Speaker Abstracts

Edward T. Barrett, US Naval Academy

“Cyber Terrorism: Ramifications for Liberal Democracies”

This paper explores the ethics of possible responses by economically advanced liberal democracies to cyber terrorism. Lamentations over the future of liberalism have proliferated over the past several years. Culprits have included cultural effects of rights-based politics, economic globalization combined with crony capitalism, populism and identity politics. But cyber terrorism—sublethal and lethal—promises to aggravate internally-generated problems and create others in vulnerable open societies. The first part of the paper describes the social pathologies caused by cyber terrorism, including increased fragmentation/alienation, frustration, cynicism and fear. The second part examines ethically unacceptable responses to the political delegitimization caused by these pathologies: fearful insecurity, increased privatized security, political fragmentation, or a post-catastrophe national security state. The third part explores the ethically acceptable but politically challenging option of implementing moderate but effective security-enhancing measures for citizens rightfully wary about state power and the right to privacy; and offers a liability-based framework for responding defensively and punitively to sublethal and lethal cyber terrorism.

Kyung-Shick Choi, Boston University

Ransomware Terrorism and Bitcoin: An Exploratory Study of Bitcoin and its Relations to Ransomware Attacks

This study is designed to facilitate an important role in raising awareness on the evolution of ransomware terrorism -- while potentially minimizing cybercrime victimization in an advanced information era. Under the assumption that well-publicized criminal activities can impact the general public’s awareness level and behavior, we examined the impact of two of the well-known ransomware (CryptoLocker and WannaCry) cases on online search queries and bitcoin price index. To capture the interdependencies among ransomware attack, search queries, and bitcoin market across time series, we use vector error correction (VEC) models. The findings indicate that the fame of ransomware cases may increase the level of public awareness toward ransomware and bitcoin, which also triggers the increase in bitcoin price at the same time. Ransomware terrorism related preventive and control measures are discussed via an application of Cyber-Routine Activities Theory.

Timothy Edgar, Brown University

The Destabilizing Effects of Legal Uncertainty in Applying International Law to Cyber Attacks

The most relevant work I've done is about the destabilizing effects of legal uncertainty in the application of traditional international law principles to cyber attacks. The result has been a "free-for-all" because no one can really say what kinds of cyber attacks (whether by states or non-state groups) meet the threshold of an "armed attack" triggering the right to self-defense under article 51 of the UN Charter, or what kinds of responses are lawful and proportionate. I don't think an international treaty is feasible and I don't think discussions about cyber norms have been very productive. I've attached a popular article from 2015 that summaries some of my views on the legal issues.

So what is the solution? For the US government, the best answer is simply to do no harm – 1) have a strong bias towards disclosing vulnerabilities so they can be fixed, instead of keeping them so they can be used for intelligence or cyber attacks, 2) let the EU to lead the way on regulating the private sector to encourage better data security and privacy, and 2) let companies deploy strong encryption without back doors.

Miguel Gomez, ETH Zurich

Cyber Malaise: The Effect of Extended Exposure to Cybersecurity Incidents

Over the past decade, advancements in technological and organizational capabilities among cyber-capable actors is observed through the emergence of cyber operations capable of exercising effects in physical space. The possibility of inflicting physical damage through this virtual domain continues to reinforce images of “cyber doom” across increasingly ICT-dependent societies. This notion, however, appears paradoxical given the absence of persistent physical effects resulting from offensive cyber operations and the restraint exercised by cyber-capable actors. Moreover, the unabated integration of these vulnerable systems into our day-to-day lives exhibited by the adoption of technologies such as the Internet-of-Things leads one to question whether or not this sense of dread associates with the exploitation of cyberspace is as severe as we are made to believe. Through a series of survey experiments this paper illustrates that fear among the general public associated with malicious behavior in cyberspace is not as salient as initially claimed. Specifically, we assert that constant exposure to these events through public statements results in a numbing effect among consumers of this information. This, as a consequence, leads to a reduced emotional response to succeeding cases of incidents in cyberspace. In terms of its significance, the paper offers two noteworthy contributions. First, an understanding of how these affect individuals allows us to better gauge the overall efficacy of these operations. If cyberspace is indeed a practical coercive instrument, a greater awareness of how it is perceived by the public is necessary for validating this claim. Second, if malicious behavior in cyberspace does indeed result in a numbing effect, then attempts to promote better cyber-hygiene would need to adapt to take this sense of “normalcy” to prevent negligence from setting in. While past research focused significantly on the perceived utility gained through the exploitation of cyberspace, it is equally important to take into account its effects on individuals especially as this phenomenon increasingly becomes commonplace.

Jian Hua, University of the District of Columbia

Are We Ready for Cyberterrorist Attacks? Examining the Role of Individual Resilience

Cyberterrorist attacks on financial systems can have devastating impacts on individuals, businesses, and even national economy. Given these facts and taking into consideration the possibility of the worst-case scenario, security researchers and practitioners would be extremely interested in finding the answers to the following questions: (1) What would happen if credit/debit cards and ATMs cannot be used following a cyberterrorist attack? (2) How long can Americans survive without payment instruments? (3) Would Americans be resilient to such terrorist attacks and avoid chaos in their lives and communities?

“Resilience” is defined by the U.S. Department of Homeland Security (DHS) as “ability to resist, absorb, recover from or successfully adapt to adversity or a change in conditions” (DHS, 2011). Reliance is a salient concept in the disaster recovery literature because research and practice have shown that building resilience in communities and citizens is a way to reduce the impacts that disasters can have on the nation and its communities. Research has also shown that individual resilience is integral to community and national resilience. It is a critical capacity to ensure people can cope with disastrous situations and bounce back strong from such situations. However, very few studies have been conducted in the IS field on individual resilience to massive cyber attacks, especially cyberterrorist attacks.

This study aims to explore the antecedents of individual resilience and its consequent economic resilient behavior. Essentially, this study examines the relationship between individual resilience and their economic resilient behavior, discovers the role of fear in individual economic resilient behavior, and explores the antecedents of individual resilience. By empirically validating the proposed research model, this study develops the individual economic resilient behavior model to predict individual behavior after cyberterrorist attacks by integrating the literature on resilience and fear appraisal. The research model integrates the resilience literature with the fear appraisal literature to address individuals’ fears of cyberterrorist attacks on financial systems. The primary research questions in this study are: (1) How does individual resilience influence individual economic resilient behavior? (2) What are the antecedents of individual resilience? (3) What role does fear play in individual economic resilient behavior?

The research model is tested empirically using data collected through an online survey. The results show that (1) community support and family financial management significantly increase resilience toward cyberterrorist attacks, and (2) resilience to and fear of cyberterrorist attacks significantly influence individuals’ behaviors in handling their finances.

The findings of this study can provide recommendations for cyber disaster planning and recovery regarding how to create resilient communities and encourage civilian resilience after cyberterrorist attacks on financial systems. These findings may help IT practitioners develop strategies to build cyber resilience capacities among individuals and communities. These findings may also be generalized to other cyberterrorist attacks and help understand the impact of individual resilience. The study contributes to our knowledge of citizens’ post-cyber-attack adaptive and recovery behaviors.

Nadiya Kostyuk, University of Michigan

Public Perception of Cyber Institutions: Evidence from Survey Experiments in Russia and the United States

Over the last decade, states have been creating publicly observable cyber institutions to deter their adversaries from attacking them via cyberspace. While a significant body of work studies this deterrent effect, no studies examine how public perceives these cyber institutions in both deterring and target-of-deterrence countries.

Fielded on three samples (from American and Russian public, and elites), original surveys demonstrate that some citizens perceive bureaucratic changes as a satisfactory sign of governmental work, despite their lack of access to specific information about the implemented changes. In a target-of-deterrence country, the public perceives increased cyber investment by the deterring country as a threat and prefer its government to implement additional observable security measures. In both scenarios, some individuals become anxious about cyber bureaucratic encroachment and perceive this expansion in cyber capability as a direct threat to their civil liberties and freedoms. The paper concludes by showing the discrepancy in perception between elites and masses of the desired and actual effects of public cyber-protection measures.

Arie W. Kruglanski, University of Maryland

What Prevents Cyber-Terrorism? The Psychology of a Puzzle

Despite the potential to inflict immense damage on civilian populations through activities in the cyberspace (Panetta, 2012), there have been so far no recorded instances of cyber-terrorism as such. Cyber attacks of varied proportions have been committed by nation states such as Russia, China, Israel, the U.S. and Iran. “Hacking” by individuals and groups has been relatively commonplace, as has been cybercrime, but cyberterrorism (Defined as “the premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents” (Pollit, 1998, p. 285), has yet to occur. In an attempt to speculate why this might be the case, I will describe a conceptual model that identifies three major factors (Needs, Narratives, and Networks) underlying individuals’ decision to embark on violent extremism, and address the absence of cyber-terrorism from its perspective. Specifically, I will explore the possibilities that (1) individuals’ Need (for significance and mattering) may be more efficiently served by means other than cyber attacks, and that (2) the ideological narrative to which the Hacker community (Network) subscribes is unrelated if not downright inconsistent with religious and national causes. However, because narratives and networks may change, the current state of affairs does not negate possible cyber-terrorism in the future.

George R. Lucas, U.S. Naval Academy (Annapolis)

“Star Wars—Cyber Terrorists in Outer Space?”

In this paper I propose to describe and analyze newly-emerging and highly-disruptive terrorist threats to “Other-than-Internet” (OTI) cyber domain infrastructure lodged primarily in geosynchronous orbit. The potential of non-state actors to seriously disable communications and geographical location satellites and other hardware infrastructure supporting critical civilian, as well as military operations, is a component of the overall threat of conflict in the cyber domain that has been relatively neglected. It is, however, no longer merely a speculative, “science-fiction” threat.

In a monograph originally written several years before this conference [“Ethics & Cyber Warfare” (OUP 2017)], I expressed skepticism about the danger posed by terrorists in the cyber domain. At that time, their threat was considered on par with that of nation-states, attempting to interfere with power grids, destroy dams and other vital infrastructure, cause chemical factories to explode, and civilian aircraft literally to fall from the sky [e.g., Richard C. Clarke, et alia (2010)]. In contrast to this hyperinflated cyber hysteria, I argued that if terrorists could accomplish these objectives, or attempt to build (or replicate) some malevolent version of “Stuxnet” (for example), they would long since have done so. Since they had not done so (and since these objectives had proven expensive, difficult, and time-consuming, even for most nation-states), terrorist likely were not able to achieve this sort of internet (and software-based) disruption the cyber domain.

That skepticism was grounded in speculation concerning physical effects-based cyber threats. Yet, at the same time, I had begun to describe an alternative form of cyber conflict I labeled “state-sponsored hacktivism.” That threat, of an altogether different sort, involved mastery by states of disruptive interference already practiced successfully by terrorists, anarchists, and political hacktivists. Terrorists and insurgents had demonstrated (effectively taught) these alternative techniques to nation-state actors, who found them much easier and less resource-intensive to emulate than effects-based weapons. The highly effective “weaponization” of social media by terrorist groups is a case in point [P.W. Singer & E.T. Brookings, “Like War” (2018)].

The new threat is not based in the virtual cyber domain, but aimed instead at space-based OTI infrastructure: communication satellites, command and control systems, and especially GPS. It is now quite feasible for a non-state organization to obtain and successfully launch a small payload into near space orbit, for example. If the payload consists of no more than golf balls or even moth balls, the ballistics of their release is sufficient to destroy or disable a nearby GPS satellite, or a command-and-control orbital device that enables control of everything from national power grids to the planting and harvesting of vital crops (a deliberate new weaponization of what has long been known as “the Kessler effect”). Meanwhile, on the planet’s surface, small and easily affordable GPS tracker-disabling devices are readily available online, and have already been used (inadvertently) to disable GPS signals at a range of 20-100 meters and more. The Philadelphia International airport was subject to such interference only a few months ago. All this is much more feasible and readily achievable than designing complex software weapons to achieve the same result. Our ability to counter these threats depends upon our ability to recognize and understand them.

Sharon Matzkin, University of Haifa

Public Confidence in Government: Ghosts of Terror Past and Cyberterror Future

Do lethal and non-lethal cyberterror attacks affect public confidence in government institutions? What psychological mechanisms underlie this relationship? The majority of current scholarship debates the security aspects of cyberterror, while the psychological impacts are often neglected. To address these questions, I develop two models predicting public confidence following cyberterror and conventional terror. Data draw from 1848 participants in three countries (Israel, U.S. and the U.K.) who underwent a population-based survey-experiment via three Internet crowdsourcing panels. Findings show that the associations between most variants of terror and public confidence can be better understood as being mediated by affective variables rather than direct. This is demonstrated by the many significant indirect paths in the models. However, non-lethal cyberterror was directly and negatively associated with the public’s confidence in the abilities of government institutions to prevent future terror attacks. The findings are subsequently discussed in terms of their implications for future research on public confidence following cyberterror attacks.

Harry Oppenheimer and Josh Kertzer, Harvard University

Do Cyber Attacks Corrode?: Cyberattacks and Domestic Politics

Pundits and policymakers have recently expressed concern about cyberattacks' corrosive effects, as democratic publics turn on one another and against prevailing institutions. But what makes cyberattacks' effects on domestic politics so different from conventional attacks, which typically lead publics to band together and rally around prevailing institutions? We create original datasets of rally events and publicly-acknowledged cyberattacks of US government targets during the Obama administration, showing that cyberattacks do in fact produce rally effects, though with slightly different dynamics. We then field a survey experiment to study the microfoundations of public responses to cyberattacks, showing that Americans see cyber as especially threatening, suggesting that concerns about attribution potentially lead to a lack of confidence in the ability of government institutions to handle the attacks.

Ganna Pogrebnam, University of Birmingham

Using Behavioral Data Science to Diagnose and Prevent Cyberterrorism: The Case of Cities

Contemporary cyberattacks infrequently rely on sophisticated technology. Instead, adversaries resort to the inventive use of social engineering. With the rise of smart cities, cybersecurity threats are no longer an individual risk or a private sector problem. In the 21^st century, adversaries target infrastructure and, especially, urban infrastructure, more and more often. Cities are vulnerable to cybersecurity threats. Moreover, urban areas are often not prepared to face cyberattacks. We argue that behavioral data science can help diagnose cyber risks and show how understanding of urban science versus cybercriminals’ business models and their behavioral types can help identify and address vulnerabilities in city cybersecurity systems. While cities tend to use “one-size-fits-all” security, cybercriminals are applying “customized” approaches to each attack. By using behavioral segmentation of cybercriminals, we can build multi-layered security systems which will target different types of adversaries with various sophistication levels.

Thomas Scotto, University of Strathclyde

Game Theory Analysis of How Attribution in Cyber Attacks Effects Response Options

We argue that there are two defining features of cyber-conflict. The first is that, unlike traditional military encounters, the cost of launching a cyber-attack is significantly lower than the cost of defending against such an attack. This links the logic to cyber conflict to that of nuclear conflict, one where traditional defense is quite difficult and states instead turn to deterrence. Secondly, attributing cyber attacks to their true source is difficult and less likely to succeed than attribution in the case of a conventional attack. These phenomenon, when combined with the record of cyber conflict, lead to two puzzles. The first question is why states are less willing to adopt maximalist cyber-deterrence strategies, instead opting for much more proportional and low-intensity retaliations. Second, given the difficulty of attributing a cyber attack, is there a way of successfully deterring a cyber-attack without resorting to maximalist responses? We examine these questions by modeling formally cyber-conflict and cyberdeterrence in a stylized three player game. We find first, that maximalist deterrence strategies become significantly less effective, and often counterproductive, in the presence of misattribution and uncertainty.

Ryan Shandler, University of Haifa

The Political Effects of Exposure to Cyber Terrorism – A Multi-Country Experiment

Cyber terrorism has evolved into a threat that can pose catastrophic and lethal consequences. How does exposure to this new phenomenon affect political attitudes? Honing in on one particular political effect – demand for retaliatory strikes against perpetrators – we explore how civilians respond to acts of cyber terror. To test this, we run a series of three controlled experiments in the United States, United Kingdom and Israel where 1,848 respondents are exposed to simulated television news reports that portrayed fatal and non-fatal, cyber and conventional terror attacks. The findings reveal that cyber terrorism causes strong changes in political attitudes, but that this is dependent on the lethality of the attack. Having observed a distinct cyber-terrorism effect, we test for the underlying psychological mechanisms that drive this response and compare the results to conventional terrorism. We find that the psychological mechanism underpinning the cyber terror effect operates in the same manner as its conventional counterpart with anger as the primary intervening variable.

Brandon Valeriano, Marine Corp University

Revisionist Actors in Cyberspace: Experimenting with Power Imbalances and Digital Aggression

We examine how rogue states use the connectivity of the modern world to advance their interests, and in the process, threaten the stability and trust inherent in the international system. Regional revisionist actors and terrorists are using digital means to advance their interests and challenge great powers. Yet few have sought to analyze theoretically and empirically the cyber strategies of revisionist actors. Using a computer-based two-player simulation, we demonstrate that the decision-making process used by revisionist actors frames cyber operations not to equalize power imbalances, but either as a form of domination (for the stronger powers) or a form of signaling to avoid conflict (for the weaker power). We demonstrate theoretically the behavioral tendencies of actors seeking to attack Great Powers and how these powers fight off challengers. Consequently, this paper provides both a theoretical foundation for one prevalent form of representation in cyberspace through the use of experimental methods.