Parsing fact from fiction in US cyber defense readiness
Overview
This essay (LG 536, Prof. James Fitzgerald, DCU, April 2019, 5,042 words) examines whether US cyber infrastructure can adequately defend against the unique threat of cyber terrorism. It argues that — regardless of the sensationalism endemic to cyber prophecy — the current US cyber infrastructure is inadequate to meet the potential threats of cyber terrorism.
Core Argument
The essay navigates a middle path between cyber hype and cyber dismissal. While skeptical of the overblown rhetoric surrounding cyber Pearl Harbor predictions, it identifies three structural vulnerabilities that collectively render US cyber defense inadequate:
- Private Sector Dominance — 85% of US internet infrastructure is privately owned, yet private companies are prohibited from offensive cyber operations. They possess capacity (talent, networks, budgets) rivaling or exceeding USCYBERCOM and DHS, but are legally constrained to defense only.
- Cyber as Weapon — Cyber offers terrorists flexibility, low cost-to-entry, low risk, and the ability to iteratively fail with minimal consequence. The signal-to-noise ratio and privacy tradecraft provide cover. Leadership's generational cyber ignorance compounds the problem.
- Jurisdictional Ambiguity — Cyber terrorism straddles the fault line between DHS (domestic) and USCYBERCOM (military), with neither possessing clear authority. The DHS is underfunded relative to its mandate; USCYBERCOM's primary mission is defending military networks.
Structure
Defining Cyber Terrorism
The essay constructs a working definition from governmental sources:
- Cyberspace (DOD): "A global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data"
- Terrorism (22 USC § 2656f): "Premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents"
- Cyber Terrorism (CRS): "The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives"
The essay uses government definitions deliberately — to judge the government's institutions and actions against its own words.
Labeling
The Sony Pictures hack (2014) case study demonstrates how political considerations, not definitions, determine classification. The attack met the government's own cyber terrorism criteria but was labeled "cyber vandalism" by Obama — because foreign/domestic policy considerations (threat escalation, proportional retaliation) overrode definitional consistency.
Key insight: "The definitions presented ostensibly signal clarity but are applied by those in power when the terms serve their interests."
The Tulip Systems Case Study
During the 2008 Russo-Georgian war, Tulip Systems (Atlanta, GA) unilaterally offered to host Georgian government websites on US-based servers — without informing the US government. This exposed three inherent cyber problems:
- Grey zones — conflict operating between peace and war
- Attribution — inability to trace attacks to attackers
- Non-state actors — private companies becoming de facto belligerents
Private Perspective
- Private enterprise owns 85% of US internet infrastructure
- Top 6 tech companies spent ~$80B on R&D (vs. ~$15B total US cybersecurity budget)
- Companies are prohibited from offensive response but possess rival or superior capacity
- Companies often withhold breach information, further complicating the picture
Cyber as a Weapon
- Low cost-to-entry, high flexibility for attackers
- Signal-to-noise ratio provides cover
- Attribution problem cuts both ways: defenders can't identify attackers, but attackers may fail to claim credit (the "theatre of terror" paradox)
- Map-territory disconnect: cyber's borderlessness makes comprehensive defense resource-intensive for the state vs. cheap offense for terrorists
Jurisdiction
- DHS secures the homeland but is underfunded (~$1.7B cyber budget)
- USCYBERCOM has superior resources (~$8.5B DOD cyber), but its primary mission is military networks
- "Cyber Guard" exercises attempt to clarify roles, but Rishikof questions their efficacy
- LTG McLaughlin admitted the government has only a "broad framework" with significant ambiguity
Conclusion: Conway's Turn
The essay closes with Maura Conway's intellectual evolution — from skeptic (2002–2014) to believer (2018) that cyberterrorism is a real and growing threat. Her trajectory mirrors the essay's argument: the loud language was wrong, but the quiet facts were accumulating.
The essay ends on Herman Kahn's axiom: "The aggressor has to find only one crucial weakness; the defender has to find all of them, and in advance."
Key Thinkers
- Timothy Snyder — fabricated binaries, securitization rhetoric
- Thomas Rid — Cyber War Will Not Take Place
- David Sanger — The Perfect Weapon, cyber realism
- Maura Conway — cyberterrorism skeptic turned believer
- Robert Cox — "Theory is always for someone and some purpose"
- Harvey Rishikof — cyber law, jurisdictional questions
- Alexander Klimburg — The Darkening Web, definitional crisis
- Herman Kahn — aggressor's advantage axiom
- Yuval Noah Harari — theatre of terror
- Amy Zegart — organizational roots of intelligence failure
- Lawrence Wright — The Looming Tower, 9/11 narrative
- Peter W. Singer — "The Cyber Terror Bogeyman"
- Alfred Korzybski — map-territory relation applied to cyber
Cross-References
- This is the companion essay to the Cyber Law article — both written for the DCU MA, both on cyber, but this one focuses on terrorism infrastructure while the other focuses on legal governance
- The labeling analysis directly connects to the "word vs. deed" theme running through the R&MC essay and Seasoned Optimism reflections
- The Tulip Systems case extends the Cyber Law essay's private sector / privatization of sovereignty analysis
- The map-territory framework connects to the IS Essay's McNamara metrics critique
- The institutional failure thread (FBI-CIA pre-9/11) connects to the failure of imagination theme in the Cyber Law essay
Publication Potential
- The labeling analysis is the essay's most original contribution — the Sony case study as worked example of how political power determines classification
- The Conway arc (skeptic → believer) offers a compelling narrative frame
- The Kahn axiom closing is a strong rhetorical move worth preserving