  1. Chapter 1: Introduction to the Study
    1. Background of the Study
    2. Problem Statement
    3. Purpose of the Study
    4. Research Question
    5. Conceptual Framework
    6. Nature of the Study
    7. Definitions
    8. Assumptions
    9. Scope and Delimitations
    10. Limitations
    11. Significance of the Study
    12. Summary

Chapter 1: Introduction to the Study

The United States acted quickly and aggressively following the terrorist attacks of September 11, 2001. The first retaliatory strikes in Afghanistan by the United States military occurred less than a month after 9/11 (Jenkins & Godges, 2011). Hundreds of U.S. Special Forces soldiers, Central Intelligence Agency operatives, and thousands of Northern Alliance tribesmen significantly weakened the Taliban regime and eliminated al Qaeda’s safe haven by mid-December of that year (Hellmuth, 2018a; Jenkins & Godges, 2011). Nevertheless, counterterrorism operations in Afghanistan have been ongoing for 19 continuous years as of 2020, making the conflict the longest in U.S. history. The United States public has yet to lose support for this conflict to levels seen during the Vietnam War. However, an equally strong and sustained U.S. retaliatory offensive following a major cyberterrorism attack against the country might not be as well received, since already elusive terrorism guidelines would be further complicated with the inclusion of cyberterrorism.

A growing reliance on the cyber domain in recent decades has created a new opportunity for individuals and groups to infiltrate U.S. targets that would otherwise be unattainable (Neely & Allen, 2018). Government organizations at all levels, financial institutions, and defense agencies now maintain large networked digital databases full of sensitive information (Holt & Kilger, 2012). Additionally, the proliferation of automated systems integrated in U.S. critical infrastructure such as water, sewer, telephone, and power systems leaves them all vulnerable to cyberattacks (Klein, 2015).

Given the limited publicly available U.S. government guidance for major cyberterrorism attacks, I explored the perceptions of U.S. terrorism and cybersecurity experts to understand how the country might better prevent and respond to large-scale cyberterrorism attacks. A response prepared during the sensitive and fervent days and weeks following a successful large-scale cyberterrorism attack might not result in a plan as well-crafted as one preemptively modeled. Additionally, post hoc cyberterrorism regulations have the potential to be emotionally charged, which was the atmosphere in which the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT, hereafter Patriot) Act was created following 9/11.

Justifications for military conflict have been well documented throughout history. Past wars and the rationale for each have largely been rooted in the theory of realism which was first debated by the Ancient Greek historian Thucydides and has subsequently seen numerous evolutions over the last 2,500 years (Morkevičius, 2015). However, a realist viewpoint focuses on countries with respect to the international arena and therefore does not offer much information regarding terrorism (Morkevičius, 2015). Additionally, Islamic terrorism is sometimes considered merely a tactic or fad that will eventually fade within the international world order dominated by sovereign states (hereafter states) and can thus be downplayed by international relations scholars.

Though incomplete, justifications for the use of military force against terrorist organizations, such as the United States versus the Taliban and al Qaeda, still generally demand a humanitarian approach to warfare, or jus in bello. Yet, like realism, just war theory also has limited applications for counterterrorism operations (Taylor, 2017). This theory prescribes that the United States should fight terrorist organizations in a moral manner within the constraints of the country’s constitutional democracy (Walzer, 2007). To further complicate matters, there is not one domestic or international agreed upon definition of terrorism despite extensive information being written on the subject (Dinniss, 2018; Gaibulloev et al., 2017; Marsili, 2019).

The United States classifies terrorists as unlawful enemy combatants as outlined in the Military Commissions Act of 2006 and in the Act’s 2009 amendment (Goode, 2015). Unlawful enemy combatant is a classification that is internationally disputed since the Third Geneva Convention only delineates between prisoners of war and noncombatants (Goode, 2015). Because of this, the United States would have considerable difficulty justifying military retaliation against the perpetrators of a successful large-scale cyberterrorism attack considered unlawful enemy combatants residing in a country not in open conflict with the United States (Goode, 2015).

Cyberterrorism is a frequently debated subject with some scholars even suggesting that cyberterrorism should not be discussed separately from acts of physical terrorism (Jarvis & Macdonald, 2015). However, the largely accepted definition of cyberterrorism that I used for this study is: terrorism in cyberspace that features attacks against computers and networks by subnational groups or individuals through violence or fear to coerce or intimidate a state’s government or citizens to further political or social objectives (Jenkins & Godges, 2011; Klein, 2015; Marsili, 2019; Warf & Fekete, 2016). Even though no large-scale cyberterrorism attack has been successful against the United States, damaging attacks are still conceivable as the world becomes more dependent on technology and terrorists continue to look for new ways to pursue cyber vulnerabilities to achieve objectives (Albahar, 2019; Dinniss, 2018; Warf & Fekete, 2016). Consequently, scholars and military commanders alike are well aware of the threats posed by cyberterrorism and regularly discuss the probability of a successful cyberterrorism attack disrupting or destroying critical aspects of the U.S. military, financial, and service sectors (Neely & Allen, 2018; Wirtz, 2017).

This opening chapter includes an overview of the study. Chapter 1 is organized starting with the background, problem statement, and purpose of the study. These areas provide a foundation for the study by outlining conflict as it relates to cyberterrorism and the potential issues that could arise from conflict. The chapter then continues into the study’s core and includes the research question, a brief description of the conceptual framework, and nature of the selected research paradigm and design. Next, definitions of key terminologies are provided along with illustrating study scope factors including limitations and delimitations. The chapter concludes with a statement of significance on why the study should be conducted before summarizing and transitioning to Chapter 2.

Background of the Study

No country has threatened victory over the U.S. military through conflict in decades. The United States has enjoyed complete military superiority in a unipolar world created after the fall of the Soviet Union in 1990. However, adversaries of the United States are constantly looking for ways to disrupt and defeat elements of the country through asymmetric warfare (Warf & Fekete, 2016).

As technology continues to exponentially increase in importance and sophistication, adversaries are finding ways to leverage these advancements for malicious intent. The United States would likely have *casus belli*, or justification for war, if a foreign government launched a cyberattack designed to cause catastrophic damage within the United States. However, if a foreign government covertly conscripted individuals or subnational organizations to carry out such an attack, the attack would be considered cyberterrorism. The lists of potential targets for cyberterrorists in the United States are vast (Albahar, 2019). The sheer number of targets essentially guarantees that terrorists will be able to exploit many exposed weaknesses (Klein, 2015). Whether state-sponsored or homegrown, cyberterrorism lets terrorists strike from virtually anywhere in the world, making the attacks more sudden and less predictable (Albahar, 2019).

Hacking of U.S. agencies and businesses has been conducted by states, individuals, and groups driven by a wide range of motivations including profit, notoriety, and ideology. China has acknowledged the existence of the People’s Liberation Army Unit 61398, which was created specifically for cyber activities (Warf & Fekete, 2016). In 2015 the United States accused Unit 61398 of stealing data from 141 U.S. businesses (Mazanec, 2016). Similarly, the military of the Democratic People’s Republic of Korea (North Korea) has an elite hacking team known as Lab 110 modeled after, and possibly even trained by, Unit 61398 (Warf & Fekete, 2016). Lab 110 has successfully attacked U.S. Treasury Department servers on multiple occasions from 2009 to 2013 (Warf & Fekete, 2016). Lastly, Russia’s Federal Security Service (FSB) has an extensive history of conducting cyberattacks and has even been accused of starting Web War I against Estonia in April 2007, which prompted the Western world to begin discussing the reality of a cyberwar (Warf & Fekete, 2016). In addition to Estonia, the FSB has also been blamed for conducting cyberattacks against Georgia in 2008 and Ukraine in 2014 (Warf & Fekete, 2016). However, to date no cyberattacks designed to cause extensive damage within the United States have been successful (Klein, 2015; Kosseff, 2018).

The first and only successful cyberterrorism attack against the United States that has been brought to trial was conducted in 2015 by a Kosovo citizen named Ardit Ferizi, though the attack did not cause the deaths of any U.S. citizens as was its intent (Office of Public Affairs, 2016). In June 2015 Ferizi hacked into the server of a private U.S. company and extracted personally identifiable information on approximately 1,300 military and government employees (Office of Public Affairs, 2016). He then sent the information to Junaid Hussain, a member of the Islamic State of Iraq and Syria (ISIS), who published the information as a hit list on a website run by the Islamic State Hacking Division (ISHD; Office of Public Affairs, 2016). Ferizi was subsequently extradited from Malaysia to the United States where, in September 2016, he was sentenced to 20 years in prison for both providing material support to ISIS and gaining access to a protected computer without authorization (Office of Public Affairs, 2016). The Ferizi data dump was notable because it resulted in the only person in the United States convicted of cyberterrorism-related charges as of 2020. However, Ferizi’s list was not the first or only United States-related sensitive data release published by ISIS-affiliated hacking organizations.

The ISHD first published a list of 100 U.S. military personnel in early 2015 prior to Ferizi’s own list being released in August of that year (Nance & Sampson, 2017). A second list of 100 different U.S. military personnel was also released in September 2015 by ISHD following Ferizi’s release (Nance & Sampson, 2017). Most recently, in May 2016 ISHD publicized the names and addresses of 76 United States military drone operators (Nance & Sampson, 2017).

Another ISIS-affiliated hacking organization, the Cyber Caliphate Army, famously hacked the U.S. Central Command’s YouTube and Twitter sites in January 2015 and released their own lists of U.S. military personnel on three separate occasions in December 2015 and in January 2016, which totaled over 200 names (Nance & Sampson, 2017). Finally, in April 2016 yet another ISIS-affiliated hacking group, the United Cyber Caliphate, released the names of 3,600 New York citizens under the title *We Want Them Dead*, followed by three large data dumps in April and June 2016 that totaled over 22,000 U.S. citizens listed as *Revenge for Muslims* (Nance & Sampson, 2017).

Yet, dangerous cyberterrorism events continue to be overlooked by U.S. policymakers given the lack of resulting tangible physical harm (Warf & Fekete, 2016). As cyberterrorism events are ignored, so are the potential responses and justifications to those responses. However, cyberterrorism is a very real option for terrorists due to its anonymity, debilitating potential, and psychological impact. It could be in the interest of the United States to not only be prepared for a cyberterrorism attack but to also be ready with the country’s response options following a successful attack. In this study, I addressed an existing gap in knowledge by considering better prevention and response strategies for a large-scale cyberterrorism attack against the United States.

Problem Statement

The United States assumes a largely defensive posture toward the thousands of daily cyberattacks conducted against the country. Cyberterrorists can therefore probe and execute cyberattacks against a host of U.S. networks with broad impunity. The United States would most likely respond to a successful large-scale cyberterrorism attack within a framework of regulations concerning physical acts of terrorism since no policy exists on how to respond to major cyberterrorism attacks against the country (Warf & Fekete, 2016). It is still legally unclear what attacks can even be considered cyberterrorism (Dinniss, 2018; Marsili, 2019; Warf & Fekete, 2016). Given the debilitating nature of cyberattacks and the potential to set off large-scale conflicts, the United States government may need to publish cyberterrorism prevention and response guidelines to better deter cyberterrorism attacks and dictate proportional response options. Policies aggressively preventing and condemning such attacks as well as articulating approved responses may result in countries being far less willing to sponsor destructive cyberterrorism attacks against the United States.

It is not known what terrorism and cybersecurity experts believe is the best way to prevent and respond to large-scale cyberterrorism attacks against the United States. A need therefore exists to learn more about U.S. cyberterrorism guidelines from the perception of experts. This research fills a gap in literature by presenting expert analysis on current U.S. government cyberterrorism policy including the validity of creating or improving U.S. cyberterrorism deterrence and response guidelines.

Purpose of the Study

The purpose of this qualitative study was to explore the perceptions of terrorism and cybersecurity experts in the United States to better understand how the country might prevent and respond to large-scale cyberterrorism attacks. A major successful cyberterrorism attack has never been conducted against the United States so it remains unseen what guidelines the country will use as the basis for a response. The current lack of guidance could leave the United States in a vulnerable position following a successful large-scale cyberterrorism attack given the unpredictability of potential responses. Through expert interviews, the study addressed if additional measures may be needed to better handle aspects of major cyberterrorism attacks, or if current policies are adequate to respond to these attacks.

Research Question

Research Question: How do terrorism and cybersecurity experts perceive that the United States might better prevent, cope with, and respond to large-scale cyberterrorism attacks?

Conceptual Framework

I used punctuated equilibrium theory to analyze the prospect of creating specific cyberterrorism response guidelines for the U.S. government. Punctuated equilibrium theory was introduced by Frank Baumgartner and Bryan Jones in Agendas and Instability in American Politics in 1993 (Baumgartner et al., 2018). This theory was designed to be broadly applied to a range of policymaking initiatives and focuses on policy change driven by political organizations during protracted periods of stability coupled with bouts of immediate change (Koski & Workman, 2018). Punctuated equilibrium theory has been used to address budget change and health initiatives as well as policies covering environmental, energy, tobacco, education, and political topics (Flink, 2017; Kuhlmann & Van der Heijden, 2018).

The political process is both rapid and slow as policymakers implement existing policies or create new ones to adapt to new information and changing needs (Baumgartner et al., 2018; Flink, 2017). Punctuated equilibrium theory suggests that governments often receive an overabundance of information that overloads individual cognitive processing abilities (Koski & Workman, 2018; Kuhlmann & van der Heijden, 2018). Information is therefore not accurately synthesized, which results in some policy issues being initially ignored with the potential for future overcorrections (Flink, 2017; Koski & Workman, 2018). For example, overinformed and overtasked policymakers have been displacing U.S. terrorism policy into a subsidiary role in favor of agendas that have the potential for explosive change such as COVID-19 economy stabilization, political reorganizing following the November 2020 presidential election, and new Department of Defense guidance shifting military focus away from terrorism and toward near-peer adversaries.

Punctuated equilibrium theory shows that all policy systems are susceptible to policy change through error correction or error accumulation (Baumgartner et al., 2018; Koski & Workman, 2018). Policymaking is incremental in the realm of error correction since policy is constantly adjusted in response to new information. Yet, organizational responses are never quite proportional to the problem due to disproportionate information processing, which can lead to punctuated changes (Flink, 2017; Koski & Workman, 2018). In error accumulation, policy does not respond to negative information due to barriers in the policymaking process. In this situation, pressure builds until a drastic policy change is required (Flink, 2017; Koski & Workman, 2018). This study could help U.S. policymakers avoid cyberterrorism error accumulation by identifying barriers preventing the formation of improved U.S. cyberterrorism deterrence and response options while also capitalizing on incremental change during stasis. A more detailed description of punctuated equilibrium theory relating to this study is given in Chapter 2.

Nature of the Study

Rudestam and Newton (2015) explained that the goal of research is to link the theoretical level with the empirical level. This qualitative study addressed the perceptions of U.S. terrorism and cybersecurity experts in order to support an open-ended hypothesis. I used a systems approach for this qualitative study. Patton (2015) explained that a systems perspective is important in dealing with real world interconnections and viewing things as being embedded in larger wholes. He stated that a holistic mindset is central to a systems approach since the properties of a system are lost when taken apart, and that synthetic thinking should also be applied in which the whole is explained (Patton, 2015). Patton (2015) finally believed that systems thinking is perfect for analysis where the area as a whole is reviewed for strengths and weaknesses.

In this study, I addressed perceived appropriate deterrence and response options for cyberterrorism attacks based on expert interviews. These options are decided within the context of the government, which is the identified system in this study. Individual components of the system are various government agencies such as the executive branch and its components, the Department of Defense, and the Department of State. Each organization has different focuses on terrorism and cybercrimes and they all, therefore, have their own characterizations concerning cyberterrorism laws. There is not one standard definition of terrorism within the United States (Dinniss, 2018; Gaibulloev & Sandler, 2019; Hoffman, 2017; Marsili, 2019). Instead, each organization has created their own definition to suit their specific points of focus. Based on a systems approach, I addressed if current guidelines are enough to adequately deter and respond to a cyberterrorism attack, or if more robust guidelines should be considered.

I used a one-on-one semistructured telephone interview as the instrument for this study to allow leeway for script diversions for clarifications or to grasp deeper meanings to answers. I identified the participants in this study through demonstrated expertise in their respective terrorism and cybersecurity career fields as they relate to cyberterrorism. I lastly assumed that data saturation would occur between eight and twelve individuals.

Definitions

Bounded Rationality: This idea denotes that policymakers are limited by cognitive limitations (Baumgartner et al., 2018).

Critical Infrastructure: Defined in the United States as systems relating to cyber and physical defense, the economy, and public safety and health whose destruction or incapacitation would have debilitating impacts on their related sectors (Haber & Zarsky, 2017).

Cybersecurity: A state’s ability to guard cyberspace from crime, fraud, sabotage, espionage, and other destructive interactions using tools, policies, and actions (Weiss & Jankauskas, 2018).

Cyberspace: Computer and transactional networks that store, send, and share information online as well as the physical computer systems and infrastructure that enable the flow of information and machine interaction (Klein, 2015; Weiss & Jankauskas, 2018).

Cyberterrorism: Terrorism in cyberspace that features attacks against computers and networks by subnational groups or individuals through violence or fear to coerce or intimidate a state’s government or citizens to further political or social objectives (Jenkins & Godges, 2011; Klein, 2015; Marsili, 2019; Warf & Fekete, 2016).

Cyberwarfare: Malicious actions in cyberspace that result in outcomes comparable to major kinetic violence (Shad, 2018).

Disproportionate Information Processing: Processing that contributes to the rate of policy change associated with punctuated changes described in punctuated equilibrium theory (Flink, 2017).

Punctuated Equilibrium Theory: A policy process theory for understanding change in organizations. Punctuated equilibrium theory posits that political processes operate primarily in stable environments defined by measured progress (Baumgartner et al., 2018). Yet, these same environments can also experience significant political change (Baumgartner et al., 2018). The cause of change is driven by political agendas and information flow and can be hindered by institutional friction or limited cognitive abilities (Baumgartner et al., 2018; Flink, 2017; Kuhlmann & Van der Heijden, 2018).

Systems Approach: An approach dealing with real world interconnections as being embedded in larger wholes (Patton, 2015). A holistic mindset is therefore central to this approach since the properties of a system are lost when taken apart (Patton, 2015). The United States government was the system for this study.

Assumptions

Assumptions are aspects of the study that are believed but cannot be demonstrated to be true (Creswell, 2013). I assumed that all participants were knowledgeable on subjects related to their professions and that they all understood the context of the research. I chose the participants due to their notable resumes and accomplishments in their respective fields and I assumed that all participants provided accurate information. Lastly, I assumed that my military background as a member of the intelligence, surveillance, and reconnaissance community had no effect on the data collected and its public release.

I obtained all information used in this study from open source information. I had access to classified databases but did not utilize any government networks to search for cyber or terrorism specific information while enrolled in the doctoral program. I assumed, therefore, that the military public affairs office would promptly allow the release of this study.

Scope and Delimitations

United States cyberterrorism prevention and response strategies were the sole focus for this study, while excluding the applicability of creating specific laws related to a cyberterrorism attack. Since U.S. laws apply mainly to U.S. citizens, cyberterrorism laws would need to include a discussion on projecting laws into foreign countries as well as creating and amending international treaties to respond to cyberterrorism threats. Additionally, laws are more general in nature while a prevention and response narrative focuses on specific actions based on specific events determined by the residing national leadership. Because of this, an in-depth study of past laws concerning cybersecurity and terrorism was omitted and the research instead focused on a qualitative study using participant interviews to gain the perception of terrorism and cybersecurity experts.

This study could serve to promote dialogue between different federal government and private organizations under the common impetus of cyberterrorism. I gathered all information through interviews, allowing participants to focus on information they felt was relevant and important. Cyberterrorism is a new and evolving field, driving current information to become quickly outdated which is why the study relied heavily on expert knowledge.

Limitations

Limitations are potential weaknesses in a study that are out of the researcher’s control (Creswell, 2013). The main limitation of this study was the potential for incomplete information due to a limited number of participants. Creswell (2013) recommended three to ten contributors, and Morse (1994) suggested six participants to understand the core of the topic. While Creswell (2013) and Morse (1994) offered firm numbers, Merriam (2009) believed sampling size depended on many factors including research questions and data collection. Finally, both Merriam (2009) and Patton (2015) identified resource limitations as a major factor for determining sampling size.

All study participants worked in various government, security, legislation, and educational sectors so the perceptions of their knowledge could have been skewed by their own lived experiences. Another major limitation of this study was not knowing what controlled or classified guidance exists within the many U.S. government layers for preventing and responding to cyberterrorism attacks. However, classified information concerning cyberterrorism could not be used for public policy formation given the secret nature of the information not made available to every policymaker or foreign government.

I strived for unbiased research throughout this study, yet as a new researcher, it was imperative for me to identify and attempt to mitigate all potential biases before beginning the research. Above all, I attempted to avoid confirmation bias by not forming any premature hypotheses or beliefs concerning cyberterrorism. I also objectively collected and analyzed all information before drawing any conclusions.

Significance of the Study

In this study, I investigated if cyberterrorism policies could be improved to ensure that a future U.S. federal government response to a large-scale cyberterrorism attack is effective, is in line with the values of the United States, and is also palatable to the international community. A multitude of domestic policies are created to directly address acts of physical terrorism. These policies could also be used to prevent and prosecute acts of cyberterrorism. However, it might not be ideal to utilize physical terrorism policies to guide U.S. cyberterrorism agendas given the inconclusive nature of cyberattacks as well as the many disconnects between U.S. and international guidelines.

The United States government has not given serious thought to a large-scale cyberterrorism attack partially because terrorists are still believed to lack the technology to conduct these destructive attacks (Fidler, 2016; Nance & Sampson, 2017). Further, no scholarly research has been drafted to advocate for cyberterrorism specific policies designed to prevent or respond to debilitating cyberterrorism attacks within the United States. The only U.S. regulation that directly addresses cyberterrorism is section 814 Deterrence and Prevention of Cyberterrorism of the non-permanent Patriot Act (Podgor, 2002). However, section 814 focuses on penalties for individuals gaining unauthorized access to computers which would not benefit the United States in the aftermath of a successful large-scale cyberterrorism attack.

Given this lack of guidance, the United States government has the potential to make mistakes while attempting to retaliate from a successful significant cyberterrorism attack in a timely manner against an elusive enemy. An aggressive unilateral response by the United States to a cyberterrorism attack could subsequently generate negative repercussions against the country domestically, as well as from the greater international community. Yet, the negative effects of a retaliation could be minimized if the United States preemptively implemented an all-inclusive and universally palatable cyberterrorism strategy.

Summary

Terrorism is an evolving definition which is often tailored to align with the purposes of federal government entities each offering their own specific descriptions. There are also no sanctioned categories for terrorists at the international level as is evidenced by the United States’ controversial assertion of unlawful enemy combatants. The inclusion of cyber in the pursuit to define and categorize terrorists only serves to make the task of accurately classifying terrorists more complicated.

A vast majority of cyberattacks conducted against the United States have been thwarted, though cyberattacks have been and will continue to be successful against all levels of the U.S. government and industry. The country’s ever-increasing reliance on technology provides more daily opportunities for cyberattacks to occur in places within the United States that were once deemed untouchable. Terrorists are currently assessed to not possess the technology to conduct a damaging cyberattack against the United States, but the threat is getting more tangible with each passing day. It could also be in the realm of possibilities for terrorists to surprise the world with a large-scale cyberterrorism attack within the United States just as they did conventionally on September 11, 2001.

The United States has strict rules in place that guide conventional responses to hostilities. Following a large-scale cyberterrorism attack against the country, the U.S. government could adapt these guidelines to suit a new type of warfare, or they could ignore them altogether. Either way, decisions would be made with incomplete information by U.S. leaders in the tense aftermath of a successful large-scale cyberterrorism attack. Because of this, it might benefit the U.S. government to draft a succinct response plan to a large-scale cyberterrorism attack in order to be prepared to respond smartly to any such attack and to also highlight a deterrence plan in order to prevent cyberterrorism attacks from occurring at all.

In Chapter 2, I provide an exhaustive review of the current literature related to cyberwarfare, terrorism, and cyberterrorism and identify the databases used to obtain this literature. I also expand on punctuated equilibrium theory and relate it to previous cyberterrorism associated work. I lastly review and synthesize available literature as it relates to the research question in order to justify the holistic thinking based on a systems approach.