Managing Network Security

Terrorism and Cyberspace

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Terrorism

I have heard a lot about cyber terrorism over the last several years, and you have probably heard your share as well. As I am a scientist by training, nature, and desire, I have a basic approach to all problems - the method (no - not acting). The method says that you create hypotheses, do experiments to try to refute them, and get refutations or confirmations that are then used to adjust the theory (or not). In the case of cyber terrorism, theories abound. Every pundit on the planet seems to think they know something - but few of them know very much. The problem is that there is no good way to do experiments. So we fall back on investigative skills as the only alternative to experiments for differentiating sound candidates from foolishness.

Most people who start talking about terrorism begin with a definition or some such thing. I will not. For my purposes I just assume that terrorists are people listed on the US State Department's list of terrorist organizations. If I miss a few it doesn't matter because there are so many on the list I can never get through them all anyway. If I include some who are not really terrorists by your definition, don't be offended - I didn't write the list. And who makes the list is not as important as the basic notion anyway.

The basic notion that I have about trying to understand cyber terrorism is that it can only be done by looking at one group at a time. You look at group after group after group and try to understand all you can about them in the available amount of time. Then you start to draw conclusions as you see the forest emerging from all those trees.


The Trees

You might reasonably ask how many trees I have looked at on my quest to understand the forest. At this point I have had students in graduate classes and professional researchers working with me for a number of years on this subject. The net effect is that we have done mid-level depth studies on about 20 terrorist groups in the last few years. Earlier studies are probably not all that relevant to the cyber terror issue.

In your walk through forests, you might have noticed that besides the trees, there are some other things there - like the moss and grass and animals, etc. In the cyber arena, there are also things besides terrorist groups, and you have to understand them in order to understand how the terrorist groups might be able to exploit information technologies to their ends. In this arena I have a lot of experience, having done lots of work on critical infrastructures and consulting for corporations and governments over the years.

Of course the forest lives in an overall environment, as does information technology. If cyber terrorism is to be understood, it must be understood in context. The context of the day is focused on the so-called Middle East - that region at the intersection of Africa, Asia, and Europe that is mostly desert and sitting on top of a huge oil field. Both historically, because of trade routes, and currently, because of the oil trade, this region has been and is today critical to the wealth of nations. The predominantly Arab population of the region wants Israel out of there and the 'West' (that being mostly the US and Western European nations) wants Israel to remain, for reasons ranging from religious heritage to strategic positioning (e.g., keep the peoples of the region at war and they will not realize that they are squandering their wealth buying guns from the West in exchange for the oil they sold to the West - leaving them with old guns that are only useful for fighting each other anyway). Of course there are lots of other terrorist groups that are lower profile today, but rest assured, they are still out there.


The Forest

It should not be a big shock coming from me that I will take the approach that risks are a result of a conspiracy of threats, vulnerabilities and consequences. After all, I have written about it in this column a few times a year since 1995. In order to understand the forest, we must take the trees, mosses, other living creatures, and the outside environment into account, or we certainly miss the big picture. From this perspective, the only difference between cyber terrorism and other areas of information system abuse is the threat. The vulnerabilities that are present in information systems and the range of consequences of the exploitation of those systems by threats are more or less the same regardless of who the attacker is. This is not strictly true, because different threats apply different combinations of capabilities, with different degrees of simultaneity, toward different ends.

So if we are to understand this forest, we might want to start by looking at what consequences a terrorist organization might reasonably seek through cyber space. That's what a lot of folks do - they start by trying to find enormous consequences and see if they can back track those consequences to some sequence of acts that could be done by terrorist organizations. How about starting with the end of the world as we know it and seeing if terrorist groups could do it? Let's see, how would we end the world, and could we find a way to do it within the means of terrorists?

The terrorists are at somewhat of a disadvantage here because, for the most part, they really don't want to end the world, even if some of them are willing to brainwash other parents' teenaged children into committing suicide 'for the cause'. Indeed, they are sitting on the attacker's side of the fence - seeking insiders to take advantage of systems, trying to get and keep funded, working to get explosives and cache them where nation states won't take them away, trying to recruit pre-brainwashed teenagers and steep them in propaganda for a lifetime of exploitation, and so forth.


What You Do

Of course we all care about the terrorist situation and the loss of life happening every day in the regions of conflict, but this does not make it a critical part of our everyday work life. Even if a terrorist group could end the world via cyber attack, it would have very little to do with what most of you do every day. So another issue that has to be considered is how cyber terrorism impacts what those who manage network security do. That has more to do with what the terrorists do every day than the one-off events they may be able to create on rare occasions. And indeed, if we can address the everyday issue, the one-off issue will be far less likely to ever happen.

So let's assume for the moment that we could focus our resources on fighting cyber terrorism in our organizations. What would that mean to most of us? Probably very little. Indeed, most of us are already defending our information systems by managing risks. The overall theory is that if each of us manages risks reasonably well, then in the aggregate we will manage the overall risk reasonably well and we will all be the better for it.

But unfortunately, this falls over when it comes to issues like cyber terrorism. The reason for this is that the successful terrorist sits closer to the edge of our risk management spectrum than to its center. The terrorist typically remains low profile until they become very high profile for a short period of time. They are trained in infiltration - which is to say - they are supposed to act assimilated until they do their big terror thing. If they commit crimes all along the way, it will be more likely that we will catch them along the way, so they try to keep a low profile, work their way into the desired position for the mission over a period of years, and then strike when the opportunity is right. As we all know but few admit, insider threats are dealt with poorly by our risk management processes.


What Terrorists do in Cyberspace

So if we are going to look out for the cyber terrorists, it will probably be helpful to know what to look for. I cannot tell you what will happen in the future. If I knew, I would probably keep it to myself anyway. So all I can really do is tell you about the past. Recent history shows that terrorists do the following things in cyberspace:

While there are some other ways that terrorist groups might use information technology, the vast majority of activities to date have been in the areas described above. There have been outliers - ranging from the use of a chat room by a Palestinian group to lure and kill an Israeli teenager - to the attempts to break into US energy companies by Middle Eastern groups - to the sale of software to run police systems by the Aum Shinrikyo group in Japan - to the exploitation of laser-based remote bomb controls by the IRA. Obviously, if you encounter anything like this you would want to report it to federal authorities right away.


Conclusions

Just as business has prospered in the Internet era because of the efficiencies associated with deeply embedded information technology, criminal and terrorist groups have taken advantage of the technology to their own ends. Technology brings efficiency to all who use it.

From the perspective of the security manager, cyber terrorism has not changed much about the way you operate, but it does produce some changes in the way you might respond to incidents. In particular, it should produce changes in the response processes and policies with regard to Internet use.

I have said for some time that many unreported criminal activities exploiting information technology should be reported. This might be viewed as an excuse for pushing that policy forward. It is not an excuse for it, it is merely another example of the importance of recognizing criminal activity and dealing with it. In this case the criminals will kill people who find them out, so it is more severe than many of the insider crimes that most security managers cover up from time to time.


About The Author:

Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over the Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/