Thousands of Israelis continue to live in fear after Iranian hackers stole their personal details, including sexual orientation and HIV status, from the dating site Atraf, popular in the LGBTQ community. Leaking the information could have devastating consequences for the victims.

This attack is part of a growing trend of states engaging in cyber terrorism, which targets civilian infrastructure and services in order to endanger lives, cause fear, and create panic, just like traditional terrorism. But because cyber terrorists can attack with a click, from afar, the consequences could be much more far-reaching than those of suicide bombers or missiles. Cyber terrorism is a weapon that can be used daily, not just in wartime.

While countries have long relied on cyber tools for legitimate uses such as sending messages to other states, the fact that some are now using them to provoke fear and cause bodily harm to members of the general population means that their actions have crossed a line to become terrorism. Cyber terrorism is also different from cybercrime, where the attackers are private groups rather than states, and the motive is often money, either through extracting ransom payments or acquiring information to sell on the Dark Web.

It is a growing threat to everyone and every society, and the stakes are high. It has become clear that cyberattacks can be fatal: Some legal experts and surviving family members have blamed ransomware attacks on hospitals, including in Germany and the United States, for causing patient deaths, although the parties and motivations behind those attacks remain unclear. 

Governments around the world, whose duty it is to protect their citizens from such harm and fear, must take further steps. This will help businesses, which are often the gateway to attacks, be more vigilant and effective at stopping or mitigating damage from potential attacks.

Regulation Is Needed, but That’s Not Enough
In recent years, many governments have increased the funding and departments tasked with preventing cyber terrorism, with the United States saying last summer that it would give investigating ransomware attacks the same priority as investigating terrorism. But governments also need to dedicate more resources to prevention. Most cyber-terrorism threats to the United States and Western countries stem from state-backed actors in countries that also pose the largest military threats, including Iran, China, North Korea, and Russia. 

Remember that cyber terrorists are striking private companies and organizations in order to access data they can use to cause fear and panic or inflict other damage. The software supply chain is another growing potential avenue for cyber terrorism. Software suppliers — which can ultimately lead to access to high-value targets like utility companies, airports, and police departments — offer attackers another indirect route to potentially disrupt or cut off services, endangering lives. In fact, the hackers got into the Atraf dating site via the servers of Web hosting company Cyberserve.

Expanding cybersecurity regulations — now limited to sectors such as government, as well as financial and energy companies — to all sectors, including the software supply chain, would help somewhat. But regulations, which are rarely actually enforced, are not enough on their own. All organizations, big and small, also need experts to evaluate and secure their digital assets on a daily basis, and to keep up with the latest cyber intelligence about new threats.

Advocacy and Public Education 
Governments also need to invest in educating their populations about the increasing risk and dangers of cyber terrorism. This could help companies realize that compliance with regulations isn’t enough, and that they need to understand their real-world vulnerabilities. If organizations understand how easily cyber terrorists could take advantage of their vulnerabilities, they will be more likely to invest in repairing them. Civilian populations also need to understand that every person — and the passwords they choose, as well as their ability to distinguish secure sites and online connections from suspicious sites and recognize phishing attempts — plays a role in mitigating or preventing cyber terrorism. This will not only improve security but empower citizens who feel they could make a difference and positively contribute to public safety.

We are still in the early days of cyber terrorism. This challenge is new; even Israel, which is considered a world leader in fighting traditional terrorism, is not adequately prepared for the continuing and growing threat of cyber terrorism. In addition to the Atraf attack, Iran has been blamed for many cyberattacks targeting civilians in Israel, including on water infrastructure and on an insurance company, all with potentially devastating consequences for thousands of civilians.

With all of its benefits of deniability, relatively low costs, and the ability to attack from anywhere, at any time — as well as the risk of copycat attacks — there is no doubt that cyber terrorism will increasingly threaten civilians everywhere. Governments and private companies must stand up to this challenge for the sake of protecting all of society.

Source: www.darkreading.com