Cyberterrorism: a black swan originating in the 5th domain

Terrorism and cyberterrorism: crimes that seek to manipulate our behavior

Although there is no agreed definition of terrorism, it has traditionally been considered to be a serious crime against humanity and to have the following characteristics: it is a crime against humanity.
International Humanitarian Law
has considered it to be a serious crime against humanity and to have the following characteristics:

• The presence of violent acts intended to cause serious injury or death to civilians or non-combatants.
• These are acts carried out by non-state actors and state actors (state terrorism).
• Its purpose is to intimidate a population and/or to condition the decisions of a government or organization.

In addition, according to the Council of Europe Convention on the Prevention of Terrorism, ratified by Spain in 1980, the following activities also form part of the crime of terrorism:

• Public provocation to commit terrorist crimes.
• Recruitment and/or training for terrorist purposes.
• Complicity in, organization of or contribution to the commission of these activities

New technologies have enabled a new dimension in which this pernicious crime can develop: cyberspace, also known in the world of security and defense as the “fifth domain”, the other four domains being land, sea, air and space. Thus, cyberterrorism would be, in a simplified form, the convergence between terrorism and cyberspace.

What are the main activities of cyberterrorism today?

As mentioned, cyberterrorism is considered a Black Swan because. has so far not involved the direct commission of an attack. However, this does not imply that terrorist activity in cyberspace does not exist or does not constitute a risk, since most of its tasks have focused on organizational processes such as:

• Propaganda: consists of the strategic dissemination of informational and audiovisual content to lead people through a cycle of recruitment, incitement and radicalization, which are the stages preceding the commission of a terrorist act.
• Training: this involves the sharing of manuals, among other documents, with procedures for carrying out terrorist acts.
• Financing: terrorist groups can be financed both on the Surface Web and on the Deep Web in many ways (donations, scams, trades, organized crime…).
  Deep Web in multiple ways (donations, scams, trades, organized crime…).
• Cyber-attacks: they can be multiple, ranging from the infection of systems with disruptive malware (DDoS and Ransomware) as happened to the French television channel TV5 Monde
  to the Phishing y Skimming to obtain funding.

Cyber-attacks or intrusions to computer systems are less common, because their materialization requires the concurrence of at least three factors:

1. Opportunity: failures in the security of the network and/or equipment, vulnerabilities in the security system…
2. Reasons: the main reasons are economic considerations, fun, ideology, self-realization and the search for social recognition.
3. Means: technical knowledge and material means to carry out the cyber-attack.

Cyberterrorism threatens Critical Infrastructure security

One of the main concerns of the authorities is that a terrorist group will carry out cyber-attacks against critical and/or essential infrastructures such as airports, hospitals, energy industry, ports, etc.

Both sabotage and take over of these essential services for human societies can pose serious risks, among others:

• Neutralization, collapse, cut-off or uncontrolled telephone networks, communications systems, power supply installations…
• Intervention in air, rail and nautical traffic, as well as manipulation of the light signal system of road traffic, causing collisions or rendering transport networks inoperative.
• Destruction of databases essential for the functioning of the country.

These risks are more likely to materialize today as a result of the proliferation of the following elements:

• Malware: can be purchased for a fee or free of charge on the Internet if it is open source malware. In addition, the development of Malware as a Service is becoming more and more common.
• Commercial software: they exploit both our dependence on it and the vulnerabilities of the software. Zero Day vulnerabilities of the software.
• Cyberweapons: these are cyberweapons developed by some states, they can be transferred, voluntarily or not, to terrorist groups.
• Conversationalists and insiders: it is possible that some hacking experts, or even the organization’s own employees, collaborate with terrorist groups.
• Globalization: the globalized use of the Internet and the anonymity it allows, especially in the Deep Web, create a scenario of impunity due to the difficulty of attributing the crime to an identifiable natural person.

How should we respond to these incidents?

In general terms, it will be important to know and apply the appropriate security procedures according to our responsibility in the organization, procedures that should be included in a specific Incident Response Plan for each infrastructure, always being able to rely on the collaboration of INCIBE-CERT in this response.

However, all planning for responding to these incidents must have in common the criteria for establishing security priorities upon detection of an incident, which is as follows:

1. Safety of people and protection of human life.
2. Protection of sensitive data and information.
3. Protection of other data and organizational information.
4. Prevention of damage to computer systems.
5. Minimization of service interruption.

It is important to bear in mind that, although no such attack has taken place to date, an understanding of the phenomenon of terrorism in cyberspace is essential for the
Security and National Defense
in democratic societies, which are increasingly technological, and therefore more vulnerable to threats and new risks for the security of the Fifth Domain.