Table of Contents
INTRODUCTION
Globally, Technical/Digitalization clairvoyants are busy claiming that omnipresent and highly interconnected digital technology will scale up productivity and efficiency in an utopian realm, as well as new capabilities that the world has neither seen nor imagined.
By most prevalent definition standards; Cyber terrorism is the premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives
Terror tactics have transformed over time as the class of criminal perpetrators and the security measures in place to obstruct them has advanced and evolved.
As known targets are hardened , terrorist groups typically shift to softer, more vulnerable ones. This transition is shown in the changing terrorist practices of the last hundred years, from political assassination in the early 20th century, to aeroplane hijacking and hostage taken by Middle Eastern terrorist groups in 1970s, attacks on police and army units and mainland car bombs preceded by warnings in 1990s, and a shift toward maximizing civilian casualties with suicide attacks by jihadists in the past 15 years.
Perhaps the most radical innovation in terror tactics in the 21st century to date has been the weaponisation of passenger aircraft by al-Qaeda in 2001.
New terrorist groups have deep pockets, are technically advanced thus capable of inflicting catastrophic damage to diversified set of targets. Mostly computers have been sought target and it’s impact thereafter as per numerous publications & works (pure cyberterrorism) but real danger posed by the synthesis of computers and terrorism is not only the insertion of computer as target in the terrorism matrix, but in many of the other areas, too.
Breakdown of Cyber Terrorism
Computers — the new age WMD aka. Weapons of Mass Destruction
Certainly at least ‘weapon’ of the cyberterrorist is a computer if not the target too. Well limiting the access to a computer just as to an explosive will be fruitful? Not exactly but almost. The paramount mandate is protection of plethora of ‘connected computer(s) without any exception. The constitution & law thereby guides how one should protect a firearm from illegal/dangerous use. The enforced use of trigger locks, although controversial, sought to prevent danger in case the weapon is illegally possessed.
Of course, explosive and guns are not analogous to computers. A better analogy might stem from the concept of an ‘attractive nuisance’. For example, a hotel owner shares some responsibility for injury caused by an escalator on his property — it is deemed an attractive nuisance, and as such, the innocent should be prevented from the harm.
There are laws in place which address the damage done by/to a third party from the intentional or unintentional misuse of a piece or part or whole of corporate/personal property. The applicability of such laws or the definition of ‘misuse’ with respect to computers has been unclear till sometime ago but now the sanctified & revived acts & laws are catching up. However, there is a need for clear laws and standards which will equivocally engulf & hold accountable all the operators of large networks of Internet-connected ecosystems ; both virtual and physical; to ensure a zero tolerance and occurrence of deviation from security & integrity at the least.
Potential Perperators
- Non-State Terrorist Organizations- Nation/State Cyber Teams
- Organized Criminals/Crime Syndicates- ‘Lone Wolf or Individual Attackers’
- Hacktivists
The capabilities and threats posed by these groups are assessed as characterised by different motivations, capabilities, and targeting priorities.
Categorization of Attacks
The attacks on the computer infrastructure (virtual-physical-hybrid) can be classified into three categories as such
- Physical Attack: The computer infrastructure is damaged by using conventional methods like bombs, fire etc.
- Syntactic Attack: The computer infrastructure is damaged by modifying the logic of the system to introduce delay or make the system unpredictable. Computer viruses and Trojans are used in this type of attack.
- Semantic Attack: It exploits the confidence of the user in the system. During the attack the information keyed in the system during entering and exiting the system is modified without the user’s knowledge to induce errors,
Cybercrime is way beyond system hijacks now; it’s a high level exploitation of social media platforms, impersonation of unique identities/profiles and thus the personally identifiable information (PII). This is catering to propaganda, sedition which further lead to acts of terror like suicide bombings, facilitation to criminals by unsuspected netizens, money laundering for terror funding.
Let’s consider three phases of progressively more sophisticated terrorist cyber capability:
Enabling – online activities that support the operations of terrorist groups, such as publicity and propaganda, recruitment, reconnaissance, clandestine communications between members, and disseminating manuals and know-how to incite and facilitate attacks by others.
Disruptive – online activities that disrupt the information technology of opponents, including pro-active cyber breaches of networks; dissemination of malware; exfiltration of digital information; financial theft and fraud; denial of service attacks; phishing and other information technology (IT) hacking activities.
Destructive – cyber attacks that trigger physical damage or injury through spoofing operation technology (OT) and digital control systems; attacks on Supervisory Control and Data Acquisition (SCADA) systems; disabling control and safety systems;
Cataclyzmic Catalysts to Cyberterrorism
There are emerging frontiers that can further escalate the grim situation of cyberterrorism unless they are globally regulated and made resilient by uniform laws and frameworks:
- IoT Internet of Things-A.I. Artificial Intelligence
- Human Chip Implants/Microchips aided by Genome Editing
- Next Generation Semiconductors bending laws of physics in extreme processing speed & sizes
Strategic focus for defining realistic cyber terrorism scenarios Typically Cyberterrorism has been across all vital & fundamental services – industries:
- Real Estate & Property
- Aviation
- Retail
- Construction
- Transport
- Power & Energy
- Healthcare
- Pharmaceutical
- Chemical
- Aerospace
Suggestive ranking for extremely prioritized cyber terrorism attack
These suggestive scenarios assessments are considered on the basis of an ‘extreme-case-scenario’ based on contributing factors resulting in extreme losses and then scored in terms of the following impacts broadly:
Mortality Rate: (ranked 0 to 10) Scenarios logarithmically ranked for their worst-case- scenario death toll where 0 indicates no deaths linked to the effects of the cyber attack, 1 indicates fewer than 10 deaths and 10 indicates a thousand or more.
Physical Damage: (ranked 0 to 10) In terms of economic costs of physical damage rendered by cyber terrorism activities, 0 indicates no physical damage whatsoever, and 10 indicates billions of pounds.
Plausibility: (ranked 0 to 10) Plausibility is defined as a combination of cyber capability (or the developing cyber capability within a three-year period) and motivation. Motivation is understood as the worth of ‘return’, or ‘utility’ to attacker, compared to an organisation’s financial or time investment; though an attack may be relatively easy to carry out, without the surety of significant impact in terms of death toll, public disruption or spectacular damage, it is implausible to consider it as a viable cyber terrorist threat for the current age.
RESULTING PROBLEMS/ISSUES
Prevalent paradoxical scenarios are out there on news papers to look at time and again so let us perpetuate what lies ahead
Near Future/Potential Scenarios of Cyber Terrosim
- 4G, 5G, Public Wi-Fi, Internet as well as Satellite Communications are defunct completely
- Power Distribution Grid has collapsed & cities have plunged in darkness.
- Elevators, escalators & electro-digital utilities in industries, hospitals, homes have gone kaput.
- Integrated Public Transport as well as Privately Operated Services comprising of airports, airlines, buses, trains, subways and cabs have come to a stand still suddenly.
People from commercial as well as residential premises have been forced out in the open due to rampant explosions, fires in electrical setups after water supplies thus fire hydrants-sprinklers dried up. Obviously rendering Police, Health, Fire & Emergency Services crippled due to combination of all abive.
Resulting in chaos, stampede, loot, barbarism thus degradation and loss of human life on an unprecedented scale.
The social, economical, political turmoil will surpass the disaster management capabilities and global supports devastating the nation.
REMEDIATION
(Proposed-to-Actualised)
Countering Cyber Terrorism
Crenshaw (Crenshaw, 1999) examined a summary of traditional counter- terrorist techniques as listed below with an India specific approach.
DETERRENCE
The exemplary adherence to exhibit the initiatives, tough stand and quick redressal of such issues must be undertaken by government on a serious note. This will send a strong message and instill a sense of hesitation if not an all out nullification of such acts. This will certainly instill resistance from Human Rights perspective.
REGULATORY FRAMEWORK
It has eveolved from IT Act 2000 till latest Draft Personal Data Protection Bill under consideration with active National Cybersecurity Policy in place. But
ENHANCED DEFENSE
The overall network of people, processes and technologies instrumental and necessary for the hardening of the virtual-physical-social-infrastructure must be strengthened and sustained for a seamless exchange, execution and to make decision along.
GLOBAL JOINT VENTURES
As of now, India is in a high level official joint venture with USA & ad-hoc cooperation from few more countries. Budapest Convention too is being considered to be associated with. This yet leaves a lot to be taken up and dealt with unless the national policies and infrastructures are conducive as well as matured to international standards.
ESTIMATING VULNERABILITIES
(Yet to be started in India)
The number of vulnerabilities present in the global supply of digital products in aggregate is not known and new products or updates, when released, are rarely thoroughly interrogated for an accurate count of new avenues of compromise or susceptibility. Exploitable vulnerabilities can exist in hardware, software, network protocols and programming languages, and be present on both local and remote, or isolated or connected systems.
The estimation of the same is adjudged by the virtue & benchmarking dynamically maintained by The Cyber Green project. The world’s computer emergency response teams report into a metrics portal at the Cyber Green Website. This shared resources allows for a general metric of the performance of computer emergency response teams (CERT) globally. This useful risk metric is derived from reports submitted by global CERTs, and these teams agree to report the submitted incidents they receive in two categories: ‘vulnerable nodes’ and ‘compromised nodes’.
National Cybersecurity Landscape
A progressive Public-Private Cooperation, Institutional & Regulatory Framework by hybrid though intermittent communication/exchange along hindering overall strength sought. The comprising bodies/institutions converging into government for example
- NIC: National Informatics Centre
- DSCI: Data Security Council of India
- CCPS: Cyber Crime Police Stations
- CERT-In:Indian Computer Emergency Response Team
- NISAP: National Information Security Assurance Program
- NCIIPC: National Critical Information Infrastructure Protection Centre
- CHCIT: Cyber and Hi-Tech Crime Investigation and Training Centre
- NIELIT: National Institute of Electronics and Information
Technology
Cybersecurity Strategy Maturity
As of November 2017, The second Global Cybersecurity Index (GCI), released by the UN telecommunications agency International Telecommunication Union (ITU), said only about half of all countries have a cybersecurity strategy or are in the process of developing one and urged more countries to consider national policies to protect against cybercrime.
India is ranked 23rd on the index with a score of 0.683 and has been listed in the “maturing” category, which refers to 77 countries that have developed complex commitments to cybersecurity and engage in cybersecurity programmes and initiatives.
Bibliography
- Cyberterrorism?, Symantec.
Pool re cyber terrorism, Cambridge Centre for Risk Studies.
Crenshaw