Cyber space is regarded as the meeting place for criminal groups.1 Cyber space has recently emerged as the latest battleground in this digital age.2 The convergence of the physical and virtual worlds has resulted in the creation of a “new threat” called cyber terrorism.3 Before 9/11, much apprehension arose about the threat of cyber terrorism including fears about a “digital Pearl Harbour”.4 The millennium bug further enhanced this fear. 5 In the context of post 9/11, the threat of cyber terrorism is often linked to Al- Qaeda and other terrorist organisations. 6 Cyber terrorists are regarded as computer savvy individuals who look for vulnerabilities that can be easily exploited.7 Cyber terrorism is one of the recognised cyber crimes.8 It has been defined as the “premeditated use of disruptive activities, or the threat thereof, in cyber space, with the intention to further social, ideological, religious, political or similar objectives, or to intimidate any person in the furtherance of such objectives.9 Usually such attacks can take different forms: a terrorist could break into a company’s computer network causing havoc, sabotage a country’s gas lines or wreak havoc on the international finance system.10 These terrorist attacks against information infrastructures, computer systems, computer programmes and data may cause injury, loss of life and destruction of property. The aim of such unlawful attacks is to intimidate or persuade a government or its people to further a political or social objective.11 Cyber attack methods are also said to possess many advantages over conventional methods of terrorism.12 However, distinctions should be drawn between hacktivism and cyber terrorism, and the use of digital means for organisational purposes and the use of digital communications to actually commit acts of terror.13
The horrific events of 9/11 provided the impetus for many countries to introduce anti-terrorist legislation. Such anti- terrorist legislation not only focuses on legislation to criminalise cyber terrorist activity and impose penalties proportional to the act but also to prevent cyber terrorist activity or mitigate its impact by denying cyber terrorists materials, finance, support and equipment. The September 11 attacks illustrated that terrorism crosses national and ethnic boundaries and changed the prevailing attitudes to terrorism.14 Indeed, after 9/11, the discussion about cyber security and cyber terrorism took centre stage.15 The United States of America introduced the Patriot Act of 2001 in response to the 9/11 attacks on its soil. The United Kingdom has introduced a number of anti-terrorist legislation, namely, the Terrorism Act of 2000, the Anti-Terrorism, Crime and Security Act 2001 and the Terrorism Act of 2006. The Information Technology Amendment Act of 2008 in India contains a provision on cyber terrorism. South Africa has introduced a number of legislative measures to address the growing threat of cyber terrorism and terrorist financing such as the Prevention of Organised Crime Act 38 of 1999 (“POCA”), the Financial Intelligence Centre Act 38 of 2001 (“FICA”), the Electronic Communications and Transactions Act 25 of 2002 (“ECT), the Regulation of Interception of Communications and Provision of Communications-Related Information Act 70 of 2002 (“RICA”) and the Protection of Constitutional Democracy against Terrorism and Related Activities Act 33 of 2004 (“PCDTRA”).16
The article examines the definition of cyber terrorism and different uses of the Internet by terrorist groups. The article also looks at measures introduced in the United States of America, United Kingdom and India to address the threat posed by cyber terrorism. The South African position is also examined. The study reveals that some confusion exists between the terms “hacktivism” and “cyber terrorism”. This confusion together with media-induced fears about imminent threats about cyber terrorism has exaggerated the threat of cyber terrorism. Nevertheless, the study also demonstrates that while cyber terrorism does not pose an imminent threat, this could change in the near future. Therefore, the threat posed by cyber terrorism should not be taken lightly. To this end, proper and effective measures should be put in place to counteract such threats in the future. The article also contends that while the global fight against cyber terrorism is necessary, measures addressing cyber terrorism should not jeopardise basic human rights and fundamental freedoms. Therefore, countries need to ensure that a balance is maintained between the protection of human rights and the need for effective prosecution when enacting cyber terrorist legislation.
2 Definition of cyber terrorism
Terrorists are said to use the Internet to spread propaganda and conduct internal communications. However, threats resulting from terrorist use of the Internet have been strongly debated. According to Phillip Brunst, the difference in opinion is due to a lack of exact terminology about the term “cyber terrorism”.17 Maura Conway defines cyber terrorism as “acts of terrorism carried out using the Internet and /or against Internet infrastructures”.18 Dorothy Denning defines cyber terrorism as “the convergence of terrorism and cyberspace. It is understood to mean unlawful attacks and threats of attack against computers, networks and the information stored therein when done to intimidate or coerce a government or its people in the furtherance of political or social objectives”.19 Mark Pollit defines cyber terrorism as a “premeditated, politically motivated attack against information, computer systems, computer programmes, and data which result in violence against noncombatant targets by sub national groups or clandestine agents”.20 Such attacks may lead to death or bodily injury, or cause explosions, plane crashes, water contamination, severe economic loss or serious attacks against critical infrastructure.21 Cyber terrorism encompasses attacks against life and electronic infrastructure which are directed against national security establishments and critical infrastructure.22 The aim of the attacks is to cause a state of terror and panic in the general public. Terrorists may also use information technology to perpetrate new offences or exploit cyberspace to commit more traditional activities such as planning, intelligence, logistical capabilities and finance.23 Thus, terrorists may use computer technology to secure many of their organisational goals. However, attacks that disrupt nonessential services or present a costly nuisance do not amount to cyber terrorism.24 Denning also maintains that while terrorists may use cyberspace to facilitate traditional forms of terrorism such as bombings, or use the Internet to spread their messages and recruit supporters, there are few indications that they are actually pursuing cyber terrorism.25 However, this could change in the future.
The blurring of the distinction between hacktivism and cyber terrorism has also fuelled the debate on cyber terrorism. The term “hacking” refers to the use of special software and techniques of a disruptive nature (‘hacking tools’) to exploit computers.26 However, Peter Krapp maintains that hacktivists should not be regarded as secret agents, soldiers, terrorists or net warriors but rather as individuals or groups who strive to capture attention and achieve maximum media effect in their quest to raise the awareness of citizens regarding certain rights and liberties.27 It is debatable whether hacktivists will succeed in changing government policy.28 Nevertheless, hacktivism should be distinguished from cyber terrorism.
3 Different uses of the Internet by terrorist groups
Organised crime and terrorist groups are using sophisticated computer technology to bypass government detection and carry out destructive acts of violence. The actions of Rami Yousef who orchestrated the 1993 World Trade Center bombing by using encryption to store details of his scheme on his laptop computer, is a case in point .29 It has also been reported that the first known attack by terrorists against a country’s computer system took place in Sri Lanka in 1998, when the ethnic Tamil Tigers guerrillas overwhelmed Sri Lankan embassies with 800 e-mails a day over a two-week period. 30 These messages threatened massive disruption of communications, and caused fear and panic among ordinary Sri Lankans as the rebel group was notorious for killing people. During the war in Kosovo in 1999, Serb sympathisers tried to target the NATO website with viruses.31In another incident, cyber attacks were launched against the Estonian state during April 2007. The targets were the Estonian Parliament, banks, media houses and government departments. These attacks affected critical services.32 The events in Estonia illustrated how countries can be put at risk by attacks via the Internet.33 Thus computers have been used as tools by terrorists to execute terror attacks and advance their particular agendas.34 However, there is “little concrete evidence” to demonstrate that cyber terrorism has resulted in a catastrophic loss of life or physical destruction often associated with conventional terrorism.35
On the other hand, terrorists can also use the Internet for organisational purposes rather than to commit acts of terror. Terrorists can use the computer to commit various crimes such as identity theft, computer viruses, hacking, malware, destruction or manipulation of data.36 Terrorists can use information communication technologies (ICTs) and the Internet for different purposes: propaganda, information gathering, preparation of real-world attacks, publication of training material, communication, terrorist financing and attacks against critical infrastructures.37 This means that organisations or governments which depend on the operation of computers and computer networks can be easily attacked. The Internet has the advantage of being “a more immediate, individual, dynamic, in-depth, interactive, anonymous, unedited, cheaper and far-reaching process than conventional media”. 38 These factors facilitate the task of terrorists to execute their plans unhindered.39 Information on how to make bombs is also freely available on the Internet. 40 However, it should be borne in mind that “terrorist use of computers as a facilitator of their activities, whether for propaganda, recruitment, communication or other purposes is simply not cyber terrorism”.41 Similarly, protest action by way of” virtual sit-ins” on web sites (called electronic civil disobedience) does not amount to cyber terrorism.42
4 Cyber terrorism: Myth or reality?
Although cyber terrorism has become a more dominant force in the global battle between information and network warfare, much misconception still exists over what cyber terrorism entails. As stated earlier, it is important to recognise that all “cyberspace-based threats” are not necessarily terrorism.43 According to Stohl, the concern with the threat of cyber terrorism stems from a combination of fear and ignorance.44 Stohl maintains that the discussion about cyber security also involves some misinformation and the exploitation of fears of the general public.45 The failure to distinguish between hacktivism and cyber terrorism has also contributed to the fear and hype about the threat of cyber terrorism.46 Some writers believe that the media has also exaggerated the possibility of cyber terrorist attacks causing much concern and panic in the public domain.47 However, the number of potential targets and the lack of proper and adequate safeguards have also made addressing the threat a daunting task. One should also not underestimate the risk and potential of future threats.48 Thus, a need arises for the re-examination of commonly held beliefs about the nature of computer systems and cyber terrorism.49 To this end, measures to address cyber security, to introduce adequate cyber terrorist legislation and to make software safe and effective should be introduced. One should also bear in mind that the removal of technical information from the Internet (such as information on how to execute terror attacks), does not provide an adequate guarantee to safeguard the Internet as such material can be easily loaded onto offshore or other international severs.50 Gordon and Ford maintain that an urgent need arises for the development of minimum standards of security for computer networks.51 They also endorse the idea of negotiations to resolve long-standing disputes with terrorist groups, the careful use of surveillance techniques to gather information on terrorist communications and the sharing of information across various public and private sectors to combat terrorism.52
5 Comparative perspective
The following discussion will examine measures taken by the United States of America, the United Kingdom and India to address cyber terrorist threats. These countries have been the target of conventional terrorism; so it is not surprising that they are taking potential cyber terrorist threats seriously.
5.1 United States of America
Since September 11, concerns about cyber terrorism in the United States have multiplied. 53 The USA Patriot Act of 2001 was enacted By President George Bush in response to the 9/11 attacks on the World Trade Centre and Pentagon.54 Although the USA Patriot Act addresses several issues, certain key provisions relate to cyber security and other computer concerns. To this end, the Act has eased restrictions on electronic surveillance to facilitate the capture of terrorists.55 The Act also contains anti-money laundering provisions in order to prevent terrorists from achieving any financial gain from their actions.56 The Patriot Act also includes terrorism and computer crimes on its list of offences.57 However, the Act has been criticised for violating the civil rights of ordinary American citizens.58
Cyber terrorists are said to have the ability to cripple critical infrastructure such as communication, energy and government operations. Cell phones have also been used to track terrorists and to provide evidence against them.59 Terrorist websites are also under increased surveillance since 9/11 to strengthen the fight against terrorism.60 A call has also been made for the development of cyber intelligence as a better co-ordinated government discipline to predict computer-related threats and deter them.61 A bill on cyber security is currently being debated by the US Senate.62 The bill is aimed at the protection of critical infrastructure such as power and phone companies, water and treatment plants and wireless providers. The enactment of the USA Patriot Act and other measures taken by the American government demonstrates the government’s commitment to combat international terrorism including cyber terrorism.
The Terrorism Act of 2000 was introduced to address terror attacks in the United Kingdom. The listed prohibited actions include endangering another person’s life or creating a serious risk to the public health or safety, acts designed to seriously interfere with or disrupt an electronic system and acts involving serious violence to or death to another person or serious property damage.63 Section 1(2)(e) of the Terrorism Act 2000 describes a terrorist act as one that “is designed seriously to interfere with or seriously disrupt an electronic system”. The inclusion of this section is said to consider cyber terrorism.64 This phrase might contemplate cyber terrorism including for example, attacks on banking services through the internet and destruction of computer-stored data. The emphasis on “serious” is said to be important as “a costly nuisance” does not amount to cyber terrorism.65
In response to the September 11 attacks, the British Government passed the Anti-Terrorism, Crime and Security Act of 2001. On 14th December 2001, the British Anti- Terrorism, Crime and Security Act became law. Its object is to ensure the Government has adequate powers to counter the increased threat of terrorism in the United Kingdom following the events of September 11th. This Act has also been the subject of criticism.66
The Terrorism Act of 2006 was introduced in response to the 2007 London bombings.Provisions in the Act now make it illegal to ‘glorify terrorism’ and distribute terrorist publications. 67The Terrorism Act of 2006 also allows groups or organisations to be banned for those offences and covers anyone who gives or receives such training. The Act also creates new offences of undertaking terrorism training, preparation or planning of a terrorist act and disseminating terrorist publications. The Act has been criticised by human rights campaigners and concerns have been raised about the issue of “glorification”.68 Section 17 of the Act facilitates the prosecution of terrorist offences committed outside the United Kingdom.
Information available on the Internet is being used not only by sophisticated terrorist groups but also by disillusioned and unhappy individuals who are prepared to use terrorist tactics to pursue their agendas. To illustrate this, in 1999, a right-wing extremist David Copeland planted nail bombs in different areas of London.69 His actions targeted multi-racial communities and the gay community, and he killed three people and injured 179 over a period of three weeks. At his trial, Copeland disclosed that he learned his deadly techniques from the Internet by downloading copies of The Terrorist’s Handbook and How to Make Bombs: Book Two.70
Thus, the United Kingdom government is seeking protective measures against the cyber terrorist threat. To this end, the United Kingdom government has also set up the National Technical Assistance Centre which is a surveillance advice and interception facility.71 A call has been made to introduce a new offence that would render data inaccessible, introduce the use of more effective filtering mechanisms, educate the general public about cyber terrorism and create public-private partnerships to address security strategies in the computer industry.72 Terrorists are said to be increasingly using online technology to perpetrate cyber attacks and communicate their propaganda. Hence, the British Government has also recently launched a counter-terrorism strategy to keep pace with evolving technology and counteract radicalisation on the Internet. 73 A Cambridge technology company Plextek is also urging the UK Government to create a Cyber Attack Prevention Agency to effectively protect the national critical infrastructure against cyber terrorism.74 A recent proposal by the government to introduce a new strategy of interception of communication has been criticised by civil society as it will lead to a violation of people’s privacy.75 The above discussion demonstrates that the UK Government is taking the cyber terrorist threat seriously. The government has recognised that it has a primary duty to maintain security in all spheres of government. However, it remains the responsibility of human rights campaigners to monitor carefully the enforcement of anti-terrorist legislation and to ensure that miscarriages of justice are avoided.
The Information Technology Act of 2000 contained no provision on cyber terrorism. However, this lack of cyber security strategy was rectified when the Information Technology Amendment Act of 2008 was promulgated. The Information Technology Amendment Act contains a provision on cyber terrorism. Section 66F defines and penalises cyber terrorism. In order to qualify as a cyber terrorist act, the act must be committed with the intention to threaten the unity, integrity, security or sovereignty of India by way of interfering with authorised access to a computer resource, obtaining unauthorised access to a computer resource or damaging a computer network. The acts are punishable if they cause death or injuries to persons or cause damage or destruction to property, disrupt essential supplies or services or affect critical information infrastructure. The penalties range from three years’ imprisonment to life imprisonment and a fine depending on the seriousness of the crime.
India has been a target of conventional terrorism so it is not surprising that India is taking the threat of cyber terrorism seriously.76 It is submitted that stringent measures are necessary to combat the threat of cyber terrorism and to act as effective deterrents. The imposition of stringent punishment for cyber terrorism demonstrates the Indian government’s intention to prevent terrorists using the Internet to perpetrate crime. Whilst the provisions addressing cyber terrorism are welcomed, concerns have been raised about their potential abuse by government authorities.77 Nevertheless, the Act has been welcomed as a step in the right direction.78
The above discussion demonstrates that the United States of America, the United Kingdom and India are taking potential cyber terrorist threats seriously. All these countries have introduced legislation to address terrorism, terrorist financing and cyber terrorism. The increase in vigilance against cyber terrorist threats, the increased surveillance of terrorist websites and the introduction of a cyber security bill in the United States demonstrates the American government’s concern about cyber terrorism. Further steps taken in the United Kingdom include inter alia, the introduction of a surveillance and interception facility and the adoption of a counter terrorist strategy to combat terrorist activity on the Internet. The Information Technology Amendment Act in India contains a specific provision on cyber terrorism. Thus, protective measures are being taken to counteract terrorist threats on the Internet, address cyber security concerns and to keep abreast with evolving technology. However, legislation in these respective countries has also been criticized by human rights campaigners for violating the human rights and freedoms of their respective citizens. Thus, these countries need to ensure that their fight against cyber terrorism does not jeopardise basic human rights and fundamental freedoms. To this end, a balance should be maintained between the protection of basic human rights and the need for effective prosecution.