CYBERTERRORISM – A POSED POISON
by
Karmanye Thadani and Toms Kurian*

ABSTRACT




In this paper, we wish to examine the menace of cyberterrorism, particularly with respect to the propaganda in favour of terrorism on many a website. In this connection, we have done doctrinal legal research i.e. we have examined the relevant literature with respect to the field, and even some non-doctrinal legal research by checking out websites that advocate terrorism.

No religion preaches violence against innocent civilians. Nor does the Marxist ideology. In essence, it is our belief that all religions preach the message of peace and harmony (since this paper is not on theology but on law, we have not elaborated this point further). Similarly, Marxism, while opposing religion, calls for a just social order based on equality, and permits violence against the exploiters for that cause. But it is a humane ideology, and so are all established faiths. But, people have started propaganda on the Internet in favour of killing innocent civilians in the name of religion, and there are those who promote the same for turning their countries Communist, such as the Naxalites in India.

In this paper, we have attempted to identify the steps taken in this direction and how this problem can be solved.




















* Students of Gujrat National Law University (GNLU), Gandhinagar, India. The authors are grateful to Judge Dr. Mohammad Chawki for his kind cooperation, their faculty member, Mr. Balajirao, for his guidance and support, the GNLU library staff and the staff of the GNLU computer laboratory and Om Cyber Café in Gandhinagar.


I. INTRODUCTION
Terrorism is a major threat to the world today and the militant pan-Islamists and Communists, misinterpreting Islam and Marxism, have created havoc. Many innocent civilians have lost their lives because of terrorist activities. The emergence of the Internet in the last few years has enabled many terrorist organisations to use it as a platform to promote their inhuman ideology. They have also resorted to cyber crimes like hacking to get information and weaken administration.
This new brand of computer-related terrorism is known as ‘cyberterrorism’. The National Conference of State Legislatures (NCSL), a bipartisan organization of legislators and their staff created to help policymakers of all 50 states of the United States of America, address vital issues such as those affecting the economy or homeland security by providing them with a forum for exchanging ideas, sharing research and obtaining technical assistance[1], defines cyberterrorism as follows:
“the use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, denial-of-service attacks, or terrorist threats made via electronic communication”[2]
The existence of the open-source community, possibility of anonymity and wide reach of web users make the internet the best medium for terrorist propaganda. Take, for example, a website of the so-called Communist revolutionaries or Naxalites in India, http://naxalrevolution.blogspot.com/index.html , which on its home page and on every page, carries the following proclamation –
“The notion that a Naxalite is someone who hates his country is naive and usually idiotic. He is, more likely, one who likes his country more than the rest of us, and is thus more disturbed than the rest of us when he sees it debauched. He is not a bad citizen turning to crime; he is a good citizen fighting for justice and equality.”
Moreover, that very website contains an advertisement about an online newsletter, which blatantly gives an open offer to one and all to rape two and murder one for free till tribals last! For the purpose of subscription, those interested are requested to “use an anonymous email id which you do not use for anything else.” It further tells you to “subscribe to this newsletter at your own risk !”[3]

Belief in parliamentary democracy has been described to be a ‘mistake’.[4] Such a statement amounts to sedition under Section 124A of the Indian Penal Code (IPC). This section states that –

Whoever, by words, either spoken or written, or by signs, or by visible representation, or otherwise, brings or attempts to bring into hatred or contempt, or excites or attempts to excite disaffection towards the Government established by law in India shall be punished with imprisonment for life, to which fine may be added, or with imprisonment which may extend to three years, to which fine may be added, or with fine.”

Thus, such blatant statements arousing people to turn violent against the government established by law in India basically can amount to serious punishment. But, these Naxalites know that due to anonymity on the internet, they would go unpunished for making such statements.
Cyberterrorism, in all its forms, can have disastrous consequences. Cyberterrorism can have a serious large-scale influence on significant numbers of people. It can weaken countries' economy greatly, thereby stripping it of its resources and making it more vulnerable to military attack.
Cyberterror can also affect internet-based businesses. Like brick and mortar retailers and service providers, most websites that produce income (whether by advertising, monetary exchange for goods or paid services) could stand to lose money in the event of downtime created by cyber criminals.
As internet-businesses have increasing economic importance to countries, what is normally cybercrime becomes more political and therefore terror-related.
II. SCOPE OF CYBERTERRORISM
We may differentiate between cyberterrorism and cyber crime in general. In the words of Ashish Pandey, a scholar of cyber law in India, “A necessity may be felt about what is the need to distinguish between cyber terrorism and cyber crime. Both are criminal acts. However there is a compelling need to distinguish between both these crimes.”[5] While a cyber crime may be against an individual or a particular organisation, cyber terrorism is against the society at large, or against the government of the country. All cyber terrorist acts are cyber crimes but all cyber crimes are not cyber terrorist acts.

However, this classification may seem incorrect to a person who traditionally classifies any crime as an offence against the society at large. In this connection, the above-mentioned definition of cyberterrorism may be referred to. Another definition that may be stated in this regard is that cyberterrorism is “the pre-mediated use of disruptive activities, or the threat thereof, in cyberspace, with the intention to further social, ideological, political or similar objectives, or to intimidate any person in furtherance of such objectives.”[6]


Cyber crimes, that may not constitute cyberterrorism may include harassing individuals by emails, cyber-stalking (following the persons movements across the Internet by posting messages, sometimes threatening on the bulletin boards frequented by the victim and irritating him by other means), cyber defamation of individuals, hacking, e-mails spoofing (a spoof e-mail is one which misrepresents its origin), violation of intellectual property rights on the Internet, online trafficking in drugs, human-beings, weapons etc. and online fraud and cheating (e.g. credit card crimes).[7]

“With the increase in the role that computers play in all our activities, there is a threat of cyber terrorism looming large on the international community and respective national security. Computers today control power delivery, communications, aviation, medical, defence and financial services. They are used to store vital information, from medical records to business plans to criminal records. With all the advantages of using computers for storing and processing data, they have one major disadvantage i.e., they are vulnerable, amongst others to deliberate outside attack. ‘The modern thief can steal more with the computer than with the gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.’

Terrorists are known to use information technology to formulate plans, raise funds, spread propaganda, and to communicate securely. For example, Ramzi Yousef, master mind of the first World Trade Center attack, stole detailed plans to destroy United States airliners on encrypted files in his lap top computer.”[8]

A website http://www.ummah/net/mhc/hackers .html listed tips for things such as hacking the Pentagon.[9] A hacker known as DoctorNuker has been defacing websites for the last six years with anti-American and pro-Laden propaganda.[10] There have been instances like the 1998 attack on Sri Lankan servers by the Internet Black Tigers, and the Mexican Zapatista movement in the same year.[11]

While the definitions of cyber terrorism stated above cover terrorist propaganda on the internet as well. However, there are scholars who give a much narrower definition of cyberterrorism. In their opinion, only “serious attacks against critical infrastructures could be acts of cyber terrorism, depending on their impact.”[12]

Such scholars classify terrorist propaganda on the internet as distinct from cyberterrorism. However, they do not ignore the importance of such malicious propaganda. Mr. SVJ Rao, who belongs to this school of thought points out that it is ironical that among those who realise the propaganda potential of computer networks, at the earliest were various racial and other hate groups. The Ku Klux Klan and various neo-Nazi groups have used the internet to spread disaffection against blacks and Jews. Similarly, so-called fundamentalist Muslims have used the internet to spread disaffection against non-Muslims. Even so-called fundamentalist Hindus and Christians have done the same against Muslims. With respect to people with Communist convictions, the case of Naxalites in India has already been discussed in detail earlier.
III. SOLUTION
There is no doubt about the fact that cyberterrorism is a serious phenomenon, and whether or not the threat is hyped, it is realistic and not one that can be ignored. In any case, propaganda against specific nations, races or religious groups, including inciting people to turn violent against them, needs to be controlled. For, freedom to express never meant freedom to kill… such websites help in networking killing and make people kill. And for the purpose, there should exist an international convention to deal with the same.

Several steps have been taken in this direction. The G8 countries established Subgroup of High-Tech Crime in 1997. At a meeting in Washington D.C. they adopted ten principles to combat computer crime aiming to ensure that no criminal receives ‘safe haven’ anywhere in the world.
At their last meeting on May 11, 2004, a joint communiqué was issued – Continuing to Strengthen Domestic Laws. To truly build global capacities to combat terrorist and criminal uses of the Internet, all countries must continue to improve laws that criminalize misuses of computer networks and that allow for faster cooperation on Internet-related investigations. With the Council of Europe’s Convention on Cybercrime coming into force on July 1, 2004, we should take steps to encourage the adoption of the legal standards it contains on a broad basis”.
In December 1999, Stanford University in California, organized a conference on International Cooperation to Combat Cyber Crime and Terrorism and based on that in the year 2000, it introduced a Proposal for an International Convention on Cyber Crime and Terrorism.
In the same year, a United Nations Resolution was adopted by the General Assembly on ways to combat the criminal misuse of information technologies. The resolution specifically identified the importance of certain measures, which included -
“a. States should ensure that their laws and practice eliminate safe havens for those who criminally misuse information technologies.
b. Legal systems should protect the confidentiality, integrity and availability of data and computer systems from unauthorized impairment and ensure that criminal abuse is penalized.”
Two years later, on April 19, 2002, the Commission of the European Communities presented a proposal in the European Union for a Council Framework Decision on attacks against information systems. The Council of Europe Convention on Cybercrime is a historic milestone in the battle against cyber crime.
On the 17th of November 2004, at the ministerial meeting in Santiago, Chile, a joint statement was issued by the APEC leaders to strengthen the respective economies ability to combat cyber crime by enacting suitable domestic legislation consistent with the provisions of international legal instruments, including the Convention on Cybercrime (2001), and relevant United Nations General Assembly Resolutions.
The Fifth Meeting of Ministers of Justice in Washington D.C. from April 28 to April 30, 2004, approved conclusions and recommendations to the General Assembly of the OAS - “That Member States evaluate the advisability of implementing the principles of the Council of Europe Convention on Cybercrime (2001), and consider the possibility of acceding to that convention.”
While the international convention proposed by Stanford University calls for the creation of an international organisation for the known as the Agency for Information Infrastructure Protection (AIIP).[13] The AIIP is intended to serve as a formal structure in which interested groups will cooperate through experts in countries around the world in developing standards and practices concerning cyber security.[14] The constitution of the AIIP has also been very clearly defined, consisting of an Assembly, a Council, a Secretariat managed by a Secretary General, and such committees and other subordinate bodies as are necessary in the judgment of the Assembly or Council to implement this Convention's objectives.[15] The countries signatory to the convention are also required to annually report to the AIIP.[16] As far as dispute resolution is concerned, the countries are to attempt to resolve all disputes that arise under this Convention through negotiation and mediation, with the assistance of the AIIP Secretariat.[17]

However, this draft does not clearly define the different types of offences, though it does give a broad guideline as to what cyber crimes under it would amount to. However, the same is not true for the convention adopted by the Council of Europe, which from Articles 2-11, clearly defines the different types of cyber crimes, and in Article 14, even mentions “other criminal offences committed by means of a computer system” in the category of cyber crimes. In the Stanford draft, only Article 3 mentions very briefly what comes under the ambit of cyber crimes. However, while both the conventions call for mutual legal assistance of countries and extradition, if required, while the Stanford draft calls for an international organisation in the form of the AIIP, the convention of the Council of Europe creates the European Committee on Crime Problems (CDPC) and for settlement of disputes requires the countries to seek to settle dispute through negotiation or any other peaceful means of their choice, including submission of the dispute to the CDPC, to an arbitral tribunal whose decisions shall be binding upon the countries, or to the International Court of Justice, as agreed upon by the countries concerned.[18]

However, both the conventions seem to be silent about the nature of propaganda that can be posted on the internet. Although Article 14 of the Council of Europe convention does mention “other criminal offences committed by means of a computer system”, it leaves the scope for terrorist propaganda on the internet ambiguous. In my opinion, an international convention must be adopted which must create an international organisation like the proposed AIIP and a specific dispute resolution body with respect to cyber crime, like the WTO Dispute Settlement Board, though scope for alternate dispute resolution should be there. And, of course, there should be mutual cooperation between countries, including extradition, if required, the international convention must specifically declare propaganda against inciting people to violence against any race or religious group as amounting to cyber crime. Moreover, at least for governments with democratic regimes that are recognised by a fixed number of countries, online propaganda amounting to sedition against such governments should be declared as amounting to crime. Such a convention, if passed, brought into force and implemented, could help control the problem.

[1] Governing NCSL, available at http://www.ncsl.org/public/govern.htm accessed on 15th May 2008


[2] Cyberterrorism, available at http://www.ncsl.org/programs/lis/cip/cyberterrorism.htm accessed on 15th May 2008


[3] Naxal Revolution Archives, available at http://naxalrevolution.blogspot.com/2007/06/shocking-but-true-quotes-from.html accessed on 12th May 2008


[4] Comrade Chandrashekar - Immortal revolutionary of the people, available at http://naxalrevolution.blogspot.com/search/label/Martyrs accessed on 10th May 2008

[5] Ashish Pandey, Cyber Crimes – Detection and Prevention, p 5.4

[6]Ibid, p 5.5

[7] Supra note 5, p 5.1 -5.6

[8] SVJ Rao, Law of Cyber Crimes & Information Technology Law, p 62

[9] Ibid, p 62-63

[10]Ibid, p 63

[11] Ibid

[12] Supra note 8

[13] International Convention to Enhance Protection from Cyber Crime and Terrorism (proposed Stanford University draft), Art. 12

[14] Ibid

[15] Ibid

[16]Ibid, Art. 14

[17] Ibid, Art. 21

[18] Council of Europe-ETS No. 185 – Convention on Cybercrime, Art. 45