ATbar Cyberizing Counter-terrorism Legislation and Policy: National and International Developments

Cyberizing Counter-terrorism Legislation and Policy: National and International Developments

25/09/2017 | by Housen-Couriel, Deborah (Adv.)  


Introduction

Recent years have seen interesting developments in the evolution of legal and policy counter-terrorism initiatives at both the national and international levels. These developments have been partially driven by an earlier lack of legal frameworks for responding effectively to the bitter experience of terrorist attacks that have taken lives around the globe.[1] The years since the watershed 9/11 attacks have also seen an upturn in counter-terrorism legislation at the national level and policy declarations at the international level, reflecting the expanding understanding on the part of lawmakers and political leaders that counter-terrorism efforts must be prioritized on legislative, policy and political agendas; supported by funding and personnel resources; and engaged with as a global strategic challenge.[2]

At the same time, both national and international counter-terrorism efforts have taken a mixed approach to the relatively new phenomenon of terrorist groups increasing significantly their utilization of cyberspace for the “infrastructure” purposes of recruitment, propaganda, the raising and transfer of finances, and operational communications during terrorist attacks.[3]  In some cases, such use overlaps with and leverages the exploitation of cyberspace by hacker and criminal elements, merging with the modus operandi of these actors while retaining the extremist and ideological motivations of terrorism.[4]

This increased sophistication, agility and organizational learning and adaptation on the part of terrorist groups adds many challenges to counter-terrorism efforts.[5] Yet, subject to the balancing required by the “intelligence dilemma”,[6] they also provide new and important opportunities for surveillance, intelligence-gathering and eventual apprehension of prosecution of terrorists and their supporters.[7]  For instance, in September 2016 a US district court convicted Ardit Ferizi, the “kill list hacker”, who was sentenced to twenty years in prison for accessing a protected computer without authorization and providing the names, e-mail addresses, passwords, locations and phone numbers of 1,351 military and other U.S. government personnel to ISIL.[8] Ferizi was convicted on the basis of the U.S. having included such cyber-enabled terrorist activity in its criminal code, thus eventually enabling his successful prosecution.[9]

In addition, understanding is growing on the part of decisionmakers of the severe destructive potential of acts of terror that may eventually be carried out through cyberspace, either against targets that consist exclusively of data, such as financial and health systems; or physical critical infrastructure targets that are cyber-based for their operation, such as water systems and air traffic (see Figure 1 below).[10] Such attacks have apparently not yet been initiated by terrorists as of this writing – although they have been carried out by both state and non-state actors – yet national and international leaders express concern that cyber-enabled terrorist attacks are “an increasing possibility”.[11] Such attacks on critical infrastructure and critical data are merely a question of time.  A central question thus arises as to the extent to which national and international legal systems are preparing to meet this oncoming challenge.[12]    

We explore below one aspect of the preparedness of national legal systems: that is, the degree to which countries are moving forward at present to include cyber-enabled terrorism in their definitions of prohibited terrorist acts. Legacy legislation in the field of counter-terrorism, even if it is relatively new in the post-9/11 era, may be insufficient to address this challenge. David Fidler, Richard Pregent and Alex Vandurme, writing in 2013, have suggested that:

 …moving from legacy rules to cyber-specific principles is not an adequate response in a number of ways, including that it does not change the reactive nature of the cyber threat approach or provide effective deterrence…[13]

Although national approaches have been mixed, several countries have in fact already legislated normative provisions that include cyber-specific definitions of terrorist acts, including Australia, Egypt, France, Singapore and the United Kingdom. Here, we briefly explore three approaches to the criminalization of such cyber-enabled terrorist activities through national laws. We conclude by comparing this process with selected developments on the international plane.[14] 

 

Three legislative strategies

The overall pattern which emerges is that of three legislative strategies at the national level for “cyberization” of counter-terrorist legislation: (1) a results-oriented approach; (2) the indirect categorization of already-criminalized acts as “terrorism”, resulting inter alia in increased severity of the punishment; and (3) “cyberized” definitions of terrorist acts. These approaches may be characterized as follows.

(a) Countries which have promulgated counter-terrorism laws and have defined acts of terrorism therein, yet have refrained from specifying a typology of such acts and have adopted a teleological or results-oriented approach. Thus, any criminal act that culminates in a specified result as defined by the law’s criteria will constitute an act of terrorism – whether cyber-enabled or not. Laws in this category of legislation refrain from stipulating terrorist acts that leverage cyberspace tools and measures in particular, but neither do they exclude them. 

One example is Israel’s Combatting Terrorism Law of 2016, which prohibits acts that have cause or may have caused “…[s]evere damage to infrastructure, systems or basic services, or severe interference with them, or severe damage to the national economy or ecosystem.”[15] Another is Canada’s Criminal Code, prohibiting action which “…causes serious interference with or serious disruption of an essential service, facility or system, whether public or private…”.[16] India and New Zealand have also taken a similar direction in their Prevention of Terrorism Act[17] and Suppression of Terrorism Act[18] (respectively). With this legislative approach, the means by which a terrorist causes such severe damage or interference – whether cyber-enabled, physical, a hybrid of the two, or some other as-yet-unforeseen tool – is immaterial to the prosecution of the terrorist for an act that results in damage to the broad list of targets identified. 

(b) The second group of countries have adopted an approach of indirect categorization of already-criminalized acts as “terrorism”.  In these cases, exemplified by the German and United States criminal codes, existing criminal acts are additionally categorized as acts of terror under a specific counter-terrorism provision increasing the severity of punishment when the act is committed in conformity with additional criteria, such as the intent to terrorize the public or to unlawfully coerce a public authority. Both the German and the US codes classify unauthorized access to computers and computer systems as such acts.[19]

(c) Thirdly, several countries have opted for legislative provisions that specifically address cyber-enabled terrorism – these are the “cyberized” definitions of terrorist acts. Examples of this third category include Australia, Egypt, France, Singapore and the United Kingdom. In these instances, certain types of interference with computer systems and electronic communications are explicitly defined as acts of terrorism.[20] By adopting such an approach, national laws expressly recognize the particular vulnerabilities of computerized infrastructure to terrorism. We will further compare and analyze these examples in the following section.

Shared characteristics of cyberized counter-terrorist legislation: Australia, Egypt, France, Singapore and the UK

The provisions of the five countries examined here are as follows (see the comparative table in Figure 2 below). Except for the French example, they share the characteristic of describing computer or electronic systems as a specific target of terrorism. Each country’s legislation does so to varying degrees, with the United Kingdom taking the most generalized approach (i.e. “an electronic system”).

  • Australia includes in its definition of a “terrorist act” any action (meeting other specified criteria) which “…seriously interferes with, seriously disrupts, or destroys, an electronic system including, but not limited to an information system, a telecommunications system; a financial system; a system used for the delivery of essential government services; a system used for, or by, an essential public utility, or a system used for, or by, a transport system.”[21]
  • France’s penal code defines a terrorist act to include “computer offenses” as defined in the code’s Section III.[22]
  • In Singapore’s United Nations (Anti-Terrorism) Measures of 2013 a terrorist act includes a use or threat of action where such action “…is designed to disrupt any public computer system or the provision of services directly related to communications infrastructure, banking and financial services, public utilities, public transportation or public key infrastructure…”.[23],
  • The United Kingdom’s Terrorism Act prohibits a terrorist act that “…is designed seriously to interfere with or seriously to disrupt an electronic system...”.[24]
  • Finally, Egypt’s Law on Combatting Terrorism of 2015 provides that “A terrorist act shall refer to [ …] any conduct committed with the intent to achieve, prepare, or instigate one of the purposes set out in the first paragraph of this article, if it is as such to harm communications, information, financial or banking systems…[25]

 

The review and analysis of additional examples of national laws incorporating express reference to vulnerable computerized systems, and in some instances the actual data stored on these systems, is a topic for further research. FIGURE 1: Comparative table of several countries’ cyberized counter-terrorism legislation

International developments

Countries have only recently approached the challenge of incorporation into their counter-terrorism legislation of means to deal with cyber-enabled terrorism in the three ways that are described above. On the international plane, the development of agreed norms among states for coping with cyber-enabled counter-terrorism is also at its earliest stages.[26] Multi-lateral treaties have yet to engage with this task in a comprehensive manner.[27] Nevertheless, there are indications that international law is beginning to engage with cyber-enabled counter-terrorism in a normative context. We briefly note two examples of this nascent trend.

First, several Security Council resolutions compelling state action under Chapter VII of the UN Charter have addressed cyber-enabled terrorist activity under the category of “Threats to international peace and security caused by terrorist acts”.[28] Resolution 2368 of July 2017 provides an example in the context of measures such as asset freezes, travel bans and arms embargoes that states are required to take against terrorist groups. The preamble to the Resolution notes that the Council expresses concern

at the increased use, in a globalized society, by terrorists and their supporters of new information and communications technologies, in particular the Internet, to facilitate terrorist acts, as well as their use to incite, recruit, fund, or plan terrorist acts…[29]

and continues in this respect in paragraphs 22 and 23, by requiring international cooperation to counter “the use of information and communication technology for terrorist purposes”[30]  As with other, similar resolutions, the Security Council requires national legislative and policy action on the part of states in order to fulfill these requirements.[31]

Secondly, the European Union has started this process in its promulgation of a counter-terrorism Directive in March 2017, requiring all 28 member states to adopt legislation that, inter alia, includes a common definition of terrorist offenses.[32]  Article 3 of the Directive provides that this definition include actions “…causing extensive destruction to …an infrastructure facility, including an information system…”; and “illegal system interference” or “illegal data interference” when such acts are committed against a critical infrastructure information system or, in the case of system interference, “cause[s] serious damage”. [33]

This final element – unauthorized interference with data - goes beyond the “cyberization” of national legislation reviewed above, by specifically including interference with data as a terrorist offense, and not only computer system infrastructure or operability. The relevant definition referred to (in the 2013 EU Directive on attacks against information systems) provides:

Member States shall take the necessary measures to ensure that deleting, damaging, deteriorating, altering or suppressing computer data on an information system, or rendering such data inaccessible, intentionally and without right, is punishable as a criminal offence, at least for cases which are not minor.[34]

In incorporating this offense into its counter-terrorism Directive, the EU has undertaken a significant departure from existing approaches.[35] It will require legislative changes by all EU member states, which must comply with this Directive by September 2018.  The challenges of such adaptations to include damage to data as an act of terrorism (given, of course, other relevant criteria such as seriously intimidating a population or seriously destabilizing a government), as well as their eventual enforcement, are deep and present a new and game-changing paradigm to counter-terrorism efforts. It is a development well worth monitoring.

Conclusion

Trends in counter-terrorism legislation at the national level show three overarching approaches to the challenge of defining terrorist acts: a results-oriented approach, the indirect terrorist categorization of already-criminalized acts, and cyberized definitions of terrorism. Several countries, including Australia, Egypt, France, Singapore, and the UK have adopted this last approach. Additional research is needed to examine whether these differences will have ramifications for enforcement and, eventually, effectiveness in the prosecution of terrorists. Moreover, the influence on the three approaches identified of nascent legal and policy developments at the international level should be followed closely. The European Union’s 2017 Directive on counter-terrorism is an especially important development, as it specifically characterizes data related to a critical infrastructure information system as a potential target of terrorist acts. The Directive’s entry into force towards the end of 2018 and its implementation by member states will provide yet another important opportunity for legal and policy discussions towards defining the parameters of cyber-enabled terrorism.

The eventual degree of success of the initiatives described above in improving the legal responses to acts of terrorism will of course depend upon several factors beyond the scope of this article, including as-yet-unachieved agreement on the part of states and international organizations regarding the norms applicable to counter-terrorism efforts at the international level. Likewise, information sharing around potential terrorist threat vectors in cyberspace, international and regional cooperation for enforcement, and improved forensics are all areas which require both further development and further study.   

 



[1] On the challenges to defining terrorist acts in national legislation and international treaties, see Boaz Ganor, “Defining Terrorism - Is One Man’s Terrorist Another Man’s Freedom Fighter?”, ICT Working Papers, January 1, 2010, < https://www.ict.org.il/Article/1123/Defining-Terrorism-Is-One-Mans-Terrorist-Another-Mans-Freedom-Fighter>.

[2] See, for example, the 2015 Report to the UN Secretary-General of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, at para. 6 (<http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174>); the section entitled “Countering radicalization conducive to terrorism and the use of internet for terrorist purposes” of the G20 Leaders’ Statement on Countering Terrorism, July 2017; and the G7 Declaration on Responsible States Behavior in Cyberspace, April 2017. The United Nations Security Council has also passed several Chapter VII resolutions compelling states to implement counter-terrorist efforts. For a comprehensive listing, see the website of the Security Council Counter-Terrorism Committee (< https://www.un.org/sc/ctc/resources/security-council/resolutions/>).  

[3] For instance, the use of cyber capabilities for communication with terrorist operatives is detailed in Rukmini Callimachi, “Not Lone Wolves After All: How ISIS Guides Worlds’ Terror Plots from Afar” ”, New York Times, February 24, 2017, https://www.nytimes.com/2017/02/04/world/asia/isis-messaging-app-terror-plot.html?mcubz=0&_r=0>.

[4] As M.J. Warren has noted, “When viewed from the perspective of skills and techniques, there is little to distinguish cyber terrorists from the general classification of hackers. Both groups require and utilise an arsenal of techniques in order to breach the security of target systems. From a motivational perspective, however, cyber terrorists are clearly different, operating with a specific political or ideological agenda to support their actions. This in turn may result in more focused and determined efforts to achieve their objectives and more considered selection of suitable targets for attack.” (M.J. Warren, “Terrorism and the Internet”, Chapter 6 in Lech Janczewski and Andrew Colarik (ed.’s), Cyber Warfare and Cyber Terrorism, IGI Global, 2007, pp. 42-49).

[5] Nancy K. Hayden, “Innovation and Learning in Terrorist Organizations: Towards Adaptive Capacity and Resiliency”, August 16, 2013, Conference Proceedings of the 31st International Conference of the System Dynamics Society, <http://www.systemdynamics.org/conferences/2013/proceed/papers/P1407.pdf>.

[6] “The task of security is to shut down the network in such a way as to make the planned operation impossible. There is a huge tension here: Intelligence agents want to keep everyone involved under surveillance without revealing what they know; the security people want to capture those who are already known in order to disrupt planned operations and out of fear that in the course of surveillance, the operatives either could be lost or, worse yet, carry out the attack.” (George Freeman, “The Intelligence Dilemma”, Stratfor, August 13, 2004).

[7] See “Technology and Cyber Terrorism”, in David Fidler, Russel Buchan, Emily Crawford (Chair and Rapporteurs), ILA Study Group Report on Cybersecurity, Terrorism and International Law, International Law Association, July 31, 2016, pp. 10-12, < http://www.ila-hq.org/alaa/jooplug/index.php/component/content/2-uncategorised/34-?Itemid=230>.

[8] U.S. Department of Justice, “ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison”, September 23, 2016, < https://www.justice.gov/opa/pr/isil-linked-kosovo-hacker-sentenced-20-years-prison>.

[9] See the Criminal Complaint for Case #1:15 -MJ-515, United States District Court for the Eastern District of Virginia, United States of America v. Ardit Ferizi, < https://www.justice.gov/opa/file/784501/download>. The three crimes with which Ferizi was charged were unauthorized access to a computer, aggravated identity theft, and providing material support to a designated foreign terrorist group.

[10] World Economic Forum, Understanding Systemic Cyber Risk, White Paper, October 2016, at p. 13.

[11] Should terrorists “…acquire attack tools, they could carry out disruptive ICT activities” (Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/68/98, June 24, 2013) and ““[t]he use of ICTs for . . . terrorist attacks against ICTs or ICT-dependent infrastructure, is an increasing possibility” (Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc. A/70/174, July 22, 2015).

[12] “This international legal analysis of terrorism in cyberspace reveals a conundrum. Plausible options for international legal action concerning terrorist cyberattacks exist, but, because such attacks have not occurred, states lack incentives to strengthen proactively the contribution international law can make.” (David Fidler, “Cyberspace, Terrorism and International Law”, Journal of Conflict and Security Law, Vol. 21 (3), 2016, Pages 475–493).

[13] David Fidler, Richard Pregent and Alex Vandurme, “NATO, Cyber Defense, and International Law. Journal of International and Comparative Law, 4 (1) 2013, p. 15, at 16.

[14] Developments at the international level with respect to counter-terrorism in the cyberspace context are reviewed in ILA Study Group Report on Cybersecurity, Terrorism and International Law, note 8; and Fidler, note 13.

[15] Article 2A of the Combatting Terrorism Law, 5776-2016, >http://fs.knesset.gov.il/20/law/20_lsr_343902.pdf>. On the non-inclusion of cyber-specific considerations in Israel’s law, see Uri Ben-Ya’akov and Dror Harel, “Position Paper – Government Bill: Combatting Terrorism, ICT Position Paper, 10 March 2016, p.27 (in Hebrew), <https://www.ict.org.il/Article.aspx?ID=1634>. 

[16] Canadian Criminal Code, Part II.1, Section 83.01.

[17] India’s Prevention of Terrorism Act uses general language regarding the means used to commit the act of terrorism: “…by any other means whatsoever.” (Prevention of Terrorism Act, II (3)(1)).

[18] Terrorism Suppression Act of 2002, Article 5, http://www.legislation.govt.nz/act/public/2002/0034/43.0/DLM151491.html>.

[19] 18 U.S. Criminal Code § 2332 b (g) (5) defines as acts of terrorism acts meeting certain criteria that are violations of articles 1030(a)(1) (relating to protection of computers) and 1030(a)(5)(A) resulting in damage as defined in 1030(c)(4)(A)(i)(II) through (VI) (relating to protection of computers) – see 18 U.S. Criminal Code § 2332 b (g) (5). The German  Criminal Code refers to “computer sabotage” as an act of terror in its Section 129a(2)2.

[20] Respectively, Australia’s Criminal Code Act, 1995 , Division I, Subsection 2; Egypt’s Law on Combatting Terrorism, 2015, Article 2; France’s Code penale, 421 (1) (2); and the United Kingdom’s Terrorism Act, 2000, Section I, Parts 1 and 2.

[21] Australia’s Criminal Code Act, ibid.

[22] Code penale, Title II, Chapter 1, article 421 (1)(2), author’s translation. This is distinguished from the approach of the countries in group (b) above, which does not specify “computer offenses”.

[24] Terrorism Act of 2000, Section I, Part 2 (e), http://www.legislation.gov.uk/ukpga/2000/11/section/1>.

[25] Article 2, Law on Combatting Terrorism, 2015 (unofficial translation), No. 33 (bis) issued on 30 Shawwal 1436 AH, corresponding to 15 August 2015 AD, the 58th year, <http://www.atlanticcouncil.org/images/EgyptSource/Egypt_Anti-Terror_Law_Translation.pdf>.

[26] Fidler, note 13; and Reuven Young, “Defining Terrorism: The Evolution of Terrorism as a Legal Concept in International Law and its Influence on Definitions in Domestic Legislation”, Boston College International and Comparative Law Review, Vol. 29 (1), 2006, pp. 23-103.

[27] The ASEAN Treaty on Counterterrorism of 2007 refers in article VI (1) (j) to the strengthening of “capability and readiness” to deal with cyber terrorism, among other forms of terrorism. (<http://asean.org/?static_post=asean-convention-on-counter-terrorism>). The Council of Europe Convention on Cybercrime of 2001 refrained from including specific reference to cyber-enabled terrorism. See ILA Study Group Report on Cybersecurity, Terrorism and International Law, note 8; and Fidler, Pregent and Vandurme, note 14.

[28] Note 3.

[29] UNSC Res. 2368, S/RES/2368 (2017), <http://www.un.org/en/ga/search/view_doc.asp?symbol=S/RES/2368(2017)>.

[30] Ibid.

[31] See Fidler’s critique of the effectiveness of this and other Security Council resolutions (note 13, at pp. 478, 485, 488).

[32] Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA,  Official Journal of the European Union, L 88, 31 March 2017, < http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2017:088:FULL&from=EN>. The Directive was driven in part by UN Security Council Resolution 2178 of 24 September 2014 regarding the recruitment of foreign fighters to terrorist groups, <http://www.un.org/en/sc/ctc/docs/2015/SCR%202178_2014_EN.pdf>.).

[33] Reference is made here to two prior definitions on the part of the EU of “illegal system interference” and “illegal data interference” in the EU Directive from 2013 on attacks against information systems. See Articles 4 and 5 of Directive 2103/40/EU of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA, Official Journal L 218/8, 14.8.2013,<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:en:PDF>.

[34] EU Directive 2013/40/EU of 12 August 2013 on attacks against information systems, L 218/8, 14.8.2013,< http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:218:0008:0014:en:PDF>.

[35] The Directive has also met with deep criticism on the part of human rights and civil rights advocates “EU Counterterrorism Directive Seriously Flawed”, Human Rights Watch, November 30, 2016, < https://www.hrw.org/news/2016/11/30/eu-counterterrorism-directive-seriously-flawed>; and  Nicolaj Nielsen, “EU Counter-terrorism laws ‘stripping rights’, says Amnesty”, EU Observer, 17 January 2016.