Since the terrorist attacks of September 11 2001, a lot of money has been spent on fighting terrorism. People who want money, whether for their department budgets, federal grants, or to fund startups, have been casting themselves as terrorist fighters. It has simply become to word du-jour. In the information security field, one of the outgrowths of this is the complete and utter overuse of the phrase cyber-terrorism. Admittedly I saw a lot more of this when I was in government circles than I do now in the private sector, so I suppose this is a “leftover rant”, but it is also intermittently popular in the media. Let me say loud and clear: cyber-terrorism does not exist – now, or ever. (Cyber-warfare is a more complex issue which I’ll deal with in another post).

I remember one government run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention – not avoid it. A terrorist wants to get on the front page of every newspaper in the world – they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic – they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result). Cyber-terrorists may make good movies, but they simply don’t exist in real life.