Cyber Terrorism- a broader concept
NEERAJ AARORA, AICWA, LLB, PGD (Cyber Law), CFE (USA)
Cyber terrorism is an evolving concept, a striking realty in the wake of terrorist strikes that has taken place around the globe more particularly the recent Mumbai terrorist strikes. There is no denying the fact that greatest threat to the civilized society in the 21st Century is from the uncivilized or medieval mindset society in the form of terrorism. The threat of terrorism takes more dangerous dimension when it is undertaken with precision & impunity with the aid of information technology or computers.
The deadly combination of terrorism & information technology has given birth to new term Cyber terrorism. Before we discuss the possibilities & potential of cyberterrorism, we must first look at some acceptable definitions of the term. The word cyberterrorism refers to two elements: cyberspace and terrorism. Some of the definitions of cyberterrorism are as follows:
1. Cyberterrorism is a criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a particular political, social, or ideological agenda. (Proposed by the National Infrastructure Protection Center, Analysis and Information Sharing Unit, USA).
2. Cyber-terrorism is any premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents. (US Federal Bureau of Investigation)
3. Cyberterrorism is the convergence of cyberspace and terrorism. It refers to unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear.Â Attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not. (Denning, D. (2000), Cyberterrorism, http://www.cs.georgetown.edu/~denning/infosec/cyberterror-GD.doc)
While the definition of cyber terrorism at 1 specifies that computer systems or telecommunication capabilities are used to conduct cyber terrorist attacks. However, the definition given by FBI at 2 only specifies that computer and information systems are the targets of cyber terrorist attacks. Arguably both elements should apply i.e. it may be used as a tool or target or both.
While an information system can be attacked in any number of ways using host of conventional methods like bombing, arson, etc, however for an act to be classed as cyberterrorism, the attacker must use information systems, technology, computer or other electronic means to launch the attack.
Cyber terrorism is one of various forms of cyber attack. Often the terms cyberterrorism and cyber attack are used interchangeably by layman but actually they differ in that every cyber terrorism is a cyber attack but not vice versa. The definition given by Professor Dorothy E. Denning (Professor of computer science at Georgetown University) at 3 is a comprehensive definition which demonstrates that for cyberterrorism to be perpetrated there are at least three elements which must be satisfied in order to distinguish a cyber terrorist attack from an ordinary cyber attack. Denning points out that politically motivated cyber attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples of cyberterrorism. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not be covered under cyber terrorism.
Whether Ancillary cyber activities to further terrorism should be posited as Cyber Terrorism
The aforesaid definitions suggests that the use of the internet in an ancillary role in furtherance of terrorism (ancillary cyber activities) for example; terrorist use of information technology to formulate plans, spread propaganda, support terrorist recruiting, raise funds, and communicate is not regarded as cyber terrorism. It is only when the destructive nature of the act itself is carried out via computers or other cyber/electronic means through techniques such as infected e-mail attachments. Delivery of the terrorists message via the Internet does not constitute cyber terrorism. This restricted interpretation of the term Cyber Terrorism is further supported by Professor Gabriel Weimann, who suggests that Cyber terrorism means only the use of computer network tools to harm or shut down critical national infrastructures (such as energy, transportation, government operations). However, if we take the strict interpretation of the word cyber terrorism, then the terrorist use of computers as a facilitator of their activities, whether for propaganda, recruitment or even for mounting physical terrorist strike would not simply be Cyber terrorism. In other words, would the law deal with only core mischief for instance physical terrorist strike but what about the use of computer or information technology by terrorist which facilitated that strike? Lets take for instance, the master mind of terrorists to carry out covert terrorist operations sends information about possible targets, plans or other operational information via e-mail in encrypted format to the terrorists and the terrorists intercept the encrypted message and on its basis carry out operation of the magnitude we recently witnessed at Mumbai. Would the said use of Information technology to facilitate the horrendous terrorist strike with precision and impunity be an act of Cyber Terrorism or not, if we go by what has been suggested by Professor Dorothy E. Denning & Professor Gabriel Weimannit? Would it be an acceptable proposition in the Indian subcontinent given the current peculiar geopolitical situation? By grace of god, we have not yet witnessed anywhere in the world (except in Hollywood movie), two large aircraft collide due to breach or hacking of air traffic control system by terrorists. But in realty we do have witnessed terrorist strikes resulting in loss of huge precious human lives & destruction of property where during investigation; it has been found that information technology one way or the other has played an ancillary but pivotal role to the terrorist attack. Therefore, with due respect to above experts, it is the view of this author that such ancillary use of computer which facilitate (though indirectly) the terrorist acts of the gravity and magnitude similar to recent Mumbai strike should come under the purview of Cyber terrorism.
Newly inserted Section 66F in proposed IT Amendment Act deals with Cyber Terrorism
In the wake of recent Mumbai terrorist strike, cyber terrorism has been defined as an offence in newly inserted section 66F in proposed amendment to the IT Act”one who causes denial of access to computer resources, or has unauthorized access to a computer resource, or introduces a virus, with the intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in any section of the people is deemed to be committing cyber terrorism. If a person has unauthorized access to a computer resource with the intent to breach the security of the state, its sovereignty and integrity, and friendly relations with foreign states, then also he is deemed to be committing cyber terrorism.
Further, Sections 69 and 69A of the amended Act empower the state to issue directions for interception, monitoring, decryption of any information through any computer resource; and for blocking websites in the interest of national security, and friendly relations with foreign states. Further, Section 69B empowers the government to authorize to monitor, collect traffic data or information through any computer resource for cyber security.
Thus, the wordings of Section 66 F suggests that the use of the internet in an ancillary role in furtherance of terrorism (ancillary cyber activities) for example; terrorist use of information technology to formulate plans, spread propaganda, support terrorist recruiting, raise funds, and communicate is not regarded as cyber terrorism. It is only when the destructive nature of the act itself is carried out via computers or other cyber/electronic means through techniques such as infected e-mail attachments. Delivery of the terrorists message via the Internet does not constitute cyber terrorism. The government can at most watch the use of Computer resource or IT communication resources by the terrorists. Thus, the IT Act needs to be made more stringent to incorporate even ancillary cyber activities to further terrorism as an act of cyber terrorism and thus, the wordings of Section 66F be suitably drafted.
Prevention of Electronic Crimes Ordinance, 2008 passed by Pakistan deals with ancillary cyber activities to further terrorism as Cyber terrorism
Ironically & most surprisingly, this view of the author finds support in the form of ordinance (ORDINANCE NO. IV OF 2008) recently passed in Pakistan by its President, Mr. Asif Ali Zardari. The said ordinance sets death penalty for Cyber Terrorism and describes cyber terrorism as accessing of a computer network or electronic system by someone who then “knowingly engages in or attempts to engage in a terroristic act. The definition of cyber terrorism (Section 17 of the Ordinance) inter-alia includes accessing of computer or computer network for aiding the commission of or attempting to aid the commission of an act of violence against the sovereignty of Pakistan, whether or not the commission of such act of violence is actually completed or not. Further, as per Section 11 of the said Ordinance, the misuse of encryption for committing terrorist activity shall be punished with imprisonment of either description for a term which may extend to five years, or with fine, or with both. Likewise, Section 9 of the said ordinance makes the misuse of electronic system or electronic device for instance selling, possessing, distributing or making available an electronic system or electronic device which could be used for terrorist activity, punishable with imprisonment for a term which may extend to three years, or with fine, or with both. Thus, the ordinance passed in Pakistan is unique and first of its kind in the world as it deviated from the traditional definition of Cyber Terrorism and realized the ground realities prevailing in the sub continent and the modus operandi adopted by the Terrorists and thus extending the concept of Cyber Terrorism to the Ancillary Cyber Activities furthering the core terrorist activities.
It is the high time for India to follow the suit given the current geopolitical situation prevailing in the Indian Sub-continent and the ease and expertise by which these terrorists organizations are using the information technology to further terrorist strikes.