Cyber-Terrorism: E-WWIII? (3 of 8)


The havoc created by groups like Anonymous can be considered minor intrusions when compared to the potential for full-fledged onslaught posed by cyber-terrorist organizations abroad. These attacks originate from independent groups and foreign government backed operations alike. When faced with the possibility of a cyber-attack by a foreign government, it would follow that this is an act of war and therefore should be categorized as “cyberwarfare.” Experts contend that these attacks nevertheless fall within the ambit of cyber-terrorism, because we are “clueless about did it or when they will strike again.”[1]

With increasing global tensions and modern technologies, cyberwars are replacing the classic “boots on the ground” campaigns. Although this can be seen as a welcomed alternative to sending men and women overseas, the downside is that we are truly in the dark as to who is infiltrating us. Hence the rise in casual espionage going on in our own country and abroad (sorry NSA).

cyber war red button


Concerns over whether the Chinese are attempting to gain access to American information and infrastructure are nothing new. However these concerns have hit a new ceiling when U.S. government officials begin striking down deals between major U.S. corporations and privately held Chinese corporations due to concerns over national security and telecommunications access. This was precisely what happened in 2010 when Sprint was in talks with Huawei, the largest telecommunications manufacturer in the world and alleged patsy for the People’s Liberation Army of China.[2]

The Congressmen who actively fought to keep Huawei from expanding into the U.S. market, point to the fact that the founder of the company, Ren Zhengfei, served as an engineer in the People’s Liberation Army (PLA) in the early 1980’s.[3] This red flag, and subsequent investigation, lead many to believe that Huawei was intentionally manufacturing telecommunication equipment that would allow unauthorized third party access; essentially acting as “a military and government contractor” to put flawed products on the U.S. market.[4] Furthermore, reports indicate that Huawei’s rapid global expansion has been largely funded by the Chinese government in as much as $30 billion. Although representatives for the corporation claim that the figure is closer to $10 billion, these rumors were somewhat substituted by their retort.

After a yearlong investigation by the House Intelligence Committee, the U.S. officially unveiled their stance and belief that Huawei was a national security threat. This conclusion was based on the corporation’s clear loyalties to the Chinese government,[5] which when coupled with obvious attempts to gain unauthorized access to “sensitive information” through the telecom’s equipment, alarmed and swayed the committee.[6] The committee bluntly stated that all American companies should avoid buying their equipment and that the Committee on Foreign Investment in the United States[7] should block any potential mergers involving the Chinese corporation.[8]

Following the release of the committee’s report, the ranking Democrat on the House Intelligence Committee, Dutch Ruppersberger, said that one of the many reasons for launching the investigations—besides Huawei’s connections to the Chinese government—was in part to education the American public and domestic businesses about the dangers associated with telecommunications.[9] “In the telecommunications world, once you get the camel’s nose in the tent, you can go anywhere.”[10] This metaphor summarizes the committee’s fear that once Huawei’s (and any other cyber-terrorist for that matter) is allowed to access U.S. networks on American soil, the Chinese government will exploit that access to “intercept high level communications, gather intelligence, wage cyber war, and shut down or disrupt critical services in times of national emergency.”[11]

During the two years of the Huawei debate, the PLA confirmed the existence of a specialized online “Blue Army” unit, which China’s defense ministry claims will be used to keep their networks safe from outside attacks.[12] Although most believed that the unit has been around since 2009 and may in fact be behind many of the cyber-attacks which originate from China in that time. Since the unveiling of the Blue Army, China has maintained its position as leader of cyber-attacks.

In early spring of this year, internet security firm Mandiant released a 74 page report discussing the large number of attacks they have been able to trace back to a single building in China, dubbed simply: Advanced Persistent Threat 1 (APT1).[13] Mandiant believes that this building is a front for a sub-group within the PLA and is carrying out these attacks on their behalf.

The APT1 life cycle consists of seven steps: 1) initial compromise, 2) establish foothold, 3) escalate privilege, 4) internal reconnaissance, 5) move laterally, 6) maintain presence, and 7) complete mission.  ATP1 may repeat the cycle from step 3 through 6 for months or even years, all the while syphoning off data from the main network.

The initial compromise is carried out by sending “spear phishing messages” that contain malicious attachments, a link to a malicious file, or a link to a malicious website to an individual within the target environment. Once that message or link has been activated, APT1 then establishes a foothold by developing “backdoors” within the host computer that can be exploited to give control to the hackers at ATP1.[14] Escalating privileges works by abusing more victims within the target network by acquiring more passwords and creating more backdoors, until the entire network is under the domain of ATP1.[15] Step 4, internal reconnaissance, refers to the actual espionage—searching databases for information, developing understandings of the inner workings of an organization, etc. The phrase moving laterally refers to installing malware and using compromised credentials to obtain a wider girth of remote access. ATP1 then maintains this presence, until the information sought has been obtained at which point the mission has been completed.[16]

The allegations made against the PLA using ATP1, were generally substantiated by a subsequent Congressional report which indicates China has continued intruding into U.S. computer networks and is focused on “exfiltrating” information on technology and building a picture of U.S. defense networks.[17] Presumably, this vast archive of defense tactics and information is being compiled so that China may successfully launch a cyber-attack against the U.S., aimed at crippling the most critical aspects of our government and emergency response services.


Such an attack was perpetrated by Russia in 2007 against Estonia, assumedly due to Estonia removing a cherished (by Russian descendants living in Estonia) wartime monument which was viewed by most Estonians as a symbol of foreign occupation.[18] The cyber-attacks that took place over several days in May 2007, came in several different forms: defacing Estonian websites, replacing web pages with Russian propaganda, and forcing site shut downs through the use of DDoS attacks.[19] The specific sites targeted with DDoS attacks included justice ministries, news publications, broadcasts, and official Estonian organizations. In order to stay operational, the main Estonian news network had to cut international internet connections, “effectively gagging the Estonian news services from telling the world about the attack on their country.”[20]

Furthermore, the attacks targeted critical computers for days that put Estonia on the brink of losing all digital capabilities, which would have shut off many vital services and caused massive, widespread social disruptions.[21] Estonian officials deemed this attack an act of war that according to Estonia’s Defense Minister was a national security emergency tantamount to a blockade.

At the time of the attack, NATO and U.S. officials denied the validity of any type of attack on behalf of Estonia against Russia unless it was specifically aimed at preventing Russia from carrying out future attacks.[22] However, in the 6 years since the attack was carried out, global perceptions and reactions to these attacks have changed. Today, scholars have equated measured responses to cyber-attacks with the common law principles of the right to self-defense.[23] It is because of this reliance that society, businesses, and governments have placed on the Internet as a replacement for the physical space (which was formally invaded in a naval blockade) that now qualifies a large-scale service disruption as an armed cyber-attack.[24]

Given these evolving definitions of what may constitute an attack, in retrospect the conflict in Estonia in today’s society would be more readily accepted as an act of cyber-terrorism. The main goals of the Russian hackers were to cause real world chaos, through the use of a computer based attack, in order to effect a government’s decision and fall in line with the terrorist organizations view. This conduct falls in line with the classic definition of cyber terrorism and the real world effects of the attack must be recognized when viewing the facts through the lens of common law aggression principles.

The law is still unclear as to how these governments may reasonably retaliate against such cyber-attacks without implicating international treaties concerns. Any reasonable and proportionate act of self-defense must be made against the responsible party. However, proving who the responsible actor is in the context of cyber-warfare may be especially difficult.  The nation who was attacked bears a double burden of attributing the attacks, as they must trace the attack to a physical region as well as determining that the opposing government actually sanctioned or was aware of the strike.[25] Outside of returning an attack to Russia, Estonia may have taken action against the government for failing to take action against the hackers located within the country who were responsible.[26] But how such actions would play out in the real world remains unseen.

Nevertheless, an ounce of prevention is worth a pound of cure! In the next post, we will look to what the U.S. has learned from these foreign cyber-attacks and how our own cyber-defense has changed since the emergence of cyber-terrorism as a national security concern.

[1] David Shamah, Latest viruses could mean ‘end of world as we know it,’ says man who discovered Flame, The Times of Israel, June 6, 2012, (last visited Oct. 7, 2013)

[2] See John Markoff & David Barboza, Chinese Telecom Giant in Push for U.S. Market, The New York Times (Oct. 25, 2012), available at

[3]  Id.

[4] Bryan Le, The Chinese Cyber-Threat, Asia Society (Aug. 4, 2011), available at

[5] As evidenced by subsidies made directly to corporation by the Chinese government. Michael S. Schmidt, Keith Bradsher & Christine Hauser, U.S. Panel Cites Risks in Chinese Equipment, The New York Times (Oct. 8, 2012), available at

[6]  Id..

[7] The Committee on Foreign Investment in the United States is “an interagency panel that reviews the national security implications of foreign investments.” Id.

[8] Id.

[9] Steve Kroft, Huawei Probed for Security, Espionage Risk, 60 Minutes (Oct. 7, 2012, 7:38 PM), available at;cbsCarousel.

[10] Id.

[11] Id. The committee specifically cited vulnerabilities in “electric power grids; banking and finance systems; natural gas, oil, and water systems; and rail and shipping channels,” which may utilized by a telecommunication hack to impose “devastating effects on all aspects of modern American living.” Farhad Manjoo, The Manchurian Network, Slate (Oct. 11, 2012, 5:19 PM), available at

[12] China Confirms Existence of Elite Cyber-Warfare Outfit the ‘Blue Army’, Fox News, May 26, 2011, (retrieved Oct. 7, 2013)

[13]  Mandiant Intelligence Center Report, Mandiant, Feb. 19, 2013, (last visited Oct. 7, 2013)

[14] These are the same type of backdoors which Huawei allegedly built into their telecommunications equipment to make it easier for the PLA attempting to spy on the users using the equipment. See

[15] See Mandiant, supra note 39.

[16] Id.

[17] Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2013, available at

[18] Scott J. Shackelford, From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, 27 Berkeley J. Int’l L. 192, 205 (2009).

[19] Id. at 206.

[20] Id.

[21] Id. at 210.

[22] Id.

[23] Sheng Li, When Does Internet Denial Trigger the Right of Armed Self-Defense?, 38 Yale J. Int’l L. 179, 182 (2013) (stating that in the early modern period, scholars conceived of self-defense as a natural right meant to redress injuries against the state’s sovereign rights).

[24] Id. at 197.

[25] Id. at 202-03.

[26] Id. at 203.

One Response to “Cyber-Terrorism: E-WWIII? (3 of 8)”

  1. I wonder how all of this plays out now that we know a little bit more about the extent of NSA’s spying efforts?!

    One of the ongoing complications of contemplating whether actions are cyberterrrorism is looking at what exactly was attacked and who did it. Even in the Chinese case, while everyone suspects that the Chinese government was behind the attacks that Mandiant reported on. The attacks did come from a building near the military center but not from within the center. China denied that it ran such a center. How does one government go about proving such a thing so that retaliation could be warranted. It can be shown that the attacks are being made, but how to prove who is making them, that is the really difficult thing.

    And in the case of Estonia, since the attack was primarily against commercial centers but stopped short of causing paralysis of the nation’s economy and no civilians were hurt or killed in the process, it begs the question whether the attack in question could actually be called cyberterrrorism. The issues are fascinating and complex.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: