  • Amy Cox

Tackling the threat of cyberterrorism: Why we need an interdisciplinary approach

In 1991, the US National Academy of Sciences predicted that “tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb” (1991, p.7). While the threat of cyberterrorist attacks has likely been exaggerated by the media, it cannot be denied that major cyber-attacks such as the WannaCry ransomware and the Petya malware attacks in 2017 highlighted the vulnerability of cyber systems worldwide to external pernicious influence. To date, cyberterrorism has largely been addressed unilaterally by national security agencies, legislators, and academics. However, an interdisciplinary approach is crucial to the study of cyberterrorism, which is an evolving and often contested concept in academia and policymaking. Collaboration between political scientists, sociologists, legal scholars, human rights organisations, security and defence experts, and IT experts is needed to comprehensively understand and address the threat posed by cyberterrorism.

 

The meaning of cyberterrorism itself is contested by experts. In 2000, information security researcher Dr Dorothy Denning defined cyberterrorism as “unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives”. Under Denning’s definition, the tools and target of the cyberterrorist are exclusively digital and refer to a scenario in which a cyber-attack interferes with an essential public service such as an online health service system. Other scholars prefer Denning’s broader understanding of cyberterrorism as the “convergence of terrorism and cyberspace”, which plausibly includes the use of the internet by terrorists for recruitment, finance and communications. For instance, Gordon and Ford argued that cyberterrorism occurs wherever the “factors and abilities of the virtual world are leveraged by the terrorist in order to complete his mission” (2002, p.637). Arguably, this conception of cyberterrorism is too broad, as such activities lack the violent and fear-inducing component of terrorism, and would only serve to exaggerate the threat posed. As Hardy and Williams note, Distributed Denial of Service (DDoS) attacks, such as those levelled by the political hacktivist group Anonymous against government websites, have a far less severe impact than terrorist attacks such as 9/11 and should not be labelled as terrorism for this reason (2014, p.2). While this definitional dilemma may appear trivial or academic, definitions have important implications when adopted into policy or legislation. A narrow definition could fail to adequately address threats and thus fail to protect the public, whilst a broad definition of cyberterrorism could “justify draconian anti-terrorism legislation” that could infringe upon privacy and free speech, and waste the resources of the criminal justice system (Lavorgna, 2020, p.177).

 

The Council of Europe’s Budapest Convention on Cybercrime calls upon states to criminalise “offences against the confidentiality, integrity and availability of computer data and systems”, including system interference and illegal access. States have gone about criminalising cyberterrorism in different ways with varying standards for interference and intention. For instance, the UK has been criticised for the wide scope of its definition of terrorism in the Terrorism Act 2000 as it applies to cyberspace (Hardy and Williams, 2014, p.7). Under the Act, a cyber-attack need not cause any interference, but rather intention is enough to prosecute the perpetrator. The attack need only interfere with an electronic system and not critical infrastructure to qualify as terrorism, meaning that a DDoS attack on a government website would constitute terrorism. Finally, the Act applies to cyber-attacks that are designed to merely ‘influence’ the UK government. This standard is much lower than that of Australia, where an attack must have the effect of ‘intimidating’ the government to be prosecutable, while Canada goes further and requires that the attack compel the government to act in order to constitute terrorism. Thus, while the UK’s legal definition of terrorism comprehensively covers threats emanating from cyberspace, there is a risk that it goes too far in treating less serious uses of the internet as terrorism, which has ramifications for all internet users.


It is of particular importance that legislators take into account diverging viewpoints from legal scholars, cybersecurity experts and civil society representatives when drafting anti-cyberterrorism legislation (2001). As Wells et al. argue, criminal law should be continually “validated and reviewed to ensure its continued effectiveness against the continually evolving challenges, vectors, and vehicles of cybercrime and cyberterrorism” (Akhgar and Brewster, 2016, p.45). 


Legislators and policymakers should take into account the constructivist perspective proposed by political scientists and sociologists when responding to cyberterrorism. These scholars have argued that there is value in studying how cyberterrorism is socially constructed or produced by the media, policymakers, and the private sector (Jarvis, Nouri and Whiting, 2014, p.34). By studying the construction of the threat as a social fact, we can understand both who benefits from the amplification of the threat and the solutions which have been proposed in response to it. For instance, it is widely acknowledged that cyberterrorism has been subject to hyperbole and fearmongering, being referred to as an ‘electronic Pearl Harbour’ or indeed ‘electronic Chernobyl’ (Stohl, 2014, p.89). Certainly, the idea that terrorists could cause death and destruction through hacking has “captured the public imagination” (Hardy and Williams, 2014, p.1). A constructivist approach acknowledges that attempts to accurately quantify risks in cyberspace are informed by such sensationalism, making critical engagement with terms such as ‘cyberterrorism’ essential for moving forward. Indeed, Dr Myriam Dunn Cavelty of the Centre for Security Studies at the University of Zurich has argued that cyberterrorism is nothing more than a “narrated catastrophe” conflated by self-serving politicians and a lucrative cyber-security market and exacerbated by the psychological tendency to fear risks despite their low probability (2013, p.112). These factors lead to a distortion of the cyberterrorist threat and disproportionate pressure for regulatory action.

 

Security and defence experts play an important role in tackling cyberterrorism. While major international players such as the US mostly condemn cyberterrorism, they have nevertheless built up their cyber war abilities over the last decade (Stohl). Indeed, the most damaging cyber-attack thus far was ‘Stuxnet’, a worm reportedly created by the US and Israel which caused extensive damage through malware to Iran’s nuclear technology (Lavorgna, 2020, pp.170-1). While cyber-attacks attributed to states or their proxies can be considered ‘cyberwarfare’, using conventional understandings of military security can be counterproductive. Cybersecurity is “not exclusively a military problem”, and using the language of “attack”, “aggression” and “threat” can create a false understanding that cyber-attacks always intrude from the outside, done “by them to us” (Cornish et al., 2009, p.2). Rather, cyberterrorism should be seen as a complex problem with no obvious boundary between perpetrator and victim, necessitating a multidisciplinary approach to solve the issue. As Schwab argues, the fourth industrial revolution has brought about increasingly ‘hybrid’ forms of conflict where “the distinction between war and peace, combatant and noncombatant, and even violence and nonviolence (think cyberwarfare) is becoming uncomfortably blurry” (2018). As Lavorgna notes, early warning systems are of critical importance when addressing such cyber-attacks, with rapid communication between cybersecurity bodies and law enforcement, intelligence agencies and private Computer Emergency Response Teams needed to counter the threat (2020, p.172).

 

As Lavorgna argues, the collection of information for the suppression of cyberterrorism remains one of the thorniest issues in counterterrorism policymaking, necessitating input from human rights groups and cybersecurity experts (2020, p.181). Lehrke has argued in favour of mass surveillance as a counterterrorism tool, arguing that it is the “quiet and patient tool” that can prevent terrorism before it becomes a threat by deterring terrorist plots and disrupting communications (2018, p.229). Mass surveillance of online activities could create a passive environment that is hostile to cyberterrorism by raising the costs of plotting or carrying out preparations for a cyber-attack. For instance, in Norway, Computer Security Incident Response Teams and Computer Emergency Response Teams monitor the internet and warn public and private industry of imminent attacks. However, mass surveillance as a tool for combatting cyberterrorism comes with costs. Personal data has immense predictive power which, while useful for anticipating cyberterror attacks, can also be sold and misused, compromising citizens’ privacy and personal autonomy. As Hagen and Lysne note, another major challenge for governments is that surveillance software, once purchased, can be stolen and used against law-abiding citizens by criminal or terrorist organisations (2016, p.77). In this way, as Lavorgna notes, cyberterrorism tests the endurance of our democratic values as well as our cyber-defences.


To conclude, cyberterrorism should in future be addressed by a range of disciplines and actors. Political scientists and legal experts should take care to consider the definition of cyberterrorism to advise legislators seeking to criminalise certain online activities. Tech companies and experts should collaborate with intelligence agencies, police forces, lawyers and civil society groups to develop effective yet ethical tools for internet surveillance and data sharing, in order to ensure citizens’ privacy and autonomy. While the future of cyberterrorism is not known, an interdisciplinary approach is essential to respond to the challenges of contemporary criminality.

 

Bibliography

 

Akhgar, B. and Brewster, B. (2016) Combatting Cybercrime and Cyberterrorism: Challenges, Trends and Priorities (Springer International Publishing Switzerland).

---Wells, D., Brewster, B. and Akhgar, B., ‘Challenges Priorities and Policies: Mapping the Research Requirements of Cybercrime and Cyberterrorism Stakeholders’

 

Chen, T., Jarvis, L. and Macdonald, S. (eds.) (2014) Cyberterrorism: Understanding, Assessment, and Response (Springer, New York).

---Jarvis, L., Nouri, L. and Whiting, A., ‘Understanding, Locating and Constructing Cyberterrorism’

---Hardy, K. and Williams, G., ‘What is ‘Cyberterrorism’? Computer and Internet Technology in Legal Definitions of Terrorism’

---Stohl, M., ‘Dr. Strangeweb: Or How They Stopped Worrying and Learned to Love Cyber War’

 

Cornish, P., Hughes, R., & Livingstone, D. (2009) ‘Cyberspace and the National Security of the United Kingdom: Threats and responses’ (Chatham House).  

 

Council of Europe (2001) ‘Convention on Cybercrime’ (ETS No. 185), Available at: https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=185.

 

Denning, D. (2000) ‘Cyberterrorism: testimony before the Special Oversight Panel on Terrorism Committee on Armed Services U.S. House of Representatives’.

 

Ford, R. and Gordon, S. (2002) ‘Cyberterrorism?’, Computers & Security, 21(7), pp. 636-647.

 

Hagen, J. and Lysne, O. (2016) ‘Protecting the digitized society—the challenge of balancing surveillance and privacy’, The Cyber Defense Review, 1(1), pp. 75-90.

 

Lavorgna, A. (2020) Cybercrimes: Critical Issues in a Global Context (Bloomsbury Publishing).

 

National Academy of Sciences (1991) ‘Computers at Risk: Safe Computing in the Information Age’ (Washington, DC, National Academy Press).

 

Pisoiu, D. and Jackson, R. (2018) Contemporary Debates on Terrorism, Routledge.

---Conway, M. and Dunn Cavelty, M., ‘Is cyberterrorism a real threat?’.

 

Schwab, K. (2018) ‘The fourth industrial revolution: What it means, how to respond’, World Economic Forum, Available at: https://www.weforum.org/agenda/2016/01/the-fourthindustrial-revolution-what-it-means-and-how-to-respond/


Szabó and Vissy v Hungary (2016) 37138/14.

 

Tech Against Terrorism (2022) ‘Report: Transparency Report for Year One of the Terrorist Content Analytics Platform (TCAP)’, Available at: https://www.techagainstterrorism.org/research/.

 

Yardley, J. (2012) ‘Panic Seizes India as a Region’s Strife Radiates’, The New York Times, Available at: https://www.nytimes.com/2012/08/18/world/asia/panic-radiates-from-indian-state-of-assam.html.
