Security Information Week 39, 2007


Introduction

Experts - self-appointed and a few others - often claim that malicious software (malware) is the ultimate tool for terrorist groups. The idea is that terrorist groups are interested in taking out parts of a nation's critical infrastructure, as a means to reach their long-term goal(s). Countries, and organizations that are part of a country's critical infrastructure, should therefore secure their systems with particular focus on this potential threat.

Malicious software has been easily available for a long time, and terrorist groups have shown no particular affinity for using malware as a terrorist tool. Nevertheless, this Security Information will attempt to analyze this claim.

In order to avoid misunderstandings, note that we will discuss the use of malware as the terror act itself. Obviously, malware can be used as one of many instruments in the preparation for terrorist acts, e.g. by placing trojans and spyware on crucial computers to gather information about the ultimate target.

The arguments from the advocators

The arguments from those who believe that malware is the next generation's tool in any terrorist group's arsenal have the following elements:

  1. One can use malware to target and paralyze/destroy a nation's critical infrastructure.
  2. No major organization is needed to set up an attack using malware.
  3. Malware created to target a nation's infrastructure is easy to obtain and extremely inexpensive compared to other tools needed to accomplish the same or similar effect.
  4. It is not difficult for those who launch an attack using such malware to hide themselves in a way that is almost untraceable.


These items all seem to be true.

Is malware then really a terrorist's wet dream? Are we willing to buy into the general postulate? 
Not quite - or at least not yet, as will be shown below.

For this discussion to be useful, let us use some time to examine terrorism itself.

 

Characteristics of terrorism

It may be useful to start by defining the word "terrorism". Two definitions are:

Encyclopædia Britannica (Free online version):

Systematic use of violence to create a general climate of fear in a population and thereby to bring about a particular political objective. (...)

Wikipedia:

Terrorism in the modern sense is violence or other harmful acts committed (or threatened) against civilians for political or other ideological goals. Most definitions of terrorism include only those acts which are intended to create fear or "terror", are perpetrated for an ideological goal (as opposed to a lone attack), and deliberately target or utterly disregard the safety of non-combatants. Many definitions also include only acts of unlawful violence.  (...)

Other sources show similar definitions.

There are two key elements that are central in both of the abovementioned quotations - violence and general fear.

Examples of the kinds of acts performed by terrorist groups are numerous, for example:

  • Car bombs
  • Blowing up airplanes
  • Hijacking airplanes
  • Forcing hijacked airplanes to crash into buildings
  • Suicide bombings in crowds
  • Suicide lorry attacks on official buildings
  • Launching rockets at people or buildings
  • Shooting into crowds of people
  • Attacks on the general population using poisonous gas
  • Taking hostages

All of the abovementioned examples more or less comply with the key elements that were focused on above. It is probably correct also to assume that the more violence involved, the more fear a terrorist act will generate in the general population. 
[Whether it is a wise tactic for a terrorist group to use such means to reach its ultimate goal is quite another issue, and beyond the scope of this Security Information.]

Malware as a tool for causing general fear by use of violence

Our Security Information for week 38 was an item about the history of malware, and included some examples of the malware attacks that have caused the most problems in the last 25 years. Several characteristics have been and may be used to describe these attacks. However, "violent" and "causing general fear" are hardly the terms that first come to mind.

On the other hand, it must be said that, as far as we know, no terrorist groups were involved in the creation and distribution of these malware programs. Is it then possible to imagine a piece of malware that could cause general fear and involve some violence?

"Violence" is not a precise term, and one may perhaps use it for e.g. a virus that is particularly aggressive in its destructive payload, or a worm whose spreading mechanism is very effective. Let us accept this for a moment.

We are then on to the "general fear" condition. Owners and employees of an organization that is severely hit by any piece of malware, and thereby not able to conduct its usual business, may of course be afraid, as the organization will lose money and in the worst case be forced to close down. Single users that are severely hit will feel that this is troublesome, as they may no longer be able to read their emails, surf the Internet, etc. But general fear among the public - hardly!

But the terrorist groups will target institutions that are critical for modern society to function, the advocators claim. And indeed it is conceivable that specially crafted malware may be able to disrupt a country's banking systems, electricity supply (at least in some regions at a time), communication systems etc. The problem seen from the terrorist groups' point of view, however, is that it is probably very hard to take down such systems for a very long time. Cooperation between different nations' computer emergency response teams is quite good, and it is probably possible to jointly stop a coordinated attack on one particular country. It may be necessary to resort to quite drastic means to stop a sophisticated attack, but if the consequences for the targeted country are severe, the Internet community will probably accept the cost of disrupting other services for a short period of time until the attack is terminated permanently. One may therefore assume that the population in the targeted country will be irritated, feel that their normal activities are disrupted, and experience that tasks that are usually taken for granted are now awkward or impossible to perform. The country may potentially experience a huge loss of money from disrupted essential activity. However, it is dubious that there will be a general fear among the population.

Another consideration should also be mentioned: In order to effectively disrupt a country's critical infrastructure, quite sophisticated knowledge about these systems and their (potential) vulnerabilities must be gathered. This will normally be more complicated and complex than some of the terrorist acts that are mentioned above. On the other hand, other examples of terrorism that are mentioned require substantial preparation and knowledge of the targets.

Based on the discussion above, it seems safe to conclude that malware in its currently known form is not a particularly useful tool for terrorist groups as the terrorist act itself. It does not sufficiently comply with the "general fear" condition.

Malware as a tool in war between countries

In a situation of war between two countries there are different considerations involved. Effective use of malware may then very well be seen as a useful weapon for one of the parties, particularly combined with other weapons that are available. Several of the considerations and obstacles that terrorist groups will have to take into account will then not be present and/or can be disregarded as non-relevant. 
That discussion, however, is not relevant for this Security Information.