The Washington PostDemocracy Dies in Darkness

Syrian hackers claim AP hack that tipped stock market by $136 billion. Is it terrorism?

This chart shows the Dow Jones Industrial Average during Tuesday afternoon's drop, caused by a fake A.P. tweet, inset at left.

At 1:07 p.m. on Tuesday, when the official Twitter account of the Associated Press sent a tweet to its nearly 2 million followers that warned, "Breaking: Two Explosions in the White House and Barack Obama is injured," some of the people who momentarily panicked were apparently on or near the trading floor of the New York Stock Exchange.

At 1:08, the Dow began a perilous but short-lived nosedive. It dropped about 150 points, from 14697.15 to 14548.58, before stabilizing at 1:10 p.m., when news that the tweet had been erroneous began to spread. By 1:13 p.m., the level had returned to 14690. During those three minutes, the "fake tweet erased $136 billion in equity market value," according to Bloomberg News' Nikolaj Gammeltoft.

Just two-and-a-half weeks ago, Bloomberg LP announced that it would begin adding a small number of Twitter accounts to its financial information terminals, which are ubiquitous in Wall Street's financial offices. The idea, ironically enough, was to combat misinformation spread on Twitter. In August, false information spread on Twitter suggesting that Syrian President Bashar al-Assad had been killed, sending crude oil prices spiking.

The market appears to have recovered from the AP Twitter hack, which was both juvenile and easily fixed. The AP got word out quickly that the tweet was the result of a hack, and Twitter shut down the compromised account.

About an hour after it was over, a group of hackers who cause trouble in support of Assad, an informal collective known as the Syrian Electronic Army, claimed responsibility for the attack. As I wrote Monday, the Syrian Electronic Army has been hijacking a string of high-profile Twitter feeds, often belonging to large media organizations, using them to denounce the United States and defend Assad.

The Syrian Electronic Army did not offer proof of its responsibility, nor did it send any tweets from the AP account championing its cause, possibly because it was shut down so quickly. A post at Enduring America points out that the Syrian Electronic Army's screenshot trumpeting the hack appears to show what hacking tools they may have used.

The hackers, whoever they were, got access to the AP account by sending malware through something called a "phishing" e-mail. The hackers sent an innocent-looking e-mail to AP staffers urging them to click on a link that, though they did not know it, would infect their computers with spy software. (The phishing e-mail in question actually lured its targets with an apparent link to this blog; sorry about that, AP, I promise that my blog is safe!) The software allowed the hackers to access the AP Twitter account and send out the erroneous tweet.

It was all a surprisingly sophisticated bit of cyber-espionage in pursuit of some childish vandalism. Still, that vandalism had a brief but very real effect on the New York Stock Exchange, one of the most important financial markets in the world. As NPR's Andy Carvin asked on Twitter, "When do vandals graduate to cyber terrorists?" What, he wondered, if the market had not rebounded so rapidly and completely? What if the hackers had been smart enough to simultaneously hijack multiple news organizations' Twitter feeds, sustaining the fiction from seconds to minutes? It's not as outlandish as it sounds; multiple news organizations have been hit by the Syrian Electronic Army in recent weeks.

One of the problems with cybersecurity and cyberwar is that the limits are so poorly defined. As with the Syrian Electronic Army, which backs but is not officially sponsored by the Syrian government, the line between vandalism and state acts of aggression can be difficult to find. And, even if you know who did the hacking, it's not clear what rises to the level of requiring retaliation. If North Korea was indeed behind the recent cyberattacks on South Korean financial institutions, does that count as an attack? What about the suspected Chinese military-sponsored hacks against U.S. institutions?

A recent study, commissioned by NATO, argued that any cyberattack that causes real-world physical property damage or death would merit a military retaliation. So, based on that definition, a temporary stock market dip would certainly not seem to rise to the level of demanding a real-world military as a terrorist attack might.

But what's significant here is not the relatively modest damage caused by the ultimately inconsequential hack, which probably does not cross the line separating vandalism from terrorism, it's the larger and still-unanswered question about where that line is -- and what happens when some individual or group crosses it.