The Threat of Cyber Terrorism and What International Law Should (Try To) Do about It

The specter of cyber terrorism is one that has been both bandied and seriously debated since at least the late 1990s. Certainly, by the end of 2017, it looked as if the era of hackers accessing and manipulating critical infrastructure for political purposes, the most likely mechanism for conducting a cyber-terrorist act, had truly arrived. Electrical blackouts had been caused in successive years in Ukraine,¹ North Korean hackers had breached an American energy utility,² and Russian hackers had penetrated not only a nuclear power plant but had obtained hands-on access to an American energy utility's control systems.³ More disturbingly in an escalation of these types of cyber-attacks, reports emerged of an advanced attack against a petrochemical company with a plant in Saudi Arabia, apparently designed to sabotage the firm's operations and trigger a lethal explosion.⁴ Similar (non-cyber related) explosions at petrochemical plants in China and Mexico resulted in the deaths of several employees, injured hundreds, and forced evacuations of surrounding communities. While all of the investigators involved in the matter believe the attack was most likely intended to cause a fatal explosion, they have all been tight-lipped about any suspected perpetrator of the attacks and even the company affected. The fact of the compromise of the widely used Schneider Triconex safety controllers raises uncomfortable speculation about who was behind the attack and for what purpose.

It is no secret that terrorist organizations such as the so-called Islamic State (IS or its Arabic acronym Daesh) have made great strides in utilizing information and communication technologies (ICTs) for encrypted communications, recruitment, propaganda, and fundraising. However, to date, no terrorist group appears to have utilized these technologies to directly launch an attack. In April 2015, it appeared that this pattern had changed. TV5Monde, a French television network, was attacked, shutting down broadcasting across eleven of the network's channels and hijacking their associated websites and social media accounts. A group calling itself the "Cyber Caliphate," an IS-associated group, claimed responsibility for the attack and made clear links to the terrorist attacks that had shaken France three months previously as well as the Charlie Hebdo killings.⁵ For a country already shaken by these kinetic terrorist attacks, the message was clearly intimidatory: "The CyberCaliphate continues its cyberjihad against the enemies of Islamic State." Social media profile pictures were replaced by pictures of a masked Islamist fighter. Posts imploring soldiers to save their families were accompanied by documents said to be identity cards belonging to relatives of French soldiers taking part in anti-ISIS operations.⁶ French officials proclaimed terrorism and the Paris prosecutor's office opened a terrorism investigation into the attack.⁷ Only it wasn't.

Subsequent forensic investigations led to an advanced persistent threat team dubbed APT28 or "Fancy Bear," widely alleged to be, or sponsored by, Russian military intelligence; despite investigation, the reason for the attacks remains unclear.⁸ These incidents illustrate some of the many difficulties that the international legal community is faced with in formulating a response to cyber terrorism. First is the lack of an agreed definition of what acts or conduct might be included in the term cyber terrorism. While domestic terrorism legislation generally contains very wide definitions of terrorist behavior,⁹ international law has no such general definition. Second, the international community has little to no agreement on what to do with acts committed by elements of the state that would amount to terrorism if committed by private individuals or organized groups.

Definitions

The international legal response to terrorism generally has had a difficult gestation. While states have attempted to agree on comprehensive treaties and reforms since the 1930s,¹⁰ entrenched disagreements have instead resulted in a patchwork of sectoral treaties dealing with different types of terrorist acts and specific threats (e.g., the hijacking of aircraft, hostage taking), regional treaties (e.g., the ASEAN Convention on Counter Terrorism), and UN Security Council decisions. The coverage is far from comprehensive even in relation to kinetic threats and has left unresolved...