A new report by a Washington policy think tank dismisses out of hand the idea that terrorist groups are currently launching cyber attacks and says that the recent attacks against U.S. and South Korean networks were not damaging enough to be considered serious incidents.
The report, written by James Lewis of the Center for Strategic and International Studies, looks at cyberwar through the prism of the Korean attacks, which many commentators have speculated originated in North Korea. However, there has been little in the way of proof offered for this assessment, and Lewis doesn’t go down that road. Instead, he focuses on whether the attacks constituted an act of war and whether they could have been the work of a terrorist group.
The answer is no on both counts.
“The July event was not a serious attack. It was more like a noisy demonstration. The attackers used basic technologies and did no real damage. To date, we have not seen a serious cyber attack. That is only because the political circumstances that would justify such attacks by other militaries have not yet occurred and because most non-state actors have not yet acquired the necessary capabilities. As an aside, this last point undermines the notion of cyber terrorism. The alternative to the conclusion that terrorist groups currently lack the capabilities to launch a cyber attack is that they have these capabilities but have chosen not to use them. This alternative is nonsensical,” Lewis writes.
But that’s not to say that terrorist groups won’t one day be capable of launching such attacks. Just the opposite, in fact. There’s no reason to believe that organized, well-financed terrorist groups won’t soon acquire the ability to launch sophisticated attacks, Lewis concludes.
“A very rough estimate would say that there is a lag of three and eight years between the capabilities developed by advanced intelligence agencies and the capabilities available for purchase or rental in the cybercrime black market. The evidence for this is partial and anecdotal, but the trend has been consistent for more [than] two decades. This suggests that in less than a decade, perhaps much less, a terrorist group could enter the cybercrime black market and acquire the capabilities needed for a serious cyber attack,” he writes.
“The implications for the United States are troubling. We have, at best, a few years to get our defenses in order, to build robustness and resiliency into networks and critical infrastructure, and to modernize our laws to allow for adequate security. Our current defenses are inadequate to repel the attacks of a sophisticated opponent.”
The report, titled “The ‘Korean’ Cyber Attacks and Their Implications for Cyber Conflicts,” also discusses at length the limiting factors that currently are preventing foreign countries and organized criminal groups from attacking the U.S. Those deterrents, which include political constraints and the possibility of a physical retaliatory strike, have been of use so far, but may not continue to be for much longer. The difficulty of attributing an attack to any specific person or group makes these deterrents far less effective than they might otherwise be.
And the U.S. dependence on digital technology makes it somewhat more vulnerable to cyber attacks than other nations, Lewis writes.
“In the Cold War, there was symmetry in vulnerabilities – each side had cities and populations that the other could hold hostage. That symmetry no longer exists. The United States is far more dependent on digital networks than its opponents and this asymmetric vulnerability means that the United States would come out worse in any cyber exchange,” Lewis writes.