The Terrorist Threat

An examination of terrorist groups and the threat to the National Information Infrastructure by Phillip Osborn

Abstract

Increasingly reports have appeared in the media that highlight the potential threat that terrorist groups pose to the nation. Along with reports of the fears leading up to the Year Two Thousand (Y2K) event, the media has reported that many government officials and experts are forecasting that terrorist groups will engineer attacks on the increasing connected and computer dependent national information infrastructure. With the steps outlined by these sources that are being taken to prevent terrorist assaults- the terrorist threat, real or imagined, is certainly enjoying popular attention.

This paper will attempt to substantiate this popular perception of the terrorist threat by identifying which terrorist groups have already carried out attacks on National Information Infrastructure (NII) targets, their motives and what they seek to accomplish, and which ones have or are pursuing the capability to carry them out.

As the worlds information systems become increasing connected, it becomes necessary to refer to terrorist attacks on any particular NII as an attack on the larger Global Information Infrastructure (GII) since attacks could have far reaching effects beyond any particular land border. The term NII should therefore be construed to incorporate the concept of GII when used in this paper.


Introduction

When I first selected the Terrorist threat as the subject for this paper I concluded it would be fairly easy to research and I would be able to find many examples of how terrorists have attacked all manner of information and computer systems. What drove me to this conclusion was an opinion influenced for the most part by stories read on the Internet, in newspapers, and in various security and law enforcement periodicals, that cyber terrorism was rampant and that terrorists not only attacked computer/information systems, but regularly used these systems as the method and base of the attack. My research has proved that to be fortunately untrue, which unfortunately has made researching the subject of the terrorist threat more difficult than I had imagined. My research has found that most terrorist groups have not departed from their traditional physical methods of attack and that they continue to prefer high-profile targets that grab a lot of media exposure.

For the most part individual computer users, small organizations, and even large organizations are not necessarily what terrorists would consider high-profile, the exception obviously being well known public figures, politicians, or companies. My research has shown that traditional terrorist groups use attacks to influence either social or political change. Attacks on individual computers would be less effective for attaining these terrorist goals then attacks on the larger information infrastructure. A successful attack on the underlying information infrastructure would effect a larger number of individuals and computers making for a bigger media event. For this reason I have chosen to concentrate this paper on the subject of the threat posed by terrorists to the NII, where attacks can be attributed to the groups that are poised to gain the most from them. To be sure, my research found many examples where information systems had been compromised, but these incidents which the media is happy to attribute to "terrorists" were either obviously the work of some other threat group (cracker, criminals, deranged people, etc), or did not fit the terrorist model -of which I will discuss in this paper. A brief example of the tendency for the media and others to refer to almost anything involving computer crimes and break-ins to terrorists, and to use the terms terrorist and cracker/hacker/etc. synonymously is explored in Appendix 1 .

The media, politicians, government officials, and some academics have all helped to foster the opinion that there are terrorists lurking around every corner of the information super highway. Perhaps stirring up public fear and concern is the best way to build a defense against it-even though the threat appears to be a future one. Even the present U.S. administration concedes this concept. "Nothing bad has happened yet," Nelson McCouch, spokesman for the President's Commission on Infrastructure Protection, said of cyber terrorism's potential threat. "That's more or less a false sense of security" (14) . This paper however will be an analysis based on credible and verifiable evidence that terrorist groups pose a threat to the NII.


TERRORISM and TERRORIST DEFINED

The analysis of the terrorist threat to the National Information Infrastructure requires that the terms terrorist and terrorism be defined. Just as a simple laymen's definition of a fisherman would be- someone that fishes; the simple definition of a terrorist would be someone who commits terrorism. This by examination may however be quite an over simplification. Is a person a fisherman that catches a fish by accident while surfing, or are only those that fish full time for their livelihood classified as fisherman? Is someone that commits an act of terrorism, whatever the motivation or target, considered a terrorist, or are only those that belong to well defined and recognized terrorist groups capable of conducting "terrorist" attacks? By focusing exclusively on identifying attacks on the NII that can be attributed to known terrorist organizations, then the analysis of the threat may be unnecessarily narrowed to exclude attacks that have been attributed to other threat groups such as hackers, activists, deranged people, and others which accomplish the same objectives. According to a RAND study titled “Countering the New Terrorism” which is cited frequently in this report, it is necessary to define terrorism according to the quality of the act, not the identity of the perpetrator or the nature of the cause (1). The purpose of this paper remains however to analyze the "terrorist" threat to the NII, by what would be considered by most to be terrorist groups . That the acts of some hackers and criminals can be likened to terrorist attacks in their results only points to a conclusion that all attacks on the NII could be classified in some manner as terrorist attacks. In fact, most of the articles researched for this paper cited incidents that were referred to as terrorist attack, but would be better attributed to hackers and computer based criminals.

What defines a terrorist then is what defines terrorism in the minds of most people and governments . The FBI defines terrorism as "the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives" ; Brian Jenkins, the deputy chairman of the security consulting firm Kroll Associates and a member of the White House Commission on Aviation Safety and Security defined terrorism as "the use or threatened use of force designed to bring about political change"; and Walter Laqueur, Chairman of the International Research Council at the Center for Strategic and International Studies stated that “Terrorism constitutes the illegitimate use of force to achieve a political objective when innocent people are targeted ." All these definitions have the common underlying theme that terrorism involves the use or threatened use of force to induce fear to further a political or social goal. These definitions would seem to fit the laymen's definition of terrorism. Mental images of car bombings and airliner explosions are obvious in their intent and an easy stereotype to follow of typical terrorism. With regard to attacks on NII targets however, the definition of terrorism may have to be redefined.

The research for this paper has disclosed many documented incidents where the NII of various countries has been targeted by terrorist groups. Most of these attacks have followed the traditional methods employed in the past by these groups in attacking non- NII targets, typically bombing or other physically violent methods. But what about attacks that have been specifically targeted at information systems? How about attacks that have used information based system methods to commit the attacks. The RAND report refers to this as "cyberwar". Attacks of this nature would not necessarily fit the traditional definitions of terrorism in the mechanism in which they are carried out. While the purpose of this report is not to examine the various methods by which cyber terrorism could be manifest, a brief scenario for comparison will highlight the possible need for terrorism to be redefined.

The comparison would be a computer data center that is attacked by a terrorist group using a bomb versus cyberwar methods. A bomb blast could not only destroyed the computer center and data, but also level the building and kill hundreds of persons such as the bombing of the Morrow federal building in Oklahoma city, and the bombings of 2 U.S. Embassies in Africa did. The attacks were immediately identified as terrorist incidents because of the traditional methods used. Now compare that same attack perpetrated by a group using cyberwar methods where no bombs explode, no people were killed, but the computer system is damaged and the data destroyed. In this scenario the force used was not a bomb or other violent force, but the use of a non-violent method to achieve the same results. If the loss of the database caused fear and intimidation to a segment of society, then the terrorists achieved there goal- the method employed is irrelevant. If the loss of the database or computer system directly or indirectly caused the death of innocent people, such as opening flood gates or shutting off power in the dead of winter, then the correlation between cyber terrorism and traditional terrorism becomes more apparent. The logic leads one to the premise that while cyber terrorism may employ less violent methods, the end results are the same. Therefore the definition of terrorism should perhaps be modified so that the concepts of non-traditional acts such as strictly information system based assaults are included. A better definition of terrorism could describe any unlawful act or the threatened act against persons or property meant to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives. This definition preserves the underlying concepts of acts against people and property meant to induce fear and force change.


Known Terrorist Groups and Attacks

So now that we have a concept of what terrorism is, just who are these terrorist? According to the RAND. St. Andrews Chronology of International Terrorism, in 1968, the year credited as marking the advent of modern international terrorism, none of the then 11 identified terrorist organizations were classified as religious, political motivation being nearly the exclusive theme. By 1995 however nearly half of the 56 identified groups had dominant religious components. These numbers appear to fluctuate since by 1996 only 13 percent of the 46 identified groups had religious components (1).

An interesting trend that the RAND report identified is that more terrorist acts are being committee by individuals that have no or little affiliation with established terrorist groups. Cited as examples were the World Trade Center bombings and the Oklahoma City bombing. The RAND report found that the terrorist acts being committed by these smaller groups tend to be much more violent and deadly than those committed by the established and organized groups, and that the methods used are tending to less sophisticated, noting that the bomb used in the World Trade Center attack was fabricated using only a few hundred dollars worth of common hardware and household items (1).

There could be several reasons that more terrorist acts are being committed by individuals and small groups. One idea proposed that individuals with varying motivations are being recruited or manipulated by the more established terrorist groups to commit these attacks, another is that the Internet has made the information to fabricate the weapons and material in order to carry out these attacks available to willing parties, and up to this point this information had not existed in general circulation (1). Therefore is appears that terrorists run the gamut from being a lone person committing an act for there own or someone else's particular cause, to a member of a large terrorist organization. The research for this paper has also revealed that terrorist acts committed against NII targets have a long tradition which the following example illustrates.

One of the first and most celebrated attempted terrorist attacks on what could be considered the NII of the age was the Gunpowder Plot of Englishman Guy Fawkes in 1605. This conspiracy was the third of four attempts at harming King James, who was a supporter of the Calvinist faith. The motive behind this plot was revenge for the penal laws, which were measurements against catholic priests and recusants. The motive for the attack was to kill King James and establish a more Catholic friendly government. One of the conspirators rented an adjoining cellar which ran immediately below the House of Lords within the Parliament House. The cellar was filled with barrels of gunpowder and iron bars, all of which was concealed by lumber. Guy Fawkes was chosen to ignite it during the opening night of the House of Lords. In the blast it was assumed that both the King and his two sons would be killed, which would allow Princess Elizabeth to inherit the throne. The conspiracy was discovered and Guy Fawkes was arrested while in the process of lighting the fuse on Nov 5th, 1605. For his trouble, Fawkes and four others were hanged. To this day the Gun Powder Plot, and Guy Fawkes, are still remembered on November 5th in Ireland and by others who oppose the British Government. In England it is now considered a day of thanksgiving celebrating the thwarting of this planned act of terrorism and effigies are burned of what is affectionately referred to as "the Guy" (2) .

As far removed from our modern NII as 1605 is, on a more historical scale wouldn't the effect of blowing up the Parliament be the same as a terrorist group blowing up a major component of our NII? Is the seat of government even considered a major component of the NII. Since that is where many of the organizations and leaders tasked with the protection and oversight of the NII are based, an attack that disrupts those entities could have an effect on the operation of NII components. If it is agreed that the seat of government is an integral part, or at least important to the NII, then the above gunpowder plot illustrates that attacks by groups employing terrorist tactics against NII targets are nothing new.

From a more modern standpoint, numerous terrorist groups have been identified, analyzed, and their activities tracked by government agencies and international organizations. On October 8, 1997 the U.S. Department of State designated 30 groups as foreign terrorist organizations. Some of these groups are more familiar than others and some have faded from the scene. Notably missing from the list was the Irish Republican Army (IRA) which was left off because it declared a cease-fire on July 19, 1997. The 30 groups named by the State Department were (3):

Many of the above groups have employed traditional terrorist tactics of bombing, assassination, and kidnapping in order to further their cause. The RAND report found that terrorists turned out not to be very innovative tending to stick with a limited tactical repertoire using these limited techniques against high profile targets for the maximum effect of instilling fear in civilian populations. Which of these groups however have been identified as attacking NII targets? Which groups have employed attacks specifically against information systems as opposed to the infrastructure; and which groups have employed information systems in what the RAND report refers to as "cyberwar" techniques?(1) These questions are what this paper will attempt to answer.

Some terrorist groups have made it a practice to attack NII targets. According to the International Policy Institute for Counter-Terrorism (ict.org) which maintains a database that tracks terrorist attacks committed by terrorist groups dating from 1988 to the present- no less than 10 bombing attacks targeting oil pipelines and power lines have been attributed to terrorist groups. Most notably was a series carried out from January to December 1988 by the Ejericito de Liberacion Nacional (ELN) which executed about 50 bombing attacks targeting the 500 mile Cano-Limon oil pipeline causing extensive damage. These acts were part of the ELN campaign for the nationalization of the Colombian oil industry and against the joint operation of oil pipeline by Colombia's National Oil Firm together with Ecopetrol, Occidental and Shell oil companies. In 1998 this same group exploded a bomb on the Ocensa pipeline in Antioquia Department killing approximately 71 people and injuring at least 100 others. The explosion caused major damage when the spilled oil caught fire and burned nearby houses in the town of Machuca. The pipeline was jointly owned by the Colombia State Oil Company Ecopetrol and a consortium including U.S., French, British, and Canadian companies. The ELN claimed responsibility for the attack on 19 October (4).

Other examples of traditional terrorist attacks with NII implications can be found in several documented attacks on office buildings. In 1998 the ELN rebels bombed the offices of a subsidiary of the US-owned Dole company. The rebels overpowered the guards, gagged the employees and destroyed files before detonating four bombs, partially destroying the headquarters. In graffiti scrawled on the walls, the rebels accused the company owners of assisting paramilitary groups in the region. Another attack was in 1989 when UNISYS' office (US computer company) in Copenhagen Denmark was vandalized. Although no group claimed responsibility, the authorities held the Danish group BZ (See Appendix 3) responsible for the incident (4).

Banks which often house computer systems and financial records have been the target of numerous terrorist attacks and several examples were found to illustrate this:

In July 1998 , suspected members of the Liberation Tigers of Tamil Eelam (LTTE) rammed an explosives-laden truck into the Central Bank in the heart of downtown Colombo, Sri Lanka killing 90 civilians and injuring more than 1,400 others. The explosion caused major damage to the Central Bank building, an American Express office, the Intercontinental Hotel and several other buildings. Also in July 1998, Twelve bombs exploded outside banks in Medellin. One man was killed in the blast. A group calling itself the Popular Liberation Forces claimed responsibility. The group said it acted with urban guerrillas of the ELN, who also claimed responsibility for the event (4).

Whether these attacks were carried out for the purpose of attacking the information and records housed at these banks or to inflict civilian casualties and property damage is unanswered. It is probably safe to assume that financial transaction at the attacked institution were fairly disrupted by the attacks. As our country and the world moves in the direction of a more cash-less society, terrorist groups may see banks as a much more attractive target for the destruction of data and the disruption of transactions, rather than just a high body count. By attacking a bank at the hub of a financial network, the terrorist could effect a larger number of people, many of them far removed from the site of the attack. Like the attacks described above, these attackers need not become computer experts or even use cyberwar methods to have a devastating effect on a major component of the NII.

Another reported attack on a financial target appeared to be directed more at the information systems then the civilian population to the point of being almost obvious. In October, 1992 the Irish Republican Army (IRA) exploded a bomb in the heart of the London Square Mile financial district (5). One could speculate that the reason that the bomb was detonated on a Saturday was to cut down on the number of civilian casualties. Since traditionally the IRA appears to not have had few reservations about causing civilian casualties, what then was the target. Evidently the IRA may have seen the financial district as a significant component of the NII and targeted it for that reason. This theory is however some what defeated by another IRA bombing on Friday, February 09, 1996 when a huge bomb wrecked an office block in a London financial district, wounding more than 100. The blast occurred just minutes after the IRA ended a cease-fire.(8)

The above examples illustrate that terrorist have and probably will continue to attack infrastructure targets. But what about strictly information system targets that are components of the NII. Little evidence exists that terrorist groups have targeted these to any great degree. To be certain as was mentioned in this reports introduction, many government officials and experts have advised extensively about how dependent we are on these systems, and how vulnerable the NII is to a terrorist attack. In an Associated Press report U.S. National Security Adviser Sandy Berger said in response to questions after a National Press Club speech. `I think there's a whole new realm of threat we're going to be dealing with, the ability to take weapons of mass destruction across national borders with relative ease; the ability to attack our computers that run our infrastructure through cyber-terrorism.'' President William Clinton must listen to the advise of his advisers since in the same article President Clinton said he would ask Congress for $91 million to develop new technologies to combat cyber-terrorists (9).

A work titled: "Information Terrorism: Political Violence in the Information Age" identifies two general methods which a terrorist might employ an information terrorist attack: (1) when information technology (IT) is a target, and/or (2) when IT is the tool of a larger operation. The first method implies a terrorist would target an information system itself and any information infrastructure (e.g., power, communications, etc.) dependent upon it. The second method implies a terrorist would manipulate and exploit an information system forcing the system to perform a function for which it was not meant (such as spoofing air traffic control) (10).

Several interesting instances were found in an O'Rielly publication, Computer Security Basics, that could have been attributed to terrorists groups attacking information systems. In a 1988 instance, a computer virus infected a firm of computer consultants in San Jose, California. The virus not only damaged data on the computers, it also attacked a computer monitor by adjusting the scan rate to the point that it burst into flames. There is also speculation that a 1988 attack on the Kuwaiti royal family in which they were held hostage by terrorists aboard an aircraft was the result of information obtained from compromised airline computer systems. (6) This first example illustrates an attack where the IT system itself is the victim, the second illustrates where the system may have manipulated to perform an attackers function (ie; supply sensitive travel or passenger information to unauthorized sources)

Another incident that examples the second type of attack appeared when in a 1998 Reuters news service reported that U.S. intelligence officials identified what they said was the first known attack by a "terrorist group" on a target country's computer systems. The terrorist group identified is included in the above State Department list as the ethnic Tamil guerrillas Liberation Tigers of Tamil Eelam (LTTE). The attack swamped Sri Lankan embassies with electronic mail in a classic mail bombing denial of service attack . The attack was attributed to offshoot of the Liberation Tigers of Tamil Eelam called the "Internet Black Tigers", which claims to be an elite division of the LTTE. This group has developed what it calls "suicide e-mail bombings", to counter the flood of anti-LTTE propaganda on the web. Sri Lankan missions around the world, reportedly, had been effected by the attacks. Other attacks by the LTTE have included hacking into a government web site and altering it to transmit their own political propaganda. Another critical infrastructure attack occurred on the summer of 1998, when the LTTE bombed state-owned and private telecommunications facilities in Sri Lanka, damaging buildings and disrupting telephone service. (7)

Yet another group that is considered by some to be in the terrorist group, and by others as freedom fighters are the Mexican Zapatistas. Italian sympathizers of the Mexican Zapatistas, a rebel group located in the Chiapas state of Mexico, attacked web pages of Mexican financial institutions to protest the repressive initiatives carried out by the Mexican Government against the People of Chiapas and in support of the social demands of the Mexican People.

The preceding examples constitute the bulk of identified attacks attributed to terrorists. With so much dialog from both the public and private sector warning of potential danger to the NII posed by terrorist, there are conspicuously few true attacks to information systems that can be attributed to them.

One reason that few terrorist attacks on the NII have been recorded could be that the terrorists have not caught up with technology. They may be very capable of blowing up a building that houses a computer, but launching an information based attack against an information system may be beyond their capabilities. Another reason is that they simply have not gotten around to utilizing this method of attack- the methods currently employed serve their purpose and they don't feel a need to adopt unproved methods. Perhaps they feel that traditional low-tech high-profile fertilizer bombs make the terrorist's point better than a high tech information attack.

A better understanding as to why terrorists have not yet adopted cyberwar tactics may be gained by analyzing the motivation and goals that terrorists hope to achieve. Motivation and goals may be the factors which have kept attacks on the NII from occurring, or may drive future trends for these groups to pursue them.


Terrorist Motivation and Goals

As was discussed earlier, terrorism is defined by the type of action taken. Our updated definition, which was modified to include the cyberwar threat, defined terrorism as: any unlawful act or the threatened act against persons or property meant to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives. It follows that a terrorist undertakes terrorist actions in furtherance of the defined objective of- intimidation and coercion of a government, the civilian population, or any segment thereof, in furtherance of political or social objectives. The apparent goal of the attacks is therefore clear, to bring about change either political or social. The goals of the groups responsible for the attacks detailed previously fit well with our definition of terrorism and they will be examined.

There is one particular type of terrorist group however whose motives differ so much from those outlined above that they need to be addressed separately. The apocalyptic religious doomsday type cults have been responsible for some of the most terrifying and potentially deadly terrorist attacks to date. The terrorist group Aum Shinrikyo(Supreme Truth) is an example of this type of group (See Appendix 2 for a summary of this groups background). On 20 March 1995 Aum members carried six packages onto Tokyo subway trains and punctured the packages with umbrella tips, releasing deadly sarin gas that killed 12 persons and injured more than 5,000. Their goal does not seek change in the social or political landscape, but the elimination of society and political systems along with the human race. These groups while not having committed any recorded acts against any information based NII targets, have been known to make use of computers and the Internet in furtherance of their cause. Among the terrorist groups they perhaps pose the greatest threat to NII systems since their goal assumes the least dependency on the very existence of an NII system, in fact it would appear that the complete destruction of the GII would further their cause. Other terrorist groups by comparison depend increasingly on the NII as a resource themselves, therefore targeting the NII itself may actually help hinder them in achieving their goals.

Of the several attacks examined earlier, each was committed by terrorist groups on targets both within their own country, and on foreign soil. An examination of the targets identified in the preceding examples shows that many of them, especially the oil and banking targets had significant ties to foreign companies and or commerce. Some of these targets were specifically targeted because of these foreign connections in a effort to deter foreign investment in the parent government, and inevitably achieve their goals of social and political change through foreign or economic pressures. United States interests abroad remain a favorite target for international terrorist for this very reason (1).

To properly examine the motivations and goals of the groups identified as having committed information system based attacks against NII targets, some history and background of these groups is required. In the case of the Liberation Tigers of Tamil Eelam (LTTE), the group was founded in 1976, beginning as a militant student body called the "Tamil Students Movement" formed to protest government plans to limit access of Tamil students to universities. The LTTE is the most powerful Tamil group in Sri Lanka and uses overt and illegal methods to raise funds, acquire weapons, and publicize its cause of establishing an independent Tamil state in the northern part of the country. The LTTE has integrated a battlefield insurgent strategy with a terrorist program that targets key government and military personnel, the economy, and public infrastructure. The group tends to confine attacks to their own country with the only known attacks outside Sri Lanka being the suicide bomber attacks against Sri Lankan President Ranasinghe Premadasa in 1993 and Indian Prime Minister Rajiv Gandhi in 1991. (4). Add to this list of their external attacks the cyber-attack against Sri Lanka missions around the world.

Analyzing the LTTE attacks gives the impression that the group is content to limit their attacks to targets within their borders, the motivation of the attacks to cause the Sri-Lanka government to allow the formation of a Tamil state. That the LTTE had as its roots a radical student movement may point to why they are the first to have conducted this type of attack. Because of the academic origin of the group it is possible that members of the group may have a high degree of education in comparison to other groups. These students may have had exposure to computer systems and experience with NII that other groups have not. The fact that the LTTE was able to engineer what appears to be a denial- of- service attack proves that they, or their allies, possess the technical understanding to commit at least rudimentary cyberwar type attacks on their targets- indicating perhaps a better degree of familiarity with the subject. However no further publicized attacks have occurred since the 1997 attacks- possibly demonstrating that the LTTE may lack the technical sophistication to continue further cyber assaults. This group, which has a history of using deadly suicide bombing as a favored method of attacking high profile targets, may have simply decided that cyber attacks are less effective in getting their point across. Whatever the reason for not continuing with the cyber attacks, the fact that the group explored and then exploited the opportunity indicates a willingness to try new methods. When the LTTE recognizes, if they haven’t already, that instead on bombing a bank building they could do much more serious damage to the entire financial system by attacking the network infrastructure they will again be motivated to pursue less explosive methods.

The denial of service attack committed on the Sri-Lanka mission E-mail systems is in step with the LTTE methods of destroying a target. Following our earlier assumption that a cyber attack is either where information systems data is somehow manipulated or where the information systems itself is harmed as the victim, the correlation between this denial of service and destroying of property is drawn. How is shutting down a system the same as destroying it? If a service that is dependent on a network system is made unavailable to the users, the system for all practical purposes has been eliminated from the perspective of the users of that system, even if not permanently. The LTTE mantra of blowing things up to achieve their goals may further motivate them to use cyberwar methods to attack NII systems. Many types of cyber attacks on systems are designed to destroy the data that makes the operation of the system possible or effective. This ability to cause wide spread damage to targeted systems may be appealing to the LTTE as it fits their preferred model and may further motivate them to pursue cyber terrorism options. If the LTTE decides to attack Sri Lankan interests in the U.S. via cyber methods, then our own NII systems could be the unlikely victims of these attacks- a type of electronic collateral casualty of war if you will.

The hacking of the Sri Lankan government Web page is an example of the second type of cyber terrorist attack in which an information systems is manipulated to change the data. In the case of the LTTE, they manipulated the government Web page to display their message. This attack may have been much more effective because it kept the site up for the LTTE to exploit rather then just shutting it down. If they had been able to shut the site down, they would have not only denied the government of the Web site, but also denied themselves of the ability to get their message out. From the publics perspective the Web site would have just been unavailable or not responding, the LTTE would have had to claim that they were responsible, and the Sri Lankan government could have easily denied it. The other documented attack used by the sympathizers of the Zapatistas fits the info terrorist method of the manipulation of data as well.

The Zapatistas National Liberation Army (ELN) are a group considered freedom fighters by many supporters around the world. They represent a force based in the oil rich Chiapas state of Mexico opposed to the Mexican government for a host of reported oppressive reasons . In the original declaration of war the Zapatistas have explained that their struggle is for the following eleven points: work, land, housing, food, health care, education, independence, liberty, democracy, justice, and peace. Research into the group and the history of the conflict would better categorize the conflict as a civil war. In fact the ELN does not appear on the State Department list of Terrorist groups, and their activities appear to be directed at conflicts with the Mexican government and Army. The group has been supported by groups from all around the worlds that use the Internet to trumpet the cause of the Zapatistas (11). The attack committed on behalf of the Zapatistas by a group of Italian sympathizers however is one of the few documented cases where an attack was committed against an NII target that was info based. The fact that it was committed by Zapatistas sympathizers and from across the globe underscores the possibilities that cyber terrorism offers to other terrorist groups or their sympathizers..

The Attack itself targeted the Web pages of major Mexican banks by replacing the page with one that issued pro Zapatistas messages. That a Web page was assaulted and altered is nothing new- both the FBI and the U.S. Congress have had their Web pages altered and defaced by attackers and this remains a problem for other government agencies and businesses world-wide. What makes this attack unique is that it was carried out on-behalf of an opposing force against a NII target with the purpose of achieving a goal of political change- one of the goals established for terrorist acts. The motivation for the attack was two fold; from the perspective of the Italians who are apparently far removed from the Chiapas conflict they are helping to promote the Zapatistas cause, from the Zapatistas perspective they are trying to gain freedom from the Mexican government and are willing to take whatever help they can get from wherever they can get it. The attack also illustrates how with little effort on the Italian sympathizers part they were able to give assistance to the Zapatistas using the NII as a tool. All that was required was the willingness and the capability to do it. The attack did not destroy any data, but manipulated a system to publish a pro Zapatistas message. Was it a terrorist act? Well if the motivation on behalf of the Zapatistas was to cause fear in the Mexican government about the vulnerability of their NII and sought to make them give concessions to the Zapatistas, then the act meets the criteria we have established for terrorist acts. The Zapatistas motivation would be to continue this type of data manipulation attack since it does not harm the avenue by which they can continue to launch them. Changing the mode of attack to one where the info system itself is targeted could actually be detrimental to their goals by removing the means to launch such attacks.

Whether this last incident was or was not a terrorist act is a matter of perspective depending on whether you are a member of the Mexican government, or a Zapatista. The above analysis did came to one conclusion however- that all the perpetrators needed to conduct the attack was the willingness and the capability to do it. The next part of this paper explores the concepts of capability and potential. What terrorist groups possess the capability to attach NII targets from an information systems approach, and which groups have the potential to commit cyber terrorism.


Capability and Potential

Let us assume that terrorist groups are willing to conduct cyber terrorism against NII targets. Along with willingness the terrorists must also be capable of carrying out an attack. The capability to conduct these attacks requires the the terrorists to have the resources and the technical knowledge.

The resources side of the capability equation is easy to overcome if we are referring to funds and equipment. Many terrorist groups have supporters throughout the world who supply funds. Some terrorists groups are sponsored by governments such as Libya and the Sudan which have long been known to provide safe haven and training to terrorist groups. Some terrorist groups are funded by the personal fortunes of their leaders such as Osama bin Laden who has a estimated worth of more than $US250 million. But a large cache of money may not be required. In a report published by the Center for the Strategic & International Studies (CSIS), Information warfare specialists at the Pentagon were quoted as estimating that "a properly prepared and well-coordinated attack by fewer than 30 computer virtuosos strategically located around the world, with a budget of less than $10 million, could bring the United States to its knees . Such a strategic attack, mounted by a cyber-terrorist group, either substate or nonstate actors, would shut down everything from electric power grids to air traffic control centers" (12).

The physical resources hurdle is probably the easiest one to over come for terrorist groups. What resources and equipment are really required to conduct this sort of attack? The few documented info based attacks on information systems have used familiar hacker techniques. These types of attacks can be mounted by a single user using off the shelf equipment, and the falling prices of computer hardware make the obtaining of the necessary equipment well within the means of even the most cash strapped terrorist.

So if the funding and physical resource requirement is met, then what is required is the personnel or technical resources. Some groups such as the LTTE appear to already possess some of these, other groups such as the Al-Qa'ida which was founded by Osama bin Laden may have or are seeking to recruit these personnel resources. According to the CSIS bin Laden already uses laptops with satellite uplinks and heavily encrypted messages to liaise across national borders with his global underground network (12).

Terrorist groups with adequate funding can purchase not only the resources but the knowledge to conduct the attack. Testifying before a congressional committee in June 1996, Director of Central Intelligence John Deutch said criminal hackers were offering their services to so-called rogue states with "various schemes to undo vital U.S. interests through computer intrusions" and warned that an "electronic Pearl Harbor" was now a real threat (12). Another example of the avenue terrorist could take in acquiring the necessary knowledge was that during the Gulf War, according to Pentagon officials, a group of Dutch hackers offered to disrupt the U.S. military’s deployment to the Middle East for $1 million (16).

Rather then depend on buying mercenary assistance to launch their attacks, one well known group had begun obtaining the knowledge by recruitment into their regular ranks. For example, according to the Centre for Infrastructural Warfare Studies (CIWARS) intelligence sources have disclosed that in 1997 the Irish Republican Army was cultivating a cell of Net-savvy members.(13)

In a paper titled " Information Warfare: The Perfect Terrorist Weapon", Yael Shahar of ICT asked the question "Are terrorists currently capable of waging Infowar?" His answer is compelling:

A further and more frightening example of how terrorist groups could acquire the expertise to conduct cyber terrorism by recruitment is Japan's Aum Shinrikyo religious cult that is reported to have succeeded in recruiting highly trained scientists and graduate students in physics, chemistry, biology, medicine and electrical engineering. Its recruiting methods include a wide range of standard brainwashing techniques, such as sleep deprivation and forced isolation. This cult had arranged on one occasion for the mass-production of a thousand Russian K-74 rifles. It also purchased a helicopter (for air delivery of chemical weapons) and made repeated attempts to enter the plant facilities of major private sector enterprises with a view to spying and stealing advanced military technology. It also had equipment capable of cultivating bacterial weapons on a large scale and for biochemical testing. Aum Shinrikyo at one time even plotted to produce and use 70 tons of sarin. For this purpose, a large-scale chemical plant was built and the chemicals required for the synthesis of sarin were purchased. The cult's involvement with chemical warfare also included an assassination attempt with the nerve gas VX (a substance far more lethal than sarin), released in the car of a religious enemy of the cult, and the experimental pilot-plant production of poison gases such as tabun and soman (17).

The reason for providing so much detail on the above terrorist group should be obvious- if a group is capable of synthesizing exotic chemicals, espionage, assassinations, and building a large scale chemical plant, then they are either already capable of conducting cyber terrorism, or they will make themselves capable.

So if the capability to mount a info based terrorist attack on an information systems is easily within the reach of most terrorist groups, which groups have shown the potential or desire to commit one? Other than the above Japanese religious cult that seems capable of trying just about anything, what about the other groups? If past behavior is any indication- any group which has already attacked NII targets using conventional methods (ie; bombs) would be a good candidate. Case in point the LTTE in Sri Lanka. They traditionally have used low tech methods against NII targets, and have already committed a info based attack. One report researched for this paper stated that organizations such as the IRA have noticed recently that computer systems are often the most important and expensive casualty of bombs placed in commercial areas and reports that one of the IRA Web sites has a discussion thread in which they are openly discussing the way in which the IRA could use information warfare to attack the British establishment. Depending if the latest bid for peace in the region succeeds will dictate if we see real world evidence of the IRA's follow through of this infowar threat..

Terrorist groups with few members and little funding may also embrace info based attacks as the most effective way to achieve their goals. In the same vein as the saying that "On the Internet no one knows you are a dog", a small terrorist group could have as significant an impact as a large one. The risks are lower and the borderless nature of the GII makes the logistic of carrying out an info based attack a non-issue. These factors could all drive more terrorist groups to incorporate info based attacks into there cadre of tools.


Conclusions

Despite the significant number of reports coming from the media, as well as the government about the potential for terrorist attacks on the NII, there remains very few examples to indicate a shift by terrorist organizations away from the violent traditional methods of attack to high tech information system based ones. The reasons for this are not clear but some of the possible reasons have been discussed in this report. One fact is certain however, if the terrorist groups did not know just how vulnerable the nations of the world were to a NII attack, all the media coverage and government reports concerning the matter have been sure to educate them.

The measures taken by the United States and other governments to prepare and defend against such an attack, even in the absence of any documented terrorist exploitation are probably a good investment. Any measures taken to prevent an exploitation or attack on the NII will also serve to defend against any number of other threats such as those posed by mischievous hackers, deranged people, criminals, crackers, and unfriendly governments.

For the time being however it is the conclusion of this paper that terrorists will continue to attack NII targets the old fashioned way- with thunderous explosions. It is also concluded that some day, perhaps very soon, those thunderous explosions may seem quiet compared to another more earth shattering silence. The kind of silence caused when the all refrigerators across a country stop humming, all the air conditioners stop their whirl, and the computer screens of an entire nation go dark.


Bibliography


1.Lesser, Hoffman, Arquilla, Ronfeldt, Zanini , on-line at http://www.rand.org/publications/electronic/

2.The Gunpowder Plot. The Shakespeare.com Available on-line at http://www/shakespeare.com/Today/0127.html

3.Foreign Terrorist Organizations, Memo Released by the Office of the Coordinator for Counterterrorism, U.S. Department of State, October 8, 1997, Available on-line at http://www.state.gov/www/global/terrorism/terrorist_orgs_list.html

4.International Policy Institute for Counter-Terrorism, Available on -line at http://www.ict.org.il/

5.Concern Grows Over Effects Of IRA Bombings in London, News Article, The Baltimore Sun Available on-line at http://www-tech.mit.edu/V113/N24/brief2.24w.html.

6.Russel and Gangemi Sr, Computer Security Basics, O'Reilly Publication, 1991 revised July 1992

7.Cyberwarfare: fact or fiction?, a Janes publication article, September 21, 1999, Available on-line at http://jir.janes.com/sample/jir0499.html

8."IRA Bombing Blitz", Reuters news article, Friday, February 09, 1996

9."Clinton Asks Anti-Cyber-Terror Funds", Associated Press Article, Friday January 7, 2000

10.Devost, Houghton, Pollard, "Information Terrorism: Political Violence in the Information Age"

11. "The Zapatistas Social Net War in Mexico", a AND Publication, 1998, Available on-line at http://www.rand.org/publications/MR/MR994/MR994.pdf/

12."Cybercrime.Cyberterrorism.Cyberwarfare Averting An Electronic Waterloo" CSIS Panel Report; November 1998, Available on-line at http://www.csis.org/pubs/cyberfor.html

13. John Bolard, "Governments Beat Terrorists To Net Weapons", article for TechWeb, September 22, 1998, Available on-line at http://www.techweb.com/wire/story/TWB19980922S0018

14. Nelson McCouch, statement by, Available on-line at http://www2.nando.net/newsroom/ntn/info/020397/info4_6451.html

15. "Two States Tangle With Alleged 'Cyber-Terrorist'", Reuters News, Article, October 26, 1999, Available on line at http://www.infowar.com/law/99/law_102699c_j.shtm

16. "Information Warfare: The Perfect Terrorist Weapon", Yael Shahar, ICT, available on-line at http://www.ict.org.il/inter_ter/logo.htm

17. "The Anti-Semitism of Japan's Aum Shinrikyo: A Dangerous Revival" a paper by Ely Karmon ICT, October 15, 1999, Available on-line at http://www.ict.org.il/articles/articledet.cfm?articleid=92


APPENDIX

1. A typical search using WAIS engines returned hundreds of instances where articles had used the word terrorist in relation to other words which indicate a different threat group like crackers, hackers, professional thieves, and others. For example: of a search using Altavista looking for articles using the words Cyber Terrorist 1,700 articles were found, using Google (my personal favorite) over 4600 articles. Disregarding duplicates, of the large number of these I sampled only the two or three instances detailed in this paper can be attributed to recognized traditional terrorist groups.

2 Aum Shinrikyo began operating as a religious organization in July 1987, having been founded as the Aum Shinsen no Kai organization in 1984. The head of the cult was Chizuo Matsumoto, also known as Shoko Asahara, a partially blind, charismatic former acupuncturist and yoga instructor, self-styled as the “one and only person who has acquired supreme truth” and who attributed to himself supernatural powers. In March 1995, the cult had grown into a large organization of some 10,000 Japanese members, with branches in Russia, Germany, the United States and Sri Lanka Asahara and his followers, certain that the apocalypse was coming, thought at first to ensure survival through religion, but shifted gradually, during the years 1988-89, from preparing for the survival of people outside the group to the survival only of the “chosen,” and finally, in 1994, to “survival through combat.” In order to survive Armageddon they had to become practice possessed a special resistance to chemical and bacterial agents, should they be attacked by ABC (atomic, biological, chemical) weapons. Currently, Aum has nearly 2,000 followers, including more than 500 live-in members. The latter live in 15 cult bases across Japan. The cult owns 28 compounds in 18 Japanese prefectures for religious training, missionary work and other operations. Out of some 400 Aum disciples arrested in crackdowns on the cult since 1995, a total of 155 have returned after being released.

3. I researched this group and found information in a work titled: "Youth and Racist Violence in the Nordic Countries" by Dr. Timo Virtanen (ed.)a Researcher at Åbo Academy University, Finland. "The Blitz is the main autonomous (anarchist) youth group in Oslo, strongly involved in antiracist activities and other radical causes. Some parts of the group, often going under the name AFA (Anti-Fascist Action) have promoted violent methods in their struggle, whereas other 'blitzers' oppose such methods. The Danish counterpart to Blitz is the BZ movement. Both groups have lost much of their 'membership' during the 1990s."