The ever-growing dependence of man on cybernetworks has unbridled a modish genre of cyberthreat called cyberterrorism. The pervasive cyberspace has provided an advantageous operational frontier to the terrorists for executing cyberattacks on critical infrastructures, spreading hate propaganda over the Internet and using it for recruitment, planning and effecting terror attacks. Furthermore, it has proliferated terror configurations and metamorphosed terror operations. There is the most urgent need to secure our cyberspace from such formidable cyberthreats. Formulating a cybersecurity strategy through international cooperation is a desideratum to confront mushrooming cyberterrorism which poses a severe threat to global security and current economic scenario. This article examines cyberterrorism as a component of cyberthreats and further analyses the constitutional obligation of the state to protect cyberspace.
The Internet is a prime example of how terrorists can behave in a truly transnational way; in response, States need to think and function in an equally transnational manner.1
—Ban Ki-moon
The development of cyberspace has been one of the greatest technological achievements of mankind. These technological advances entrust mankind with incredible benefits in diverse fields, yet they always influence the nature of security threats in society. Amongst contemporary security vulnerabilities, cyberthreats have emerged as a critical threat to our society.2 Cyberthreat is an amorphic change in the nature of threats that is capable of convulsing the economic3 and social order of the world.4 These threats are hard to detect and difficult to investigate because of their anonymity.5 Since the Internet has developed as an unregulated, open architect, the globally integrated transnational character6 of cyberspace has favoured the growth of cyberthreats. It has been ideal for offenders wanting to anonymously carry out criminal activities in the cyberworld beyond territorial borders, thereby amplifying the scope of crime and stimulating it to move beyond mental torture, anguish and physical assault. Today, the criminals target the Web to derange the global order and virtual life of people.
Based on the perpetrators and their motives, cyberthreats can be disaggregated into four types.
Cybercrimes are criminal activities carried out through a computer network, wherein a computer might be the target or used in the commission of an offence. Thus, it is the use of information technology for criminal activities.7 Cybercrime has evolved in unexpected ways,8 with cyber criminals embracing innovative and highly inventive techniques for executing diverse cyber offences.9 The voluminous, expansive use of the Internet has led to a large online population, not only exposing many people and businesses to cybercrimes but also causing several vulnerabilities, including towering economic losses.10
The act of using a computer network to gain unlawful access to confidential information from another computer is called cyber-espionage. It is executed to extract classified information from the government and other crucial organisations. Cyber-espionage cases are intensifying, where cyber-enabled illegal abstraction of data, intellectual properties (IPs)11 and trade secrets worth billions of dollars is being accomplished.12 Besides being inexpensive and easy to commit, cyber-espionage is hard to prove with certitude.13 The most gripping instance of cyber-espionage in India was the hacking of Prime Minister’s Office website in 201114 and the breach of 12,000 sensitive email accounts of government officials in 2012.15 Overseas Indian missions have also reported several instances of cyberattacks.16
Cyberwarfare is the use of cyberspace to conduct acts of warfare against other countries.17 It includes attacks like distributed denial of services,18 defacing of websites and so on. Cyberspace is considered the fifth dimension of warfare, after land, ocean, air and space. In fact, the Pentagon and North Atlantic Treaty Organization (NATO) have designated cyberspace as an ‘operational domain’, just like air, land and sea.19 The United States (US) cybersecurity doctrine provides for the right to military action against cyberattacks.20 The US has also elevated the United States Cyber Command to the status of a ‘Unified Combatant Command’.21
Presently, states are working in an environment of threat and detriment in cyberspace.22 This has triggered a response to prepare themselves for defending their networks against the growing sophistication of cyberattacks they face. More than 140 countries have developed or are in the process of developing their patenting and proficiency in cyberwarfare.23
Cyberterrorism, a term first coined by Barry Collin in the 1980s,24 is the convergence of terrorism and cyberspace. It involves an attack over a computer network(s) for the political objectives of terrorists to cause massive destruction or fear among the masses and target the government(s). Cyberterrorism aims to invade cybernetworks responsible for the maintenance of national security and destroy information of strategic importance. It is one of the biggest threats to the security of any country,25 capable of causing loss of life and humanity, creating international economic chaos26 and effecting ruinous environmental casualties by hacking into various critical infrastructure (CI) systems. The notable characteristic of cyberterrorism is to use its economic competence to clinch inordinate effects of terror over cyber and real world through cyber-crafted means, like destruction of cybernetwork, denial of service attacks and data exfiltration.
Dangers created by cyberterrorism warrant immediate global consideration. However, states have been ineffective in advancing a consensual approach by which varied acts of terrorism in cyberspace can be brought under the nomenclature of cyberterrorism. Currently, no universally agreed definition for cyberterrorism exists,27 even though it has been acknowledged internationally as a major risk to global peace. It is probably because of the saying, ‘one man’s terrorist is another man’s freedom fighter’. Subsequently, different perspectives over the elemental constituents and definitions of cyberterrorism will be contemplated.
Cyberterrorism is unlawful attacks and threat of attacks against computers, networks, and information stored therein, that is carried out to intimidate or coerce a government or its people in furtherance of some political or social objectives.28 It is the ‘premeditated, politically motivated attacks by sub-national groups or clandestine agents against information, computer systems, computer programs and data that results in violence against non-combatant targets.’29 It aims at seriously affecting information systems of private companies and government ministries and agencies by gaining illegal access to their computer networks and destroying data.30 Cyberterrorism, as a small landmass of the vast territory of terrorism, uses cyberspace as a target or means, or even a weapon, to achieve the predetermined terrorist goal. In other words, it is the unlawful disruption or destruction of digital property to coerce or intimidate governments or societies in the pursuit of religious, political or ideological goals.31 It is an act of politically influenced violence involving physical damage or even personal injury, occasioned by remote digital interference with technology systems.32
Cyberterrorism not only damages systems but also includes intelligence gathering and disinformation. It even exists beyond the boundaries of cyberspace and incorporates physical devastation of infrastructure. The NATO defines cyberterrorism as ‘cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or intimidate a society into an ideological goal’.33 The most acknowledged definition of cyberterrorism is of Professor Dorothy E. Denning, as an unlawful attack against computer networks to cause violence against any property or person(s), intending to intimidate a government.34
While studying cyberterrorism, it is imperative to discern the two aspects of usage of cyber technology by terrorists: (i) to facilitate their terror activities; and (ii) to use cyberspace as a weapon to target the virtual population or execute terror activities.
It is clear from the discussion here that cybercrime and cyberterrorism are not coterminous. Most definitions of cyberterrorism establish a restricted functional framework for the scope of cyberterrorism.35 For a cyberattack to qualify as an act of cyberterrorism, it must be politically motivated; cause physical or other forms of destructions or disruptions, like attacks affecting the unity, integrity and sovereignty of a country; cause loss of life (such as use of cybernetworks in 26/11 Mumbai terror attack);36 and result in grave infrastructural destruction or severe economic losses. The use of cyberspace and information and communication technologies (ICTs) by terror outfits to facilitate their functional activities (like organisational communications) should be considered as cybercrime. Reckoning the ‘facilitating part’ under the definition of cyberterrorism would intensify the scope of cyberterrorism and augment the problem to be rectified.
Cyberterrorism poses critical security threats to the world. The CIs, like nuclear installations, power grids, air surveillance systems, stock markets and banking networks, are dependent upon cyberspace. This functional dependence has made CIs vulnerable to cyberterror attacks and increased the scope for cyberterror footprints exponentially.37 Most CIs globally are poorly protected.38 Therefore, cyberterror attacks on CIs can cause egregious damages to the society. Further, today there is a persistent threat of sensitive information of national interests being stolen by terrorists, destruction of computer networks or systems superintending the functioning of CIs.39
Cyberterrorism is based on specific objectives, such as:
Cyberattacks by terrorists majorly focus on two domains: control systems45 and data in cyberspace. Consequently, the security challenges against cyberterror attacks generally vary across these two scopes. The first possibility is that terror outfits, such as Al-Qaeda and the Islamic State (IS), would exploit the information space to launch a cyberattack to ruin the CI facility of a particular state (Kudankulam Nuclear Power Plant cyberattack).46 In the second instance, the Internet is abused to attack webspace or other trivial frameworks for their political intents, coalesced with the likeliness that such virtual attacks could turn adamantly grave to the point of being catalogued as a cyberterror attack.47
Terrorist organisations use cyberspace for recruitment,48 command and control49 and spreading their ideology.50,51 Internet being the largest reservoir of knowledge has fuelled terror outfits to use this quality to set up virtual training camps in cyberspace. In 2003, Al-Qaeda established its first online digital repository, providing information on matters ranging from bomb-making to survival skills.52 Today, the Internet is used by multiple self-radicalised patrons as a resource bank.53 Cyberspace has emerged as a new operational domain54 for terror and extremist establishments, appending new dimensions to cybersecurity of precluding online jihadist recruitment,55 radicalisation56 and raising of funds.57 The terror outfit of IS has manoeuvred this stratagem and used it proficiently for itself.58 The militant group was able to recruit 30,000 fighters through social media.59 Social media subsequently helped the group to establish its franchises and expand its base in different countries.60 Additionally, terrorists use Internet proficiency to reach out to masses to inspire acts of terror as well as disseminate their messages.61
Cyberspace offers anonymity, easy access and convenience to terrorists to reach the masses without much monetary expenditure. The ubiquitous cyberworld enables terrorists to launch cyberattacks having far-reaching impacts and causing staggering damages, more critical than physical attacks.62 Traditional terror attacks are restricted to the physical limits of the place of attack. Also, while people outside the territorial limits of the attack do read and observe such incidents, they do not get affected directly. A cyberterror attack, however, encompasses the potential of affecting millions without any territorial limitations; at times, it is more enigmatic to find the perpetrator and trace the point of origin of cyberterror attacks.63 Hence, cyberspace facilitates cyberterrorists by enabling them to have a far greater reach than ever before. Further, global interconnectivity of cyberspace results in proliferation of potential targets for terrorists to attack, making it more dangerous than other terror attacks. Such unmatched capabilities of cyberterrorism give terrorists extraordinary leverage to engender more harm to society.
Thus, different factors make cyberattacks a capitative choice of terrorists:
The mushrooming menace of cyberterrorism has stimulated states and international organisations to reform the global cybersecurity architecture for combating cyberterrorism.
Convention on Cybercrime
The European Union’s Convention on Cybercrime, also called the Budapest Convention,69 is the sole binding international convention on cybercrimes.70 It aims at harmonising domestic laws,71 including an international cooperative framework,72 and also proposes to improvise investigation techniques on cybercrimes for member states. India is not part of this treaty.
United Nations (UN)
Brazil, Russia, India, China and South Africa (BRICS) Counter-Terrorism Strategy
The strategy aims to counter international terrorism and its funding, enhance cooperation in mutual legal assistance and extradition against terrorists, improve practical cooperation among security agencies through intelligence sharing, etc. The strategy resolves to ‘counter extremist narratives conducive to terrorism and the misuse of the Internet and social media for the purposes of terrorist recruitment, radicalization and incitement and providing financial and material support for terrorists.’82
Shanghai Cooperation Organisation (SCO)
The SCO has adopted several significant steps to counter the menace of cyberterrorism.83 It established the Regional Anti-Terrorist Structure (RATS) in 2001 against terrorism.84 The 22nd session of SCO RATS council approved various proposals to combat cyberterrorism,85 and also discussed the proposal to establish a cyberterrorism centre.86 In 2019, SCO member states conducted anti-cyberterrorism drills to prepare for future cyberterror crisis.87 Further, in 2015, SCO submitted to UNGA an International Code of Conduct for Information Security,88 proposing a secured and rule-based order in cyberspace.89 The code suggests international cooperation among states to combat exploitation of ICTs for terror-related operations.90 Furthermore, it specifies a code of conduct,91 responsibilities of states92 and rights of individuals93 in cyberspace.
Cybersecurity and Infrastructure Security Agency (CISA) Act
The act establishes that the CISA will secure American cybernetworks and CIs, devise US cybersecurity formations and develop potential to defend cyberattacks. Further, it secures the federal government’s ‘.gov’ domain network. It also houses the National Risk Management Center (NRMC), which addresses most strategic threats to the country’s CI and crucial functions whose disruption can have devastating impacts over American national interests, like security and economy.94 In 2017, the US President issued an executive order (EO 13800) to modernise US cybersecurity proficiencies against intensifying cybersecurity threats over CIs and other strategic assets.95
National Cyber Strategy of the US
The strategy, released in 2018,96 strengthens the US cyberspace to respond against cyberattacks. It focuses on securing federal networks and CIs, as well as combating cyberattacks. The cyber strategy primarily aims to protect American people, preserve peace and advance American interests.97 It also provides for military action to combat cyberattacks.98
Israel launched its first-ever National Cybersecurity Strategy in 2017. The policy document expounds the country’s plan to advance its cyber robustness, systemic resilience and civilian national cyber defence.99 The objective is to develop an international collaboration against global cyberthreats, which certainly includes cyberterror threats.100 It also prioritises to defend Israeli economic, business and social interests in cyberspace.101
The Israel government passed several resolutions, like 3611,102 2443 and 2444, to expand institutional capacity for cybersecurity framework by establishing National Cyber Directorate.103 Israel’s cybersecurity framework focuses on four priority areas:
The UK introduced the National Cyber Security Programme in 2015 to protect its computer networks from cyberattacks. A five-year National Cyber Security Strategy was also revealed in 2016 to make UK’s cyberspace resilient from cyberattacks and more secure by 2021.104 Further, in 2017, National Cyber Security Centre was opened to respond to high-end cyberattacks.105
The Information Technology Act (hereafter the Act) sanctions legal provisions concerning cyberterrorism. Section 66F106 of the Act enacts legislative framework over cyberterrorism. It provides for punishment, extending to life imprisonment, for cyberterrorism,107 along with three essential elements for an act to constitute as cyberterrorism:
(i) unlawful denial of access to any legally authorised person from accessing any online or computer resource or network;108 or
(ii) unauthorised attempt to intrude or access any computer resource;109 or
(iii) introduce or cause to introduce any computer contaminant.110
3. Harm: The act must also cause harm, like death, injuries to people, adverse or destructive effect on the critical information infrastructure (CII), damage or destruction of property or such disruptions likely to cause disturbances in such services or supplies which are essential to life
Further, Section 66F also applies to instances where a person without any authorisation or by exceeding his legitimate authorisation intentionally penetrates or accesses a computer resource and obtains access to such data, or information or computer base which has been restricted for Indian security interests, or whose disclosure would affect the sovereign interests of India, etc.111 Protected Systems and CII
The Act has a provision of ‘protected systems’, empowering the appropriate government to declare any computer resource that either directly or indirectly affects the facility of CII as ‘protected system’.112 Section 70(3) sanctions punishment up to 10 years with fine in case a person secures or attempts to secure access to a protected system.113 The explanation clause of Section 70 defines CII as: ‘The computer resource, incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety.’114
The central government, under Section 70A of the Act, has designated National Critical Information Infrastructure Protection Centre (NCIIPC)115 as the National Nodal Agency in respect of CII protection.116 The union government has also established Defence Cyber Agency117 to deal with matters of cyberwarfare and cybersecurity.118
Indian Computer Emergency Response Team (CERT-In)
Section 70B of the Act provides for the constitution of CERT-In to maintain India’s cybersecurity and counter cybersecurity threats against it. The CERT-In is expected to protect India’s cyberspace from cyberattacks, issue alert and advisories about the latest cyberthreats, as well as coordinate counter-measures to prevent and respond against any possible cybersecurity incident. Keywords: Cyber Security