When hackers believed by the U.S. government to have been sponsored by the state of North Korea infiltrated Sony Pictures’ corporate network and leaked reams of sensitive documents, the act was quickly labeled an act of “cyberterrorism.” When hackers claiming to be affiliated with ISIS subsequently hijacked the YouTube and Twitter accounts of the U.S. military’s Central Command, military officials called it an act of “cybervandalism.” A third category of cyberattack, which presents definitional challenges of its own, is “cyberwarfare.” In terms of the nature and scale of any official response, it obviously matters quite a lot which bucket the government and the media choose when they categorize a cyberattack to the public. So how is that choice made as a descriptive matter? And how should it be made?
It seems to me that there are several potentially relevant factors to assess when drawing the semantic line between cyberterrorism and cybervandalism. The ones that spring to mind are the origin of the attack (e.g., state-sponsored v. state-aligned v. unaligned); the target of the attack (e.g., public infrastructure v. corporate infrastructure; critical infrastructure—however defined—v. non-critical infrastructure); the nature of the harm caused (e.g., personal injury v. injury to property); and the reach and severity of the harm caused (e.g., minor or major; isolated v. pervasive). Are these the right factors to take into account? If so, what configuration of factors makes a cyberattack an act of cyberterrorism as opposed to an act of cybervandalism? And how should we distinguish both cyberterrorism and cybervandalism from cyberwarfare? Is cyberwarfare only state-to-state?
As the Internet is increasingly beset by attacks of all kinds from all quarters in the name of all different ideologies (or just lulz), it seems vital to have in place a stable, rational way of classifying cyberattacks so that official responses can be appropriate and proportional. I know there are a lot of cybersecurity experts who read FTT. I am definitely not one. I’d love to hear your thoughts about a principled taxonomy for cyberattacks. If there’s a good article about this out there somewhere, I’d be happy to get the citation.