February 20, 2018

Cyberterrorism or Cybervandalism?

When hackers believed by the U.S. government to have been sponsored by the state of North Korea infiltrated Sony Pictures’ corporate network and leaked reams of sensitive documents, the act was quickly labeled an act of “cyberterrorism.” When hackers claiming to be affiliated with ISIS subsequently hijacked the YouTube and Twitter accounts of the U.S. military’s Central Command, military officials called it an act of “cybervandalism.” A third category of cyberattack, which presents definitional challenges of its own, is “cyberwarfare.” In terms of the nature and scale of any official response, it obviously matters quite a lot which bucket the government and the media choose when they categorize a cyberattack to the public. So how is that choice made as a descriptive matter? And how should it be made?

It seems to me that there are several potentially relevant factors to assess when drawing the semantic line between cyberterrorism and cybervandalism. The ones that spring to mind are the origin of the attack (e.g., state-sponsored v. state-aligned v. unaligned); the target of the attack (e.g., public infrastructure v. corporate infrastructure; critical infrastructure—however defined—v. non-critical infrastructure); the nature of the harm caused (e.g., personal injury v. injury to property); and the reach and severity of the harm caused (e.g., minor or major; isolated v. pervasive). Are these the right factors to take into account? If so, what configuration of factors makes a cyberattack an act of cyberterrorism as opposed to an act cybervandalism? And how should we distinguish both cyberterrorism and cybervandalism from cyberwarfare? Is cyberwarfare only state-to-state?

As the Internet is increasingly beset by attacks of all kinds from all quarters in the name of all different ideologies (or just lulz), it seems vital to have in place a stable, rational way of classifying cyberattacks so that official responses can be appropriate and proportional. I know there are a lot of cybersecurity experts who read FTT. I am definitely not one. I’d love to hear your thoughts about a principled taxonomy for cyberattacks. If there’s a good article about this out there somewhere, I’d be happy to get the citation.


  1. Andre Gironda says:

    Those are excellent factors! Great questions!!

    To answer your questions, please consider a quadrant-based game theory model where q1 is cyber crime (signaling with identity theft, peaking with cyber vandalism such as website or social media defacements, and terminating with DoS, ransomware, and extortionware) leading next to q2: cyber espionage (signaling with value-chain subversion such as the supply chain and terminating with intellectual property theft). These are the rather benign quadrants, but they may result in excessive loss to brand equity, reputation damage, and other intangible asset losses which cyber insurance cannot cover.

    The following quadrants are both a continuation and an escalation from the previous quadrants. The primary, q3, focuses in on cyber sabotage (as opposed to cyber terrorism, as we will see in q4) where signaling events such as the DoS, ransomware, and extortionware found in q1 turn their focus on critical infrastructure and terminate in the destruction of property. q4 is about kinetic cyber aka loss of limb or loss of life. Cyber war is heavily hinged on the most-severe terminating events in q3 or q4.

    You will find that q1 and q4 are typically sub-state actors, while q2 and q3 are nearly always state actors. In this game theory model, nobody is innocent (or as you described, “unaligned”). A nation or multiple nations are always allowing the criminal or terrorist activity to continue without interference, indirectly financing these operations if nothing else.

    I am looking for a home to place this research if you can recommend one.

  2. Nice Cyber-site you have there. Pity if it was replaced with kiddie porn.

    If “mere vandalism” were to happen to you or your property, would you not think it “terrorism”?

    But your point is valid, though I think a better way to express it would be that a crime in cyberspace should be mapped into whatever the equivalent act and damage would be if it was physical.