Introduction
With the expansion of the modern digital environment and the ‘Internet of Things’ where virtually every device, system, and piece of infrastructure is connected to a network, cybersecurity has become a priority. For both military, civilian, and commercial systems, cyberspace has created an entirely new dimension, and the modern age has shown ubiquitous dependence on information technology and the Internet which exponentially increases opportunities and tools for attacks on the United States (Ashley, 2004). The grave threat of cyberattacks to national security is commonly understated and misunderstood. The United States remains vulnerable and largely unprepared for cyberterrorism threats that threaten its national security due to increased growth of adversary cyberterrorism capabilities, outdated domestic cybersecurity infrastructure, and a repeated instance of policy failures to address the issue.
Dangers of Cyberterrorism
Prior to discussing the causes of vulnerabilities, it is important to note the inherent dangers of cyberterrorism as this is a commonly misunderstood subject. While doomsday scenarios are well-known where cyberattacks penetrate nuclear forces or even the nuclear energy sector resulting in catastrophic levels of destruction, they are highly improbable as this highly sensitive infrastructure is protected better than most. The danger lies in many smaller-scale attacks. A cybersecurity expert has described the strategic problem surrounding cyber vulnerabilities as “death by a thousand hacks” (O’Hanlon, 2017).
Various state and non-state actors have been attacking U.S. infrastructure and interests in various means in the last few years with increased frequency and much greater consequences. Targets of attacks can be not just the military, industrial and defense industries, which are typically harder to penetrate due to the use of closed systems in many cases, but civilian and commercial systems. This includes financial services, healthcare, businesses, and retail organizations. For example, Iran has attacked U.S. corporations and Wall Street, such as Bank of America and Citigroup in 2012-2013. North Korea notoriously hacked Sony Pictures in 2014. Meanwhile, small businesses are more vulnerable than corporations because they lack cybersecurity capabilities and remain vulnerable to incursion by malware (Brewer & Young, 2020). The IBM Cyber Security Intelligence Index indicates that the top three sectors targeted by cyberattacks are healthcare, financial services, and manufacturing, largely due to the vast amount of personal information that can be collected which is then used for either monetary gain or potential coercion for intelligence (The Heritage Foundation, n.d.).
The question remains of how this poses danger to U.S. national security. Conventional terrorism utilizes kinetic means usually accompanied by violence, injury, and death for the primary purpose to generate fear and anxiety. Gross et al. (2017) found that cyberterrorism which is often neglected by policymakers as a threat to national security actually creates similar levels of fear and anxiety in the public that conventional terrorism would. Cyberterrorism intensifies vulnerabilities and hardens the political divide. These cyberattacks increase in frequency and intensity, with goals not immediately obvious, but as recent years have demonstrated, can have significant long-term consequences. When Russia was involved in hacking the DNC in 2016 and proven to have interfered in U.S. elections, it cast doubt on the legitimacy of the elections which were prevalent in the public discourse going into 2020 driven by misinformation. Therefore, the aim of modern threats goes beyond monetary or intelligence purposes, but to “impair public confidence, disrupt civil society and seed anxiety and insecurity by crippling digital and financial resources, undermining the institutions of governance and disrupting social networks” (Gross et al., 2017, p. 50).
Growth of Adversary Capabilities
The creation of the dimension of cyberspace also generated a unique environment that has virtually no limitations. Cyberattacks have unlimited range and speed and can be asymmetric and covert. They are also relatively easy and inexpensive to achieve while also having no traditional rules of conflict and engagement that conventional military conflicts may have. The United States has an increased number of adversaries, ranging from nation-states such as China, Russia, Iran, and North Korea to various terrorist organizations. The cyberworld is the quickest and most effective method in the modern world for these adversaries to attack the U.S. with a multitude of motives such as disruption, financial gain, decreasing military capabilities, sowing panic, publicity, decreased confidence, potential physical damage, and indirect loss of life that can be consequences of massive cyberterrorism (Ashley, 2004). Practically anyone with appropriate skills and access to the Internet can engage in cyberterrorism due to the prevalence of interconnectivity of major infrastructure. Smaller actors such as terrorist organizations may seek financial gain or maximize destruction, while others such as nation-states have long-term strategic and multifaceted goals.
The issue is that cyberwarfare is interconnected. In a complex and highly volatile geopolitical environment in the world, the risk of interstate conflict is higher than it has ever been since the Cold War. Adversaries are using cyberterrorism to “shape societies and markets, international rules and institutions, and international hotspots to their advantage” (Garamone, 2018). It is a race of technological superiority, and despite the U.S. being a well-developed country with advanced military capabilities, cybersecurity is an element where it has failed. Even military systems have shown to be inadequate, as a limited discrete attack on a key part of a major platform, such as a Navy ship, could virtually incapacitate it for hours or days, resulting in mission failure when time is a sensitive aspect. For, example an attack that disables propulsion can leave the vessel vulnerable in enemy waters (O’Hanlon, 2017). Ultimately, the cyber capabilities of adversaries have outmatched and exceeded the current U.S. potential to defend its systems. Even if immediate action is taken, this will persist for 5-10 years before the U.S. can fully implement a comprehensive cybersecurity strategy that can be effective, and it should also be considered that adversaries are also seeking to continuously evolve (O’Hanlon, 2017).
Weak Domestic Cybersecurity Infrastructure
As discussed in the dangers of cyberterrorism, the cybersecurity infrastructure of U.S. critical sectors is weak, outdated, and underfunded. This applies to both military and civilian systems. Cyber breaches are expected to cost the global economy $2.1 trillion annually, with the majority of that burden falling on the U.S. The costs of cyber attacks and cyberterrorism will exceed damages by all-natural disasters combined in any given year (The Heritage Foundation). There have been key examples both in the U.S. and abroad, as Russia has attacked political entities such as the DNC and took down the power grid in Ukraine, while Iran attacks financial systems and has been associated with a malware unleashed on the Saudi ARAMCO oil production systems destroying 30,000 computers (The Heritage Foundation).
While markets and media companies can recover and elections can have paper backups, it is the attacks on critical infrastructure such as power grids or oil production, that inherently affect the energy self-sufficiency of a nation on a large scale that is dangerous. As seen by the recent climate-caused massive power outage in Texas, a well-timed power outage can cause massive chaos and lost lives as well as multibillion consequences in lost production to the economy. A well-planned and executed cyber attack can cause the same amount of damage as a physical storm to critical infrastructure. As mentioned earlier, it is the smaller entities – firms and even government municipalities that are most vulnerable. Since the U.S. operates as a federal republic, states and local governments are mostly responsible for overseeing their own systems, where due to lack of funding, cybersecurity is not a priority. As a result, incidents such as a recent hacking of a small Florida town’s water supply system, almost led to the poisoning of 13,000 people as hackers manipulated the controls to change levels of lye in drinking water. Luckily, the change was caught by a cautious operator but serves as a key indicator of critical infrastructure intrusion which cybersecurity experts continuously highlight but often see no practical indicators of shifting priorities or appropriate policy shifts to mitigate the issue (Robles & Perlroth, 2021).
Policy Failures
Even as a Democratic free-market nation, it is ultimately to the government to protect not only military infrastructure but civilian public systems as well. Cybersecurity experts continuously indicate that broad civilian infrastructure and its vulnerabilities should be addressed (O’Hanlon, 2017). However, effective and resilient cybersecurity systems require significant long-term investment and expertise, factors that can only be achieved through funding and comprehensive policy. The U.S. government has a well-documented poor track record in implementing a comprehensive cyberspace strategy, even in the aftermath of numerous attacks in the mid-2010s by multiple adversaries. Not only is it a debate of political partisanship but also the slow-moving pieces of legislation and bureaucracy which ultimately undermine the effectiveness of policy (The Heritage Foundation, n.d.). National security efforts, even in the military, are inherently guided by the policy that has presented itself to be outdated and incompetent.
A 2018 report by the Government Accountability Office (GAO) found gaping holes in the existing state of the nation’s cybersecurity infrastructure and policy. The government has not developed a comprehensive cybersecurity strategy, nor has it performed effective oversight of efforts as required by already existing law and policy. There is an inherent cybersecurity policy lag which is leaving energy, transportation, communications, and economic services highly vulnerable to evolving sophisticated threats (Underwood, 2018). In fact, the cybersecurity position of the U.S. government is so bad that in 2017 alone, federal agencies saw 35,277 reported cyber incidents, ranging from DHS and State Department to USDA, HUD, and HHS (Sussman, 2019). A recent discovery in 2021, albeit an ongoing investigation, found a massive hacker infiltration of government systems, with over 18,000 entities compromised through contractors that are granted access to government servers (Myre, 2021). The myriad of cybersecurity issues at the government level highlights the errors and incompetence that are made at the federal level. Some agencies such as the State Department even lack official cybersecurity procedures, meanwhile, others are using decades-old infrastructure, with the end result of failing to remediate vulnerabilities in a timely fashion (Sussman, 2019).
As one method of addressing the rising cyberterrorism threat, it is generally recommended to leverage market forces which would motivate the private sector to invest and develop tools that could be used to secure the country’s diverse cyber networks. In combination with government funding and policy, it could be critical in creating a dynamic shield that is able to upkeep the instruments and methods available to hackers and adverse agents (The Heritage Foundation, n.d.). It is recommended that both private and government agencies strive to follow the NIST Cybersecurity Framework which is considered a gold standard in building a comprehensive security strategy in an organization (Sussman, 2019).
Conclusion
The dangers of cyberterrorism are real and present, ranging from challenging military capabilities to attacking critical civilian and commercial infrastructure. Cyberterrorism attacks can disrupt the functionality of these systems and create a sense of chaos and terror even if no lives are directly threatened. The flexible, rapidly evolving, and multifaceted nature of cyber-attacks has challenged existing safeguards in the United States, with multiple examples demonstrating a lack of preparation and poor ability to counter the country’s cybersecurity systems, particularly in the public sector. This is due to a number of vital policy failures and the general inability of the bureaucratic mechanism to keep up with existing threats.
References
Ashley, B. K. (2004). The United States is vulnerable to cyberterrorism. AFCEA.
Brewer, C., & Young, K. (2020). Cyberattacks are an ‘immediate’ challenge for businesses following the Iran strike. CNBC.
Garamone, J. (2018). Cyber tops the list of threats to the U.S., the director of national intelligence says. U.S. Department of Defense.
Gross, M. L., Canetti, D., & Vashdi, D. R. (2017). Cyberterrorism: Its effects on psychological well-being, public confidence and political attitudes. Journal of Cybersecurity, 3(1), 49-59.
Myre, G. (2021). U.S. security agencies: Massive computer hack is ‘likely Russian. NPR.
O’Hanlon, M. E. (2017). Cyber threats and how the United States should prepare. Brookings.
Robles, F., & Perlroth, N. (2021). ‘Dangerous stuff’: Hackers tried to poison the water supply of Florida town. The New York Times.
Sussman, B. (2019). D.C. disaster: Cybersecurity fails of the U.S. government. Secure World Expo.
The Heritage Foundation. (n.d.). The growing threat of cyberattacks. The U.S. must do more to secure its networks—but first, it must do no harm. The Heritage Foundation.
Underwood, K. (2018). The U.S. government urgently needs to address cybersecurity challenges. AFCEA.