Cyber Terrorism
The term terrorism can be traced back to France’s ‘reign of terror’ between 1793 and 1794 (Addicott, 2004, p. 1), with the terminologies appearance in literature gradually increased from the 1940s, with peaks in the late 1970s and 1980s, before increasing significantly after the 11th of September 2001 (Google, 2016). Yet despite the increased use of the term terrorism ‘there is no global consensus on a precise definition of terrorism’ (Addicott, 2004, p. 1). Since the French reign of terror the strategy of terrorism has slowly evolved as a ‘means of bringing about political change opposed by established governments’ (Crenshaw, 1990, p. 10), with terrorism adopting new methods over time that introduce new opportunities for dissent, including hostage taking (Crenshaw, 1990). Regardless of the method of dissent, the nature and rationality of terrorism has remained unchanged with extremists seeking ‘a radical change in the status quo’ in order to creates a new advantage, or ‘the defense of privileges they perceive to be threatened’ (Crenshaw, 1990, p. 10), with extremists turning to violent terrorist methods when other non-violent methods of dissent have failed (Crenshaw, 1990). Most common definitions do not clearly articulate that terrorism ‘may be used by insurgents and incumbent regimes’ (Wardlaw, 1982), with the definition of political terrorism summarized as ‘the use, or threat of use, of violence by an individual or a group, whether acting for or in opposition to established authority, when such action is designed to create extreme anxiety and/or fear-inducing effects in a target group larger than the immediate victims with the purpose of coercing that group into acceding to the political demands of the perpetrators’ (Wardlaw, 1982, p. 16). This academic definition underpins the legal definitions across most western nations, whereby a terrorist act ‘is carried out for the purpose of advancing a political, religious or ideological cause; is intended to intimidate a section of the public, or compel a government to do or abstain from doing any act; and involves serious violence against a person, property, or endangers life’ (Hardy & Williams, 2014, p. 5). In order for an act to be considered terrorism, it must meet the legal requirements of such an act.
The introduction of communication technology and its embedded nature in the fabric of society and economies creates a tool for any organisation to exploit. Technology is an enabler, allowing a labor force greater flexibility, access, speed and scale for productivity; whether for economic or social good, or for the conduct of war, armed conflict or terrorism. Advanced communications technology has created a new method for dissent in the same way that commercial air travel provides the opportunity for hijackings. The basic use of technology by criminal organizations, nation states or extremist organizations for nefarious purposes is considered the ‘misuse’ of technology rather than ‘cyberterrorism’ (Yannakogeorgos, 2014), with the use of technology to communicate, plan, organize, or promote an act of terrorism constitutes conspiracy and incitement within the Australian Criminal Code Act 1995. In order to meet the legal requirements, cyberterrorism must meet the legal requirement for terrorism along with being ‘conduct involving computer or internet technology that … intentionally causes serious interference with an essential service, facility or system, if such interference is likely to endanger life or cause significant economic or environmental damage’ (Hardy & Williams, 2014).
The role of technology or cyber as a method of conducting terrorism does not change the nature or rationale of terrorism because it does not alter the requirements of instilling fear within a group by threatening violence for the purpose of political coercion. The confusion over terminology and definitions is also underpinned by a belief that ignores the idea that terrorism is conduct by both insurgents and incumbent regimes; leading to disputes over the classification of Stuxnet: cyberterrorism or cyberattack?
With Stuxnet and the attack on the Natanz nuclear facility associated with the United States and Israel (Goodin, 2015), the language surrounding the incursion turns from terrorism to cyberattack simply because ‘terrorist acts fall within the canon only when conducted by official enemies’, given that when the ‘US and its clients are agents, they are acts of retaliation and self defense of democracy and human rights’ (Chomsky, 1991, p. 35). The discussion narrative around Stuxnet supports this, with most claims surrounding the United States right to self-defense against Iran producing enriched uranium for weapons in contravention to the Nuclear Non-Proliferation Treaty.
Under the United Kingdom Terrorism Act 2000, Stuxnet meets the legal requirements; with the use of action designed to influence a government, the use of action was made for the purpose of advancing a political cause, and it involved serious damage to property and was designed to seriously to interfere with or seriously disrupt an electronic system.
In the case of Stuxnet, the United States does not have a legitimate argument for self-defense, or pre-emptive self-defense under International Humanitarian Law. Article 51 of the UN Charter states that ‘Nothing … shall impair the inherent right of individual or collective self-defense if an armed attack occurs’, and Article 2 states that ‘members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered… [and] members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state’. While a limited right for pre-emptive self-defense exists under customary law with the Caroline Test, it requires that the threat be ‘imminent’ while ‘pursuing peaceful means is not an option’ with the response being proportionate to the threat. As an armed attack had not occurred against the United Sates, and the requirement for pre-emption must be ‘instant, overwhelming, leaving no choice of means, and no moment of deliberation’ (Arend, 2003), it is difficult to justify that the Iranian nuclear threat met this criteria, nor that peaceful means were no longer an option. While Stuxnet may have adhered to the basic principles of the Laws of Armed Conflict, the United States did not have a legal right to conduct an armed attack against Iran.
The strategy of terrorism as a method of dissent has not fundamentally changed with technology, with technology only increasing the means, access and scale in which attacks can be carried out. The majority of confusion around terminology and definitions stems from over-reliance on non-legal definitions, and a belief that state actors cannot conduct terrorism – of which Stuxnet is the perfect case study.