The oft-repeated fear of the modern age is of cyber-terrorism. How real is the threat and have we faced any significant cyber-terrorism to date?
To understand the issue, it is important to understand what is terrorism. A UN panel, on March 17, 2005, described terrorism as any act "intended to cause death or serious bodily harm to civilians or non-combatants to intimidate a population or compel a government or an international organization to do or abstain from doing any act.” Hence, we have narco-terrorists who indulge in wanton killing of civilians to pressurize the government to back off from them. We also have state-backed terrorists such as what India faces from its neighbouring country, where the state-backed terrorists indulge in wanton killing of civilians.
Is terrorism a manifestation of the 20th century? Not really. We have had recorded history of the Macedonian blood-thirsty hegemon, Alexander, killing every man, woman and child in cities after cities that he and his marauding troops overran. This was meant to spread terror and force other cities and kingdoms to surrender without putting up a fight. Alexander did the same to even the Greek cities, to subjugate them with utter terror. Over a thousand years later, the Great Mongol leader, Ghenghiz Khan followed the same strategy of terror, as part of war tactics. Another 800 years later, the British indulged in the most horrific terror act of bombing the beautiful city of Dresden and turning it into a fireball killing most men, women and children in the city, with the sole aim of terrorizing the German government into subjugation during World War II. That act of the terror bombing of Dresden triggered a free for all killing of civilians by all sides in Europe, that quickly degenerated into the most shameful and savage slaughter of humans in the entire history of humanity.
Many people confuse the acts of Bhagat Singh and other freedom fighters who chose the path of violence as terrorism. They were not acts of terrorism, simply because civilians were not harmed. And whenever civilians and non-combatants are harmed, that act becomes an act of terrorism, be it in the physical world, or the cyber world.
So clearly, the test of cyber-terrorism is whether civilians are harmed to send a message to the government. Now, let us take up the case of the massive grid failure in Mumbai on October 12th of last year, which as per New Your Times, was due to a cyberattack by a Chinese entity. The Chinese hackers had installed malware in the control system of the Maharashtra Electricity Supply company that supplies 1 GW of electricity to Mumbai. This crippled the energy supply to Mumbai, impacting schools, hospitals, offices, local trains and almost every aspect of life. It had a significant impact on civilians and the intention was to warn the Indian government of the ability of the Chinese to make deeper cyber-terrorism attacks on India if India continues to energetically defend its borders with China. This was a classic case of state-backed cyber-terrorism.
The impact could have been much more severe, such as in the case of the cyber-bombing of the nuclear centrifuges of Iran, where the centrifuges self-destroyed. However, the cyberattack on Iran was not a terrorist activity as the affected target was not civilian. But, imagine the metro signalling systems being cyber-jacked and metro trains made to collide. That would have an appalling impact on civilians. Similarly, banking systems, airlines, long-distance trains, customs systems, taxation systems, UPI etc could all be targeted, not for extracting an economic benefit as cyber-criminals do, but for bringing pressure on the government and degrading the ability of the government to respond on geopolitical developments.
So, what needs to be done? To begin with, there needs to be a standard response protocol developed for responding to cyberterrorism arising from both state and non-state actors. Second, the internet resilience initiatives of the government need to be accelerated. Imagine if the .in Top Level Domain (TLD) is deleted from the root servers of the internet. It will create mayhem in India. Therefore, the initiatives related to internet resilience in India, are critical. Third, there needs to be a regular cyber-audit of systems, including training, and regular updates of cybersecurity.
Unfortunately, advanced hackers with the appropriate threat vector, along with compromised humans in the loop, can break into the most sophisticated systems. Therefore, the monitoring should be not just of the cyber systems, but also of the humans in the loop. The unleashing of violence against the North-Easterners in Bangalore, using false narrative messages on social media, is also an act of cyber-terrorism. Therefore, regulations such as those that allow tracing of messages, become critical tools for combating cyber-terrorism.
We have slipped into a sinister new world of state and non-state actors shifting their acts of terrorism from the physical world to the cyber world. With everything and everyone getting more and more connected into one seamless fabric of interconnectedness, the impact of cyber-terrorism would be significantly higher than even the bombing of Hiroshima and Nagasaki. Of course, the Dresden bombing at the start of World War II, pale out in comparison to the bombing of Hiroshima and Nagasaki, at the end of the war. Both being savage acts of terrorism. Similarly, the Mumbai cyber-terrorism attack is but a benign prelude to the cyberterrorism of the near future.