Author: Karampreet Kaur Malhotra
Designation: Research Coordinator, GCTC
Area of Interest: International laws and relations, Cyberwarfare, Corporate laws, Counter-Terrorism, Security laws, legal remedies.
The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of information technology, the terrorists have acquired the expertise to produce the most deadly combination of weapons and technology, which, if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism, popularly known as “Cyber Terrorism”.
Public interest in cyber-terrorism began in the late 1990s when the term was coined by Barry C. Collin, as “the intentional abuse of digital information system, network, or component toward an end that supports or facilitates a terrorist campaign or action”.
As 2000 approached, the fear and uncertainty about the millennium bug heightened, as did the potential for attacks by cyber terrorists. Although the millennium bug was by no means a terrorist attack or plot against the world or the United States, it did act as a catalyst in sparking the fears of a possible large-scale devastating cyber-attack. Commentators noted that many of the facts of such incidents seemed to change, often with exaggerated media reports.
The high-profile terrorist attacks in the United States on September 11, 2001, and the ensuing War on Terror by the US led to further media coverage of the potential threats of cyber terrorism in the years following. Mainstream media coverage often discusses the possibility of a large attack making use of computer networks to sabotage critical infrastructures with the aim of putting human lives in jeopardy or causing disruption on a national scale either directly or by disruption of the national economy. The world was shocked by the despicable attacks and loss of innocent life on Sept 11, 2001, carried out by 19 airplane hijackers on a suicide mission. But that tragedy, horrific as it was, could be dwarfed by just one or two skilled Internet users who don’t even set foot in their target country. It is frightening to imagine the human and economic toll of computer systems.
The nature of cyber terrorism covers conduct involving computer or Internet technology that:
- is motivated by a political, religious, or ideological cause
- is intended to intimidate a government or a section of the public to varying degrees
- seriously interferes with infrastructure
The term “cyber terrorism” can be used in a variety of different ways, but there are limits to its use. An attack on an Internet business can be labeled cyber terrorism; however, when it is done for economic rather than ideological motivations, it is typically regarded as cybercrime. Various definitions limit the label “cyber terrorism” to actions by individuals, independent groups, or organizations. Any form of cyber warfare conducted by governments and states would be regulated and punishable under international law.
The most widely cited paper on the issue of Cyber terrorism is Denning’s Testimony before the Special Oversight Panel on Terrorism (Denning, 2000). Here, she makes the following statement: “Cyber terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyber terrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyber terrorism, depending on their impact. Attacks that disrupt nonessential services or that are mainly a costly nuisance would not.”
While Denning’s definition is solid, it also raises some interesting issues. First, she points out that this definition is usually limited to issues where the attack is against “computers, networks, and the information stored therein”, which we would argue is ‘Pure Cyber terrorism’. Indeed, we believe that the true impact of her opening statement (“the convergence of terrorism and cyberspace”) is realized not only when the attack is launched against computers, but when many of the other factors and abilities of the virtual world are leveraged by the terrorist in order to complete his mission, whatever that may be. Thus, only one aspect of this convergence is generally considered in any discussion of cyber terrorism — an oversight that could be costly. Second, it is very different from the definition that appears to be operationally held by the media and the public at large.
The FBI defined cyber terrorism as “the premeditated, politically motivated attack against information, computer system, computer programs and data which results in violence against non-combatant targets by sub-national groups or clandestine agents”.
Security expert Dorothy Denning defines cyber terrorism as ‘… politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage.’
NATO defines cyber terrorism as “a cyber-attack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or to intimidate a society into an ideological goal.”
The Federal Emergency Management Agency (FEMA) defines cyber terrorism as, “Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives”.
The Technologies Institute defines cyber terrorism as “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives, or to intimidate any person in furtherance of such objectives.”
The United States National Infrastructure Protection Centre defined cyber terrorism as: “A criminal act perpetrated by the use of computers and telecommunications capabilities resulting in violence, destruction, and/or disruption of services to create fear by causing confusion and uncertainty within a given population, with the goal of influencing a government or population to conform to a political, social, or ideological agenda.”
These definitions tend to share the view of cyber terrorism as politically and/or ideologically inclined. One area of debate is the difference between cyber terrorism and hacktivism. Hacktivism is “the marriage of hacking with political activism”. Both actions are politically driven and involve using computers; however, cyber terrorism is primarily used to cause harm. It becomes an issue because acts of violence on the computer can be labeled either cyber terrorism or hacktivism.
a. Forms of Cyber Terrorism
Cyber terrorism, as mentioned, is a very serious issue and it covers a wide range of attacks. Here, the reader's indulgence is asked for a definition of Cyber Crime. “Cyber Crime” is a crime that is enabled by, or that targets, computers. Cyber Crime can involve the theft of intellectual property, a violation of patent, trade secret, or copyright laws. However, cybercrime also includes attacks against computers to deliberately disrupt processing, or may include espionage to make unauthorized copies of classified data. Some of the major tools of cybercrime may be Botnets, Estonia, 2007, Malicious Code Hosted on Websites, Cyber Espionage, etc. It is pertinent to note here that there are other forms that could be covered under the heading of Cyber Crime and simultaneously are also important tools for terrorist activities. These criminal activities are discussed one by one below:
- Attack on Infrastructure
Our banks and financial institutions; air, sea, rail, and highway transportation systems; telecommunications; electric power grids; oil and natural gas supply lines: all are operated, controlled, and facilitated by advanced computers, networks, and software. Typically, the control centers and major nodes in these systems are more vulnerable to a cyber attack than to a physical attack, presenting a considerable opportunity for cyber terrorists. There could be several possible consequences of a cyber-terrorism act against an infrastructure or business, with a division of costs into direct and indirect implications:
i. Direct Cost Implications by cyber terrorism:
– Loss of sales during the disruption
– Staff time, network delays, irregular access for business users
– Increased insurance costs due to litigation
– Loss of intellectual property – research, pricing, etc.
– Costs of forensics for recovery and litigation
– Loss of critical communications in time of emergency
ii. Indirect Cost Implications by cyber terrorism:
– Loss of confidence and credibility in our financial systems
– Tarnished relationships and public image globally
– Strained business partner relationships – domestic and international
– Loss of future customer revenues for an individual or group of companies
– Loss of trust in the government and computer industry.
iii. Attacks on Human Life:
- Consider the case of an air traffic system that is mainly computerized and is set to establish the flight routes for the airplanes, calculating the flight courses for all the planes in the air to follow. Also, plane pilots have to check the course, as well as the other planes around them, using the onboard radar systems that are not connected to external networks; therefore it can be attacked by the cyber-terrorist.
- A different example would be an act of cyber-terrorism against a highly automated factory or plant producing any kind of product: food, equipment, vehicles, etc. If this organization is highly reliant on technological control, with human control only at the end of production and not at the checkpoint stages, then any malfunction would be extremely hard to point out and fix, and as a result it would be hard to spot that a cyber-crime is being committed.
- Privacy violation
The law of privacy is the recognition of the individual’s right to be let alone and to have his personal space inviolate. The right to privacy as an independent and distinctive concept originated in the field of Tort law. In recent times, however, this right has acquired a constitutional status in Rajagopal v. State of Tamil Nadu; the violation of which attracts both civil as well as criminal consequences under the respective laws. Modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. The right to privacy is a part of the right to life and personal liberty enshrined under Article 21 of the Constitution of India. With the advent of information technology, the traditional concept of the right to privacy has taken new dimensions, which require a different legal outlook. To meet this challenge, recourse to the Information Technology Act, 2000 can be taken. The various provisions of the Act protect the online privacy rights of net users.
These rights are available against private individuals as well as against cyber terrorists. Section (2) read with Section 75 of the Act provides for an extraterritorial application of the provisions of the Act. Thus, if a person including a foreign national contravenes the privacy of an individual by means of a computer, computer system, or computer network located in India, he would be liable under the provisions of the Act. This makes it clear that the jurisdiction is equally available against a cyber-terrorist, whose act has resulted in the damage of the property, whether tangible or intangible.
- Secret information appropriation and data theft:
Information technology can be misused for appropriating valuable Government secrets and the data of private individuals and of the Government and its agencies. A computer network owned by the Government may contain valuable information concerning defense and other top secrets which the Government will not wish to share otherwise. The same can be targeted by the terrorists to facilitate their activities, including the destruction of property. It must be noted that the definition of property is not restricted to moveable or immoveable alone.
In R.K. Dalmia v. Delhi Administration, the Supreme Court held that the word “property” is used in the I.P.C in a much wider sense than the expression “movable property”. There is no good reason to restrict the meaning of the word “property” to the moveable property only when it is used without any qualification. Whether the offense defined in a particular section of IPC can be committed in respect of any particular kind of property, will depend not on the interpretation of the word “property” but on the fact whether that particular kind of property can be subject to the acts covered by that section.
- Demolition of e-governance base
The aim of e-governance is to make the interaction of citizens with government offices hassle-free and to share information in a free and transparent manner. It further makes the right to information a meaningful reality. In P.U.C.L. v. U.O.I., the Supreme Court specified the grounds on which the government can withhold information relating to various matters, including trade secrets. The Supreme Court observed: “Every right, legal or moral carries with it a corresponding objection. It is subjected to several exemptions/ exceptions indicated in broad terms”.
In a nutshell, Cyber terrorists use various tools and methods to unleash their terrorism. Some of the major tools are as follows:
- Trojan Attacks
- Computer worms
- Computer viruses
- Denial of service attacks
- E-mail related crimes
b. Motives behind any Attacks are:
- Putting the public or any section of the public in fear; or
- Affecting adversely the harmony between different religious, racial, language or regional groups or castes or communities; or
- Coercing or overawing the government established by law; or
- Endangering the sovereignty and integrity of the nation.
c. The terrorism matrix
When terrorism is examined in view of these definitions, there are some pervasive elements: people (or groups), locations (of perpetrators, facilitators, and victims), methods/modes of action; tools, targets, affiliations, and motivations. When we examine the elements in these categories in terms of the definitions provided by the government agencies, we see there is congruence between the terrorism event and the definitions used by the various agencies tasked with providing protection. This congruence is a good thing, as it results in people tasked with defense being able to determine that certain functional tasks fit within the definitions used within their agencies/organizations. For example, as mentioned above, the United States Department of State (DOS) defines terrorism as “premeditated, politically motivated violence perpetrated against noncombatant targets by sub-national groups or clandestine agents”. Thus, the activities of both of these groups fit the DOS criteria for ‘terrorism’.
Interactions between human beings are complex; while the obvious solutions gravitate toward monitoring, we are concerned with the virtualization of interactions, which can lead to relative anonymity and desensitization. Topics of interest include methods to measure and diminish the impact of computer-mediated interactions on potential recruits and the ability for defenders to use virtual identities to influence intra- and inter-group dynamics (dissension, ‘behind the scenes’ communication, and destabilization).
Location exists as an element but is not a ‘required’ element in traditional terrorism in that an event does not have to occur in a particular location. Thus, whether an act is virtual/virtual, virtual/real-world, or real-world/virtual is of interest only as a factor in modeling solutions. In addition, the Internet has introduced globalization of the environments. Actions that take place in virtual environments have demonstrably had real-world consequences. An April Fool’s Day hoax posted to Usenet demonstrated this when claims of the resignation of Canadian Finance Minister Paul Martin resulted in the decrease in value of the Canadian dollar.
Traditional terrorist scenarios typically are violent or involve threats of violence. While there have been many studies of violence in the physical world, more research is called for in terms of ‘violence’ as a virtual phenomenon. Violence in virtual environments is a relatively new field, with many unanswered questions. These open issues include the psychological effects of traditional real-world violence portrayed in virtual environments, possible behavior modification resulting from violence in virtual environments, physical trauma from virtual violence, and the use of virtual violence in military training. However, despite the prevalence of traditional violence portrayed in virtual environments, ‘cyber violence’ is still very much an unknown quantity. For example, the destruction of someone’s computer with a hammer constitutes a violent act. Should destruction of the data on that machine by a virus also be considered ‘violence’? Perhaps violence should be considered in terms of hostile action, or threat thereof!
There is an almost uncountable number of ways that the terrorist can use the computer as a tool. Facilitating identity theft, computer viruses, hacking, and use of malware, destruction, or manipulation of data all fall under this category. These uses of the computer, when combined with ‘computer as target’ form the ‘traditional’ picture of cyber terrorism.
There are a large number of potential targets that involve, either directly or indirectly, computers. Consider, for example, the impact of Personal Identity Theft. While the incidence of identity theft is comparatively low, the impact of theft upon the unfortunate soul whose ID is stolen can be large: terrorists could use the stolen identity to mask their work, carrying out certain operations under their target’s name, not their own. This would help evade detection by authorities, as well as potentially acting as a ‘signal’ that identity or operation had been compromised. The Internet, especially the essentially useless authentication provided by email, provides the perfect breeding ground for identity theft. Another interesting twist on this scenario is that of ‘virtual identity theft’. For example, many users have multiple online personalities or profiles. Conceptually, there may be reasons why a terrorist would benefit from stealing a user’s online identity. Attacks could range from something as trivial as exploiting trust relationships with other users when logged in as the stolen identity to the planting of Trojans, etc., via ‘trusted’ email. Similarly, the rise of online stock trading and stock message boards has created an environment in which it is possible to deliberately manipulate a stock price (perhaps via a stolen identity). A terrorist could use such techniques as a funding source, or even attempt to move the markets towards chaos. Thus, a well-organized virtual attack upon a bank or corporation’s stock, rather than the bank or corporation itself, could in fact prove to be highly effective. In the opinion of the authors, all of the attacks mentioned above are more likely to be successful when carried out against individual users or corporations rather than governments.
However, governmental control currently relies heavily on the stability of the overall economy; thus economic destabilization is a viable attack against a government as well as the attacked third-party entity. Using the terrorism matrix, effective solutions for computers as ‘target’ can be conceptualized and designed, but these will be useless overall unless problems (technical, social, legal) arising from the interaction of computers with every cell of the terrorism matrix are addressed. If I can buy a ticket for an unknown ‘friend’ in Bulgaria to fly to London and blow up the London Eye, antivirus software on the computer controlling the London Eye is of little relevance.
It is possible for a person to read all about a given cause and chat with proponents of the cause without ever leaving the safety of his or her own home. New recruits can thus become affiliated with a terrorist group, commit to carrying out given actions, all without ever actually coming into contact with another human being. At the same time, these loose affiliations can complicate investigations and confuse media reports. Additionally, the introduction of computing technology facilitates alliances between groups with similar agendas; this type of affiliation can result in a strengthening of the individual organizations as they can immediately acquire access to the information resources of their allies.
Political, social, and economic changes are the motivations present in real-world terrorism. Combining a dependence on Internet-connected systems for banking and E-commerce with the ability of anyone with a desire and readily available tools to disrupt these areas results in a situation that is all too clear: unless steps are taken to significantly reduce risks, disaster is inevitable. Even with the best risk reduction, there are still likely to be problems.
d. Pure Cyber Terrorism
The concept of ‘pure’ cyber terrorism, that is, terrorism activities that are carried out entirely (or primarily) in the virtual world, is an interesting one. The Internet provides many different ways of anonymously meeting with ‘like-minded’ individuals in a safe way. Furthermore, a successful cyber terrorism event could require no more prerequisite than knowledge; something that is essentially free to the owner once acquired, and an asset that can be used over and over again. Thus, it would be possible that such an environment could facilitate the creation of entirely new terrorist groups; no monies would be required for actions, and members could organize themselves quickly and easily in the anonymity of cyberspace. This is very different from certain examples given above, where the computer can aid the task of the terrorist, but ‘real’ resources are still required to execute the plan. It is this pure cyber terrorism that most writers mean when they discuss the dangers posed by the cyber-terrorist, and this compartmentalization poses a significant barrier to our ability to protect ourselves. One question that has not been adequately addressed is what this terrorism might look like. At this time, there is much confusion, based largely upon a lack of agreement in definitions. However, using ‘traditional’ terrorism models should help make the situation more suited to analysis, and this is certainly a topic for future research.
e. Computers — The Weapons Of The Cyber Terrorist
Following on from the discussions above, it becomes obvious that the most likely ‘weapon’ of the cyber-terrorist is the computer. Thus, one might ask, are we arguing that one should restrict access to computers, just as access to explosives is restricted? Not actually in the same sense but close to it. It is believed that the stockpile of connected computers needs to be protected. There are many laws that define how one should protect a firearm from illegal/dangerous use. The mandatory use of trigger locks, though controversial, has been put forward to prevent danger should the gun end up in the wrong hands. Similarly, powerful explosives like C4 are not simply sold over the counter at the corner store. Explosives and guns are certainly not entirely analogous to computers. A better analogy might stem from the concept of an ‘attractive nuisance’. For example, a homeowner shares some responsibility for injury caused by a pool on his property; it is deemed an attractive nuisance, and as such, the innocent should be prevented from simply being attracted and harmed. Thus, there are many instances of laws that already discuss the damage done by or to a third party from the intentional/unintentional misuse of a piece of corporate or personal property. The application of these laws or the definition of ‘misuse’ with respect to computers seems unclear. However, there is a need for clear laws and standards that require operators of large networks of Internet-connected computers to exercise appropriate due diligence in their upkeep and security.
To this end, it was believed that there is an urgent need for a definition of a minimum standard of security for computer networks. The definition of such a standard has far-reaching implications not only for the usability of America’s technology foundation, but the security of corporations and indeed of the nation itself. By formalizing an industry best practice guideline, companies will have a clear understanding of what must be carried out. Clearly, such a guideline is a moving target, but its inception would allow the structuring of a valid and robust posture against both terrorist threats and other hostile entities.
Such a set of minimum standards would have to be easily and affordably supported by the security/application vendors themselves, rather than relying on individual users’ needs/requirements to drive the best practice guidelines. This is not exactly a novel concept. International standards have been developed in other areas where safety and security are a concern. Consider the airline industry. There are international guidelines for airport safety; in cases where these standards are not met, consequences range from warnings to prohibited travel. The needs for such changes, and how a due diligence standard could be created, are subjects of future research. However, it seems clear that such standards are urgently needed.
The most popular weapon in cyber terrorism is the use of computer viruses and worms. That is why, in some cases, cyber terrorism is also called ‘computer terrorism’. The attacks or methods on the computer infrastructure can be classified into three different categories.
Physical Attack – The computer infrastructure is damaged by using conventional methods like bombs, fire, etc.
Syntactic Attack – The computer infrastructure is damaged by modifying the logic of the system to introduce delay or make the system unpredictable. Computer viruses and Trojans are used in this type of attack.
Semantic Attack – This is more treacherous as it exploits the confidence of the user in the system. During the attack, the information keyed into the system during entering and exiting the system is modified without the user’s knowledge to induce errors.
Cybercrime is not just limited to disabling computer infrastructure; it has gone a long way past that. It is also the use of computers, the Internet and data portals to support the traditional forms of terrorism like suicide bombings. The Web and email can be used for organizing a terrorist attack as well. The most common use of the Internet is designing and uploading websites on which false propaganda can be posted. This comes under the category of using technology for psychological warfare.
Cyber terrorists use certain tools and methods to unleash this new age of terrorism. These are:
i. Hacking- The most popular method used by a terrorist. It is a generic term used for any kind of unauthorized access to a computer or a network of computers. Some ingredient technologies like packet sniffing, tempest attack, password cracking, and buffer overflow facilitate hacking.
ii. Trojans- Programmes which pretend to do one thing while actually they are meant for doing something different, like the wooden Trojan Horse of the 12th Century BC.
iii. Computer Viruses- A computer virus is a computer program which infects other computer programs by modifying them. They spread very fast.
iv. Computer Worm- The term ‘worm’ in relation to computers refers to a self-contained program or a set of programs that can spread functional copies of itself or its segments to other computer systems, usually via network connections.
v. E-Mail Related Crime- Usually worms and viruses must attach themselves to a host program to be injected. Certain emails are used as hosts by viruses and worms. E-mails are also used for spreading disinformation, threats, and defamatory stuff.
vi. Denial of Service- These attacks are aimed at denying authorized persons access to a computer or computer network.
vii. Cryptology- Terrorists have started using encryption, high-frequency encrypted voice/data links, etc. It would be a Herculean task to decrypt the information terrorists are sending by using 512-bit symmetric encryption.
- Future Research
Certainly, there are many unanswered questions. Most people, governments included, consider cyber terrorism primarily as the premeditated, politically motivated attack against information, computer systems, computer programs, and data by sub-national groups or clandestine agents. However, as we have seen, the real impact of the computer on the terrorism matrix is considerably wider. By limiting our understanding of cyber terrorism to the traditional ‘computer as target’ viewpoint, we leave our nation open to attacks that rely on the computer for other aspects of the operation. Even when considering the purely virtual impact of cyber terrorism, the approach is not adequately thought out. For example, consider an act that incorporated a desire for political change with the release of an otherwise benign computer virus within which an anti-government message is embedded.
For example, if the Melissa virus had contained the message “The Clinton regime must be defeated”, would it have been the act of a terrorist instead of a misguided computer programmer, and would the ultimate punishment really fit the crime if that programmer were meted out the same punishment as the terrorists responsible for blowing up a US embassy? What role does incitement to violence play? A swastika emblazoned on the WWW site of UK politician John Major may constitute some violation of a law, but probably does not constitute terrorism. But what if swastikas were digitally painted on the WWW sites of every Jewish organization in the country? What if a message was included inciting people to violence against their Jewish neighbors? Would these acts fall under the domain of ‘using violence’? What if these images and messages were put there by a known terrorist organization? Would the act take on the characteristic of the perpetrator? Would these acts be hate crimes or cyber terrorism? Given the lack of physical boundaries in the virtual community, does a group’s physical location have any bearing on whether or not they may be considered a sub-national group? What is a ‘national group’ in cyberspace anyway? Which government agency deals with that? What constitutes combatant targets in virtual environments? Consider the 1998 response by the Pentagon to civilian target computers as a response to FloodNet protests. Is the system that automatically strikes back considered combatant? Are its owners moved from ‘non-combatant’ to ‘combatant’ based on an auto-response? Is the response perhaps engaging in ‘violence’? Some claim “terrorists and activists have bombed more than 600 computer facilities”. What specific components may be considered an element of a cyber system; what differentiates these incidents from conventional terrorism?
Physical property, civil disorder, and economic harm are easily understood in the physical world; however, are there virtual equivalents that could lead to a broadening of the concept of cyber terrorism?
- Defending Against The New Terrorism
Defending against terrorism where a computer or the Internet plays an important part in the terrorism matrix is very similar to defending against terrorism that does not. The regular practices (deterrence, law, defense, negotiations, diplomacy, etc.) are still effective, except that the scope of certain elements is expanded. For example, traditional strikes against military bases, targeting of key leaders, and collective punishment have been effective in traditional terrorism and certainly have the potential for dealing with some aspects of cyber terrorism. These techniques are often presented and can be updated to include their ‘virtual’ counterparts. It should be noted, however, that differences in international law and culture could make this process a complex task. A summary of traditional counterterrorist techniques, as examined by Crenshaw, is presented here at length:
Governments can use their coercive capacity to make terrorism too costly for those who seek to use it. They can do this by military strikes against terrorist bases, assassinations of key leaders, collective punishment, or other methods. There are several drawbacks to this approach, however. On the one hand, it can lead to unacceptable human rights violations. In addition, groups may not come to government attention until movements are so well developed that efforts to contain them through deterrent methods are insufficient.
- CRIMINAL JUSTICE
Governments can treat terrorism primarily as a crime and therefore pursue the extradition, prosecution and incarceration of suspects. One drawback to this approach is that the prosecution of terrorists in a court of law can compromise government efforts to gather intelligence on terrorist organizations. In addition, criminal justice efforts (like deterrent efforts) are deployed mostly after terrorists have struck, meaning that significant damage and loss of life may have already occurred.
Governments can make targets harder to attack, and they can use intelligence capabilities to gain advance knowledge of when attacks may take place. As targets are hardened, however, some terrorist groups may shift their sights to softer targets. An example is the targeting of US embassies in Kenya and Tanzania in August 1998 by truck bombs. Although the attacks are believed to have been coordinated by individuals with Middle Eastern ties, targets in Africa were chosen because of their relatively lax security compared with targets in the Middle East.
Governments can elect to enter into negotiations with terrorist groups and make concessions in exchange for the groups’ renunciation of violence. While governments are often reluctant to do so at the beginning of terror campaigns, negotiations may be the only way to resolve some long-standing disputes.
For example, data gathering and monitoring operations of terrorist communications have typically been applied to signal intelligence and fieldwork. In a virtual environment, the ability to gather information from various sources is eminently achievable in a somewhat automated manner. Specific groups can be watched easily, and computers are comparatively simple to ‘bug’. All contacts that a particular user interacts with could then be tracked, and the network of communication mapped. Furthermore, much of this surveillance can be carried out over the very same network that the terrorists intend to use to facilitate their plot.
This extension, however, must be carried out with care. Consider, for example, the original US export regulations on the export of ‘strong encryption’ (ITAR). Under such regulations, certain encryption products were classified as munitions. While ITAR has since been replaced, the revamped ‘Export Administration Regulations’ (DOC, 2002), while somewhat more relaxed, continue to blacklist several countries from receiving encryption products, despite the fact that strong encryption technology is freely available via the Internet. While this law seems to be aimed at preventing the use of strong encryption by other potentially hostile governments and terrorist entities, strong encryption algorithms and implementations remain trivially available to pretty much anyone.
This classification of knowledge as munitions seems to be the ultimate and flawed extension of traditional anti-terrorist tactics into the virtual realm. Clearly, it is not sufficient to quickly draw analogies that are not, in fact, correct. A far better approach is to carefully consider the impact of the computer in the different cells of the terrorism matrix. For example, banning the export of encryption from just America is akin to banning the sale of C4 only on weekdays: it would hardly even be an inconvenience to the would-be terrorists. A far better solution is to consider the safeguard in the context of the virtual world. When examined in this aspect, for example, it is reasonably clear that the original classification of encryption products as munitions is not likely to be effective. Similarly, while the use of export-grade encryption can result in the ability of officials to read some terrorist communiqués, a restrictive “export to here, not here” ban is unlikely to succeed in any meaningful way.
A forward-looking approach to terrorism that involves computers is therefore highly contextual in its basis. Traditional antiterrorism defenses must be deployed, but these countermeasures must fully take into account the virtual factors.