Download Full Text (2.9 MB)


View the Executive Summary

The discovery of STUXNET was a recent milestone in the arena of cyber security because it was the first malware designed to cause real world damage to industrial control systems. It demonstrated that a sufficiently determined adversary might be able to cause physical damage to U.S. critical infrastructure through a cyberattack. This monograph asks if STUXNET has had an effect on cyberterrorism in terms of motive, means, and opportunity. It is argued that terrorists have ample motive, opportunity, and modest means, which raises the question of why a major cyberattack has not happened yet. The lack of cyberattacks can be explained by a cost-benefit argument, and STUXNET has not changed the cost-benefit equation. Cyberattacks are unlikely in the near future, but the cost-benefit argument does not rule out the possibility of cyberattacks in the long term if costs change. There seems little that can be done to change terrorist motive or means. The only factor that is feasible to address is opportunity. Specifically, policies should enhance protection of national infrastructure to reduce the risk exposure to cyberattacks.



Publication Date



to be supplied

Cyberterrorism after STUXNET