20 Years Later: A Cyber 9/11 Is UnlikelyTerror Groups Look Past Cyber as an Attack Platform
The possibility of a terrorist group launching a massive Sept. 11, 2001-scale cyberattack against the U.S. or an ally has been a concern for years, but cybersecurity pros with a background in intelligence and military affairs say such worries are likely to remain unwarranted.
Industry experts cite a variety of factors that they believe have given terrorist groups little reason to attempt such an attack, including cyberattacks simply not instilling the level of fear in the targeted population that terrorists desire. The experts also point out that conducting an attack that would cause mass casualties is likely beyond the capabilities of most terrorist organizations.
"You probably remember where you were on 9/11 and wondered what might be hit next. However, most people probably didn't have the same reaction to WannaCry or NotPetya," notes Jake Williams, formerly of the National Security Agency's elite hacking team and currently CTO at BreachQuest.
What terror groups have learned over the past two decades, however, is the internet is perfect for solving several of their more basic issues, such as radicalizing potential terrorists, funding, recruiting and training.
Etay Maor, a former researcher with the International Institute for Counter-Terrorism and currently senior director of cybersecurity strategy at Cato Network, says terror groups now have a highly refined model they follow for using the internet, but these efforts are passive and not kinetic.
"Extremist groups and terrorist groups use the internet heavily - just not for physical attacks." They use it for "propaganda information dissemination, recruitment, money, governing money in bitcoin and promoting ideas," he says, adding that such activity can lead to physical attacks.
No Cyber 9/11?
Cyberattacks are inconsistent with the primary goal of most terrorist organizations, the experts concur. A terror attack is supposed to inspire fear in a large population that believes it could be next, Williams notes.
"While there is a legitimate potential for a cyberattack to cause kinetic effects, this requires significant research and planning after gaining access to the target network," he says, "Thanks to the redundant safety controls in place in most critical infrastructure, these attacks are simply beyond the reach of terror groups. These attacks are barely within the reach of most nation-states, let alone nonstate actors."
Over the past 20 years, while nation-state groups, criminal gangs and even some rogue actors have adopted cyber tactics, the terrorists who targeted the World Trade Center, United Airlines Flight 93 and the Pentagon on Sept. 11, 2001, killing almost 3,000 people, have not. They prefer to stay with physical attacks that attract a lot of attention, says Chris Painter, who served as the State Department's top cyber official during the Obama administration and is also a former Justice Department prosecutor.
During this time, however, terrorist groups have adopted the internet as a way to communicate to like-minded followers, as well as a way to spread propaganda, but that has not crossed over into specific cyberthreats such as deploying ransomware or another type of malware.
"Their bailiwick is more trying to cause disruption, destruction and loss of life," says Painter, who now serves on the board of the Center for International Security and Cooperation. "And that's hard to do with cyber, but it's not impossible. … We have been very lucky that there have not been any major cyber fatality incidents. But [cyber has] not been their bread-and-butter. They want more splashy things."
Roger Caslow, who served as a senior intelligence officer for the Defense Intelligence Agency in the five years following 9/11, says he believes the world is so interconnected that a 9/11 scale cyberattack would be counter-productive for a nation-state actor and difficult for a terror group to pull off.
He points out that if a nation-state launched a cyberattack and destroyed a major U.S. agency or business sector, the economic repercussions would be worldwide and possibly be just as damaging to the attackers.
For this same reason, Caslow, who is currently CISO of the wastewater treatment utility HRSD, says a nation-state would not conduct such an attack and in all likelihood would stop an independent terror group from going down that path.
Caslow adds that successfully attacking facilities such as his water treatment plants or a power utility is no small task, as they are segmented. The attack would likely require insider help to be successful, he says.
The nation's power grid is even more segmented, Caslow notes, pointing out that to knock out electricity to more than a small region of the country, several utility companies would have to be simultaneously attacked.
Never Say 'Never'
Although groups such as al-Qaida have not explicitly adopted cyber tactics, Painter says it's possible that they may do so in the future. He notes that the barrier to entry continues to drop as malware, ransomware and botnets that attackers can rent or purchase on the darknet remain readily available.
"We've seen most recently with ransomware that there are ransomware-as-a-service [operations], where these groups essentially rent out their capabilities and their expertise to other groups," Painter says. "And you can imagine that there could even be a ransomware attack by a terrorist group because it causes some disruption, but it also allows the terrorists to make money off of it. That's one of the many issues with ransomware: who these actors are and do the proceeds sometimes go to terrorists and other groups."
There is also the possibility of what he calls a "blended attack," in which a destructive physical attack is followed by an attack that targets the networks of first responders and emergency communications, Painter notes.
Cato Network's Maor notes that while terror groups have not directly launched attacks, many are internet-savvy and use the web to play to their strengths. This includes inspiring jihadis in target countries and offering tips on how they can pull off a deadly attacks.
Most notoriously, this occurred with the terrorists who attacked the Boston Marathon in 2013.
Maor says those attackers likely learned online the information needed to create the pressure cooker bombs that killed three people and injured hundreds on April 15, 2013.
"Over the years, Al Qaeda and [the Islamic State group] have both successfully utilized the internet as a propaganda platform - used to recruit young teens all over the globe," says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant, notes that the terrorist groups have fallen short in successfully executing a large-scale cyberattack - limiting themselves to DDoS and website defacement activities and using "hacker for hire" and partnerships with groups such as the Tunisian Cyber Army to support their cause.
But that a cyber 9/11 has not transpired does not mean the U.S. and other potential targets can let down their guard. The possibility remains, Berglas says.
"This lack of success will not last long - terrorist organizations are known, for years, to be actively reconnoitering critical infrastructure in the West and actively recruiting technically focused college majors to build an internal offensive cyber capability," Berglas says.
ISMG Managing Editor Scott Ferguson contributed to this article.