All across Canada, individuals, companies, governments, and even the military have become increasingly reliant on the Internet for a diverse array of activities. Although this shift to Internet-based activity has brought substantial benefits to consumers, companies, and governments, it has also created new vulnerabilities, which both state and non-state actors have sought to exploit.
In recent years, there has been an alarming increase in the number of cyber attacks upon government, corporate, and military systems. Responding to this emerging threat, the Canadian government has launched a number of efforts to secure the nation’s cyber space from both state and non-state actors. Leading the charge, Public Safety Canada recently launched a new cyber strategy, entitled Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada.
There is, however, some contention about the magnitude and direction of the government’s policies, as analysts disagree on both the degree of danger posed by cyber attacks and the most effective way to coordinate Canada’s cyber security efforts. This disagreement is particularly acute when dealing with the threat posed by terrorist groups, as no consensus exists as to whether or not these groups pose a danger. Unfortunately, it is impossible to design and implement good public policy without a proper understanding of the threat faced. This raises the question: what, exactly, is the nature and severity of the threat posed by cyber terrorism?
Are They a Threat?
As things currently stand, there are no publicly recorded instances of cyber terrorism in Canada, the United States, or Europe. Instead, most cyber attacks are attributed either to states, such as China, or to criminal groups. As a result, the potential danger posed by terrorist groups is often overlooked, as it is argued that such groups lack either the capability or the interest to launch such attacks. This is not, however, universally accepted. Indeed, there is considerable evidence to suggest that such groups may have both the incentive and resources to eventually acquire such a capability. If so, it may only be a matter of time until such groups become dangerous cyber actors.
Cyber attacks have a number of features that would lend themselves to use by terrorist groups. First, such attacks are relatively cheap, as they can often be carried out using commercially available equipment and programs acquired from the shadier corners of the Internet. As such, the barriers to entry are relatively low, which is often an important consideration for cash-strapped groups.
Second, such attacks can be conducted anonymously, as they can easily be routed across multiple jurisdictions. This makes cyber attacks notoriously difficult to trace. Following up on such attacks often requires investigators to obtain warrants in multiple countries. Although 2001’s Convention on Cybercrime was designed to speed the process of obtaining such warrants, the treaty’s coverage is still rather thin. Only forty states have signed and ratified the treaty and the signatories are largely confined to the member states of the Council of Europe (with the unfortunate exception of Russia) and a few smaller states. Outside of Europe, the only major treaty members are the United States, Australia, and Japan. Canada is a signatory to the treaty, but it has yet to ratify it. Unfortunately, this coverage hardly provides the global scope necessary to quickly follow up on ongoing or recent attacks.
Third, the variety of targets is enormous. Canada is home to over 933 major dams. It is also home to a significant number of chemical plants, refineries, power stations, reactors, and water treatment facilities, and many of these systems have come to rely on the Internet, rather than proprietary networks, for control functions. The vast majority of such infrastructure is also owned and operated by the private sector, who utilize varying levels of security. As such, there is a high likelihood that a determined attacker would be able to find systems vulnerable to infiltration.
Fourth, the attacks can be conducted remotely from beyond Canada’s borders, which means that terrorists do not need to risk arrest by domestic law enforcement agencies in order to launch their attacks. This also nullifies many of the security advantages provided by our investment in border security since 9/11.
Fifth, such attacks can potentially affect a large group of people. In 2000, the Lovebug virus affected 50 million systems in ten days and caused up to $15 billion in economic damage—not bad for a Filipino student operating out of his dorm room.
Given these advantages, it would be surprising if terrorist groups were not already developing, or at the very least interested in developing, the capacity to conduct operations in cyber space. For many, adopting cyber attacks would be a relatively natural evolution. Most terrorists already rely upon the Internet for communication and recruitment purposes. Using the Internet to actually carry out attacks would only take things one step further.
How Vulnerable Are We?
If the characteristics of cyber attacks suggest that we should be worried about their adoption by terrorist groups, it becomes important to analyze whether or not such weapons could cause significant damage to Canada or whether they are merely a “weapon of mass inconvenience.” Such an analysis will be important in determining the appropriate level of government attention to devote to the issue.
As things currently stand, there is considerable evidence to suggest that a well-executed cyber attack could cause significant damage to Canada. This is because an increasing portion of Canada’s critical infrastructure has come to rely on the Internet in order to operate.
Of particular concern is the increasing number of industrial Supervisory Control and Data Acquisition (SCADA) systems controlled via the Internet rather than through proprietary networks. These systems are frequently cited as potential targets for terrorists, because they control complex industrial infrastructure, such as power grids, dams, and chemical plants. Refineries across Alberta, for example, can often be controlled from corporate headquarters in Calgary, via an Internet link. If a terrorist group were able to breach the security of one of these systems, they could potentially cause a plant to explode, unleash millions of cubic feet of water upon unsuspecting communities, or leave a large swathe of the continent in the dark. This type of attack would have devastating consequences.
Deadly or Just Inconvenient?
There are, however, a number of analysts who cast doubt on the actual impact of cyber attacks. Douglas Birch, for example, notes that power outages are a fairly common occurrence, which provides a good baseline to estimate the potential damage that could be caused by an attack against Canada’s power grid. The effects of blackouts, he observes, are rarely catastrophic, even when the power goes out for several days, as most critical systems, such as emergency services and hospitals, have backup generators. This, in turn, leads him to conclude that cyber attacks are more likely to be a ‘weapon of mass inconvenience’ than a significant threat to Canada.
While Birch and others like him, such as James Lewis, have a legitimate point about the first-order impact of a potential cyber attack, they fail to consider the secondary impact of terrorist attacks: the widespread fear and panic that they can cause. In addition to its initial impact, there is a substantial risk that a major incident of cyber terrorism would prompt a backlash against Internet-based activity. This would have significant ramifications for the Canadian economy, as a large percentage of economic activity has come to rely upon the Internet for a wide variety of functions.
High Tech Terrorists
It might also be questioned whether or not terrorist groups have the technological capabilities to pull off such an attack. Rose Tsang of the Goldman School of Public Policy estimates that it would take a team of highly trained hackers six months to design a program to penetrate and control an industrial control system. If correct, this means that the barriers to employing an attack might be higher than some analysts have suggested. This does not mean, however, that the possibility of cyber terrorism should be dismissed.
Although terrorist groups are often imagined as drawing their members from the poor and disaffected masses, evidence from the social sciences suggests that terrorist groups often recruit members with significant levels of formal education. Most of the suicide bombers involved in the events of 9/11, for example, had either university degrees or at least some form of post-secondary education. Engineers, in particular, seem to be overrepresented in Islamic terrorist groups. Indeed, both Khalid Sheikh Mohammed and Mohamed Atta, the planners responsible for the events of 9/11, had engineering backgrounds. This suggests that terrorist groups might be far more capable of assembling a cabal of sophisticated hackers than public perception would anticipate.
State Versus Non-state Attacks
There are also those who dismiss the threat posed by potential cyber terrorists by arguing that we should be primarily worried about the cyber attacks that are already being committed by states. While states certainly have more organizational capacity and resources than terrorist groups, the threat posed by cyber terrorism is unique and should not be neglected.
States, unlike terrorist groups, have a limited incentive to cause major destruction, as they are often reliant upon the systems that a major attack would disrupt. Most states continue to depend on the west’s economic viability for their own economic fortunes, which discourages major attacks. China, for example, is highly dependent on the world financial system for its continued well-being. It has, as a result, only a limited incentive to cause major disruption to it. This means that states are far more likely to limit their online exploits to activities such as industrial espionage. Terrorist groups, by contrast, are not particularly reliant upon the Internet. As such, they are far less constrained than states. This, as Joseph Nye suggests, means that “a cyber 9/11 may be more likely than the often mentioned cyber Pearl Harbor.”
Unique Threats Require Unique Policy Prescriptions
When taken together, the factors outlined above suggest that there is a need to craft specific cyber policies to address the unique and dangerous threat posed by cyber terrorism. The nature of the threat means that policies designed to deal with traditional cyber threats, such as state-based attacks and cyber criminals, will not properly address the threat of cyber terrorism. If Canada should fail to take the unique nature of the full spectrum of cyber threats into consideration, it will leave itself vulnerable to a potentially catastrophic attack.
 Government of Canada, Canada’s Cyber Security Strategy: For a Stronger and More Prosperous Canada (2010), http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/cbr-scrt-strtgy-eng.pdf.
 Bill Nelson, Rodney Choi, Michael Iacobucci, Mark Mitchell, Greg Gagnon, Cyberterror: Prospects and Implications (Monterey, CA: Center for the Study of Irregular Warfare, 1999), 44-58.
 Gabriel Weimann, “Cyberterrorism: The Sum of All Fears,” Studies in Conflict and Terrorism 28 (2005): 144.
 Ibid., 137.
 Joseph S. Nye, “Nuclear Lessons for Cyber Security,” Strategic Studies Quarterly (Winter 2011): 20.
 Stewart Baker, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism (Stanford: Hoover Institution Press, 2010).
 Environment Canada, “Dams and Diversions,” http://www.ec.gc.ca/eau-water/default.asp?lang=En&n=9D404A01-1 (accessed November 8, 2013).
 Hai-Cheng Chu, Der-Jiunn Deng, Han-Chieh Chao, and Yeuh-Min Huang, “Next Generation of Terrorism: Ubiquitous Cyber Terrorism with the Accumulation of all Intangible Fears,” Journal of Universal Computer Science 15, no 1 (2009): 2374.
 Gabriel Weimann, “Cyberterrorism: How Real is the Threat?” United States Institute of Peace Special Report 119 (December 2004): 6.
 James A. Lewis, Assessing the Risks of Cyber Terrorism, Cyber War, and Other Cyber Threats (Washington: Center for Strategic and International Studies, 2002), 8.
 James R. Clapper, “Worldwide Threat Assessment of the US Intelligence Community,” Statement for the Record, March 12, 2013, http://intelligence.senate.gov/130312/clapper.pdf.
 Douglas Birch, “Forget Revolution,” Foreign Policy, October 1, 2012, http://www.foreignpolicy.com/articles/2012/10/01/forget_revolution (accessed March 20, 2013).
 Weimann, “Cyberterrorism,” 144.
 Clapper, “Worldwide Threat Assessment.”
 Lewis, Assessing the Risks of Cyber Terrorism; Birch, “Forget Revolution.”
 Birch, “Forget Revolution.”
 Lewis, Assessing the Risks of Cyber Terrorism, 4.
 Rose Tsang, “Cyberthreats, Vulnerabilities and Attacks on SCADA Networks,” working paper, University of California, Goldman School of Public Policy, 2009, 2, http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf (accessed May 12, 2013).
 Efraim Benmelech and Claude Berrebi, “Human Capital and the Productivity of Suicide Bombers,” Journal of Economic Perspectives 21, no. 3 (Summer 2007): 225-238.
 Diego Gambetta and Steffen Hertog, “Engineers of Jihad,” Sociology Working Papers 2007-10, http://www.nuff.ox.ac.uk/users/gambetta/Engineers%20of%20Jihad.pdf (accessed September 7, 2013); Diego Gambetta and Steffen Hertog, “Why are there so many Engineers among Islamic Radicals,” European Journal of Sociology 50, no. 2 (August 2009), 201-230.
 Suzanne C. Nielson, “Pursuing Security in Cyberspace: Strategic and Organizational Challenges,” Orbis (Summer 2012): 340.
 Fred Kaplan, “What is the Real Threat of a Chinese Cyberattack,” Slate, February 20, 2012, www.slate.com (accessed March 8, 2012).
 Clapper, “Worldwide Threat Assessment,” 1.
 Nye, “Nuclear Lessons for Cyber Security,” 22.