From computerised transport systems to energy grids, our modern-day infrastructure and industries are at risk of cyber terrorist threats.
Excerpt from the 2019 Global Terrorism Index
Today, we are living in the Industry 4.0 era. This is not new, as it has already been happening for the last seven or eight years. It is an era of smart manufacturing and factories, but also of smart cities and energy grids, cloud and cognitive computing, the Internet of things and artificial intelligence.
Our world has changed and continues to do so at an even faster pace.
This new context, analysed from the terrorist threat perspective, unfortunately presents more and new vulnerabilities. All the “classic” threats are still there, from plane hijacking to mail bombs, and many new ones have been added.
From a legislative and political perspective, I must add that the problems come not only from the huge diversity of threats we face; there is also a real difficulty in defining the threats.
When does a criminal activity become a terrorist activity? When does the responsibility of the non-state actor end and the responsibility of the state actor begin?
How can a cyber attack be criminalised when a single perpetrator can hide behind many layers of geographical locations, jurisdictional authority, and cyber identity, and operate with no prior warning signs before an attack and no traces left after?
In the European Union (EU), our work is based on the legal definition of terrorist offences as defined in the Council Framework Decision 2002/475/JHA.
Criminal offences, from attacks upon a person’s life to interfering with or disrupting the supply of water or power, if committed as part of one of the above aims, are treated as a terrorist offence.
In 2017, there was a strong step in the right direction, as under the new Directive on Combating Terrorism, cyberattacks were added to the list of terrorist offences, allowing for the prosecution of cyberterrorism. The 2018 Network and Information Security Directive and the proposed establishment of a European Union Cybersecurity Agency mirror this step forward.
Despite being among the most advanced forces in the response to terrorist threats, the European Union still lags behind perpetrators’ resourcefulness and rapid technological advancements. Adding to the practical difficulties of identifying what exactly can be considered as terrorist activity, we have the problem of an outdated definition. In the Industry 4.0 era, working with a 17-year-old terrorism definition is already archaic. At the time when we agreed upon what can be considered as a terrorist act, there were no social networks, no cryptocurrencies, and no civilian or commercial drones.
We need clarity and determination in our legislative tools. They are the cornerstone for a strong and efficient institutional framework, and they are equally important for an effective array of intervention tools designed to foil, protect, deter, and, of course, criminalise terrorism.
Of course, the European Union alone can’t be effective in the Industry 4.0 era context. Even with the strong involvement of our traditional partners, we are still vulnerable and weak in criminalising terrorism. A global effort, backed by resolute United Nations decisions, is mandatory.
Fortunately, we have the power and instruments to push the international community towards a future where those whose goal it is to instil fear or cripple whole countries will no longer be able to strike, run, and hide. Let’s not overlook the fact that the EU is a global power in any way we measure it. We have formidable economic, political and diplomatic might. This force can bring to our grasp the necessary intervention and persuasion tools for reaching our goals, if we really want to.
Looking at the conclusions of numerous social studies published in recent years, I must say that European citizens desperately want this “fight with terror” to end. They also want the EU to be the winner of this fight.
In 2016, 2017, and 2018, EU citizens pointed out “more EU involvement in the fight against terrorism” as their top priority. Even with a drop in support from 82 per cent to 77 per cent, it remained the topic with the highest support at EU level, surpassing unemployment, environment, and migration. Citizens clearly want the EU to have a more determined role in countering terrorism and, as we already saw, this can’t be done only by building a ‘Fortress Europe’. In today’s connected world we need global solutions.
I consider the EU citizens’ concern as fully justified. It is not only because we, in Europe, have been a prime target in the last five years of so many terrorist attacks, during which hundreds of EU citizens lost their lives. It is also because, considering the level and particularities of our development, the EU is particularly vulnerable to the new terrorist threats of the Industry 4.0 era.
The WannaCry attack from 2017 showed us how vulnerable our computer networks are. The National Health Services of both England and Scotland were crippled, with up to 70,000 devices—including computers, MRI scanners, blood-storage refrigerators and theatre equipment—affected.
Many European companies including car producers, banks, telecommunication operators from almost all EU countries, and even universities and ministries, were also hit. With 200,000 computers infected and US$4 billion in losses, WannaCry was also immensely costly.
Is Lazarus Group, the alleged cybercrime group behind the WannaCry attack, a criminal group or a terrorist group? We have to decide and act accordingly.
For the moment, it was labelled as an Advanced Persistent Threat (APT), along with 15 other similar, already identified structures from China, Vietnam, Iran, North Korea, Russian Federation, and one from the United States.
The attack’s impact would have been much worse if a kill-switch had not been discovered, or if it had been specifically targeting highly critical infrastructure, like nuclear power plants, energy grids, dams or railway systems.
This opens the discussion about another terrifying vulnerability that we have: a terrorist attack that would take full advantage of the tools and targets available in the Industry 4.0 era — our critical infrastructure, and especially our energy grids.
WannaCry attacks, and the many similar, but smaller ransom attacks, have the main purpose of generating resources (money and data). Rarely can they physically harm someone.
Meanwhile, a direct attack upon energy grids, for example one targeting the gas transport systems, performed in the middle of the winter, can actually kill people.
Not to mention that it will score very high in the intimidation factor and in the socio-economic destabilising factor. Such an attack could also be accompanied by threats and demands related to a specific governmental policy.
We know that the tools are available. For example, Stuxnet, a malicious computer worm first uncovered in 2010, specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes, such as those used to control machinery and industrial processes, including centrifuges for separating nuclear material.
In a report published in December 2010, the Institute for Science and International Security suggests that Stuxnet is a reasonable explanation for the apparent damage of up to 1,000 centrifuges at the Natanz nuclear enrichment lab in Iran.
Stuxnet’s design and architecture are not domain-specific and could be tailored as a platform for attacking modern supervisory control and data acquisition (SCADA) and PLC systems, for example in factory assembly lines, power plants or energy grids, the majority of which reside in Europe, Japan and the US.
Maybe we’ve just been lucky here, in Europe, as Stuxnet is apparently linked to the National Security Agency and Israeli intelligence. But this doesn’t mean that other APT state-sponsored groups don’t have the resources or the motivation to develop similar cyber weapons.
Looking back, we notice that our counterterrorism measures are generally developed in response to an attack. First, a new kind of attack takes place, and afterwards we develop and implement countering measures. Some work, some don’t.
Today, the state of play indicates the imminence of a major terrorist attack, targeting, for example, energy grids. We already saw recently, in Saudi Arabia, that it is possible, using inexpensive and readily available drones, and it can have global effects. We also saw that, despite huge military spending—Saudi Arabia has the third largest military expenditures and is ranked first when measured as a share of GDP—the vulnerability remains.
If we want to be effective, and our citizens demand it, the solution doesn’t come from taller and thicker walls or firewalls. While they are needed, they will not deliver lasting security, but more costs.
In the Industry 4.0 era, lasting solutions to the new terrorist threats require cooperation at the global level. As others are not ashamed to use their power for personal gains, the EU should not be ashamed to use its own tremendous economic, political and diplomatic power for the benefit of all.
Tackling the new terrorist threats can be done only on a global scale by closing all the rabbit holes, committing to pursue the perpetrators no matter where they hide, and bringing those responsible to justice.
Just like the European environmental agenda, tackling terrorism will make a better tomorrow possible not only for European citizens, but for all.
This essay was first published in the 2019 Global Terrorism Index. The opinions expressed throughout this article are the opinions of the individual authors and do not necessarily reflect the opinions of Vision of Humanity or the Institute for Economics & Peace.