Chapter 5: Discussion, Conclusions, and Recommendations
Introduction
In this chapter, I provide a summation of the purpose and review the key findings of the study. I then discuss the limitations, recommendations, and implications of the study and finally end with the conclusion. The purpose of this qualitative study was to explore the perceptions of terrorism and cybersecurity experts in the United States to understand how the country might prevent and respond to a large-scale cyberterrorism attack. Through expert interviews, I addressed if additional measures were needed to better handle aspects of any major cyberterrorism attack. This study filled a gap in literature identified through an exhaustive literature review by presenting expert analysis on current U.S. government cyberterrorism policy including the validity of creating U.S. cyberterrorism-specific deterrence and response guidelines.
I collected data from nine participants from August 27 to October 3, 2020 using semistructured telephone interviews. All interview questions were aligned with the research question by considering the study’s problem, purpose, structure, and theoretical foundation. The six themes that emerged from data analysis were as follows:
- Terrorists’ cyber capabilities
- Large-scale cyberterrorism attack probability
- Large-scale cyberterrorism attack likely responses
- Cyberterrorism prevention measures
- Cyberterrorism policy agendas
- International cyberterrorism considerations
Interpretation of the Findings
Through the findings, I successfully answered the study’s research question: How do terrorism and cybersecurity experts perceive that the United States might better prevent, cope with, and respond to large-scale cyberterrorism attacks? Most participants agreed that terrorist organizations do not have the organic capability to carry out a large-scale cyberterrorism attack against the United States, so the probability of a successful large-scale cyberterrorism attack against the country is therefore low. However, most participants also agreed that non-state actors could conduct a successful major cyberattack against the United States with state assistance.
The literature review indicated that given these circumstances, the onus would be on the United States to correctly attribute the cyberattack and levy retribution accordingly. Most participants were satisfied with the United States’ ability to attribute cyberattacks with a high degree of confidence. Participants also unanimously agreed that the United States would respond quickly, aggressively, and lethally in response to a successful large-scale cyberattack and would not restrict responses to the cyber realm.
Information in the literature review emphasized that the United States would likely consider a state-assisted cyberterrorism attack an act of war by the belligerent government and would respond in accordance with international law. I therefore concluded that the United States does not need to consider specific large-scale cyberterrorism attack response options since terrorists likely do not possess the capabilities to carry out an attack, and the United States would consider a state-assisted large-scale cyberterrorism attack an act of war from the offending country.
However, participants also unanimously agreed that the United States could do much more to prevent destructive cyberattacks, including cyberterrorism attacks, through deterrence. Yet, any progress in U.S. cyberterrorism deterrence would require policymaker backing and coordination in both pre- and potentially post-attack environments. Experts must therefore observe and navigate U.S. government institutional friction described in these environments by punctuated equilibrium theory in order to offer improvements for cyberterrorism deterrence guidelines.
I used punctuated equilibrium theory to conceptualize expert cyberterrorism deterrence improvements in two very different environments in this study. Most participants highlighted the lack of technical knowledge amongst U.S. policymakers and agreed that cyber considerations would only be integrated into mainstream national policy discourse following a successful large-scale cyberterrorism attack against the country. In accordance with punctuated equilibrium theory, policymakers have demonstrated large-scale cyberattack complacency through bounded rationality and will likely overreact in the chaotic environment following a catastrophic cyberattack which could be problematic. However, most participants agreed that the United States would still be cognizant of international law when responding to a highly destructive cyberattack absent of any pre-drafted plans. I finally concluded that the United States must significantly improve cyberterrorism attack deterrence guidelines, but the country is not in danger of violating international law in the absence of this guidance.
Limitations of the Study
The main limitation of this study was the potential for incomplete information due to a limited number of participants. I identified a small pool of 89 potential participants meeting expert criteria for this study and drew data from only nine of those participants covering a topic that is relevant for scores of private and public organizations throughout the United States. Furthermore, all study participants worked in various government, security, legislation, and educational sectors so the perceptions of their knowledge could have been skewed by their own lived experiences. Another major limitation of this study was not knowing what controlled or classified information and guidance exists within the many U.S. government layers for preventing and responding to cyberattacks. Lastly, it was imperative for me to attempt to mitigate all potential biases as a new researcher to not inadvertently damage the integrity of the study.
Recommendations
The opportunities for further research are broad. In this study, I highlighted many areas for improvement including a lack of technical cyber education amongst U.S. policymakers, a lack of cyberterrorism defense coordination between and amongst U.S. public and private organizations, the reluctance of the U.S. government to distribute cyber-related intelligence, and the absence of cyberterrorism issues amongst top national policy agendas. Each of these areas could be researched individually or as part of a broader theme to further investigate the absence of cyberterrorism within the U.S. national defense architecture. One major limitation for the study was not knowing what classified information exists relating to U.S. cyberterrorism defense initiatives. Therefore, a classified-level cyberterrorism study could offer relevant policymakers a more complete view of the topic. Additionally, further research could be conducted with U.S. government support to include a broader sample of experts using both qualitative and quantitative methods in order to gain a deeper and more exact understanding of cyberterrorism-focused issues. Lastly, this study could be rerun using similar methods in the future to gauge the developments of U.S. national policy and policymaker attitudes toward aspects of cyberterrorism.
Implications
The theoretical framework for this study was intended to be broadly applied to a range of policymaking initiatives focusing on policy change driven by political organizations during protracted periods of stability coupled with bouts of immediate change. The findings of this study addressed the high relevance of punctuated equilibrium theory since U.S. policymakers are the gatekeepers to improved cyberterrorism-related policies. Specifically, I highlighted the need for better collective defense and prevention measures against large-scale cyberattacks in Theme 4. Yet, I demonstrated the reluctance of policymakers to address these issues in the absence of a successful large-scale cyberattack in Theme 5.
Therefore, punctuated equilibrium theory implications suggest that it would be incumbent on cyber experts to drive awareness from within and amongst organizations while simultaneously championing cyberterrorism policy consciousness since policymakers are likely not intrinsically motivated to focus on the issue. Moreover, the overarching implications of punctuated equilibrium theory can be applied to research focusing on all national policy agendas.
The implications for social change are vast. At a minimum, this study can contribute to dialogue on a number of issues absent in cyberterrorism literature discourse discussed in the results, including tracking terrorists’ cyber capabilities and improving the collective national cyber defense for small private businesses to large government organizations. Many advancements are required to create a unified U.S. cyber defense front along with associated policies. Future research could therefore explore improved cyberattack preparedness holistically or broken down into its many shortcomings presented in Theme 4.
Theme 5 also addressed the lack of cyberterrorism knowledge amongst U.S. policymakers, so this study can also be used to encourage greater policymaker cyberterrorism awareness through education and through requiring the synthesis of cyber-related information from government organizations in order to make accurate determinations. Lastly, a recommendation generated from the results of this study would be to closely monitor terrorist organizations’ digital developments since continuous innovation in cyberspace could eventually lead to a *cyber 9/11* breakthrough, and the United States will need to be ready with deterrence and response options when that happens.
Conclusion
In this research study, I sought to determine if the United States needed cyberterrorism-specific deterrence and response guidelines in order to better prepare for and respond to successful large-scale cyberterrorism attacks. A thorough literature review found that the United States has not established cyberterrorism guidelines, with information generally being nonexistent on the topic, and I wanted to figure out why. I interviewed nine highly qualified cyber and terrorism experts to gather information and discovered different reasons for why the United States does not have cyberterrorism deterrence guidelines and why the country also does not have similarly specific response guidelines.
The United States presents a very weak cyber defense posture, which most participants in this study felt needed improvement, due primarily to policymaker inattention but also as a result of highly individualistic cyber defense efforts amongst virtually all U.S. organizations. Furthermore, the United States does not have cyberterrorism-specific response guidelines primarily because terrorist organizations most likely do not have the capability to organically conduct a successful large-scale cyberterrorism attack.
However, cyber technologies are exponentially increasing in sophistication and proliferation which does not necessarily align with the metered and reflective progress of the U.S. government and could thus be problematic. Every U.S. policymaker will be well versed on cyberterrorism following a successful large-scale cyberterrorism attack, but likely not until then. It is therefore incumbent on cyber experts nationwide to surreptitiously improve defenses, raise awareness, and drive change until cyberspace is intuitively comprehended by a technically astute generation at some point in the future, and hopefully not as the result of a destructive cyberterrorism attack within the United States.