Stephen Bonner, a partner in KPMG’s Information Protection & Business Resilience team, investigates
It is certainly true that terrorist groups exploit the internet to recruit, communicate, fundraise, plan and mobilise. There have been many examples of terrorist groups using the internet and social media to reach out to potential recruits, disseminate propaganda and assist in the radicalisation process. The Inspire online magazine produced by Al Qaeda in the Arabian Peninsula, which included articles on bomb making and instructions on how to contact the group, was just one high profile example.
Of course, such groups will be cautious of government surveillance, and the Snowden revelations will have done nothing to diminish their (possibly well founded) paranoia. Some terrorist groups have produced detailed guides (including educational videos) on internet security, designed their own encryption tools and made extensive use of the TOR network (an online anonymity and censorship resistance network) as part of their quest to remain undetected.
The internet also provides a vital source of targeting material which can help terrorist groups plan and organise their activities. On-line mapping, streetscapes, urban plans and other publicly available information on potential targets can also assist in planning a terrorist attack. We value our openness as a society, but with such openness come risks.
Social media also provides a unique and valuable insight into the so called pattern of life of target individuals, helping identify friends, colleagues, travel arrangements, homes and even routes to work. For example, a simple Foursquare or Facebook check-in can give away time, location and details of who else is around – as can the meta-data which comes with our favourite photograph. The same social media also gives insights into our life history, attitudes and beliefs – helpful for both terrorist recruitment and for targeting.
All of which suggests that terrorist groups are becoming increasingly internet‑savvy – but the question remains – would terrorists mount a cyber attack?
The US intelligence community threat assessment states that they “have seen indications that some terrorist organisations have heightened interest in developing offensive cyber capabilities, but they will probably be constrained by inherent resource and organisational limitations and competing priorities.”
There has been much discussion amongst think tanks worldwide over this issue and opinion remains divided. Clearly, our dependence on the internet has grown to the point where many critical infrastructure systems are connected (either directly or indirectly) to the internet. Moreover, this year the World Economic Forum Global Risk report raised the spectre of “Digital Disintegration” as we become increasingly dependent on cyberspace.
Despite our dependence on the internet, cyber attacks seem to lack the visceral impact of a bomb in a crowded place with the immediate media coverage of carnage and destruction, the stuff of terror and therefore terrorism. Hollywood has postulated many cyber terrorism scenarios, but they have yet to usurp shrapnel filled pressure cookers, truck bombs and hijacked aircraft as weapons of terror on the Big Screen in the cyber world.
Of course, it is easy to be complacent as terrorist groups are continually looking for new attack techniques which can defeat our security measures. Often we can track innovation in terrorist methods to one or two key individuals within a terrorist group who bring particular skills or experience. Frequently the military have seen a new improvised explosive device technique developed and fielded across Afghanistan within weeks.
The right cyber skills
Terrorist groups backed by foreign governments are more likely to possess the intent and capability to conduct cyber attacks. Some governments are suspected of providing finances, infrastructure and sanctuary to terrorist groups whose objectives align with their own.
The Al‑Qassam Cyber Fighters, who take their name from Hamas’s military wing, were responsible for attacks on US financial institutions in 2012. Such was the scale and length of this campaign, media reports suggested, the US government suspected the group was backed by Iran. Equally, the relationship between the Syrian Electronic Army, which defaces websites and conducts denial of service attacks against Syrian President Bashar al-Assad’s political opponents, and the Syrian government remains unclear.
So my advice is, do not discount a cyber dimension to terrorism, but perhaps set it in the context of other “clear and present dangers” including country sponsored attacks, the militarisation of cyber space, and the ever present risk of accidental system failures due to error or incompetence.
While cyber terrorism may in future represent a threat to such infrastructure, currently it ranks behind many other threats.
I would argue that good cyber security can do much to improve the resilience of our critical infrastructure irrespective of the motivation of the attacker, useful when our conventional categories of state, terrorist and criminal become blurred in cyberspace.
Getting the right balance
Our governments have a duty to help us strike a balance between the openness which is fundamental to our democratic society, and the security necessary to frustrate attacks on that very society. That balance must be struck with one idea front of mind; the openness and freedom of the Internet is exactly what cyber-terror is likely to aim to disrupt, we must not let the cyber-terrorists win by giving up real freedoms as an attempt to reduce imaginary harms. Also we must remember that much, if not all, of our critical infrastructure is now in private hands and that striking that balance also requires discussions with industry and commerce over the nature of the threat and the risks we as a nation are prepared to tolerate.
Those choices are not just national choices, but have global implications for companies and the decisions they make about investing in the UK. Firms seek a secure and stable environment for business – whether that be fiscal policy or cyber security, but they also understand quite keenly the costs of doing business in any given country.
Unfortunately, we are far from having a solid basis on which to make risk judgements around cyber threats, whether terrorist or otherwise. We also have a long way to go to understand the systemic risks which we as a country face from our growing dependence on cyberspace.
The UK government has made good progress in developing and implementing its national cyber security strategy, but we must always be cautious about the natural tendency of governments to cloak such discussions in secrecy. So I would urge an open dialogue around the nature of the cyber threat to the UK, our collective understanding of the risks to the UK, and the business and national incentives around managing those risks.