Public government statements have cited cyber-attacks by terrorists as a major concern for national security. To date, no large-scale cyber-terrorist attack has been observed, but terrorists are known to be using the Internet for various routine purposes. The discovery of Stuxnet in 2010 was a milestone in the arena of cybersecurity because, although a malware attack on industrial control systems was long believed to be theoretically possible, it was different to see malware used in reality to cause real physical damage. Stuxnet demonstrated that a sufficiently determined adversary with sufficient resources might be able to damage U.S. critical infrastructure physically through a cyber attack. Did Stuxnet change the threat of cyber-terrorism?
This monograph examines cyberterrorism before and after Stuxnet by addressing three questions: 1) Motive—Are terrorists interested in launching cyber-attacks against U.S. critical infrastructures? 2) Means—Are terrorists building capabilities and skills for cyberattacks? and 3) Opportunity—How vulnerable are U.S. critical infrastructures? Answers to these questions give a characterization of the post-Stuxnet cyberterrorism threat. The next question is why a major cyber-terrorist attack has not happened yet; this is explained from a cost-benefit perspective. Although cyberterrorism may not be an imminent threat, there are reasons to be concerned about the long-term threat and inevitability of cyberattacks. It is important to frequently assess the threat landscape and current government policies for enhancing the protection of national infrastructures.
Terrorists are known to use the Internet for communications, planning, recruitment, propaganda, and reconnaissance. They have shown interest in carrying out cyberattacks on U.S. critical infrastructures, although no such serious attacks are known publicly to have occurred. The discovery of the Stuxnet malware in July 2010, and its analysis over the next several months, was widely believed to have been a landmark event in cybersecurity, because it showed that cyberattacks against industrial control systems, hypothesized for a long time, are actually possible. After Stuxnet, there were public concerns that terrorists might be encouraged to acquire capabilities for similar cyberattacks.