
RESEARCH PAPER

Cyber-Terror Ominous Menace or Phantasm Threat US Cyber-Threat

2011


ABSTRACT. For some years, experts and government officials have warned of cyber-terrorism as an ominous threat to national security. However, if we define cyber-terror as an attack or series of attacks that is carried out by terrorists, that instills fear by effects that are destructive or disruptive, and that has a political, religious, or ideological motivation, then none of the disruptive cyber-incidents of the last years qualify as examples of cyber-terrorism. So why has this fear been so persistent? Instead of trying to answer how long cyber-terror is likely to remain a fictional scenario, this paper analyzes the US cyber-terror discourse from a constructivist security studies angle: It looks at how cyber-threats in general, and cyber-terror in particular, are framed, and speculates on characteristics that are responsible for the rapid and considerable political impact of the widespread conceptualization of aspects of information technology as a security problem in the 1990s.

Keywords: Cyber-terrorism, security studies, threat framing, information infrastructure

MD C, PhD, is Head of the New Risks Research Unit, Center for Security Studies (CSS), ETH Zurich, Switzerland; Coordinator of the Crisis and Risk Network (CRN), a Swiss-Swedish Internet and workshop initiative for international dialog on national-level security risks and vulnerabilities; and Lecturer at the University of Zurich and the Swiss Federal Institute of Technology. Dr. D C holds a degree in political science, modern history, and international law from the University of Zurich. Address correspondence to: MD C, Center for Security Studies (CSS), ETH Zurich, WEC, Weinbergstrasse 11, CH-8092 Zurich, Switzerland (E-mail: D@sipo.gess.ethz.ch).

This paper has won the Millennium Award 2006 for an Outstanding Research Paper by a Younger Scholar from the Comparative Interdisciplinary Studies Section of the International Studies Association. The author would like to thank seven anonymous reviewers for their insightful comments and suggestions for improvements.

Journal of Information Technology & Politics, Vol. 4(1) 2007. Available online at http://jitp.haworthpress.com. © 2007 by The Haworth Press. All rights reserved. doi:10.1300/J516v04n01_03

INTRODUCTION

The link between terrorism and computer technology has been a theme in the US national security literature for more than a decade. As early as 1991, a report on computer security declared: "We are at risk. Increasingly, America depends on computers. . . . Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb" (National Academy of Sciences, 1991, p. 7). Subsequent years saw the gradual refinement of the threat image and an increasing amount of grim warnings, with the 1995 Oklahoma City bombing and the political activity in its aftermath marking the beginning of the firm establishment of a cyber-terror concept that was closely linked to the critical infrastructure protection (CIP) debate on the national security agenda. While governments and the media repeatedly distribute information about cyber threats, real cyber-attacks resulting in deaths and injuries remain largely the stuff of Hollywood movies or conspiracy theory. In fact, menacing scenarios of major disruptive occurrences in the cyber-domain, triggered by malicious actors, have remained just that: scenarios. Nonetheless, for the US government (and to a lesser degree other governments around the world), the decision has been far more straightforward: it considers the threat to national security to be real, has extensively studied various aspects of cyber-threats, and spends considerable sums on a variety of countermeasures (Abele-Wigert & D, 2006).

This observation raises interesting questions from a security studies perspective: Why and how is a threat that has little or no relation to real-world occurrences included on the security political agenda? Are there specific characteristics that make it particularly likely to be there?

Due to its vague nature, cyber-terrorism is a playing field for very different and diverse communities, concerned with topics such as freedom of speech and Internet censorship (Gladman, 1998; Weimann, 2004a); cyber crime in connection with terrorism (Sofaer & Goodman, 2000); or information warfare and sub-state groups (Devost, Houghton, & Pollard, 1997; Rathmell, Overill, Valeri, & Gearson, 1997). This article will focus on cyber-threats and cyber-terror broadly framed as a national security issue.

Previous research on the topic has generally been highly specific and policy-oriented (Alberts & Papp, 1997; Arquilla & Ronfeldt, 1996) and has often uncritically adopted arguments on the nature and scale of cyberterrorism from official statements or pieces of media coverage. This is epitomized in the tendency of many authors to hype the issue with rhetorical dramatization and alarmist warnings (cf. Arquilla, 1998; Schwartau, 1994). On the other hand, the considerable hype has brought forth a counter-movement of more cautious voices that are deliberately more specific in their estimates of the threat (cf. Lewis, 2002; Wilson, 2003). The key question on which these two groups differ is whether or to what degree there is a credible or likely connection between terrorism and cyber-terrorism beyond the suspected vulnerability of critical infrastructures (cf. Nicander & Ranstorp, 2004, p. 15) and consequently, at what point in future time such an attack might occur. While it is undisputed in both communities that cyberattacks and cyber-incidents cause major inconveniences and have cost billions of US dollars in lost intellectual property, maintenance and repair, lost revenue, and increased security in the last couple of years (Cashell, Jackson, Jickling, & Webel, 2004), these two groups differ considerably in their assessment of the future point in time at which such an attack might occur, and some even doubt whether there truly is a national security threat linked to the Internet and the information infrastructure. The main reason for this controversy is that cyber-threats have not materialized as a national security threat, even granted that there have been some few incidents with at least some potential for grave consequences.

Interestingly enough, both hypers and de-hypers tend to agree on this point. But while the first group assumes that vicious attacks that wreak havoc and paralyze whole nations are imminent, more cautious researchers often point to the practical difficulties of a serious cyber attack (Ingles-le Nobel, 1999), question the assumption of critical infrastructure vulnerabilities (Lewis, 2002; Smith, 1998, 2000), or point to unclear benefits of cyber-attacks for terrorist groups (Barak, 2004). Despite this caution, however, even the second group contends that one cannot afford to shrug off the threat (Denning, 2001a) due to unclear and rapid future technological development as well as dynamic change of the capabilities of terrorism groups themselves (Technical Analysis Group, 2003). To summarize the debate in a nutshell: due to too many uncertainties concerning the scope of the threat, experts are unable to conclude whether cyber-terror is fact or fiction, or, since they are unwilling to dismiss the threat completely, how long it is likely to remain fiction.

So far, relatively few attempts have been made to apply IR theory in analyzing this development, with a few exceptions (Eriksson & Giacomello, 2006; Giacomello & Eriksson,
2007; partly Latham, 2003). Research that has focused particularly on aspects of the construction of information-age security threats is also little influenced by theory or is mostly outdated (Bendrath, 2001, 2003; Eriksson, 2001b; newer: Bendrath, Eriksson, & Giacomello, 2007; D C, in press). There is an agreement, though, that the elusive and unsubstantiated nature of cyber-threats means that approaches rooted in the constructivist mindset with a subjective ontology are particularly suitable for its analysis. Such approaches are typically linked to the constructivist research agenda and apply critical self-reflection to the inherently contradictory and problematic concept of security. These approaches were particularly influenced by the question of how and why new threats were moved onto the security agendas after the end of the Cold War. Traditional security policy research views threat images as given and actually out there, and assumes that security policies are responses to an objective increase of threats and risks (Walt, 1991). With constructivist approaches, however, the focus is on how, when, and with what consequences political actors frame something, anything, as a security issue, with a strong emphasis on speech acts, that is, political language, and the implications this has for political agenda-setting and political relations (Adler, 1997; Buzan, Wæver, & Wilde, 1998; Reus-Smit, 1996; Wæver, 1995).

In order to analyze why cyber-threats occupy such a prominent position on the security political agenda, this paper introduces a framework for the analysis of threat frames (Eriksson, 2001b; Eriksson & Noreen, 2002; Eriksson, 2001a), partly based on the Copenhagen School's securitization approach (Buzan, Wæver, & Wilde, 1998). Threat framing refers to the process whereby particular agents develop specific interpretive schemas about what should be considered a threat or risk, how to respond to this threat, and who is responsible for it. The paper focuses on the characteristics that might be responsible for the swiftness and considerable political impact of the widespread conceptualization of IT as a security problem. In doing so, it aims to shed light on how the issue of cyberterrorism is perceived and represented by the US government, and what the consequences of this perception are. Thus, by considering the salience of this threat rather than simply arguing over its significance, it pushes the debate in a new direction and provides much-needed grounding and reference for the public debate on cyber-security.

This paper has three parts. First, the theoretical framework is introduced. Second, the paper reconstructs how cyber-threats in general and cyber-terror in particular have been framed and treated over the years. Third, specific traits of cyber-threat frames are analyzed.

THE FRAMING OF SECURITY THREATS

As the end of the Cold War by and large coincided with the beginnings of the information revolution, this technological development, which is about a special set of technologies, often subsumed under the heading of information and communication technologies (ICT) (Alberts, Papp, & Kemp, 1997), had a considerable impact on the perception and shaping of new threats. Next to the vast opportunities of an ICT-dominated age in terms of economic development and democratization (Dutton, 1999; Loader, 1997; Thornton, 2001),
worries about the security, or rather the insecurity, of digital networks were of major concern from the beginning. While extensively discussed on the technical level under the heading of IT-security, the information revolution was early on perceived to have a number of negative implications for national security (Abele-Wigert & D, 2006; D & Wigert, 2004; Hundley & Anderson, 1997).

It has become common in the information age to coin new terms by simply placing the prefixes cyber, computer, or information before another word. Thus, an entire arsenal of expressions, among them cyber-crime, information warfare, and cyber-terrorism, has been created. Due to the newness of the topic and the sensationalist nature of the discourse on it, there have been few semantic walls erected around the relevant concepts in the information security taxonomy, with the result that these terms have so many meanings and nuances that the words quickly become confusing or lose their meaning altogether (D, 2007; Fisher, 2001). The term cyber-threats, for example, denotes a rather vague notion signifying the malicious use of information and communication technologies either as a target or as a weapon. Cyber-terrorism is one clear case of a cyber-threat.

As the issue of cyber-terrorism has grown in popularity over the years, it has also acquired a range of meanings, depending on the context in which it is used. The term cyber-terrorism was allegedly coined in the 1980s by Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, as a hybrid term that encompasses the concepts of cybernetics and terrorism (Collin, 1997; Conway, 2002). In subsequent years, the term cybernetics was replaced by the term cyberspace, so that the concept is now composed of two elements: cyberspace and terrorism. As both concepts are notoriously difficult to define, cyber-terror itself was and still is a very elusive and poorly-defined concept.

Academics agree in general that to be labeled cyber-terrorism, cyber-incidents must be mounted by sub-national terrorist groups, be aimed at parts of the information infrastructure, instill terror by effects that are sufficiently destructive or disruptive to generate fear, and must have a political, religious, or ideological motivation (Denning, 2000, 2001a, 2001b; Devost, Houghton, & Pollard, 1997; Nelson, Choi, Iacobucci, Mitchell, & Gagnon, 1999; Pollitt, 1997). According to this definition, none of the larger and smaller disruptive cyber-incidents that we have experienced in the last couple of years has been an example of cyberterrorism. Even though most terrorist groups have seized on the opportunity accorded by the information revolution through an established multiple Web presence, access to uncensored propaganda, and by using the Web as an auxiliary recruitment and fundraising tool (Thomas, 2003; Weimann, 2004a; Weimann, 2004b), cyberspace has so far mainly served as a force-multiplier in intelligence gathering and target-acquisition for terrorist groups and not as an offensive weapon.

Despite this, the term is used frequently in the political domain, detached from any academic definition of the issue, as a specter depicting a terrorist and a keyboard, wreaking havoc that can disrupt an entire society. Somewhat exemplary, Congressman Curt Weldon (R-Pennsylvania) placed cyber-terrorism at the top of his list of modern threats to the American way of life in 1999, when he said that "in my opinion, neither missile proliferation nor weapons of mass destruction are as serious as the threat [of cyberterrorism]" (Poulsen, 1999). In September 2002, Richard Clarke, former Special White House Adviser for Cyberspace Security, told ABC News: "[Cyber-terrorism is] much easier to do than building a weapon of mass destruction. Cyber-attacks are a weapon of mass disruption, and they're a lot cheaper and easier" (Wallace, 2002).

What is the meaning of such statements, one might ask? At all times, the cyber-threats debate was (and is) highly political. It is not only about predicting the future, but also about how to
prepare for it in the present. As a result of this, turf battles on different levels of government are the rule and ongoing. As there have been no major destructive attacks on the cyber-level, different scenarios, which are stories about possible futures, are providing the grounds on which decisions have to be made. The different actors involved, ranging from government agencies to the technology community to insurance companies, with their divergent interests are therefore competing with each other by means of constructed versions of the future (Bendrath, 2001, 2003). Ultimately, it is about resources and about who is in charge to counter the threat.

The so-called Copenhagen School of Security, in particular, developed an approach that focuses on the process of bringing an issue from a politicized or even non-politicized stage into the security domain. This process is called securitization (Buzan, Wæver, & Wilde, 1998). The process is seen as a socially constructed, contextual speech act (Austin, 1962; Searle, 1969), meaning that by uttering the word security or another term expressing the need for exceptional measures, a professional of security, most often a state representative, claims a special right to use any means necessary to counter a certain threat (Wæver, 1995). Ultimately, this means that issues become security issues not necessarily because a real existential threat exists, but because the issue is successfully presented and established by key actors in the political arena as such a threat. Securitization studies aim to gain an understanding of who securitizes (the actor) which issues (the threat subject), for whom or what (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure) (Buzan, Wæver, & Wilde, 1998, p. 32).

To explain why certain issues seem more susceptible to securitization than others, and this is also the focus of this article, some scholars have established a stronger link to (cognitive) framing research that looks at special traits of the threat frames employed by key actors (Eriksson, 2001a; Eriksson, 2001b; Eriksson & Noreen, 2002). Frame theory is rooted in linguistic studies of interaction and points to the way shared assumptions and meanings shape the interpretation of any particular event (Oliver & Johnston, 2000). We understand framing to refer to the subtle selection of certain aspects of an issue in order to cue a specific response; the way an issue is framed explains who is responsible and suggests potential solutions conveyed by images, stereotypes, messengers, and metaphors (Ryan, 1991, p. 59; Snow & Benford, 1992; Snow, Rochford, Worden, & Benford, 1986). In threat framing, government
officials and experts use certain phrases and also certain types of stories to add urgency to their case. Specific uses of language dramatize the actual threat: the use of specific phrases and words makes its construction as a national security threat possible in the first place. Since there is no real-world reference for the threat, constant persuasion is required to sustain the sense that it is a real danger. And because the national security dimension is not completely obvious, it is necessary to use specific analogies (Cohn, 1987).

Frame analysis can be seen as a strand of discourse analysis that mainly focuses on relevant content and argumentation (Gamson, 1992). Framing is an empirically observable activity: frames are rooted in and constituted by group-based social interaction, which is available for first-hand observation, examination, and analysis of texts (Snow & Benford, 1992). The high relevance of frames as social patterns is an outcome of the fact that frames define meaning and determine actions. Specifically, socially accepted frames influence the actions of actors and define meaning in the public mind (Gamson, 1992, p. 110; Snow, Rochford, Worden, & Benford, 1986, p. 464). Social contests for the legitimate definition of reality are held by ways of different categories as expressed in frames. In the case of threat framing, the process of categorizing something as a particular threat has practical consequences when key actors begin seeing the world according to these categories. Framing theory addresses three main questions, the second of which will be our main focus: (a) how frames influence social action; (b) which frames are particularly successful for what reasons; and (c) how frames can be changed (Snow & Benford, 1988).

There are three types of framing (ibid. 199-202):

a. diagnostic framing, which is about clearly defining a problem and assigning blame for the problem to an agent or agencies. In other words, this is about designating that which appears to be threatening (the subject of the threat image or threat subject) and what is perceived as threatened (the object of the threat image or referent object);

b. prognostic framing, which is about offering solutions, and proposing specific strategies, tactics, and objectives by which these solutions may be achieved;

c. motivational framing, to rally the troops behind the cause or a call for action.

To this list, they add a fourth key element, frame resonance,
meaning that the frame content must appeal to the existing values and beliefs of the target audience to become effective.

In the following, we will conduct a mini-case study on the framing of the US cyber-terror discourse. Even though such an approach does not help to determine whether cyber-terror is fact or fiction or how long it will remain fiction, we can identify those traits that have made cyber-threats such prominent features on the national security policy agendas. Data for the case study was collected from official policy papers, hearings, and other statements of key actors. Top-level documents reflect actual presidential intentions, as opposed to public statements of purpose, which frequently leave out sensitive details and, on occasion, directly conflict with the stated goals of the administration.

DEVELOPMENT AND PARAMETERS OF THE US CYBER-TERROR DISCOURSE

The beginnings of the cyber-threats debate go back to the Reagan administration, which was concerned with preventing what it viewed as damaging disclosures of classified information as well as the acquisition of sensitive but unclassified information (DCI Center for Security Evaluation Standards Group, 1995). Subsequently, we find policy efforts in two domains: the first one linked to the protection of federal agencies' computer data from espionage, which was interlinked with the debate on encryption technology and led to the Computer Security Act of 1987, and the second one linked to the growing problem of computer crime, which led to the Computer Abuse Act of 1984/86 that laid the groundwork for the prosecution of computer crimes in the US. The first official threat frame can be found in National Security Decision Directive Number 145 on National Policy on Telecommunications and Automated Information Systems Security issued on September 17, 1984 (The White House, 1984): "The technology to exploit these electronic systems is widespread and is used extensively by foreign nations and can be employed, as well, by terrorist groups and criminal elements. Government systems as well as those which process the private or proprietary information of US persons and businesses can become targets for foreign exploitation."

As we will see below, this threat frame already contains most of the ingredients of the current threat frame, even
though in a slight variation. The threat subject ranges from foreign nations to terrorists to criminals. There is an emphasis on foreign exploitation, which seems to rule out that the problem could stem from US citizens. The referent object at this stage is limited to government systems and business systems that carry relevant information. Further, we can see that it is a fairly narrow threat frame that is concerned mainly about classified material and not about the society-threatening aspects of cyber-threats yet. This can be attributed to the technological substructure, which was still lacking the quality of a mass phenomenon that it acquired when computer networks turned into a pivotal element of modern society (Ellison et al., 1997) and networks in a more abstracted sense became a metaphor for many aspects of modern life (Arquilla & Ronfeldt, 1996; Arquilla & Ronfeldt, 2001; Castells, 1996). Even though terrorist groups are listed as potential perpetrators in this 1984 document, the cyber-terror specter as such has not yet been born, for the same reason.

Apart from a change in the technological environment, the broadening of the vulnerability aspect can be attributed to changing threat perceptions and other developments in the US military: We can observe a close link of the early cyber-threats debate to the US Revolution in Military Affairs, which refers to the strategic, operational, and tactical consequences of the marriage of systems that collect, process, and communicate information with those that apply military force (Tilford, 1995), and the subsequent development of an information warfare/information operations doctrine (D, 2002). While technology was seen mainly as a force enabler for a considerable number of years until after the end of the Cold War, the US developed the fear that their huge conventional military dominance would force any kind of adversary, states or sub-state groups, to resort to asymmetric means, such as weapons of mass destruction, information operations, or terrorism in the future (Kolet, 2001). The 1991 Gulf War played a large role in demonstrating the benefits of the information differential provided by the information systems employed (Campen, 1992; Eriksson, 1999), but it was also the Gulf War that birthed fear of the downside of this development, mainly through experiences with the threat of data intrusion as perpetrated by hacker attacks against 34 Department of Defense computer sites during the conflict (Devost, 1995).

In the aftermath of the Oklahoma City bombing in April 1995, the issue of cyber-threats was definitely established as one the military establishment could and should not deal with alone, and it was closely connected to the concept of critical
infrastructure protection. The advantages in use and dissemination of ICT were seen to connote an over-proportional vulnerability, which caused experts to fear that enemies who were likely to fail against the US war machine might instead plan to bring the US to its knees by striking vital points at home (Berkowitz, 1997), these points being fundamental to the national security and the essential functioning of industrialized societies as a whole, and not necessarily to the military in specific.

Due to the nature of cyber-attacks, it became clear that it was often impossible to determine at the outset whether an intrusion is an act of vandalism, computer crime, terrorism, foreign intelligence activity, or some form of strategic attack. The only way to determine the source, nature, and scope of the incident is to investigate. And the authority to investigate such matters and to obtain the necessary court orders or subpoenas clearly resides with law enforcement (Vatis, 1998). US domestic law also gave the armed forces' lawyers headaches, because an attack on US infrastructures could originate in Iraq as well as in the US. A military counterstrike through cyberspace might therefore unwittingly constitute an operation of US armed forces on domestic territory, which is prohibited by the Posse Comitatus Act of 1878.

One direct outcome of the Oklahoma City bombing was Presidential Decision Directive 39, which directed Attorney General Janet Reno to lead a government-wide effort to re-examine the adequacy of the available infrastructure protection. As a result, Reno convened a working group to investigate the issue and report back to the cabinet with policy options (Freeh, 1997). The review, which was completed in early February 1996, particularly highlighted the lack of attention that had been given to protecting the cyber-infrastructure of critical information systems and computer networks. Thus, the topic of cyber-threats was linked to the topics of critical infrastructure protection and terrorism.

Subsequently, President Bill Clinton started to develop a national protection strategy with his Presidential Commission on Critical Infrastructure Protection (PCCIP) in 1996, and the issue remained a very high priority during his presidency and had a strong position in all the National Security Strategies between 1995 and 1999. The years 1997/1998 in particular were a watershed in terms of the views on cyber-threats. When comparing open hearings concerning national security or the annual defense reports over the years, we see how the issue takes a quantum leap in 1998: there is a great quantitative increase in the time and space given to the topic in public hearings. In addition, cyber threats came to be depicted as one of the prime dangers among the new threats. CIA director John Deutch, for example, had regularly warned of threats to national security from cyber-attacks since the mid-1990s. Asked in a Senate hearing to compare the danger with nuclear, biological, or chemical weapons, he answered, "it is very, very close to the top" (Deutch, 1996).

The PCCIP presented its report in the fall of 1997 (PCCIP, 1997). The international impact of this document was such that it led to the firm establishment of the topic of cyber-threats and critical infrastructure protection on the security agenda of various countries (Abele-Wigert & D, 2006; D & Wigert, 2004). Clinton followed the recommendations of the PCCIP in May 1998 with his Presidential Decision Directives (PDD) 62 and 63 (White House, 1998a, 1998b). Clinton's master plan adopted a twofold response to cyber-threats: On the one hand, the intelligence community and the law enforcement agencies together built up further capacities for investigations of cyber-crimes, like computer forensics tools or close surveillance of the hacker community; on the other hand, because of the amorphous nature of these non-state actors and unknown enemies, a lot of effort was put into hardening the critical infrastructures (Bendrath, 2001).

The distinct image of the cyber-terrorist also appears during these years. First mentioned in a public hearing in 1998, cyber-terror quickly became one of the catchphrases of the debate. Poor definitions and careless use of terminology by many government officials are a major obstacle for meaningful discussion of the cyber-terror issue. A statement of President Bill Clinton, who was very influential in shaping the perception of the issue, can serve as an example of this semantic ambiguity. In his foreign policy farewell lecture at the University of Nebraska at Kearney in December 2000.
