Could Bin Laden's Death Prompt a Cyber Attack?

commentary

May 6, 2011

This commentary originally appeared on RAND.org and GlobalSecurity.org on May 6, 2011.

The death of Osama Bin Laden at the hands of U.S. forces raises the possibility that his followers will try to strike back at the United States. Since attacks such as 9/11 take years to plan, some speculate that they may attempt to launch a crippling cyber attack. While some response can be expected, the likelihood of any large-scale cyber attack from Bin Laden's followers is low for three reasons: they have shown no capability for such an attack, a crippling attack takes months or years to plan and execute, and the sort of cyber attack Al Qaeda is likely to pull off would not offer the same propaganda value as a dramatic physical attack.

Al Qaeda has not demonstrated any real capability in this field. This is not to say that they could not conduct — or hire someone else to conduct — a cyber attack. But it would likely be Web-site defacement or temporary disablement of a corporate or ".gov" site. That kind of cyber attack occurred after Julian Assange was arrested, as angry followers apparently redirected traffic from a Swedish official's site to a pro-Wikileaks site and defaced a Swedish prosecutor's site. Attacks of this kind are a nuisance, but relatively easy to fix.

Of more significance would be a bombardment attack by thousands of computer hits that overwhelm a site and cause it to crash. That is not terribly hard to do. An attack of that kind befell MasterCard and Visa and caused temporary outages when "hacktivists" supporting Assange hit them repeatedly. Called "denial of service" attacks, these too are fairly easily addressed.

A truly monumental attack that could cripple key U.S. computer systems — something akin to the Stuxnet worms attack on Iran's nuclear infrastructure, for example — would take many months of planning, significant expertise, and a great deal of money to pull off. The magnitude of such an attack requires the resources of a nation-state — not lone hackers or smart, small terrorist cells. If Al Qaeda operatives had such a capability, they probably would have used it already.

This is not to say that they could not eventually finance a sophisticated cyber attack. But America has long been on the alert for such an attack because it could take down major computerized systems on which significant commerce and government functions depend. Such an attack would likely be aimed at key cyber systems and be intended to interfere with electrical grids, interrupt transmissions from the Global Positioning System (GPS), or foil electronic fund transfers.

The United States acknowledges a vulnerability that stems in part from widespread use of commercial software for military purposes. That dependence enables potential adversaries to buy the same software, study it, and practice attacks that could be devastating to both private commerce and public defense.

Al Qaeda adherents are also less likely to devote significant energies to a cyber attack because it would not offer as much visual bang to trumpet their exploits — unless they managed to pull off the sort of monumental attack that seems well beyond their capacity. The kinds of attacks they are likely to muster would be relatively invisible and, unless those targeted announce they have been attacked, no one would even know that an attack took place.

Rogue nation-states, or certain criminal enterprises, are more likely than Al Qaeda to have the capability to infiltrate and exploit cyber space in dramatic fashion. Vigilance is the best prevention and the U.S. Cyber Command, the private sector, and the Department of Homeland Security have so far demonstrated an ability to keep serious attacks from happening here.


Isaac Porche is a senior researcher at the RAND Corporation, a nonprofit institution that helps improve policy and decisionmaking through research and analysis.

More About This Commentary

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.