Discourse around cyber security and cyber terrorism is changing. It is evolving, slowly but perceptibly, from anxiety about a single catastrophic event—a “cyber Pearl Harbor”—to a conversation about how to manage a digital threat landscape that includes a large number of smaller incidents directed against a wide range of targets. Some of these episodes, to be sure, may prove catastrophic to individual victims. The strategic impact of proliferating cyber challenges, however, is more likely to be felt in their accumulated effect on our economic interests over time than in a single catastrophic event targeting American infrastructure.
Alongside this shift in the strategic conversation about cybersecurity must come a parallel conceptual shift in how we understand the threat posed by the use of cyber capabilities by terrorist groups. The conversation must evolve from a focus on fears about cataclysmic acts of cyberterrorism to a focus on changing how we approach the use of digital organization and communication technologies by terrorist groups. We also must develop a conceptual vocabulary to deal with the use, by states, of destructive cyber capabilities against private actors for political ends.
A Subtle Shift in Discourse
For the last several years, a substantial part of the discussion about cyber risk among our national leadership has revolved around preventing or preparing for the risk of a single catastrophic cyber event that destroys some component of America’s critical infrastructure. Thus, in the fall of 2012, then-Secretary of Defense Leon Panetta warned about “a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.” As recently as November 2014, Mike Rogers, then the Chairman of the House Permanent Select Committee on Intelligence prognosticated “that threat of a catastrophic and damaging cyber attack on U.S. critical infrastructure like our power or financial networks is actually becoming less hypothetical every day.”
Panetta and Rogers are correct—the threat of a cyber attack that results in catastrophic damage to critical infrastructure is a real (if low probability) risk. But the kind of cyberattacks that have become most prominent in recent years—the kind that have plagued Target, Home Depot, Sony Pictures, Anthem Health, and many, many others—are quite different. Rather than a single catastrophic event that cripples a component of American critical infrastructure, these attacks attrite America’s strategic dominance by targeting its economic interests over time. The combination of the cyber attack and expensive cybersecurity measures imposes large costs on American businesses and causes the seepage of valuable intellectual property.
Indeed, the accumulated threat posed by narrowly focused—albeit pervasive—intellectual property or cyber-enabled theft (of credit card and other personally identifiable information) is increasingly being recognized at a strategic level. As Director of National Intelligence James Clapper recently said, “Rather than a ‘Cyber Armageddon’ scenario that debilitates the entire U.S. infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”
This subtle shift in the discourse on cybersecurity has parallel implications for how we think about the most important threat posed by the use of cyber capabilities by terrorist groups. Terrorism is understood as the intentional use of violence and fear, generally by non-state actors, in pursuit of a political agenda. In the last several years, fears of “cyber terrorism” have become part of national discourse.
While it is valid to be concerned that terrorist groups might one day engage in cyberattacks that result in significant destruction, the threat landscape involving terrorist groups and cyber capabilities is different. Indeed, at a conceptual level, scholars like Thomas Rid assert that the kinds of cyber “attacks” with which we are familiar should not be thought of as acts of war. This is because the cyber “attacks” that we have faced do not use violence for instrumental purposes, as required according to Clausewitz’s canonical definition of “war.” Rather, the exercise of cyber capabilities is better thought of as some combination of espionage, sabotage, or subversion. Attacks by ISIS sympathizers on U.S. Central Command’s Twitter account just don’t cut it.
Instead of directing our efforts to the low probability risk of a cyber terrorist attack, we should focus our attention on better developing a conceptual framework for managing two terrorism-related uses of cyber capabilities that pose more immediate challenges. The first pertains to changing our understanding of what it means to “belong to” or provide “services” that are prohibited by law to a terrorist group. The second involves how we understand the use of coercive cyber attacks against private actors by nation-states.
The United States has long had laws against the provision of material support to terrorism. These statutes have generated the conviction of people like Sulaiman Abu Ghayth, Osama bin Laden’s son-in-law, for serving as al-Qaeda’s spokesman. They also served as the grounds for prosecuting Tarek Mehanna, convicted for “translating and posting on the Internet al Qaeda recruitment videos and other documents,” along with a litany of other acts. The Supreme Court’s 2010 decision in Holder v. Humanitarian Law Project also barred the provision of non-violent training to a designated terrorist organization, while at the same time affirming the First Amendment rights of individuals to engage in “independent advocacy,” even if that advocacy involves ideas embraced by terrorist groups.
The distributed and decentralized ways in which new(ish) terrorist phenomena like ISIS use social media to recruit and organize create a gray area between speech clearly protected by the First Amendment, and acts constituting criminal provision of material support. In that space, people not formally linked to terrorist groups make effective use of social media to benefit terrorist organizations. This conduct might not be punishable under U.S. criminal statutes barring the provision of material support to terrorist groups. There may also be a relatively large number of, say, Twitter users who serve as de facto recruiters for groups like ISIS, urging disaffected young people to go fight on their behalf. While this conduct might escape the ambit of today’s criminal laws, it nonetheless creates a significant problem for those trying to blunt the brutal effectiveness of ISIS.
Governments have noticed and are struggling to determine how to approach this problem within established constitutional frameworks. John Carlin, Assistant Attorney General for National Security, recently said that the Justice Department would “'consider criminal charges’ against people who are ‘proliferating ISIS social media.’” But he left undefined exactly under what circumstances DOJ would do so.
British government officials, operating in an environment with different legal and cultural understandings of the boundaries between permissible and prohibited speech, have been even more forward-leaning in criticizing social media companies whose platforms have “become the command-and-control networks of choice for terrorists and criminals.” But they too have struggled to identify the specific steps necessary (and permissible) to tackle the problem.
American traditions of free speech and public debate have facilitated incredible innovation and should not be sacrificed. At the same time, the ability of ISIS and other related groups to recruit and propagandize via social media is unprecedented. Determining how to navigate between competing values that prize free speech and that seek to degrade ISIS will be a dominant conceptual challenge for the internet generation.
As non-state actors use cyber means in new ways, governments—specifically rogue regimes like North Korea and Iran—are also shifting towards cyber capabilities to inflict damage on private actors with political objectives in mind. This trend departs from the traditional notion of terrorism as acts conducted by non-state actors. For example, the 2012 hacks on Saudi Aramco appear to have been attempts at retaliation by Iran for western efforts to halt its nuclear program through sanctions or cyber activities. Furthermore, North Korea recently objected to a satirical movie about Kim Jong Un by allegedly launching a destructive cyber attack on Sony Pictures and threatening violence against movie theaters that displayed it.
These acts would likely have been considered terrorist attacks had non-state actors conducted them, and/or if they had been kinetic in nature. But the attacks targeted private actors and were conducted by governments. And while the Sony hack attempted to coerce private companies with respect to their decision whether to show a movie, it is not clear how the U.S. government would respond if another government threatened (or committed) cyber attacks against dozens of companies in order to coerce the U.S. government with respect to its own activities. An acceleration of trends in which private companies are attacked for political reasons may put the U.S. government in the awkward position of having to defend companies with whose activities it might not agree. And, more generally, to pick and choose which American (or foreign) entities it will defend and which it will not.
The digitization of nearly all aspects of modern life has generated immense benefits. It has also however, facilitated easier means for engagement in nefarious activities. This altered landscape calls into question existing boundaries between familiar concepts—the distinction between acts of terrorism and other forms of political violence, the boundaries between free speech, and the provision of material support to terrorism, among many others. Solutions to these problems are a long way off; but the first step is to recognize their novelty.