How to tackle cyberterrorism and preserve liberty?

By Jamie Brooke

The speed and force with which the Draft Communications Data Bill was forced on Parliament has been the source of significant disapproval. The value of ensuring British cybersecurity, both to industry and to national security, cannot be downplayed, a stance which unites those on all sides of the political spectrum; but since Nick Clegg withdrew his support for the so-called snoopers’ charter at the demands of civil rights bodies, it was destined to land on the legislative scrapheap alongside a whole host of other attempts at patrolling cyberspace’s darkest corners.

Since 1999 there have been moves towards finding a level of international harmony in the area, the UN Manual on the Prevention and Control of Computer Related Crime, subsequently buttressed by the UN Resolution on Combating the Criminal Misuse of Information Technologies, being foremost amongst them.

The Convention that has gained the most momentum to date, and the one most associated with the aspiration of a unifying position, is the Cybercrime Convention 2001, with 42 European signatories. It has the notable support of North American nations, specifically receiving ratification from George Bush during his time as President. The UK has not ratified it, choosing instead to retain legislative sovereignty, a stance which is understandable despite its repeated failures but which does in some ways ignore the transnational nature of cybercrime.

The argument around the celerity of the British bill’s passing is something of a side issue, and it has distracted all but the best informed from discussing its contents, causing lasting disengagement. Although Britain is somewhat behind other nations in recognising the importance of cybersecurity, opting instead to acquire bunker busters and to focus on a more tangible, old-fashioned defence industry, the standing of cybersecurity has been bumped up the agenda of late, making its way into second place in the National Security Strategy’s priorities, S.0.18.

Many scare stories are concocted or subjected to hyperbolic trope in the field of cybersecurity; take the ‘millennium bug’, for example (made analogous to the biblical plagues but ultimately amounting to nothing; on a side note, the most damaging malware of that year was the BO2K remote access Trojan, the acronym meaning ‘Back Orifice 2000’). Where it is not simply magnified dicta, the cost can be devastating, the stakes justifying the outlay to businesses and the taxpayer alike.

Whilst it goes without saying that the nation’s key infrastructure faces near perpetual physical menace, preventing the cracking of the supervisory control and data acquisition systems used to monitor and adjust technical mechanisms has become one of the thorniest and most pressing of modern-day security concerns. This is accompanied by two other classifications of methods, the denial of service and the illegal acquisition of data, to form the bulk of the, if not massive then surely sizeable, national security aspect of cybersecurity. These categories of offence have become known as cyberterrorism and are punishable under the Terrorism Act 2000.

There has been talk of its review, given the great deal of recent social media output of a radical nature (that created with the intention to intimidate the public, or that which aspires to exert immoderate influence on governmental actions on religious or extremist political grounds) also falling under the catch-all ‘cyberterrorism’ umbrella. Those of a liberal disposition defend large sections of this content as free speech, making the argument that an impassioned combative speech is an impassioned combative speech regardless of whether it’s at a press conference or from a remote desert cave. Protecting the integrity of the freedom of speech ought to be at the forefront of any amendments to legislation, so the focus ought to remain on tangible attacks on infrastructure, perhaps with the introduction of a separate discriminable offence.

Britain is not renowned for intolerance, so the creation of a lasting, sturdy legislative model is integral if mouthy activists on the anarchistic left talking nonsense, the ranters of the radical right or those of exceptionally strong orthodox religious opinions are not to face a proverbial orange jumpsuit and sackcloth over the head without due cause. The violence criterion is the most contentious in international legislation in terms of defining what constitutes terrorism. The US federal definition states that it is ‘premeditated, politically motivated violence perpetrated against non-combatant targets’.

There are few examples of genuine acts of cyberterrorism meeting the violence parameter, as opposed to, say, hacktivism, socially ostracised teenagers with too much time on their hands or simple nuisance, which currently fall under the offence of ‘malicious mischief’ domestically under 63D 2(C) of the Terrorism Act 2000. One of the few genuine examples of potential cyberterrorism is the Australian case of R v Boden, in which a disgruntled employee released millions of litres of untreated sewage into Queensland’s rivers. Whilst faecal substances do pose a biological and chemical danger, the case for it being an act of terrorism was not properly made.

The international reach of computer networks, merged with the simmering politically discontented shunning the mainstream in favour of shady outfits, is a cocktail for unsteadiness over the next few years. The US has taken steps in asserting its reach around the world, posing questions of jurisdiction in extraterritorial cases. President Obama strongly endorsed the broad-reaching Cybersecurity Act 2012, recognising it as one of the main threats to the USA, backing the sentiment of Senator Lieberman that ‘it’s not just that there’s a theoretical or speculative threat of cyber attack against our country — it’s real’.

Whilst America’s steps have been met with a relatively warm reception from many Westernised states since the terrorist attacks of September 11th, to implement it in its fullness would mean making some uncomfortable bedfellows. Arrangements such as the Treaty on Extradition between Australia and the United States of America go a long way to handling the difficult question of jurisdiction and might be seen as a desirable route to pursue in the future when non-doms are involved. The debate surrounding the applicability of a traditional understanding of territorial integrity rages on, with disputation as to degrees of competence and jurisprudence rife, given the necessity of territoriality in established criminal law.

Article 22 of the Cybercrime Convention recognises four categorisations of jurisdictional importance: where an offence is committed within its own territory, posing no questions of territoriality; territorial assertion over a flagged ship or aircraft; the principle of nationality; and the most commonly opposed principle of objective territoriality. Whilst the first two mentioned are immediately comprehensible to a layman, the second two deserve a closer look as they pose questions of rendition. Whilst universal jurisdiction only applies to piracy, genocide and war crimes, Art. 22.1(d) establishes jurisdiction over a criminal act carried out by one of its nationals no matter where it takes place. This is especially valuable in circumstances where nationals seek to travel abroad to take part in conflicts.

The defensive territoriality mindset requisite for endorsing the objective category envisaged within the convention is not currently met with significant support, leading to much hesitance with ratification. Its implementation occurs where conduct from outside the jurisdiction has a substantial effect within the jurisdiction. A compromise of sorts adopted by the Council of Europe is known as the protective principle, whereby an offence is committed only where there is the intention of damaging fundamental instruments of state, as opposed to an access offence; when accompanied by extradition treaties, this could prove practicable in the longer term.

Where a level of overlap emerges between cyberterrorism and cybercrime is in its financing. The global body for compliance standards in money laundering is the Financial Action Task Force, which recognises the relationship between financiers, those prepared to engage in terrorist activity and legitimate financial institutions or non-profit organisations. Suspicious Transaction Reports have made little to no impact as the flow of black market munitions etc. has barely been stemmed in the last decade; supported intentionally or inadvertently by some of the biggest names in banking. Industry observers have acknowledged that commercial institutions need to be as aware as government institutions when it comes to discouraging and preventing the theft of funds for potential terrorist purposes. 

Every year on September 11th the sombre ritualistic routine is replayed, mourning the demise of the thousands of victims of terrorist activity and the subsequent deaths of hundreds of thousands from the ensuing conflicts. The scenes of fatality and morbidity (those seen, workers falling to a certain death; or unseen, the firemen, paramedics and office workers engulfed by flames) are etched into the American psyche forever, and the urge to seek out those who are to blame by whatever means (the facilitators, endorsers, protagonists, financiers) and to dissuade the supporters, keeping them forever vigilant, remains a just cause.

The mechanisms and methods used to flush out those who pose a threat to the Western world are evolving over time just as the methods used to induce fear alter. As the nature of the threat changes so must the response from the Western world, but to sell out the values of liberty in the name of expediency is intrinsically wrong if it is liberty that is being portrayed as so at stake. A robust British stance is becoming more and more necessary but it is not as binary as has been made out to date.