Is the threat of Cyber-Terrorism justified?
As the COVID-19 pandemic rages on throughout the world, many have taken safe-haven at home during strict state-mandated lockdowns. Despite this, connecting with the outside world has never been easier: from our homes, we can work, learn and talk at face-to-face contact near-seamlessly over screens, facilitated by the internet. But the increased use of cyber technologies like the video-conferencing app Zoom, for instance, has brought our dependence on such cyber-systems and their security into question. At the forefront are understandably augmented concerns over hacking, cyberattacks and even cyberterrorism. Yet these same concerns have been at the forefront of the debate around cyber-security since its inception decades ago, when it began to seem plausible that terrorism might find some manifestation in the cyber-sphere. This assumption ignites a sense of fear and angst; emotions that have magnified the issue. But while the concern about the potential danger of cyber-terrorism is certainly valid, the embellishment of the issue amongst members of the media, academia and government has been fundamentally unjustified. With a simple search today, you can find articles like, “Why Zoom Hacking Is No Doubt Cyber Terrorism Against Black People”, and other hyperbolic claims of cyber-terroristic nature.[1] Such assertions equate and synonymise cyber-attacks and hacktivism with cyber-terrorism, defining the latter in alarmist terms and therein raising and magnifying the perceived security threat of the issue, despite the fact many scholars agree it has never actually occurred.[2]
This essay seeks to explore how the threat of cyber-terrorism has become so tangible, while in actuality it remains an intangible hypothetical. Using the theoretical framework of securitisation and frame theory, cyber-terrorism will be proven to be an issue that has been largely over-exaggerated by media, academic, and state agents which tout its plausible but highly abstract reality as actuality through alarmist rhetoric. In short, the perceived threat of cyber-terrorism has been justified by the agencies that securitise it.
First, however, the debate surrounding cyber-terrorism must be addressed, as it is principally a definitional issue. Secondly, securitisation and frame theory will be explained. Finally, an analysis of the individual to state level in the form of media, academia and government agencies, respectively, will make a case for their particular roles in framing the security threat. International agencies like NATO will not be addressed due to the fact that they mostly deal with cyber-warfare and law, and their approach to cyber-terrorism hinges on the states that inform them.[3]’[4]’[5]
Definitions
The term ‘cyberterrorism’ was first coined in the 1980s by Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, who referred to the ever-increasing convergence of cyberspace and terrorism.[6] The persistence and extent of the definitional debate around the latter has been well documented.[7] It is perhaps unsurprising then that, like conventional or kinetic terrorism, there is no universally putative definition of ‘cyber-terrorism’.[8] Combining the two greatest fears of modern times—the fear of random violence and the cynicism of computer technology—the general premise is that as states and infrastructure rely more heavily upon computer networks to function, new vulnerabilities create a massive ‘Achilles Heel’ which can be taken advantage of by ill-intended actors to inflict violence.[9]’[10]
The divide on how to term cyber-terrorism is also twofold. The first is referential in nature: what does, or rather, should, the term cyber-terrorism refer? The second is relational: how is cyber-terrorism similar or dissimilar from other forms of violence. Is it, for example, simply a sub-set of terrorism which includes a diverse spectrum of violence? Or is it a distinct phenomenon with its own separate characteristics?[11] The former question can be split into a narrow and broader views. As Brunst and Talihärm note, a narrower, target-oriented view will define cyber-terrorism closely with a restricted definition of terrorism: politically motivated attacks that cause actual violence to combatants. A broader, tool-oriented perspective may regard all uses of the internet by terrorists as violent cyber-terrorism.[12]’[13] The latter question also sparks a number of narrow or broad views, although over the qualitative differences between cyber-terrorism and terrorism.[14]
When concepts like cyber-terrorism—which can be precisely delineated—are stretched to make them indistinguishable from more general concepts like cyber-attacks, we undermine our own capacity to fully grasp the phenomena.[15] A narrow definition of cyberterrorism that follows closely with an equally restrictive terrorism definition is essential for juxtaposing, analysing, and hence understanding how rhetoric employing a broader meaning is able to frame an abstract security threat as one that is not only tangible, but pressing. For this, Kenney’s definition works well:
Cyberterrorism refers to cyberattacks against computer systems outside of cyberwarfare, resulting in substantial physical harm or violence against civilian non-combatants intended to terrorize wider audiences for some political, social, or religious end.[16]
Important to note, moreover, is what cyber-terrorism is not. Cyber-terrorism is still yet to occur—no case fulfils all the requirements of the definition. Other cyber-threats, however, have. Actors in the three aforementioned agencies will often mischaracterise cyber-terrorism as either: hacktivism, cyber-attacks, cyber-warfare or cyber-crime. Hacktivism includes hackers defacing or altering the cyber-space for political, but not violent means. Cyber-attacks seek to inflict violence for political gain, but fall short of inflicting harm against civilian combatants. Cyber-warfare regards political cyber-attacks between states. Cyber-crime involves harm inflicted not for political gain, but economic profit.[17]
Theoretical Framework
Essential to understanding how cyber-terrorism is framed is securitisation theory. A constructivist theory developed by the Copenhagen School of Security, it challenges traditional IR approaches to security by averring that, while issues may not be ultimately threatening in themselves, successfully presenting them as ‘security’ threats ensures that they become supportable security problems. This is certainly true for cyber-terrorism. The process of bringing an issue into the security domain is called securitisation.[18]
The development of securitisation is seen as a “socially constructed contextual speech act”, implying that by voicing (or writing) the word ‘security’ (or another term articulating the need for unordinary measures), a “professional of security” claims a unique ability to use any means necessary to counter a certain threat.[19] Hence, threats are constructed through language and rhetoric. Securitisation theory aims to understand “who securitises (the actor), what the issue is (threat subject), for whom and for what (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure).”[20] In this case, the actors are the three agencies, the threat subject is cyber-terrorism, the referent object is the respective public’s cyber-security (and security from violence), and the result is that the threat becomes apparent and superficially justified. The purpose(s) of cyber-terrorism’s securitisation will not be discussed at length—this essay is not concerned with why the threat has become securitised; only to understand how it has become so.
Also of use is framing theory, a subset of securitisation theory that explains how government officials and experts use language to dramatize a threat by using certain phrases and words to make its construction as a national security threat possible. From this theory, frame resonance will be discussed in regard to each agent as it is prevalent in all. Frame resonance explains how a framed issue and content must appeal to existing values and beliefs of an audience to become effective.[21]
Media
Much of the discussion on cyberterrorism takes place in the media.[22] It is more than common for journalists to falsely equate hacktivism, cyber-attacks, and cyber-crime as a synonym of cyber-terrorism, thereby conflating the threat we actually face from the latter.[23] As Denning notes, the media is abound with examples of mischaracterisation—“cyber-terrorism and cyber-attacks are sexy right now…[It is] novel, original, it captures people’s imagination.[24]
Approaching this issue quantitatively, a study by Jarvis et al., analyses 535 news items published by 31 different media outlets across 7 English-speaking countries between 2008 and 2013. The researchers found that, of 400 articles which had cyber-terrorism as their primary or secondary focus, 268 (67%) were markedly concerned over the issue. A further 33 (8%) items had concern with elements of scepticism. Perhaps the most striking find, however, was the number of articles that were sceptical about cyber-terrorism posing any threat at all; only eight items (2%). In a qualitative analysis of 2010 alone, article headlines bordered on dramatic. One in the UK’s most widely read newspaper presaged the necessity to ‘Fight cyber war before planes fall out of the sky.’ Another, equally foreboding one announced, ‘Why Britain is desperately vulnerable to cyber terror’.[25]
These findings show that news coverage’s role is significant and actively involved in the production of the cyber-terrorism security threat through mischaracterisation and use of a socially constructed speech act—“they have a constitutive, rather than a corresponding relationship to the ‘reality’ of cyberterrorism,” regardless of whether a real threat exists.[26] When this construction becomes widely circulated and replicated, moreover, prevailing narratives on cyber-terrorism can, quite rapidly, take on the façade of “an external ‘reality’ which seems to confirm it as…common-sense.”[27] The media uses frame resonance to make the threat appealing by playing to the distrust of computer technology and fear of terrorism in general. It comes as no surprise, argues Green, “that cyberterrorism now ranks alongside other weapons of mass destruction in the public consciousness.”[28]
As unfortunate as this situation is, it can also be understood given the tight deadlines that reporters face, and the myriad “experts” who fail to distinguish definitions that journalists draw from. Further explicable is the temptation that outlet editors face to exploit melodramatic terms like ‘cyber-terrorism’ to entice clicks. What is less understandable, and perhaps less defensible, is when highly educated scholars with “time and intellectual freedom” fail to make such distinctions.[29]
Academia
Although many academics wisely emphasise the contrasts between cyber-terrorism and other cyber-threats, others are not immune from definitional laxity and hyperbole—a characteristic that plagues popular dialogue on the subject.[30] Perhaps the most notorious example of academic embellishment was published in 1991 by the National Research Council, in which they claimed: “Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”[31]
Recent studies have continued in this vein. One study by Gable claims that there have been millions of cyber-terrorist incidents.[32] Another declares that “the actual number” of cyber-terrorist attacks annually “is so colossal that there could not be accurate reporting on just how frequently those attacks occur.”[33] These academics suggest that cyber-terrorism is inescapable; that thousands of incidents occur every day.
Academics who ‘concept stretch’ can also affect how cyber-terrorism is framed in other agencies (media, government) if their expression of the threat is taken as certainty. The circulation and affirmation of definitional ambiguity may then have further knock-on effects on how policy-makers and security officials understand and approach the issue.[34] For example, one letter from computer scientist Roy Maxion to President George Bush decries that, “Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks.” Co-signed by 50 other computer scientists, provocative language like this promotes clear frame resonance: it plays to the fears of state officials that a cyber-terrorist attack will match that of a traditional one.[35]
The State
The term ‘cyber-terrorism’, as before mentioned, merges two spheres that most policy-makers and administration officials also do not fully understand and therefore tend to fear. These policy makers, like previous agents, are susceptible to overstatement as ‘prophets of doom’. In 2002, Senator Charles Schumer (D-NY) described “the absolute havoc and devastation that would result if cyberterrorists suddenly shut down our air traffic control system, with thousands of planes in mid-flight.” In an NPR interview in 2004, Diane Feinstein (D-CA) and Jon Kyl (R-AZ) expressed their anxiety over cyber-terrorism and the nation’s computer system vulnerabilities.[36]
State policy-makers will also use cyber-attacks, or other related phenomena, to validate an active approach to a false cyber-terrorist threat. By employing ‘othering’, Cavelty argues, a danger is constructed that stems from the fear of an enemy (threat subject) that is located outside of the actor’s nation in both “geographical and moral terms”, reinforcing a nation’s collective self (frame resonance). The use of rhetoric around ‘our infrastructure or computers’ amplifies this effect, moreover implying that defence against such threats comes under the purview of national security policy.[37]
Action in policy taken against the threat of what is lazily termed ‘cyber-terrorism’ lends clout to the concept. As Cavelty describes, President Clinton influenced the perception of cyber-terrorism markedly with his 1998 Presidential Decision Directives 63 and 64, which led to a firm establishment of addressing cyber-terror in policy and rhetoric. As Clinton explained in 2000, “One of the biggest threats to the future is going to be cyberterrorism.”[38] As a presidential candidate, George W. Bush referred to the “rise of cyber-terrorism’, and following the 9/11 attacks, created the Office of Cyberspace Security. Today, the FBI contains thousands of ‘cyber-investigators’.[39] Here, speech act makes way for forming action on the announced issue—and it seems to be hitting home. In a survey of 725 cities on the second anniversary of the 9/11 attacks, cyberterrorism ranked at the top of a list of city officials’ fears, alongside chemical weapons and biological warfare.[40]
In the UK as well, such misunderstanding appears, wherein cyber-terrorism was classed as a ‘Tier-One’ threat in 2010. This move came under no scrutiny by MP’s, who all consciously agreed to its underlying definition. Classifying the threat as one of their highest priorities in national security, provided a theme for the government that could be vocalised repeatedly by ministers, MP’s and Lords, therein consciously or unconsciously securitising the threat of cyber-terrorism in society and moving it beyond the political.[41]
Conclusion
Cyber-terrorism is now a buzzword employed to aggravate fear. Its alarmist use preys on the general public’s angst, mistrust and ignorance of both computer systems and traditional terrorism. This essay has sought to dial back the manipulative rhetoric to analyse what cyber-terrorism is and is not, hence clearing the mirage and finding what the actual threat being presented is. By narrowly defining cyber-terrorism, it leaves no room for misunderstanding. In using securitisation and frame theory, it then seeks to explain how cyber-terrorism has risen as a credible threat, facilitated by agents in media, academia and government. Among these agents, a pattern emerges: the use of speech act, and its further procreation, creates a compelling and resonant image of cyber-terrorism as a valid security threat. Each agent, moreover, draws on one another, creating a chaotic melding of ambiguity and manipulation of the subject. The most destructive forces of the cyber-terrorism threat justification is lack of correct information, and worse, the spread of misinformation. Whereas cyber-attacks and hacktivism are frequent, concrete occurrences that must be addressed, cyber-terrorism should not be used synonymously alongside them—it is a possibility, not an assurance. The future struggle for policy and decision-makers lies in carefully navigating the rocky shoals between hysterical cyber-angst and ignorant complacency. Policy should focus on the broad range of cyber-threats and terrorists’ use of the Internet to organise and communicate, without hastily invoking the spectre of cyber-terrorism.
[1] Ogunnaike, Jade. “Why Zoom Hacking Is No Doubt Cyber Terrorism Against Black People - Blavity.” Blavity News & Politics, Blavity, 6 Apr. 2020, [blavity.com/why-zoom-hacking-is-no-doubt-cyber-terrorism-against-black-people?category1=opinion.]
[2] Conway, Maura. "Cyberterrorism: The Story So Far." Journal of Information Warfare 2, no. 2, 2003, 33. Accessed April 7, 2020. [www.jstor.org/stable/26502767.]
[3] Hunker 2010, 1-2.
[4] Marsili 2018, 172.
[5] Tumkevič 2018, 75.
[6] Collin 1997, 15-18.
[7] Jarvis et al. 2015, 658.
[8] Yunos and Sulaman 2017, 1.
[9] Lewis 2002, 1.
[10] Smith 2015, 131.
[11] Jarvis et al. 2015, 660.
[12] Brunst 2010, 51.
[13] Talihärm 2010, 63-4.
[14] Jarvis et al. 661.
[15] Sartori 1970, 1033.
[16] Kenney 2016, 144.
[17] Ibid., 151.
[18] Cavelty 2008, 22.
[19] Ibid., 23.
[20] Buzan et al. 1998, 32.
[21] Benford and Snow, 619-20.
[22] Weimman 2005, 135.
[23] Embar-Seddon 2002, 1034.
[24] Denning 2001.
[25] Jarvis et al. 2015, 70-3.
[26] Ibid., 61.
[27] Ibid., 72.
[28] Green 2002.
[29] Kenney 2016, 157.
[30] Ibid., 158.
[31] NRC 1991, 23.
[32] Gable 2010, 63.
[33] Kenney 2016, 160.
[34] Kenney 2015, 127.
[35] Weimman 2005, 130.
[36] Ibid., 133, 143.
[37] Cavelty 2008, 34.
[38] Ibid., 25-7.
[39] Weimman 2005, 145.
[40] Kenney 2015, 134.
[41] Mott 2018, 74-7.
