (Hoffman 2006 in Biller, 2013:289). With this regard, however, the main difference between the terms lies in the ‘motive’ (Ahmad & Yunos, 2012). Consistently, whereas cybercrime is usually perpetrated for financial and economic purposes, the second is characterized by political and social motivations. In addition, cyber-terrorist attacks are characterized by the possibility to cause physical damage and disrupt economies. Accordingly, by taking into account the mentioned features, many authors believe that the concept should be interpreted in the light of a convergence between traditional terrorism and cyberspace (Parks and Duggan,2001; Hua & Bapna, 2013; Armenia and Tsaples, 2018). Due to the ambiguous nature of the concept, hence, a more detailed conceptualization of the term would be advisable in order to advance knowledge in the field. In particular, one of the most contested topics in academia is whether and how cyberterrorism poses a security threat and to whom (Jarvis et al., 2014:69). In particular, a strand of literature approaches cyberterrorism as “constitutive of a genuine security threat” whereas others adopt a more skeptical view, viewing it “as a little more than a hyperbolic media construction” (Jarvis et al., 2014:69).

For instance, Hansen and Nissenbaum (2009) referred to the securitization theory in the cybersecurity discourse, claiming that “cyber securitizations are particularly powerful precisely because they involve a double move out of the political realm: from the politicized to the securitized, and from the political to the technical concept” (Hansen and Nissenbaum, 2009 in Jarvis et al., 2014:71).

Susan Brenner also provided a definition of cyberterrorism, which could be considered as the use of computer technology to engage in terrorist activity (Brenner 2007 in Biller, 2013:308). However, her main assumption is that cyberterrorism should be conceived as another facet of crime. In order to make her claim, she categorizes the attacks in three types: Weapons of mass destruction attack, weapons of mass distraction and weapons of mass disruption. In the first case, weapons of mass destruction, Brenner excluded the attacks that originated through the internet, and that produced, as a result, a large-scale destruction (Biller, 2013:308). In particular, she suggested that a scenario in

(21)

which a cyberterrorist attack causes a nuclear power plant meltdown would be primarily remembered as a nuclear attack rather than a cyber one (ibid.).

On the other hand, the second category, the weapons of mass distraction, would not consist of violent physical effects, but rather psychological ones with detrimental consequences for governments. Brenner further provides an example of a hacked website which leads to mass panic and possibly death. The author believes the latter to be a more realistic possibility because this type of attack requires a lower level of sophistication and economic costs (Biller, 2013:309).

The final category, weapons of mass disruption, consists of attacks carried out against critical infrastructure, where the ultimate goal pursued by the perpetrators would be to undermine the citizens’ faith in governments (ibid.). Notwithstanding, Brenner identifies in the concrete possibility to use a cyber-attack in order to undermine faith in government as the only valid justification for further research and attention to the phenomenon to prevent it. As Kenney, suggests the use of cell-phones by terrorists, to detonate explosive devices does not create anything such as ‘cell-phone terrorism,’ or technological terrorism. Instead, terrorism can make use of those devices as ‘weapons’ or tools (Kenney, 2015).

All the above considered, however, one of the main issues – also typical of cyber-attacks in general – still concerns attribution of such attacks, further exacerbated in the case of cyberterrorism (Biller, 2013:331).

2.2.2. Socio-legal Issues

Agreeably, the term ‘terrorism’ entails an intrinsically negative connotation and is used in order to apply a pejorative perspective regarding enemies and opponents (Hoffman, 2006 in Williams 2017). In particular, politicians often apply the word “terrorism” in order to refer to acts from individuals and groups identified as opponents in order not only to demonize them and incite fear, but also to convince a population to (eventually) support controversial governmental actions, and to gain support by promoting “an us-vs-them” narrative. Accordingly, the decision to label certain activities as terrorism may also depend on whether a determined government sympathize or opposes the cause or the perpetrators concerned (ibid.).

The identification of cyber-terror events is further hyped by the media, which generally fail in distinguishing what type of phenomenon they are reporting, for instance, hacking or cyberterrorism. On the one hand, the term could be used in order to catch the attention of the readers, whilst on the other hand, it may contribute to creating fearful scenarios and trying to inform the general public on

(22)

the current technological dangers (Jarvis and Macdonald, 2014:53, Conway, 2011:3; Jarvis et al., 2014:71; Weimann, 2004:2).

All these premises considered, cyberterrorism came quickly to be constructed as a ‘new’ security threat. At the international level, however, the UN already recognized the potentialities of terrorist use of cyberspace (UNODC, 2012). In particular, as terrorism could be usually seen as ‘theatrical in nature,’ a cyber-attack in order to be qualified as terrorism, should be able to cause damage in the real world (Veraasamy, 2010:4; UN Counter-Terrorism Implementation Task Force, 2018; Biller, 2013:305-306). However, the lack of concrete, specific empirical cases makes it hardly possible to determine whether a real threat exists. Thus, short-term objectives may be difficult to be achieved, as opposed to long-term measures.

For this reason, the vast majority of measures are usually focused on creating awareness of the issue in order to facilitate stakeholders’ engagement. An example can, indeed, be considered the COuRAGE project (Cybercrime and Cyberterrorism European Research Agenda), also committed in the dissemination and communication of policy recommendations on the matter (COuRAGE, 2018). As in the case of traditional terrorism, the elaboration of precise legal definition might be helpful and facilitate prosecution (Bruce, 2013), since specific criteria must be complied with when assessing the characteristics and circumstances of an attack. However, in the case of cyberterrorism, the lack of empirical cases makes it particularly challenging to identify effective measures or legal definitions. Accordingly, a possible solution may be the application of already existing anti-terror legal frameworks to new emerging security issues, purposefully including cyberterrorism among the new possible threats in order to facilitate prosecution and – eventually – deterring potential activities of such kind.

In particular, some states have already included references to Information Technology in their codes or Anti-terror laws. For instance, in his study, Keiran Hardy addressed how in the aftermath of 9/11 several governments engaged in a “frenzy of lawmaking to counter an unprecedented, amorphous, transnational terrorist threat” (Hardy, 2011:152). In particular, he provides a framework and critique of the legislation that can be used to prosecute cyber-attacks as acts of terrorism in four Western Democracies, for instance: Australia, the United Kingdom, Canada, and New Zealand. Besides being part of the Commonwealth, these jurisdictions present a few commonalities, as they all adopted very similar definitions of terrorism, and referred to attacks against electronic systems and other infrastructures too (Hardy, 2011:153). According to the Oxford Dictionary, cyberterrorism could then be defined as “the politically motivated use of computers and information technology to cause severe disruption or widespread fear” (Oxford Dictionary, 2018).

(23)

The Tallin’s NATO Cooperative Cyber Defence Centre of Excellence collected some of the definitions of cyberterrorism provided by states and agencies. After a preliminary reading, the main perceived characteristics of cyberterrorism seems to include the followings:

- A politically motivated crime (Austria, 2013, US);

- Carried out by state or non-state actors; political fundamentalist groups; individual perpetrators (Austria);

- Against computers, networks, and information stored therein (Austria) or cyberinfrastructure particularly on control systems for non-nuclear critical energy infrastructure. (OSCE)

- Directed towards states, organizations, enterprises;

- With the purpose to: provoke a severe or long-term disruption of public life or to cause serious damage to economic activity, to severely intimidate the population;

- Including activities such as cybersabotage (Austria); Hacking, DDoS attacks, denials of service, logic bombs, Trojan horses, Worm viruses, HERF guns, etc. (South Korea).

On the website, also other definitions are reported. For instance, Poland (2012) defined cyberterrorism an “an offense of a terrorist nature committed in cyberspace”; Montenegro (2017), “a criminal act in cyberspace that aims to intimidate governments or their citizens, with the aim to achieve political goals”; the National Infrastructure Protection Center “a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies”; Italy (2013) “Ideologically motivated exploitations of systems' vulnerabilities with the intent of influencing a state or an international organization”. Based on another definition by the Federal Bureau of Investigation (FBI), the concept should then entail a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents” (Baldi et al., 2003:33). In addition to these, other elements can be identified, such as (1) a significant interference within the political, social or economic functioning of a nation, or (2) the induction of physical violence in order to create panic (Hua & Bapna, 2013:176).

2.2.3. Violence as the discriminant factor

A terrorist act is generally defined as a violent action directed towards a non-combatant target. As Conway suggested, the vast majority of domestic laws, nowadays, define traditional – or political –

(24)

terrorism “as requiring violence or the threat to or the taking of human life for political or ideological ends” (Conway, 2010:7). Accordingly, many doubts concern the possibility for a (possible) cyberterrorist attack to be considered as violent.

As Thomas Rid described, in his book “Cyber War Will Not Take Place” (2013) cyber-attacks should be seen as non-violent. Notwithstanding, however, the concept of violence may also be intended in a broader sense such as ‘sufficiently harmful consequences.’ Building upon Finlay, some types of cyber-attacks may have levels of destructiveness as comparable to those warranted by those defined as “kinetic attacks” (Finlay, 2018:358). In particular, according to the author, the precise purpose of injuring or causing harmful consequences together with the destructive potential of the act may indeed be considered as violence (ibid.). For instance, a cyber-attack able to disrupt, or destruct either critical infrastructure or military technologies or causing causal physical harm, that could be indeed intended as sufficiently severe “even if its destructiveness was limited to damaging information as such in the cyber domain could also pass the threshold of severity too” (Finlay, 2018:358).

In French and English Law, the concept of ‘violence’ is defined inter alia as physical or moral coercion, exerted on a person with the purpose of inducing him to perform a certain action. (Kilovaty, 2016:128). Hence, actions should not only be considered as physically forceful. The U.N. itself compared violent cyber actions to physical violence, underlying the same damaging potential (Kilovaty, 2016:129).

Hence, the intentions may be considered as equally important also when compared to consequences. For example, in the Stuxnet case, the intention (namely, the willingness to change the settings of processing plant in order to alter their speed), and the physical damage per se which resulted in financial loss and years in lost progress are fully capable of satisfying the destructive criterion as the intended outcome was to impede future nuclear development in Iran (Finlay, 2018:369-370). Furthermore, another critical element to be taken into account is the intention to maximize the target’s vulnerability through the use of software able to make the virus undetectable (ibid.). On the other hand, as Thomas Rid suggested, “the actual use of force is likely to be far more complex and mediated sequence of causes and consequences that ultimately result in violence and casualties” (Rid, 2012:9). Thus, these attacks cannot be considered as lethal.

Notwithstanding, as Finlay suggested, some actions are still able to exhibit the necessary degree of violent agency. One of the leading examples the author addressed is, indeed, the hypothetical logic bomb imagined by Rid, able to cause train crashes or cause electricity blackouts, or the collapse of air traffic systems deserves further considerations (Finlay, 2018:370). Accordingly, such types of (eventual) attacks embody some degrees of destructive potential as shown, for instance, by the

(25)

Stuxnet case. Furthermore, even the possibility to weaken any defense tool (e.g., firewalls) may be considered as a violent act per se (ibid.). As a consequence, it could be said that also cyber-attacks directed towards simple informational targets may satisfy the necessary conditions able to classify them as violence. Furthermore, the concept of violence may also entail the intention to target or deprive the victim of the opportunity to escape or react (“blocking someone from escaping a collapsing building, should be defined as violence”) (Finlay, 2018: 371-372). An example is the cyber-attack suffered in 2007 by Estonia.

Cyber-attacks can then be considered as weapons. On May 2009, President Barack Obama, during a speech on the new American Cybersecurity Strategy, acknowledged the destructive potential of cyber tools classifying them as weapons (Kilovaty, 2016:123). While disruptive cyber operations do not directly cause kinetic effects (Kilovaty, 2016:123), destructive cyber operations are fully capable of causing such effects. Hence, the disruptive features can be analyzed either together or in contrast with the destructive ones.

According to the National Initiative for Cybersecurity Careers and Studies (NICCS), disruptive events are defined as those “which cause an unplanned interruption in operations or functions for an unacceptable length of time” (Kilovaty, 2016:123). A disruptive operation happening in cyberspace should be initiated through computer systems using malicious tools, then distributed physically. Then, the harm would consist of causing an interruption of services, whose effects should be violent in nature (Kilovaty, 2016:124). For instance, disrupting governmental websites can and should be considered more serious than taking down an online retailer website (ibid.).

The violent factor should then be assessed on a case-by-case basis, which, however, should be taking into account three criteria:

1. “the essentiality of the disrupted target to the day-to-day civilian lives”;

2. “the scope of disruption, the number of individuals and organizations affected by the disruption,” and

3. “the duration of the operation, the presumption being that long-lasting effects are more likely to be violent” (Kilovaty, 2016:124).

Interpreting the disruptive effects as acts of violence could be easily achieved because of society’s overreliance on information systems. For instance, DDoS attacks may indeed be considered as harmful as physical force since the argument of “violence” can be “sufficiently broad to incorporate disruptive activities” (Kilovaty, 2016:127). The latter can then include the “deliberate exercise of physical force against a person, property […]” (Kilovaty, 2016:127-128), including intimidation.

(26)

All this considered, the analysis carried out by Thomas Rid, leading cyberwarfare scholar, is correct if only direct physical violent effects are considered (Kilovaty, 2016:130). However, this study at hand, in line with the hypotheses advanced by other authors suggests that not all cyber operations are violent, except for those that cause kinetic effects, detrimental to individuals, property or economic, thus including also intimidation.

2.4. Re-defining cyberterrorism

Building upon the previous considerations, cyberterrorism could be considered as the convergence between terrorism and cyberspace (Sadiku et al., 2016:6269; Denning, 2009; Conway 2007; Conway, 2009). Potentially, a “premeditated, politically motivated cyber-attack” could be considered as violent and detrimental to the security, prosperity, and economy of a country. In particular, such attacks would aim at generating enough fear to induce panic or to disrupt economies, but also to undermine the core values of a country. Although the general consensus agrees upon the fact that no cyberterrorist attack has occurred yet, many scholars also agree that cyberterrorism has “the potential to create a postmodern state of chaos, which may refer to a state of extreme disorder and confusion” (Sadiku et al., 2016:6269). These attacks may be targeting one or more critical infrastructures, or sensitive targets, such as hospitals, thus causing dreadful and unforeseeable consequences (ibid.). Furthermore, following further analysis of the literature, it is possible to identify the referent object in the states and citizens, considered non-combatant targets. In particular, according to the definition provided by Biller, a cyber-terrorist attack is designed to “cause fear or anxiety in a civilian populace either by: (i) inflicting, falsely appearing to inflict, or threatening to inflict, widespread damage to critical physical or informational infrastructure, national security, related information systems, or critical economic systems; or (ii) causing, appearing to cause, or threatening to cause any type of severe physical damage or human casualties” (Biller, 2013:291-292).

(27)

Figure 3. Proposed cyberterrorism framework based on Ahmad et al., 2013:6

Notwithstanding, without the use of technologies, the act itself would be considered a mere terrorist attack. Hence, cyberterrorism can be assessed by focusing on six main points as depicted by Figure 3: (i) domain (cyberspace); (ii) tools of attacks; (iii) motivations (social, political, religious); (iv)target (civilians or critical infrastructures); (v) impact of the attack; (vi) method of action (usually through unlawful means) (Ahmad et al., 2013:6, Figure 3). Each of these elements is necessary when trying to define cyberterrorism. On a more practical level, the lack of an ideological motivation would imply that the main purpose is to gain a financial gain as a result of the attack. Thus, this type of attack would more easily qualify as cybercrime. Similarly, the intention to target a state or combatants would more likely qualify the attack as an act of warfare rather than cyberterrorism.

Hence, in order to correctly re-define and re-address cyberterrorism, the traditional terrorism pre-requisites should be extended to cyber-terrorism as well, by removing, for instance, the requirements for violence resulting in death or serious destruction and “lowering the threshold also to disruption of digital property” (Conway, 2010:7). Accordingly, for the purpose of this study, and building upon all the above-considered perspectives, cyberterrorism is here defined as:

“A premeditate, ideological motivated attack perpetrated through cyberspace by unlawful means and

directed towards non-combatant targets (civilians) or critical infrastructures and able to cause fear, death, injuries, severe economic loss, mass disruption or seriously interfering with critical serviceoperations”

(28)

Terrorists can use the Internet for multiple reasons, for instance, to raise funds, recruit supporters, spread propaganda, and facilitate conventional gun-and-bomb assaults (Kenney, 2015:126). Accordingly, this may include the vast majority of terrorist activities on the Internet since terrorists may exploit the Internet in order to facilitate their attacks (ibid.). Building upon the general idea that no cyberterrorist attack has occurred yet, this study acknowledges the potentialities of such attacks.

In particular, in 1997 Barry Collin advanced some hypotheses based on the definition of terrorism itself, which included:

1. Acts in which terrorists, or cyberterrorists would remotely access “the processing control systems of a cereal manufacturer, change the levels of iron supplement, and sicken and kill the children of a nation eating the food” (Collins, 1997).

2. “A cyberterrorist will place a number of computerized bombs around a city, all simultaneously transmitting unique numeric patterns, each bomb receiving each other’s pattern. If bomb one stops transmitting, all the bombs detonate simultaneously” (Collins, 1997).

3. “A cyberterrorist attack will disrupt the banks or the international financial transactions, the stock exchanges, undermining the citizens’ confidence in the system” (Collins, 1997).

4. A cyberterrorist attack will be able to influence air traffic control systems, and making two large civilian aircraft collide, same as rail lines (Collins, 1997).

5. Cyberterrorists will be able to alter “the formulas of medication at pharmaceutical manufacturers, or remotely change the pressure in the gas lines. This would cause failures, and major incidents” (Collins, 1997).

6. The vulnerability of electrical grids.

Since terrorist may indeed gain many advantages from conducting these forms of attacks, the identification of “worst case scenario” is paramount. Although some of the presented hypotheses may appear unlikely, some of them constitute a real possibility for dangerous attacks. For instance, electrical power stations shut down, alteration, or disabling of telecommunications, destabilization of transportation or banking transactions (Aaviksoo, 2010:17). As addressed by an article on Harvard Business Review, cyber-attacks may also be directed against financial services and causing significant disruptions around the world, such as attacks by “rogue nations or terrorist groups on financial institutions or major infrastructures, or (…) on banks, investment funds (etc..)” (Mee and Schuermann, 2018). All of these would, indeed, represent an attack against countries financial services systems.

(29)

Furthermore, the impact on societies requires careful consideration, to the extent to which such attacks are carried out by perpetrators who seek for some governmental concessions or something in return. These types of events would be consistent with contemporary definitions of terrorist acts (Conway, 2010:7). However, the ‘human’ component, is still an essential factor to consider, which would make hypotheses of “pure cyberterrorism” even more complicated. Thus, a more realistic possibility could be the combination of physical and traditional terrorism with cyber techniques. These types of attack would be cheaper than traditional ones but would require more thorough coordination and long-term investments in terms of resources (Aaviksoo, 2010:17). The hypothetical scenario of data theft and re-use of those data by terrorist groups could be considered a cyber-terrorist attack if the effects of such actions can produce significant harmful effects or induce fear, or intimidate and coerce a government. The media have treated the Ferizi case as the first cyberterrorism case. However, further analysis is needed. If the definition takes into account actions strictly and directly happening in cyberspace, such as DDoS attack moved by political or ideological purposes, causing detrimental effects such as the Estonia case, these hypothetical cases would be compliant with the pre-requisites in the definition.

Overall, a worst-case scenario, as suggested by Biller, would be that of an enemy gaining access to a system, and capable of going undetected for an unlimited amount of time. This would also meet the requirements of a violent cyber-attack in this sense, being able to destabilize the defensive capacities of the victim. Accordingly, the possibility to use computer viruses or other cyber-tools and introducing them into computer systems or networks which are used in critical sectors such as energy, banking, communications, health environments, causing massive disruptions – and eventually destructions – would be compliant with such hypotheses.

(30)

Chapter 3. Methodology

The purpose of this section is to explain the methodological framework of the study. In the first part, the chosen research design will be outlined, and the concept of cyberterrorism operationalized. Then, the following sections will address case selection, data collection, and analysis. In the final part of this chapter, the main limitations of the study will also be addressed and presented.

3.1. Research Design

This study sets to explore the phenomenon of cyberterrorism, trying to investigate the reasons why none of the cyber-attacks so far occurred have been labeled as cyberterrorism. In order to gain a deeper understanding of the issue, a more detailed conceptualization of the term ‘cyberterrorism’ is needed in order to identify and assess the main factors and elements of what could be considered as a cyberterrorist attack. In particular, the research method combines both a qualitative reading of the material with a contextualization of the results.

This study is explorative in nature; hence, no hypotheses or propositions could be made in advance. Although qualitative approaches are quite often criticized for lacking the same rigor of quantitative studies, this type of study could be considered as valid when the purpose is to explore, indeed, complex phenomena. Accordingly, the value of a qualitative research methodology lies on the possibility to use it as a tool to determine or gain a deeper understanding of the “complex interactions occurring between individuals and their environment, and how they may be influencing the outcomes” (Anderson et al., 2013:88). This research, thus, undertakes to explore the current state of the academic knowledge in order to gain a comprehensive understanding of the issue and gather significant insights to cyberterrorism.

As provided in the theoretical framework, a remarkable body of literature in the “cyber” field already researched into the topic of cyberterrorism. However, as the research question provides, there is currently no trace of studies or investigations into the reasons why the attacks previously occurred have not been labeled as cyberterrorism.

All these considered, the study at hand will use a case study design in order to investigate the phenomena and provide an answer to the research question. This strategy can be used in descriptive, exploratory, or explanatory studies. In particular, it is considered optimal where the focus is trying to provide an answer to ‘how’ or ‘why’ questions. As follows, it is considered ideal when the purpose is to reach “an understanding of a complex issue and can add strength to what is already known through previous research” (Dooley, 2002:335). Moreover, since the main scope of the study will be