Nature of Terrorism
Dave Carlson - February 4, 2008
America is not invincible. Its power has made this nation a terrorist target. Not only are terrorist attacks a threat in the physical world, but terrorism also is a very real threat in the cyber world. The purpose for a terrorist cyber attack is to cause economic damage. A difficulty with a cyber attack on a computer system, versus a physical attack, is identifying the attacker. Unseen attackers are a threat to information systems. Once a terrorist incident occurs, it is too late to plan. Physical security and access control appear to be an effective way to help reduce the risk of cyber attack. To retain their effectiveness, security and control systems must be consistent and applicable to everyone.
Nature of Terrorism
On September 11, 2001, Americans were reminded that the overwelming power that they had taken for granted over the past dozen years is not the same as omnipotence. What is less obvious but equally important is that the power is itself part of the cause of terrorist enmity and even a source of U.S. vulnerability. (Betts, 2002, p. 386)
Betts (2002) implied that America is not invincible. The very power of America has made this nation a terrorist target. It is a natural tendency of have-not humans to become jealous of those who have what the have-nots do not possess; as illustrated by terrorist groups using America’s power as a catalyst for their rage.
The Delaware Criminal Justice Council (2007) identified six basic components to all terrorism. “Terrorism is (1) an intentional and (2) rational (3) act of violence to (4) cause fear (5) in the target audience or society (6) for the purpose of changing behavior in that audience or society” (¶ 1). “Terrorism is a political act, the goal of which is to make a change. The terrorist is not driven by personal desires or ambitions. Terrorism is about impact on society” (¶ 2). For the purposes of this paper, the author will focus on the terrorist objective of disrupting the peaceful existence of a society.
Not only are terrorist attacks a threat in the physical world, but terrorism also is a very real threat in the virtual or cyber world. Cyber-terrorism was originally conceived in 1996 by combining the concepts of cyberspace and terrorism (Janczewski & Colarik, 2005). Because of the power and influence associated with computer systems, these systems have become specific targets of attack by terrorist organizations.
A difficulty with a cyber attack on a computer system, versus a physical attack, is identifying the attacker. Usually it is very difficult to determine the how or from where the attack originated (Cordesman, 2002). Richard Clarke, former Administration Counter Terrorism Advisor and National Security Advisor, suggested that the intended purpose for a terrorist cyber attack would be to cause economic damage (Rollins & Wilson, 2005). To protect organizations it is important to take every reasonable precaution to prevent or lessen the impact of a cyber attack.
Terrorist cyber attacks can impact information systems and business operations in several ways. Janczewski and Colarik (2005) discussed three primary impacts terrorist activities can have on Information Technology (IT) systems:
- "Direct attack on IT facilities
- Collateral IT damages resulting from terrorist attacks against other targets
- Using IT facilities for organizational purposes of terrorist organizations” (p. 41-42).
Bevelacqua and Stilp (2004) cautioned that once a terrorist incident occurs, it is too late to plan, since “plans no longer affect the outcome” (p. 23).
Planning to protect a business against terrorist cyber-attack is the same as protecting from other malicious attacks. The primary differences between a terrorist cyber-attack and other attacks or malware are the who and why of the attack (Cordesman, 2002). Just as it is important to protect systems from malware, both employees and information system professionals must take appropriate cautions to protect against deliberate cyber attacks.
Sullivan (2007) suggested several specific protective measures a business can implement to mitigate the impact of a cyber attack:
- Ensure anti-malware software is installed and kept current on each server and workstation.
- Do not disable the firewall software installed on workstations.
- Do not disclose any system passwords to unauthorized individuals. Do not disclose your personal passwords to anyone.
- Follow established scheduled back-up procedures.
- Do not install browser task bars or software not previously approved by the IT department or department manager.
- Allow automatic operating system and software updates to install.
Janczewski and Colarik (2005) suggested the following three general areas for information technology organizations to concentrate to mitigate the impact of a terrorist attack:
- Physical security. Deny terrorist access to physical facilities and equipment.
- Access control. Deny terrorist access to digital systems.
- Personnel security. Deny terrorist access to employment opportunities.
Even though unseen attackers are a threat to information systems, Janczewski and Colarik (2005) emphasized that the most important rule related to information security and thwarting terrorism is to prevent unauthorized people from wandering around the company premises. Physical security and access control appear to be an effective way to help reduce the risk of physical and cyber attack by terrorists. To retain their effectiveness, security and control systems must be consistent and applicable to everyone. A terrorist once said, “I have to be lucky only once, you must be lucky every time” (Bevelacqua & Stilp, 2004, p. 10).
Betts, R. K. (2002). The soft underbelly of American primacy: Tactical advantages of terror. In Howard, R. D. and Sawyer, R. L. (2005). Terrorism and counterterrorism: Understanding the new security environment, readings and interpretations (2 ed.) (pp. 386-401). New York: McGraw-Hill.
Bevelacqua, A. S. and Stilp, R. H. (2004). Terrorism handbook for operational responders (2 ed.). Clifton Park, NY: Thomson – Delmar Learning.
Cordesman, A. H. (2002). Cyber-threats, information warfare, and critical infrastructure protection: Defending the U.S. homeland. Westport, CT: Center for Strategic and International Studies.
Delaware Criminal Justice Council. (2007). The nature of terrorism. Retrieved February 1, 2008 from http://cjc.delaware.gov/terrorism/nature.shtml
Janczewski, L. and Colarik, A. (2005). Managerial guide for handling cyber-terrorism and information warfare. Hershey, PA: Idea Group Publishing.
Rollins, J. and Wilson, C. (2005). Terrorist capabilities for cyberattack: Overview and policy issues. [Electronic version.] RL33123 CRS Report for Congress. Washington, DC: Congressional Research Service. Retrieved February 4, 2008 from http://www.terrorisminfo.mipt.org/pdf/CRS_RL33123.pdf
Sullivan, D. (2007). 5 security rules every small and midsized business must know!. Retrieved February 1, 2008 from http://www.realtime-websecurity.com/podcast/2007/06/5_security_tips_for_small_and.html