Cyber Terrorism & Various Legal Compliances
What is Terrorism?
By Federal Bureau of Investigation
The unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political and social objectives.
• Using force to intimidate or coerce government or civilians to further an agenda.
• Cyber-terrorism therefore defined as the use of computing resources to intimidate or coerce others.
• It makes more sense to classify Microsoft, the MPAA, RIAA, and the DMCA as cyber-terrorists rather than any al Qaeda cracker.
USC Title 22, Ch. 38, Sec. 2656 (f) d:
Terrorism is defined as premeditated, politically motivated violence perpetrated against noncombatant targets by sub national groups or clandestine agents, usually intended to influence an audience. The United States has employed this definition of terrorism for statistical and analytical purposes since 1983. U.S. Department of State, 2002, Patterns of Global Terrorism, 2003
What is Cyber Terrorism?
Security expert Dorothy Denning defines cyber terrorism as “... politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage.
The Federal Emergency Management Agency (FEMA)
Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives.
The U.S. National Infrastructure Protection Center:
A criminal act perpetrated by the use of computers and telecommunications capabilities, resulting in violence, destruction and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to particular political, social or ideological agenda.
Forms of Cyber Terrorism
Cyber terrorism as mentioned is a very serious issue and it covers vide range of attacks.
Here, the kind indulgence is asked toward the definition of Cyber Crime.
“Cyber Crime” is crime that is enabled by, or that targets computers. Cyber Crime can involve theft of intellectual property, a violation of patent, trade secret, or copyright laws. However, cyber crime also includes attacks against computers to deliberately disrupt processing, or may include espionage to make unauthorized copies of classified data.
Some of the major tools of cyber crime may be- Botnets, Estonia, 2007, Malicious Code Hosted on Websites, Cyber Espionage etc.
It is pertinent to mark here that there are other forms which could be covered under the heading of Cyber Crime & simultaneously is also an important tools for terrorist activities. Discussing these criminal activities one by one:
Attacks via Internet:
Unauthorized access & Hacking:-
Access means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network. Unauthorized access would therefore mean any kind of access without the permission of either the rightful owner or the person in charge of a computer, computer system or computer network
Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destruct and they get the kick out of such destruction. Some hackers hack for personal monetary gains, such as to stealing the credit card information, transferring money from various bank accounts to their own account followed by withdrawal of money.
By hacking web server taking control on another person’s website called as web hijacking.
The program that act like something useful but do the things that are quiet damping. The programs of this kind are called as Trojans.
The name Trojan Horse is popular. Trojans come in two parts, a Client part and a Server part. When the victim (unknowingly) runs the server on its machine, the attacker will then use the Client to connect to the Server and start using the trojan. TCP/IP protocol is the usual protocol type used for communications, but some functions of the trojans use the UDP protocol as well.
Virus and Worm attack:-
A program that has capability to infect other programs and make copies of itself and spread into other programs is called virus.
Programs that multiply like viruses but spread from computer to computer are called as worms. The latest in these attacks is “Michael Jackson e-mail virus-Remembering Michael Jackson”. Once it infects the computer it automatically spread the worm into other internet users.
E-mail & IRC related crimes:-
Email spoofing refers to email that appears to have been originated from one source when it was actually sent from another source.
Email "spamming" refers to sending email to thousands and thousands of users - similar to a chain letter.
Sending malicious codes through email
E-mails are used to send viruses, Trojans etc through emails as an attachment or by sending a link of website which on visiting downloads malicious code.
E-mail "bombing" is characterized by abusers repeatedly sending an identical email message to a particular address.
5. Sending threatening emails
6. Defamatory emails
7. Email frauds
8. IRC related
Attack on Infrastructure:
Our banks and financial institutions; air, sea, rail and highway transportation systems; telecommunications; electric power grids; oil and natural gas supply lines—all are operated, controlled and facilitated by advanced computers, networks and software. Typically, the control centers and major nodes in these systems are more vulnerable to cyber than physical attack, presenting considerable opportunity for cyber terrorists.
There, could be other losses to infrastructure too as Kevin Coleman in his article on cyber-terrorism offered a scenario of possible consequences of a cyber-terrorism act against an infrastructure or business, with a division of costs into direct and indirect implications:
Direct Cost Implications
- Loss of sales during the disruption
- Staff time, network delays, intermittent access for business users
- Increased insurance costs due to litigation
- Loss of intellectual property - research, pricing, etc.
- Costs of forensics for recovery and litigation
- Loss of critical communications in time of emergency
Indirect Cost Implications
- Loss of confidence and credibility in our financial systems
- Tarnished relationships and public image globally
- Strained business partner relationships - domestic and internationally
- Loss of future customer revenues for an individual or group of companies
- Loss of trust in the government and computer industry.
Attacks on Human Life
• In case of an air traffic system that is mainly computerized and is set to establish the flight routes for the airplanes, calculating the flight courses for all the planes in the air to follow. Also, plane pilots have to check the course as well as the other planes being around using the onboard radar systems that are not connected to external networks, therefore it can be attacked by the cyber-terrorist.
• A different example would be the act of cyber-terrorism agains a highly-automated factory or plant production of any kind of product: food, equipment, vehicles etc. In case this organisation is highly reliant on the technological control, including a human control only in the end of production, not on the checkpoint stages, then any malfunction would be extremely hard to point out, fix and as a result to spot out a cyber-crime being committed
The law of privacy is the recognition of the individual's right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law. In recent times, however, this right has acquired a constitutional status [Rajagopal Vs State of TN [(1994) 6 SCC 632], the violation of which attracts both civil as well as criminal consequences under the respective laws. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. Right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology the traditional concept of right to privacy has taken new dimensions, which require a different legal outlook. To meet this challenge recourse of Information Technology Act, 2000 can be taken. The various provisions of the Act protect the online privacy rights of the net users. These rights are available against private individuals as well as against cyber terrorists. Section 1 (2) read with Section 75 of the Act provides for an extra-territorial application of the provisions of the Act. Thus, if a person (including a foreign national) contravenes the privacy of an individual by means of computer, computer system or computer network located in India, he would be liable under the provisions of the Act. This makes it clear that the long arm jurisdiction is equally available against a cyber terrorist, whose act has resulted in the damage of the property, whether tangible or intangible.
Secret information appropriation and data theft:
The information technology can be misused for appropriating the valuable Government secrets and data of private individuals and the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defence and other top secrets, which the Government will not wish to share otherwise. The same can be targeted by the terrorists to facilitate their activities, including destruction of property. It must be noted that the definition of property is not restricted to moveable or immoveable alone. In R.K. Dalmia v Delhi Administration the Supreme Court held that the word "property" is used in the I.P.C in a much wider sense than the expression "movable property". There is no good reason to restrict the meaning of the word "property" to moveable property only, when it is used without any qualification. Whether the offence defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word "property" but on the fact whether that particular kind of property can be subject to the acts covered by that section.
(III) Demolition of e-governance base:
The aim of e-governance is to make the interaction of the citizens with the government offices hassle free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In P.U.C.L. V U.O.I the Supreme Court specified the grounds on which the government can withhold information relating to various matters, including trade secrets. The Supreme Court observed: " Every right- legal or moral- carries with it a corresponding objection. It is subject to several exemptions/ exceptions indicated in broad terms.
Laws in Various Countries on Cyber Terrorism
New laws allowing Singapore to launch pre-emptive strikes against computer hackers have raised fears that Internet controls are being tightened and privacy compromised in the name of fighting terrorism The city-state's parliament has approved tough new legislation aimed at stopping "cyber terrorism," referring to computer crimes that are endanger national security, foreign relations, banking and essential public services. Security agencies can now patrol the Internet and swoop down on hackers suspected of plotting to use computer keyboards as weapons of mass disruption. Violators of the Computer Misuse Act such as website hackers can be jailed up to three years or fined up to S$10,000 ($5,800).
A bill sponsored by state Sen. Michael Balboni, R-East Williston, that makes cyber terrorism a felony was approved by the legislative body earlier this month and sent to the State Assembly. Under the legislation, cyber terrorism, using computers to disrupt, terrorize or kill, would become a class B felony, carrying a prison term of up to 25 years.
Malaysia is to establish an international centre to fight cyber-terrorism, providing an emergency response to high-tech attacks on economies and trading systems around the globe, reports said. Prime Minister Abdullah Ahmad Badawi said during a visit to the United States that the facility, sited at the high-tech hub of Cyberjaya outside Kuala Lumpur, would be funded and supported by governments and the private sector.
The New Straits Times said the centre would be modelled on the Centre for Disease Control in Atlanta, which helps handle outbreaks of disease around the world.
Abdullah -- who announced the initiative at the close of the World Congress on Information Technology in Austin, Texas -- said the threat of cyber-terrorism was too serious for governments to ignore.
The Interpol, with its 178 member countries, is doing a great job in fighting against cyber terrorism. They are helping all the member countries and training their personnel. The Council of Europe Convention on Cyber Crime, which is the first international treaty for fighting against computer crime, is the result of 4 years work by experts from the 45 member and non-member countries including Japan, USA, and Canada. This treaty has already enforced after its ratification by Lithuania on 21st of March 2004.
The Association of South East Asia Nations (ASEAN) has set plans for sharing information on computer security. They are going to create a regional cyber-crime unit by the year 2005.
United Kingdom adopted Terrorism Act, 2000, which gives the definition of terrorism and also gives various provisions for Cyber terrorism.
Whoever commits the offence of cyber terrorism and causes death of any person shall be punishable with death or imprisonment for life,” according to the ordinance, which was published by the state-run APP news agency. The Prevention of Electronic Crimes law will be applicable to anyone who commits a crime detrimental to national security through the use of a computer or any other electronic device, the government said in the ordinance. It listed several definitions of a “terrorist act” including stealing or copying, or attempting to steal or copy, classified information necessary to manufacture any form of chemical, biological or nuclear weapon.
Although the term “cyber terrorism” is absent from the terminology of the Indian law, Section 69 of the Information Technology Act is a strong legislative measure to counter the use of encryption by terrorists. This section authorizes the Controller of Certifying Authorities (CCA) to direct any Government agency to intercept any information transmitted through any computer resource.
Constitution of India
Any person who fails to assist the Government agency in decrypting the information sought to be intercepted is liable for imprisonment up to 7 years.
Article 300A of Constitution of India states that all persons have a right to hold and enjoy their properties. In a specific case of Bhavnagar University v Palitana Sugar Mills Pvt. Ltd. Supreme Court applied the constitutional clause with the interpretation that anyone can enjoy his or her property rights in any manner preferred. This also includes property rights to information stored on computers or in any electronic format.
Articles 301 to 305 refer to the right for free trade. As long as an individual carries out a business in accordance with law, it cannot be interfered. Besides, free trade and any commercial activities cannot be visualized without technological rights, which mean that any distortion of those is illegal. In India these provisions have been effectively used to protect individual property rights against the actions of cyber-criminals.
A big deal of protection is also provided by Indian Penal Code. Section 22 of it gives a definition of a “movable property” stating that it also includes all corporal properties. It means that any information stored on a computer can be conveniently regarded as a movable property as it can definetely be moved from one place to another and is not attached.
Section 29A of the Code with Section 2(1)(t) of the Information Technology Act provides that “electronic record means data, record, or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer generated microfiche”.
Cyber-terrorism and Human Rights.
Universal Declaration of Human Rights in its Preamble talks about a “freedom from fear and want”. Freedom from fear is mostly a term of psychological nature, however, it is being used very widely nowadays especially in cases of terrorism. Article 3 of the Declaration sets the right to “security of person”. As we know, term “person” also includes an environment (s)he exists in, different from the term “individual” which under one of the concepts imagines it as something abstract, apart from any other surrounding conditions. So protecting a personal security would also mean protecting his (her) social, economical and other connections, “threads” established with the environment. As long as in modern reality these are sometimes predominantly based on technology, computers or internet, cyber-terrorism protection also deals with “security of person”. Here I would also add Article 5 with it’s protection against “degrading treatment”. Personal harm is also a part of degradation and treating a person in a current way is something that may be provided by cyber-criminal act as it was proven above.
One important provision that I would like to pay special attention to is Article 12 of the Declaration. It states: “No one shall be subjected to arbitrary interference with his privacy, nor to attacks upon his honour or reputation”. “Privacy” is defined as “the quality or state of being apart from company or observation” which in combination with another definition of “freedom from unauthorized intrusion” given by the same source, also includes the privacy of computer-stored data and a right to enjoy it’s private state of non-interference without personal will of the possessor.
Article 17 sets a right to property and a restriction to deprive anyone from possessed property. Property is defined as “anything that is owned by a person or entity” , including two types of it: “real property” and “personal property”. Personal property or “personality” includes “movable assets which are not real property, money, or investments.
Article 19, however, plays a different role in this topic and is mostly associated with internet use by terrorists in general.
The judiciary can play its role by adopting a stringent approach towards the menace of cyber terrorism. It must, however, first tackle the jurisdiction problem because before invoking its judicial powers the courts are required to satisfy themselves that they possess the requisite jurisdiction to deal with the situation. Since the Internet "is a cooperative venture not owned by a single entity or government, there are no centralized rules or laws governing its use. The absence of geographical boundaries may give rise to a situation where the act legal in one country where it is done may violate the laws of another country. This process further made complicated due to the absence of a uniform and harmonised law governing the jurisdictional aspects of disputes arising by the use of Internet. It must be noted that, generally, the scholars point towards the following "theories" under which a country may claim prescriptive jurisdiction:
(a) a country may claim jurisdiction based on "objective territoriality" when an activity takes place within the country,
(b) a "subjective territoriality" may attach when an activity takes place outside a nation's borders but the "primary effect" of the action is within the nation's borders,
(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,
(d) in exceptional circumstances, providing the right to protect the nation's sovereignty when faced with threats recognised as particularly serious in the international community.
In addition to establishing a connecting nexus, traditional international doctrine also calls for a "reasonable" connection between the offender and the forum. Depending on the factual context, courts look to such factors, as whether the activity of individual has a "substantial and foreseeable effect" on the territory, whether a "genuine link" exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis for cases arising in cyberspace [Dawson Cherie; “Creating Borders on the Internet- Free Speech, the United States and International Jurisdiction”, Virginia Journal of International Law, V-44, No-2 (Winter, 2004).]. It must be noted that by virtue of section 1(2) read with section 75 of the Information Technology Act, 2000 the courts in India have “long arm jurisdiction” to deal with cyber terrorism.
Therefore, cyber terrorism is becoming major tool for terrorists and thus it is getting more essential to frame policies to counter these attacks.
1. The Myth of Cyber Terrorism, By: J. D. Dayson, National Aeronautics & Space Administrations Jet Propulation Laboratory. Available at-
2. available at http://www.state.gov/s/ct/rls/pgtrpt/2001/html/10220.htm
3. Dorothy Denning, “Activism, Hactivism, and Cyber terrorism: The Internet as a tool for Influencing Foreign Policy,” in John Arquilla and David Ronfeldt, eds., Networks and Netwars, (Rand 2001), p. 241. Dorothy Denning, Is Cyber War Next? Social Science Research Council, November 2001, at http://www.ssrc.org/sept11/essays/denning.htm
4. ( Taken from - CRS Report of Congress; January 29.2008- http://www.fas.org/sgp/crs/terror/RL32114.pdf ).
5. Available at: http://www.fema.gov/pdf/onp/toolkit_app_d.pdf
6.Cyber Terrorism, Kevin Coleman, October 10, 2003
7. Merriam-Webster Online Dictionary, definition of “privacy”
8. Free Online Law Dictionary, definition of “property”
The author can be reached at: firstname.lastname@example.org