Upload
pauline-maxwell
View
212
Download
0
Embed Size (px)
Citation preview
www.css.ethz.ch
New York, 28 June 2006
Myriam Dunn
CENTER FOR SECURITY STUDIES
Swiss Federal Institute of Technology (ETH Zurich)
Cyber-Terror Looming Threat or Phantom Menace?
www.css.ethz.ch
What is the Problem?
“We are at risk. Increasingly, America depends on computers. [...] Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb”
National Academy of Sciences, “Computers at Risk”, 1991
“In my opinion, neither missile proliferation nor weapons of mass destruction are as serious as the threat [of cyberterrorism]"
Curt Weldon (R-Pennsylvania), 1999
"[Attacks against the US banking system] would devastate the United States more than a nuclear device let off over a major city"
Robert Bennett (R-Utah) , 2001
"Our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks"
Letter sent to President Bush by Richard Clarke and
more than 50 top computer scientists, 2002
www.css.ethz.ch
Hypers vs. De-hypers
“Hypers” assume vicious attacks that wreak havoc and paralyze whole nations to be imminent
“De-hypers” (usually more technically educated political advisors and journalists)
point to the practical difficulties of a serious cyber-attack, question the assumption of critical infrastructure vulnerabilities, point to unclear benefits of cyber-attacks for terrorist groups.
Despite this caution, however, even de-hypers contend that one “cannot afford to shrug off the threat” (Denning, 2001)
due to unclear and rapid future technological development dynamic change of the capabilities of terrorism groups
www.css.ethz.ch
Fact or Fiction?
Due to too many uncertainties, experts are unable to conclude whether cyber-terror is fact or fiction
Or, since they are unwilling to dismiss the threat completely, how long it is likely to remain fiction
There is no empirical evidence that would help to overcome this problem
Data on vulnerabilities is patchy No consolidated statistics regarding computer-based threats or incident rates existIntrusion detection technology limitedLack of baseline knowledge of normal activity on critical networked systemsConcrete intelligence data (which non-state actor is likely to employ cyber-tools as an offensive weapon at what point in time and for what reasons?) unavailable
www.css.ethz.ch
Reality Check
Cyber-attacks and cyber-incidents
cause major inconvenienceshave cost billions of dollars in lost intellectual property, maintenance and repair, lost revenue, and increased security
But: whether they constitute a national security threat is highly controversial!
Reason: All doomsday scenarios of cyber-attacks that result in massive deaths or injury remain largely the stuff of Hollywood scripts or conspiracy theory
www.css.ethz.ch
Cyberterror – A Comparison of Definitions
Very little reflection on the implicit underlying notions of terrorism that influence the cyber-terror definitions
Two main areas in which clarification is frequently sought
To resolve the confusion between cyber-terrorism and cyber-crime
Lack of clear definitions of the two phenomena reflects a general confusion between the two terms
To make a clear distinction between a) terrorist use of computers as a facilitator of their activities, and b) terrorism involving computer technology as a weapon or target
www.css.ethz.ch
Cyberterror – A Definition
To be labeled cyber-terrorism, cyber-incidents must
be mounted by sub-national terrorist groups, be aimed at parts of the information infrastructure, instill “terror” by effects that are sufficiently destructive or disruptive to generate fear, and must have a political, religious, or ideological motivation.
According to this definition, none of the larger and smaller disruptive “cyber”-incidents that we have experienced in the last couple of years have been examples of cyber-terrorism!
www.css.ethz.ch
The Puzzle
Despite the fact that cyber-terror has not truly manifested itself as a threat, it is treated as if it were
The US government (and other governments), considers
the threat to national security to be real, has extensively studied various aspects of cyber-threats, and spends considerable sums on various countermeasures
We observe the firm establishment, worldwide proliferation, and persistence of a “virtual” threat image on the national security agenda (truly society-threatening incidents remain mere scenarios)
Question: On what basis are countermeasures drafted if there is no real world experience?
What factors are decisive for making threats (potential) national security threats in the eyes of key actors?
www.css.ethz.ch
Theory of Threat Politics I
Copenhagen School of Security: Issues become a security issue not necessarily because a real existential threat exists, but because the issue is successfully presented as such a threat by key actors in the political arena (=securitization)
Securitization studies aim to gain an understanding of who securitizes (the actor), on what issues (the threat subject), for whom (the referent object), why (the intentions and purposes), with what results (the outcome), and under what conditions (the structure/institutions)
Threat framing: process whereby particular agents develop specific interpretive schemas about what should be considered a threat or risk, how to respond to this threat, and who is responsible for it
Features of the threat frame are decisive for whether issues make it on the security agenda or take on societal prominence
www.css.ethz.ch
Theory of Threat Politics II
Threat Politics: The political process that a) moves threats onto the political agenda, b) removes threats from the agenda, or c) alters the face of threats on the political agenda
When a condition turns into a problem that threatens national security in the eyes of professionals of security the first threat frame emerges If an event changes beliefs or resources of professionals of security then a reframing of the threat frame is initiated new discourse strands are interlinked or decoupled by referencing (seeking to establish linkages with existing terms
The broader the range of threat subjects in threat frame the more likely the threat frame will emerge as winning
The more the referent object is about domestic and social well-being the more likely the threat frame will emerge as winning
The more urgent the motivational call the more likely the threat frame will emerge as winning
www.css.ethz.ch
Policy Windows – Examples
Phase I: Securitization / Initial Threat Framing
Hacking, Phreaking, insecurityViruses and Worms (e.g. Morris)„Cuckoo‘s Egg“ Incident (1987)„Computers at Risk“ (1991)
Phase II: Re-framing
Oklahoma City BombingAfterwards: cyber-threats and critical infrastructures interlinked“wake-up call”
www.css.ethz.ch
Cyber-terror Threat Frame I
Cyber-threats constructed as a threat to society’s core values, especially national security, and to the economic and social well-being of a nation
Very broad and indeterminate framing of threat subject underscores a perspective of vulnerability, uncertainty, and insecurity
Image of cyber-terrorist and that of larger set of cyber-perpetrators are not separated in official statements (hacker=terrorist)
Introduction of numerous non-state enemies as threat subjects abolishes distinction between
internal and external threats the private and public spheres of action
Characteristics imply that boundaries between civil and military spheres of action are dissolved
www.css.ethz.ch
Cyber-terror Threat Frame II
Cyber-terror frame combines two of the great fears of the late 20th century
Fear of random, incomprehensible, and uncontrollable victimizationDistrust or outright fear of computer technology
Technology is feared because it is seen as complex, abstract, and arcane in its impact on individuals
Notion of technology being “out of control”, a recurring theme in political and philosophical thoughtStrengthened by increase in “connectivity” that the information revolution brings
www.css.ethz.ch
Conclusion
The main problem with the concept of cyber-terror is the terror suffix
Cyber-terror is not the main problemCan be easily turned into profit engine
Should aim to “de-securitize” the issue to allow more leeway (interpretation and actual politics)
Focus on economic aspects of cyber-security
Help to overcome “free rider” problemHelp to create a market for cyber-security, which could reduce much of the insecurity of the information infrastructure