Director of National Intelligence Dennis Blair caught the media’s attention recently with two major headlines when he presented this year’s Annual Threat Assessment (PDF)of the U.S. Intelligence Community. The first was his statement that the United States is "severely threatened" by cyberattacks of "extraordinary sophistication." The second was that al-Qaeda is intent on striking within the United States in the next six months. Both sections of the assessment are chilling, but they are unrelated.
Blair said that the United States faces challenges in cyberspace from nation states, terrorist networks, organized criminal groups, individuals, and other cyberactors. He went on to say, "Terrorist groups and their sympathizers have expressed interest in using cybermeans to target the United States and its citizens." Fortunately, interest does not equal capability. After raising the specter of cyberterrorism, Blair never mentioned the cyberthreat from al-Qaeda anywhere in the five pages he devoted to their plans to strike the United States. Here’s why.
While the United States’ critical infrastructure, from the electric grid to the financial sector, is vulnerable to attack through cyberspace, al-Qaeda lacks the capability and motivation to exploit these vulnerabilities. To penetrate, map, and damage the networks that control the industrial base requires a large team of experienced hackers, a lot of time, and advanced infrastructure. Only a handful of groups, mostly nation state actors, possess this level of capability, and al-Qaeda is not one of them.
In the last ten years, according to the National Counterterrorism Center’s Worldwide Incidents Tracking Database, there have been 63,192 incidents of terrorism. Not one was an incident of cyberterrorism. As Irving Lachow at NDU has pointed out, the jihadist community heavily relied on one London-based hacker known by the moniker Irhabi 007, who at best had moderate ability. Since his arrest in 2005, indications are that al-Qaeda’s cybercapabilities have only eroded. While continuing to rely on petty crime to fund many plots, al-Qaeda has been unable to capitalize on the explosion of cybercrime, lacking the technical capability to do so.
For al-Qaeda to do any real damage with cyberattacks, it would need to make a multi-year investment in developing offensive cybercapabilities and would need a secure facility and advance test bed from which to do it. Understanding the control software for an electric grid is not a widely available skill. It is one thing to find a way to hack into a network and quite another to know what to do once you’re inside.
Beyond the technical hurdles, al-Qaeda’s primary goal has always been to generate large numbers of casualties in addition to inflicting economic damage. But cyberattacks are largely weapons of mass disruption, not destruction. Causing a blackout or destroying airline reservations systems won’t kill many people, if any at all. The worst-case scenario is that a cyberattack could override controls at a chemical or nuclear plant and cause a chemical release or nuclear meltdown. Such an incident could kill thousands if not millions. Thankfully, the control systems for plants that could cause that kind of harm are still "air gapped," disconnected from networks that connect to the Internet.
In attempting to attack the homeland, the organization has relied on decidedly low-tech means. Of the twenty-two plots disrupted since 9/11, all involved the use of improvised explosives or small arms, and all were aimed at killing large numbers of people. In its twenty-year existence, al-Qaeda has never carried out a plot intended to do economic harm without also causing large numbers of casualties.
Concerns about cyberterrorism arise from the fact that al-Qaeda has expressed interest in devastating the U.S. economy and that Bin Laden has spoken of "bleeding America to the point of bankruptcy." But the context for these quotes is important, and has nothing to do with cyberterror aspirations. Bin Laden has articulated a goal of forcing the withdrawal of U.S. forces from the Muslim world by raising the costs of these deployments both politically and economically to the point that they are no longer sustainable. To do this, Bin Laden is borrowing a play from the mujahedeen, who pinned down the Soviets in Afghanistan for over a decade before forcing their withdrawal and, ultimately, the collapse of the Soviet Union.
For less than $500,000 and using box cutters as the primary weapon, al-Qaeda was able to create a military response that to date has cost between $1 trillion to $2.5 trillion. What kind of results could al-Qaeda get from hacking? If al-Qaeda were able to cause a power blackout by hacking SCADA systems, they couldn’t do much better than the tree limbs that caused the 2003 Northeast Blackout. That event put 50 million people in the United States and Canada in the dark for up to four days. Economists place the cost of that event between $4.5 and $10 billion, a blip in the $14.2 trillion economy.
One thing the United States has learned about the cost of disruption to the economy is that disruption causes pain that is short lived and minimal. A two-day snow storm doesn’t eliminate two days of economic activity, it only delays it. The same holds true for port closures and other disruptive activities.
For now, the United States has little to fear from al-Qaeda on the cyberfront. Only a handful of sophisticated nation states currently have the ability to carry out a devastating cyberstrike. In his assessment of the People’s Liberation Army Modernization program, Blair briefly noted that "China’s aggressive cyberactivities" pose challenges, and it’s true that China, Russia, and other countries’ capabilities do pose a real threat. Luckily, these countries also have vulnerable systems, as well as a lot to lose, in any conflict, cyber or otherwise.
The United States’ reliance on the Internet and dependence on automated systems connected to it represent a massive vulnerability to the United States, but it is not one that terrorist organizations are likely to be able to exploit anytime soon. As with any developing technology, the cost and other barriers to developing an advanced cyberoffensive are declining each year.
To stay ahead of al-Qaeda and other actors, the United States needs to make real investments to bolster the security of its critical infrastructure, starting with government and military systems but extending into the private sector, particularly the electric grid and the financial community. If infrastructure can be turned into a weapon, it shouldn’t be connected to the Internet at all, no matter what safeguards are in place. The United States needs to continue to raise its defense to ensure that whatever capabilities terrorists develop will not be sufficient to harm its freedom of action abroad or critical infrastructure at home.