JOURNAL OF DEFENCE STUDIES

Cybersecurity and Threats: Cyberterrorism and the Order Today

The author is a final year law student at Guru Gobind Singh Indraprastha University, Delhi.
  • Share
  • Tweet
  • Email
  • Whatsapp
  • Linkedin
  • Print
  • April-June 2021
    Volume: 
    15
    Issue: 
    2
    Focus

    The ever-growing dependence of man on cybernetworks has unbridled a modish genre of cyberthreat called cyberterrorism. The pervasive cyberspace has provided an advantageous operational frontier to the terrorists for executing cyberattacks on critical infrastructures, spreading hate propaganda over the Internet and using it for recruitment, planning and effecting terror attacks. Furthermore, it has proliferated terror configurations and metamorphosed terror operations. There is the most urgent need to secure our cyberspace from such formidable cyberthreats. Formulating a cybersecurity strategy through international cooperation is a desideratum to confront mushrooming cyberterrorism which poses a severe threat to global security and current economic scenario. This article examines cyberterrorism as a component of cyberthreats and further analyses the constitutional obligation of the state to protect cyberspace.

    The Internet is a prime example of how terrorists can behave in a truly transnational way; in response, States need to think and function in an equally transnational manner.1

    —Ban Ki-moon

    INTRODUCTION

    The development of cyberspace has been one of the greatest technological achievements of mankind. These technological advances entrust mankind with incredible benefits in diverse fields, yet they always influence the nature of security threats in society. Amongst contemporary security vulnerabilities, cyberthreats have emerged as a critical threat to our society.2 Cyberthreat is an amorphic change in the nature of threats that is capable of convulsing the economic3 and social order of the world.4 These threats are hard to detect and difficult to investigate because of their anonymity.5 Since the Internet has developed as an unregulated, open architect, the globally integrated transnational character6 of cyberspace has favoured the growth of cyberthreats. It has been ideal for offenders wanting to anonymously carry out criminal activities in the cyberworld beyond territorial borders, thereby amplifying the scope of crime and stimulating it to move beyond mental torture, anguish and physical assault. Today, the criminals target the Web to derange the global order and virtual life of people.

    Based on the perpetrators and their motives, cyberthreats can be disaggregated into four types.

    Cybercrime

    Cybercrimes are criminal activities carried out through a computer network, wherein a computer might be the target or used in the commission of an offence. Thus, it is the use of information technology for criminal activities.7 Cybercrime has evolved in unexpected ways,8 with cyber criminals embracing innovative and highly inventive techniques for executing diverse cyber offences.9 The voluminous, expansive use of the Internet has led to a large online population, not only exposing many people and businesses to cybercrimes but also causing several vulnerabilities, including towering economic losses.10  

    Cyber-Espionage

    The act of using a computer network to gain unlawful access to confidential information from another computer is called cyber-espionage. It is executed to extract classified information from the government and other crucial organisations. Cyber-espionage cases are intensifying, where cyber-enabled illegal abstraction of data, intellectual properties (IPs)11 and trade secrets worth billions of dollars is being accomplished.12 Besides being inexpensive and easy to commit, cyber-espionage is hard to prove with certitude.13 The most gripping instance of cyber-espionage in India was the hacking of Prime Minister’s Office website in 201114 and the breach of 12,000 sensitive email accounts of government officials in 2012.15 Overseas Indian missions have also reported several instances of cyberattacks.16

    Cyberwarfare

    Cyberwarfare is the use of cyberspace to conduct acts of warfare against other countries.17 It includes attacks like distributed denial of services,18 defacing of websites and so on. Cyberspace is considered the fifth dimension of warfare, after land, ocean, air and space. In fact, the Pentagon and North Atlantic Treaty Organization (NATO) have designated cyberspace as an ‘operational domain’, just like air, land and sea.19 The United States (US) cybersecurity doctrine provides for the right to military action against cyberattacks.20 The US has also elevated the United States Cyber Command to the status of a ‘Unified Combatant Command’.21

    Presently, states are working in an environment of threat and detriment in cyberspace.22 This has triggered a response to prepare themselves for defending their networks against the growing sophistication of cyberattacks they face. More than 140 countries have developed or are in the process of developing their patenting and proficiency in cyberwarfare.23

    Cyberterrorism

    Cyberterrorism, a term first coined by Barry Collin in the 1980s,24 is the convergence of terrorism and cyberspace. It involves an attack over a computer network(s) for the political objectives of terrorists to cause massive destruction or fear among the masses and target the government(s). Cyberterrorism aims to invade cybernetworks responsible for the maintenance of national security and destroy information of strategic importance. It is one of the biggest threats to the security of any country,25 capable of causing loss of life and humanity, creating international economic chaos26 and effecting ruinous environmental casualties by hacking into various critical infrastructure (CI) systems. The notable characteristic of cyberterrorism is to use its economic competence to clinch inordinate effects of terror over cyber and real world through cyber-crafted means, like destruction of cybernetwork, denial of service attacks and data exfiltration.

    Dangers created by cyberterrorism warrant immediate global consideration. However, states have been ineffective in advancing a consensual approach by which varied acts of terrorism in cyberspace can be brought under the nomenclature of cyberterrorism. Currently, no universally agreed definition for cyberterrorism exists,27 even though it has been acknowledged internationally as a major risk to global peace. It is probably because of the saying, ‘one man’s terrorist is another man’s freedom fighter’. Subsequently, different perspectives over the elemental constituents and definitions of cyberterrorism will be contemplated.

    DEFINITIONS OF CYBERTERRORISM

    Cyberterrorism is unlawful attacks and threat of attacks against computers, networks, and information stored therein, that is carried out to intimidate or coerce a government or its people in furtherance of some political or social objectives.28 It is the ‘premeditated, politically motivated attacks by sub-national groups or clandestine agents against information, computer systems, computer programs and data that results in violence against non-combatant targets.’29 It aims at seriously affecting information systems of private companies and government ministries and agencies by gaining illegal access to their computer networks and destroying data.30 Cyberterrorism, as a small landmass of the vast territory of terrorism, uses cyberspace as a target or means, or even a weapon, to achieve the predetermined terrorist goal. In other words, it is the unlawful disruption or destruction of digital property to coerce or intimidate governments or societies in the pursuit of religious, political or ideological goals.31 It is an act of politically influenced violence involving physical damage or even personal injury, occasioned by remote digital interference with technology systems.32

    Cyberterrorism not only damages systems but also includes intelligence gathering and disinformation. It even exists beyond the boundaries of cyberspace and incorporates physical devastation of infrastructure. The NATO defines cyberterrorism as ‘cyberattack using or exploiting computer or communication networks to cause sufficient destruction or disruption to generate fear or intimidate a society into an ideological goal’.33 The most acknowledged definition of cyberterrorism is of Professor Dorothy E. Denning, as an unlawful attack against computer networks to cause violence against any property or person(s), intending to intimidate a government.34

    Scope of the Definition(s) of Cyberterrorism

    While studying cyberterrorism, it is imperative to discern  the two aspects of usage of cyber technology by terrorists: (i) to facilitate their terror activities; and (ii) to use cyberspace as a weapon to target the virtual population or execute terror activities.

    It is clear from the discussion here that cybercrime and cyberterrorism are not coterminous. Most definitions of cyberterrorism establish a restricted functional framework for the scope of cyberterrorism.35 For a cyberattack to qualify as an act of cyberterrorism, it must be politically motivated; cause physical or other forms of destructions or disruptions, like attacks affecting the unity, integrity and sovereignty of a country; cause loss of life (such as use of cybernetworks in 26/11 Mumbai terror attack);36 and result in grave infrastructural destruction or severe economic losses. The use of cyberspace and information and communication technologies (ICTs) by terror outfits to facilitate their functional activities (like organisational communications) should be considered as cybercrime. Reckoning the ‘facilitating part’ under the definition of cyberterrorism would intensify the scope of cyberterrorism and augment the problem to be rectified.

    THREATS POSED BY CYBERTERRORISM

    Cyberterrorism poses critical security threats to the world. The CIs, like nuclear installations, power grids, air surveillance systems, stock markets and banking networks, are dependent upon cyberspace. This functional dependence has made CIs vulnerable to cyberterror attacks and increased the scope for cyberterror footprints exponentially.37 Most CIs globally are poorly protected.38 Therefore, cyberterror attacks on CIs can cause egregious damages to the society. Further, today there is a persistent threat of sensitive information of national interests being stolen by terrorists, destruction of computer networks or systems superintending the functioning of CIs.39

    Objectives of Cyberterror Attack

    Cyberterrorism is based on specific objectives, such as:

    1. Target CIs40 of the country, like air traffic, military networks, financial and energy systems, telecommunications and others, to cause physical devastation.
    2. Cause disruptions sufficient to compromise the industrial and economic operations of a country. A cyberterror attack thwacks a large part of the world population and causes monetary disorder and loss of data.41
    3. Cause physical injuries, loss of lives, explosions, crashing of aircraft and other aerial vehicles, 42 theft of technology and privileged information.43
    4. Move beyond the realms of destruction and send a signal of ferocious disruption and fear to governments.44  

    Possible Targets of Cyberterrorists

    Cyberattacks by terrorists majorly focus on two domains: control systems45 and data in cyberspace. Consequently, the security challenges against cyberterror attacks generally vary across these two scopes. The first possibility is that terror outfits, such as Al-Qaeda and the Islamic State (IS), would exploit the information space to launch a cyberattack to ruin the CI facility of a particular state (Kudankulam Nuclear Power Plant cyberattack).46 In the second instance, the Internet is abused to attack webspace or other trivial frameworks for their political intents, coalesced with the likeliness that such virtual attacks could turn adamantly grave to the point of being catalogued as a cyberterror attack.47

    Exploitation of Cyberspace by Terrorists

    Terrorist organisations use cyberspace for recruitment,48 command and control49 and spreading their ideology.50,51 Internet being the largest reservoir of knowledge has fuelled terror outfits to use this quality to set up virtual training camps in cyberspace. In 2003, Al-Qaeda established its first online digital repository, providing information on matters ranging from bomb-making to survival skills.52 Today, the Internet is used by multiple self-radicalised patrons as a resource bank.53 Cyberspace has emerged as a new operational domain54 for terror and extremist establishments, appending new dimensions to cybersecurity of precluding online jihadist recruitment,55 radicalisation56 and raising of funds.57 The terror outfit of IS has manoeuvred this stratagem and used it proficiently for itself.58 The militant group was able to recruit 30,000 fighters through social media.59 Social media subsequently helped the group to establish its franchises and expand its base in different countries.60 Additionally, terrorists use Internet proficiency to reach out to masses to inspire acts of terror as well as disseminate their messages.61

    Cyberterrorism versus Conventional Terror Attacks

    Cyberspace offers anonymity, easy access and convenience to terrorists to reach the masses without much monetary expenditure. The ubiquitous cyberworld enables terrorists to launch cyberattacks having far-reaching impacts and causing staggering damages, more critical than physical attacks.62 Traditional terror attacks are restricted to the physical limits of the place of attack. Also, while people outside the territorial limits of the attack do read and observe such incidents, they do not get affected directly. A cyberterror attack, however, encompasses the potential of affecting millions without any territorial limitations; at times, it is more enigmatic to find the perpetrator and trace the point of origin of cyberterror attacks.63 Hence, cyberspace facilitates cyberterrorists by enabling them to have a far greater reach than ever before. Further, global interconnectivity of cyberspace results in proliferation of potential targets for terrorists to attack, making it more dangerous than other terror attacks. Such unmatched capabilities of cyberterrorism give terrorists extraordinary leverage to engender more harm to society.

    Thus, different factors make cyberattacks a capitative choice of terrorists:

    1. Cyberterrorism constitutes a low-cost asymmetric warfare element for terrorists as it requires fewer resources in comparison to physical terror attacks. The terror groups can inflict more damage to people and society with the same amount of funds. Thus, the benefit–cost ratio for a cyberterror attack is very high.64
    2. Cyberspace provides anonymity, thereby enabling cyberterrorists to hide their identity. The Indian government had admitted in Rajya Sabha that attackers compromise the computer systems situated in different locations of the globe and use masquerading techniques and hidden servers to hide the identity of the computer system from which the cyberattacks are propelled.65 It is the anonymous nature of cyberspace that makes it arduous to attribute cyberattacks to any state.66
    3. The CIs and other valuable state resources are not fully protected and thus become an obvious target of cyberterrorists. After designation of the target, the cyberattack can be launched without any unwarranted delay and need for further preparation.67
    4. The Internet enables cyberterrorists to initiate a cyberattack on any distinct part of the world. Unlike physical terror attacks, there are no physical barriers or checkpoints that block cyberterrorists in the execution of predetermined cyberattacks on designated targets. Likewise, cyberterrorism involves less risk than physical terrorism.
    5. Cyberspace provides broad avenues for disseminating terror organisation propaganda. It provides a larger audience for cyberterror attacks, whose impact goes beyond cyberspace to diverse systems.68

    INITIATIVES TAKEN TO MITIGATE CYBERTERROR ATTACKS WORLDWIDE

    The mushrooming menace of cyberterrorism has stimulated states and international organisations to reform the global cybersecurity architecture for combating cyberterrorism.

    International Forums

    Convention on Cybercrime

    The European Union’s Convention on Cybercrime, also called the Budapest Convention,69 is the sole binding international convention on cybercrimes.70 It aims at harmonising domestic laws,71 including an international cooperative framework,72 and also proposes to improvise investigation techniques on cybercrimes for member states. India is not part of this treaty.

    United Nations (UN)

        • UN Global Counter-Terrorism Strategy:73 The strategy manifests the commitment of all UN member states to eliminate terrorism in all forms. The resolution aims to expand international and regional cooperation and coordination among states, private players and others in combating cyberterrorism, and also seeks to counter the proliferation of terrorism through cybernetworks. The 2018 resolution over the sixth review of the strategy asks member states to ensure that cyberspace is ‘not a safe haven for terrorists’.74 It urges member states to counter terrorists’ propaganda, incitement and recruitment, including through cyberspace.
        • United Nations Office of Counter-Terrorism (UNOCT) : The UNOCT was set up on 15 June 2017, vide United Nations General Assembly (UNGA) resolution,75 following the Secretary-General’s report over UN’s role to assist member states in implementing UN counterterrorism strategy.76 The UNOCT supplements the efforts of member states against terrorism, including cyberterrorism. It provides multi-stakeholder cooperation in securing the cyberspace of respective countries from cyberterror attacks.77 It has initiated various projects aimed at building and upgrading capacity among states to combat cyberattacks and raising awareness against cyberterrorism among masses.78
        • United Nations Security Council (UNSC): In 2017, UNSC adopted a resolution for the protection of CI.79 The resolution asks the member states to establish cooperation with all stakeholders at international and regional levels to prevent, protect, respond and recover from cyber-enabled terror attacks over the state CI. It also asks the states to share operational intelligence over the exploitation of communication technologies by terror outfits.80 The UNSC presidential statement in May 2016 recognised the requirement of global effort to stop terror outfits from exploiting cybernetworks.81

    Brazil, Russia, India, China and South Africa (BRICS) Counter-Terrorism Strategy

    The strategy aims to counter international terrorism and its funding, enhance cooperation in mutual legal assistance and extradition against terrorists, improve practical cooperation among security agencies through intelligence sharing, etc. The strategy resolves to ‘counter extremist narratives conducive to terrorism and the misuse of the Internet and social media for the purposes of terrorist recruitment, radicalization and incitement and providing financial and material support for terrorists.’82

    Shanghai Cooperation Organisation (SCO)

    The SCO has adopted several significant steps to counter the menace of cyberterrorism.83 It established the Regional Anti-Terrorist Structure (RATS) in 2001 against terrorism.84 The 22nd session of SCO RATS council approved various proposals to combat cyberterrorism,85 and also discussed the proposal to establish a cyberterrorism centre.86 In 2019, SCO member states conducted anti-cyberterrorism drills to prepare for future cyberterror crisis.87 Further, in 2015, SCO submitted to UNGA an International Code of Conduct for Information Security,88 proposing a secured and rule-based order in cyberspace.89 The code suggests international cooperation among states to combat exploitation of ICTs for terror-related operations.90 Furthermore, it specifies a code of conduct,91 responsibilities of states92 and rights of individuals93 in cyberspace.

    The US

    Cybersecurity and Infrastructure Security Agency (CISA) Act

    The act establishes that the CISA will secure American cybernetworks and CIs, devise US cybersecurity formations and develop potential to defend cyberattacks. Further, it secures the federal government’s ‘.gov’ domain network. It also houses the National Risk Management Center (NRMC), which addresses most strategic threats to the country’s CI and crucial functions whose disruption can have devastating impacts over American national interests, like security and economy.94 In 2017, the US President issued an executive order (EO 13800) to modernise US cybersecurity proficiencies against intensifying cybersecurity threats over CIs and other strategic assets.95

    National Cyber Strategy of the US

    The strategy, released in 2018,96 strengthens the US cyberspace to respond against cyberattacks. It focuses on securing federal networks and CIs, as well as combating cyberattacks. The cyber strategy primarily aims to protect American people, preserve peace and advance American interests.97 It also provides for military action to combat cyberattacks.98

     Israel

    Israel launched its first-ever National Cybersecurity Strategy in 2017. The policy document expounds the country’s plan to advance its cyber robustness, systemic resilience and civilian national cyber defence.99 The objective is to develop an international collaboration against global cyberthreats, which certainly includes cyberterror threats.100 It also prioritises to defend Israeli economic, business and social interests in cyberspace.101 

    The Israel government passed several resolutions, like 3611,102 2443 and 2444, to expand institutional capacity for cybersecurity framework by establishing National Cyber Directorate.103 Israel’s cybersecurity framework focuses on four priority areas:

    • Improving domestic capabilities to confront futuristic and present-day cybersecurity challenges.
    • Continuously upgrading and enhancing defence of CIs in the country.
    • Fostering the republic’s standing as an international hub for the development of ICTs.
    • Promoting effective coordination and cooperation among the government, academia and private players.

    The United Kingdom (UK)

    The UK introduced the National Cyber Security Programme in 2015 to protect its computer networks from cyberattacks. A five-year National Cyber Security Strategy was also revealed in 2016 to make UK’s cyberspace resilient from cyberattacks and more secure by 2021.104 Further, in 2017, National Cyber Security Centre was opened to respond to high-end cyberattacks.105

    INITIATIVES TAKEN IN INDIA

    Information Technology Act: Cyberterror Law of India

    The Information Technology Act (hereafter the Act) sanctions legal provisions concerning cyberterrorism. Section 66F106 of the Act enacts legislative framework over cyberterrorism. It provides for punishment, extending to life imprisonment, for cyberterrorism,107 along with three essential elements for an act to constitute as cyberterrorism:

    • Intention: The act must intend to afflict terror in people’s mind or jeopardise or endanger the unity, integrity, security or sovereignty of India.
    • Act: The act must cause:

     

    (i) unlawful denial of access to any legally authorised person from accessing any online or computer resource or network;108 or

    (ii) unauthorised attempt to intrude or access any computer resource;109 or

    (iii) introduce or cause to introduce any computer contaminant.110

    3. Harm: The act must also cause harm, like death, injuries to people, adverse or destructive effect on the critical information infrastructure (CII), damage or destruction of property or such disruptions likely to cause disturbances in such services or supplies which are essential to life

    Further, Section 66F also applies to instances where a person without any authorisation or by exceeding his legitimate authorisation intentionally penetrates or accesses a computer resource and obtains access to such data, or information or computer base which has been restricted for Indian security interests, or whose disclosure would affect the sovereign interests of India, etc.111 Protected Systems and CII

    The Act has a provision of ‘protected systems’, empowering the appropriate government to declare any computer resource that either directly or indirectly affects the facility of CII as ‘protected system’.112 Section 70(3) sanctions punishment up to 10 years with fine in case a person secures or attempts to secure access to a protected system.113 The explanation clause of Section 70 defines CII as: ‘The computer resource, incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety.’114

    The central government, under Section 70A of the Act, has designated National Critical Information Infrastructure Protection Centre (NCIIPC)115 as the National Nodal Agency in respect of CII protection.116 The union government has also established Defence Cyber Agency117 to deal with matters of cyberwarfare and cybersecurity.118

    Indian Computer Emergency Response Team (CERT-In)

    Section 70B of the Act provides for the constitution of CERT-In to maintain India’s cybersecurity and counter cybersecurity threats against it. The CERT-In is expected to protect India’s cyberspace from cyberattacks, issue alert and advisories about the latest cyberthreats, as well as coordinate counter-measures to prevent and respond against any possible cybersecurity incident.119 It acts as the national watch and alert system and performs functions like:

    (a) Collect, analyse and disseminate information on cybersecurity incidents;

    (b) Forecast and issue alerts on cyber-incidents;

    (c) Emergency measures to handle cybersecurity incidents;

    (d) Coordinate cyberattack response activities;

    (e) Issue guidelines, advisories, over cybersecurity measures, etc.120

    India has established domain-specific computer emergency response teams(CERTs) to counter domain-specific cyberthreats and create a more secured cybersecurity ecosystem in respective domains, like power grids and thermal energy.121 Further, sectoral CERTs in the cybersecurity fields of finance and defence have been constituted to cater to such critical domain’s cybersecurity requirements.122

    National Cyber Security Policy

    The National Cyber Security Policy of India, released in 2013, aims to secure Indian cyberspace and concretise its resilience from cyberthreats in all sectors.123 It aims at developing plans to protect India’s CII and mechanisms to respond against cyberattacks effectively. It further focuses on creating a safe and dependable cyber ecosystem in India. The policy has facilitated the creation of a secure computing environment and developed remarkable trust and confidence in electronic transactions. Furthermore, a crisis management plan has been instituted to counter cyber-enabled terror attacks.124 The Parliament also amended the National Investigation Agency (NIA) Act in 2019, empowering the NIA to investigate and prosecute acts of cyberterrorism.125

    Moreover, technology and threat Intelligence play major roles to counter terrorism and cyberterrorism. The multi-agency centre (MAC) at the national level, set up after the Kargil intrusion, along with subsidiary MACs (SMACs) at state levels, have been strengthened and reorganised to enable them to function on 24x7 basis. Around 28 agencies are part of the MAC and every organisation involved in counter-terrorism is a member of this mechanism. This is yet another important element of national initiative.

    RECOMMENDATIONS AND ANALYSES

    Legislative Reforms

    The Information Technology Act

    India, as a fast-developing economy, aspires to control the global supply chain and internationalise its economy.126 This vision automatically attracts a big responsibility to protect cyberspace from possible cyberthreats, including acts of cyberterrorism. India, however, has been rather vulnerable to cyberthreats.127 Currently, with major economic activities transpiring through digital platforms during the COVID-19 pandemic, the dreadful impact of cyberterrorism has intensified.128 The purpose of cyberterrorists is to cripple the CI of a nation and certain services, like telecommunications, banking, finance, military complexes129 and emergency services, are most vulnerable to cyberterror attacks.130 Thus, it is necessary to comprehend the potential threat of cyberterrorism to a nation like India, keeping in mind that the vulnerability of Indian cyberspace to cyberterror attacks has proliferated enormously.131 In 2018 too, the then Home Secretary admitted to India’s exposure to cyberthreats and its inadequacy in countering them.132 Therefore, reforming and modernising the existing machinery to counter the strategic challenge of cyberterrorism and providing efficient explications acknowledging global pandemic is peremptory. Though the Act enacts provisions regarding cyberterrorism, in order to make it a more focused legislation to combat cyberterrorism, the following modifications are suggested:

    1. The Act was originally enacted to validate e-commerce activities. However, its preamble today must not remain limited to e-commerce only. It must additionally include the objective of combating cyberterrorism.
    2. The scope of the definition for cyberterrorism should be made more extensive by including ‘the usage of cyberspace and cyber communication’. The section does not cover cyberspace use for communication and related purposes to fulfil and execute terrorist objectives. The Act should incorporate provisions to cover such acts to prevent acts of cyberterrorism.  
    3. To focus the orientation of the Act to combat cyberterrorism, it must have a dedicated chapter on cyberterrorism, which would deal with all intricate elements and dimensions of the acts amounting to cyberterrorism in detail.  

    Indian Cybersecurity Act

    In 2008, the Information Technology Act was amended to incorporate provisions concerning cyberterrorism. However, from 2008 to 2021, exploitation of cyberspace by terrorists has undergone a systematic transformation. The conglomeration of time and evolution of destructive technologies has made cyberterrorism intricately complex and devastatingly lethal to deal with. Cyberterrorists use innovative methods to exploit cyberspace for youth radicalisation and to propel cyberattacks causing massive destruction. The evolution of destructive technological order aiding cyberterrorism warrants a new modernised legal order, with empowered law enforcement agencies, to protect Indian cyberspace against possible cyberthreats and preserve its cyber sovereign interest.

    India must consider enacting a new cybersecurity legislation,133 Indian Cybersecurity Act, dedicated to deal with present-day cybersecurity challenges and regulate all aspects of cybersecurity, including cyberterrorism. Further, in view of the future consolidation of cyberterror attacks, a new legislation would additionally provide more effective, deterrent and stringent legal framework against cyberterrorism.

    Administrative Reforms

    Multiplicity of Organisations

    Multiple government organisations handle cybersecurity operations of India,134 resulting in overlapping jurisdictions and operations among organisations. Some reformatory steps—like creating the National Cyber Security Coordinator under National Security Council Secretariat (NSCS) and bringing central agencies under its control—have been adopted. However, it is important to provide the exigent task of cybersecurity exclusively to three central agencies, namely, CERT-In, NCIIPC and Defence Cyber Agency, with well-delineated and defined jurisdictional limits of operations and responsibilities. Instead of creating a parallel hierarchical structure which results in unwarranted overlapping of work, the jurisdictional limits of operations must be detailed through legislation to the extent possible.

    Further, there must be a regular review of the jurisdictions of organisations to keep India’s cybersecurity mechanism updated as per the continuously evolving cyberspace. Since what today is not a CI might become intrinsically critical for preserving national security tomorrow, the National Cyber Security Coordinator must proactively coordinate the activities of the cybersecurity agencies to intensify capabilities of India to counter cyberterrorism.

    Awareness Programmes

    The government, like UNOCT, must undertake cybersecurity awareness programmes in the country and establish an informative environment in the country against possible cyberthreats (including cyberterrorism) in cyberspace. The government must consider launching a cyber literacy programme (initially in areas vulnerable to cyberattacks) on lines with ‘Sarva Shiksha Abhiyan’ to familiarise people about the cybersecurity threats in a time-bound manner. This is particularly important during the COVID-19 pandemic when most businesses are running digitally through online mediums.

    Indian Cybersecurity Service

    India cannot reform and strengthen its gigantic cybersecurity framework from one central place. Cybersecurity threats are the new normal for people, including those living in distant parts of India. Therefore, India must establish Indian Cybersecurity Service as an all-India civil service. It will provide India with the best professionals (posted in different parts of the country at the grassroots level) to deal with all aspects of cybersecurity, including cyberterrorism. An all-India civil service would further equip the state governments with talented cybersecurity experts to protect their cyber operations and deal with breaches under their jurisdiction. The proposed civil service could also assist the state police in solving cyber-related offences more effectively and expeditiously, thereby improving the administration of justice in cybercrimes.

    As these cybersecurity officials will get an opportunity to work in different parts of the country in various capacities, like officers from other all-India services, it will broaden their vision and first-hand operational experience  of cybersecurity issues faced by the people at grassroots level, as opposed to the current paradigm (where majority of the officers and their work remains restricted to headquarters). Therefore, just like officers from other all-India civil services get a significant say in the decision making due to their extensive groundwork and direct first-hand experiences bestowing them with actual ground realities, Indian cybersecurity officials will also get a far greater say over most policy decisions concerning cyberthreats, cybersecurity interests and others. Further, cyberspace is ubiquitous and interacts closely with major economic and other operations in society. Therefore, affording greater say to cybersecurity officials in India will make cybersecurity central to our major policy decisions and strengthen our cybersecurity framework on a continuous basis.

    Infrastructural Investments

    Massive infrastructural investment is obligated to secure Indian cyberspace from possible cyberterror attacks. Considering the excessive use of cybernetworks during the global pandemic in order to avoid physical contact, many sectors of the economy have been thrown open to cyber-enabled terror attack. Therefore, India must establish sectoral CERTs in new sectors of operations, including research and development (R&D), to protect against loss of valuable IP from possible cyberterror attacks during the ongoing pandemic.135 In addition to protecting IP, trade secrets and preserving India’s data sovereignty, it is imperative to secure financial transactions and communications (including strategic and confidential communications of private entities or government) taking place during the pandemic through cybernetworks. Thus, sectoral CERTs must be operationalised in more fields to protect, preserve and maintain the safety of Indian cyberspace. Additionally, the government must undertake structural reforms and develop disaster recovery capabilities against cyberterror attacks. It must also conduct cybersecurity drills in line with the cybersecurity drills conducted by the SCO.

    The state must also change its deterrence strategy against cyber-enabled terror attacks. The security forces must deal with the launchers of cyberterror attacks as cyber militants and the government must consider creating a ‘Centre for Cyber Militancy’, where qualitative training to counter cyber-enabled terror attacks from these militants can be imparted to security personnel. Furthermore, a long-term cyberspace safety fund, on the lines of ‘Rashtriya Rail Sanrakshan Kosh’,136 must be established to meet all cybersecurity contingencies of India.

    Judicial and Educational Training

    Centrally funded scheme to train judicial and legal officers on law and cyberthreats, with special emphasis on cyberterrorism, must be undertaken by the government. Cybersecurity must be introduced in the curriculum of schools and colleges; and more universities must provide opportunities to undertake specialisations in information or cybersecurity studies. This would increase awareness among the general masses and augment our capacity to produce a greater number of cybersecurity experts to meet future requirements of protecting the cyberworld from cyberterrorist activities.

    Constitutional Obligation of State against Cyberterrorism

    Defence against Cyberterrorism

    Cyberterrorism is detrimental to both global peace and India. It threatens various dimensions of security, like energy, nuclear, water (through dams) and cyber-enabled strategic communications. A cyber-enabled terror attack may not always be an unarmed physical terror attack but, it certainly amounts to an unmanageable terror attack which impairs the virtual life of the people, including critical technological functions and nation’s cyberspace. Therefore, it is beyond doubt that a cyberterror attack, when launched outside the territorial limits of India, amounts to external aggression and is capable of causing internal disturbance in the country.137 A cyberterror attack patently threatens the unity and integrity of the republic. The union government thus is constitutionally bound under Article 355 of the Indian Constitution to protect states from cyberterrorism amounting to external aggression and internal disturbances. The term ‘aggression’ under Article 355 not only comprehends armed aggression but also includes bloodless aggression.138 It is an all-comprehensive word having wide meaning with complex dimensions.139

    The Supreme Court (SC) ruled in Sarbananda Sonowal v. Union of India140 that:

    The foremost duty of the Central Government is to defend the borders of the country, prevent any trespass and make the life of the citizens safe and secure. The Government has also a duty to prevent any internal disturbance and maintain law and order141…The word ‘aggression’ is not to be confused only with ‘war’. Though war would be included within the ambit and scope of the word ‘aggression’ but it comprises many other acts which cannot be termed as war.142

    Analysing the judgement, it is a well-established constitutional norm that the union government has the principal function to defend India’s sovereign borders, prevent any trespass and make the life of individual citizens safe and secure. In this information age, the Indian cyberspace is not less than India’s sovereign territorial domain and therefore, defence against cyber trespass and cyberterror attacks on India’s cyberspace, which certainly infringe the security and safety of Indian citizens, is the primary function of the central government. Thus, it is the constitutional obligation of the Union Government under Article 355 of the constitution to secure and protect the Indian Cyberspace from any possible cyberthreats, including cyberterrorism and cyber trespass.

    Further, in the current paradigm with significant threats to the republic’s sovereignty emanating from cyberspace, it becomes the sovereign duty of the union under the principles of state sovereignty , to protect the Indian cyberspace to secure India’s sovereign cyber interests. Moreover, after recognition of the cyberspace as an operational domain of warfare, the union is constitutionally obliged to defend India’s operational war domains just like land, air and water.143 Maintenance of territorial integrity and political independence is a recognised facet of international customary law. Thus, protection of India’s sovereign and territorial frontiers, including Indian cyberspace, is the sacrosanct and inherent duty of the Indian government, as enshrined in constitutional, jurisprudential and international law provisions.

    Right to Trade and Business and Cybersecurity

    Cyber operations have developed tremendously in the past few years. Today, the use of Internet is not limited to its classic functions, like communications or entertainment, and has expanded manifold in different fields, such as education, healthcare, economy, trade and transportation. This wide operational scope of utility of cyberspace has empowered it to have an undeniable level of impact on the economy. The Internet has become the backbone of everything in society; in fact, it is the lifeblood of the economy and basic infrastructure of everything due to extensive datafication.144

    Presently, due to the impact of COVID-19 pandemic, most businesses and other offices are running through cybernetworks,145 thereby designating cyberspace as their operational place of work.146 This leads us to the question: what is the constitutional responsibility of the state in this regard? Article 19(1)(g) of the Indian Constitution grants the right to trade and occupation to Indian citizens, that is, every individual has the right to practise any profession or carry on any occupation, trade or business.147

    Let us look at some judgements of the SC in this regard. The SC, while discussing Article 19(1)(g) in Sodan Singh v. New Delhi Municipal Committee,148 ruled:

    The guarantee under Article 19(1)(g) extends to practice any profession, or to carry on any occupation, trade or business. The object of using four analogous and overlapping words in Article 19(1)(g) is to make the guaranteed right as comprehensive as possible to include all the avenues and modes through which a man may earn his livelihood. In a nutshell the guarantee takes into its fold any activity carried on by a citizen of India to earn his living.149

    The SC also ruled in Anuradha Bhasin v. Union of India:150

    Moreover, fundamental rights itself connote a qualitative requirement wherein the State has to act in a responsible manner to uphold Part III of the Constitution and not to take away these rights in an implied fashion or in casual and cavalier manner151…the internet is also a very important tool for trade and commerce. The globalization of the Indian economy and the rapid advances in information and technology have opened up vast business avenues…the freedom of trade and commerce through the medium of the internet is also constitutionally protected under Article 19(1)(g)152…We declare that the freedom of speech and expression and the freedom to practice any profession or carry on any trade, business or occupation over the medium of internet enjoys constitutional protection under Article 19(1)(a) and Article 19(1)(g).153

    The SC, while discussing fundamental rights in State of West Bengal v. Committee for Protection of Democratic Rights,154 ruled:

    Individuals possess basic human rights independently of any constitution by reason of basic fact that they are members of the human race. These fundamental rights are important as they possess intrinsic value. Part-III of the Constitution does not confer fundamental rights. It confirms their existence and gives them protection.155

    Furthermore, while discussing the obligation of the state to guarantee fundamental rights to everyone, the SC ruled in another case: ‘If the film is unobjectionable and cannot constitutionally be restricted under Article 19(2), freedom of expression cannot be suppressed on account of threat of demonstration and processions or threats of violence…’.156 The SC similarly ruled in Municipal Council, Ratlam v. Shri Vardhichand157 that the Municipal Council cannot demonstrate its inability to maintain public health owing to budgetary constraints.

    In the context of Article 19(1)(g) of Indian Constitution,158 all these cases manifest that the fundamental right to trade and business is an assurance of liberty and a recognition of the autonomy inherent in every citizen. The state is constitutionally obliged to act responsibly to ensure that all avenues and modes admissible under law through which an individual may earn his livelihood are available to every citizen. Thus, in the current context of ongoing COVID-19 pandemic, since most businesses and companies operate through digital platforms, it is conclusive that the state is constitutionally duty-bound to secure India’s cyberspace from cyberterror attacks. Today, businesses can only survive under secured cyberspace as every business operation is happening through the digital medium. This makes cybersecurity during COVID-19 pandemic a non-negotiable facet of the right to carry out business and trade.159 Therefore, the foremost obligation of the state to secure the right to occupation in an economy operating through cybernetworks is to guard its cyberspace against all possible attacks. Also, in this regard, the state cannot plead its inability in securing cyberspace from cyberterror attacks on any ground, including budgetary constraints. Since, as ruled in Rangarajan and Ratlam case, the State cannot run away from its primary duty, which in the given case is to secure India’s cyberspace and allow the Indian citizens to use secured cyberspace to conduct business operations.

    Further, the right to occupation also includes the right to a safe environment in the workplace.160 The government has recognised the right to safe and healthy working conditions as part of fundamental rights.161 It is matter of general prudence that in a digital workplace, secured cyberspace patently amounts to a secured workplace. Therefore, Indian citizens have the fundamental right to work in a safe and secured cyberspace as part of their right to trade and occupation.

    Moreover, Article 19(1)(g) when examined with the Anuradha Bhasin judgement of the Supreme Court enacts that, the fundamental right to free trade and occupation itself connote a qualitative requirement where the state is constitutionally obligated to act in a responsible manner and uphold the fundamental right to occupation for people working in the cyberspace. Thus, to guarantee the right to trade and business to every Indian citizen, the State is under a compulsive constitutional obligation to secure India’s Cyberspace from cyberterror attacks. The Supreme Court ruling in Sodan Singh, Anuradha Bhasin and Rangarajan case (in reference to the Right to trade and business in cyberspace), indisputably mandates that Right to carry out trade, occupation and businesses through cyberspace is a constitutionally protected fundamental right. Hence, due to increasing use of cyberspace in trade and commerce there emerges a new constitutional necessity for the state in India to protect its cyberspace from new formidable cyberthreats including, cyberterror attacks to guarantee every individual his fundamental right to trade and occupation.

    To conclude, the complete realisation of right to trade and business in the cyberspace shall occur pursuant to a secured cyberspace only. It is the obligated duty of the state under the Indian constitution to ensure that fundamental rights are guaranteed to every individual, including those operating their business, trade and employment through cyberspace. This fundamental right is a constitutional guarantee of liberty against the state, it cannot be supressed on any ground including, cyberterror attacks. Therefore, to fulfil the constitutional necessity established under the law in the given context that is, ensure that citizens are able to earn their living legitimately (without any form of unlawful obstruction from formidable cyberthreats) through cyberspace, the state is under a compulsive constitutional obligation to ensure provisioning of a secured cyberspace in India. The emergence of this constitutional obligation is due to the modernisation and advances occurring in the cyberspace, economy and society at large.

    Cybersecurity and Ease of Doing Business Index

    Today, cyberspace is providing boundless economic and business opportunities. The Internet’s contribution towards the economy, as well as integration with the monetary framework, has increased stupendously.162 In the current scenario, businesses are running effectively through cyberspace; several start-ups are internet-based; and the e-commerce industry is flourishing globally.163 Consider the UK, where digital economy amounted to 7.7 per cent of its economy in 2018.164 In the US, it exceeded the federal government percentage of gross domestic product (GDP) and accounted about 10 per cent of the total GDP ($2.1 trillion).165 In 2019, the Internet economy was predicted to be one of the top six industry sectors in China (30 per cent of GDP);166 and South Korea too was expected to show a similar growth.167 The digital economy contributes significant share to the national GDPs of US, Brazil, Japan, India and others.168 Further, its share during global restrictions mushroomed enormously.169

    It is evident that the rapidly proliferating e-commerce industry has made an enormous contribution to the national GDP of many countries. Moreover, as most commercial and financial operations today operate digitally, data is considered as the new oil which is driving modern economy. Internet has, thus, become an intrinsic and a non-negotiable element to run businesses and economy in this information age. Digitalisation of economy and secured digital operations to effectuate economic development in the country are imperative. The contribution of e-commerce industry does not merely manifest the important role of cyberspace in economic operations but also reflects the indispensable role of the Internet in generating employability in the country. The presence of a secured cyberspace directly aids in the development of economy, businesses and employability in the country. Thus, cybersecurity must be regarded as one of the parameters to decide the ease of doing business index by the World Bank. This would stimulate all the countries to make structural reforms in securing their cyberspace from all possible cyberthreats, including cyberterrorism. Further, it would significantly aid in effectively securing economic and business operations in the cyberworld. Incorporation of this parameter would act as a catalyst in establishing a secured and rule-based cyberworld in the near future. At the national level, the Indian government can include cybersecurity as one of the parameters to decide ease of doing business index for the Indian states.

    International Cybersecurity Cooperation: Harmonisation of Domestic Laws

    The transnational character of cyberspace warrants a global cooperative effort to counter cyberterrorism.170 To thwart the menace of potentially ruinous cyberterrorism, countries must work towards developing a universally acceptable and effective strategy of defence and counter-measures for cyberterrorism. Many countries have progressively effectuated their cyber defences and adopted deterrence strategies to supplement their cyber defences. However, it becomes difficult to counter the threats of cyberterrorism merely on strategic national policies since cyberspace is globally homogenised and attacks may emerge overseas. International cooperation between states, therefore, is an effective cornerstone to develop an effective combat mechanism and legal framework to counteract cyberterrorism. Inadequate international regulations and uncoordinated legal mechanisms of states on cyberterrorism act as the biggest deterrent in devising an effective global strategy against cyberterrorism.

    Considering the risks, cyberterrorism warrants immediate global consideration. However, as mentioned earlier, despite being acknowledged internationally as a precarious risk to global peace, no universally agreed definition for cyberterrorism exists today.171 The next section discusses how dissension over a universal definition of cyberterrorism makes domestic interpretation of cyberterrorism in each state differ from the other. 172

    CYBERTERROR LAW OF OTHER COUNTRIES173

    The UK

    The Terrorism Act, 2000 is the UK legislative instrument enacting provisions about terrorism, including cyberterrorism. Section 1 of the Act enlists three requirements to constitute an act as terrorism: intention, motive and harm. The Act provides that the act committed must intend to influence the government or international governmental organisation, or intimidate public or a section of it.174 Also, the act should aim to advance a political, religious, radical or ideological cause.175 Section 1(2) further lists alternative harms that an act may cause to constitute an act of terrorism. It covers terrorist acts which seriously interfere with or disrupt an electronic system.176 The term ‘electronic system’ can include Internet service providers, computer providers, financial exchanges, etc.177

    The UK law thus provides a broad definition of terrorism. It includes cases of cyberattack over non-essential infrastructure. It can be applied to a cyberattack threat in the same manner as an actual cyberattack. It even regards cases of cyberattacks designed merely to ‘influence’ a government as cyberterrorism, thereby eliminating the requirement of higher intentions, like coercing or intimidating a government.

    Australia

    Australia enacted anti-terror laws after 9/11 terror attack, as a cluster of five legislations. The Security Legislation Amendment (Terrorism) Act, 2002 inserted the definition of terrorism in Part 5.3 of the Australian Criminal Code. Section 100.1 of the Criminal Code defines terrorism. Australian law sets higher standards for an act to be construed as terrorism than the UK terror law. So, cyberattacks intending to influence only the government do not constitute cyberterrorism in Australia. The Australian law necessitates that to constitute cyberterrorism, a person by his act must intend to coerce or influence a government by intimidation.178 Thus, the cyberattack must be coercive or intimidatory. The application of the Australian terror law in cases of cyberattacks is restricted only to attacks amounting to serious interference, disruption or destruction of electronic systems.179 The law also includes ‘political protest exemption’. It enacts that any form of protest, dissent or other will not constitute terrorism if it does not intend to cause death, or serious physical harm or endanger life, etc.180 Thus, unlike its English counterpart, the Australian Criminal Code recognises a narrower range of cyberattacks as cyberterrorism.

    Canada

    Section 83.01 of the Canadian Criminal Code defines terrorism as an act or omission done in or outside Canada for a political, religious or ideological objective, to intimidate public or segment of people, causing serious bodily harm, death, endangering a person’s life, etc.181 Further, the Canadian law also incorporates the exemption to political protests like Australia. However, it sets very high standards for an act of terrorism since it provides that such acts should ‘compel’ a government to act or refrain from acting in a particular way.182 The scope of terrorism in Canadian law extends to attacks against domestic and international organisations.183 This establishes a wider operational area against ‘international government organisations’ as in British law. The Canadian law also comprehends attack against an individual as an act of terrorism.184 Further, it provides that to constitute cyberterrorism, an act should intend and cause actual interference with the essential system, service or facility.185 This establishes another high standard in the law to operationalise the definition of terrorism in an incident of cyberattack.

    Comparing the Indian Law with Other Jurisdictions

    The definition of cyberterrorism put forth by Indian legislation includes a larger scope of cyber-enabled terror activities, unlike the Canadian terror law. The presence of terms ‘attempting to penetrate’,186‘likely to cause’187 and ‘knowingly or intentionally’,188 under Section 66F, provides larger operational scope to the definition of cyberterrorism in India. However, unlike Britain and Canada, the range of cyberterror activities in India does not go beyond the scope of unity, security, integrity and sovereignty of India. Also, cyber-espionage acts are covered within the ambit of cyberterrorism under Section 66F(1)(B) of the Act. The Indian law, unlike the UK and Canada, does not expressly provide for cyberattacks against international organisations as cyberterrorism. Further, the standards for an act to qualify as an act of cyberterrorism in India are much higher than in the UK terror law.

    Thus, different countries provide different definitions for the act of cyberterrorism. This diversity among terror laws hinders global cooperation as these varied definitions provide different standards for an act to qualify as cyberterrorism. So, what would amount to cyberterrorism in the UK might not always amount to cyberterrorism in Canada. Therefore, to overcome this hindrance in global cooperative cybersecurity strategy, the following steps must be adopted:

    1. States must accept a universally acceptable definition of cyberterrorism. This would ensure that the standards for an act amounting to cyberterrorism would be same in the domestic laws of every country. Thus, an act amounting to cyberterrorism in one nation would also amount to cyberterrorism in another. Hence, if a country becomes a victim of a cyberterror attack originating from other nation, then the country attacked could use the legal instruments of the other country to punish the culprit(s) or even extradite the designated culprit(s).
    2. States must also harmonise their domestic terror laws with each other. It would provide common procedures for prosecution and investigation of cyberterrorism and help in the global fight against cyberterrorism. This would lead to an effective, efficient and transparent mechanism for investigation and information sharing related to cyberterrorism. In addition to cooperation in investigations, it would also enable accelerated cooperation between law enforcement agencies of different countries for other purposes, like capacity-building programmes and training of officials.
    3. Supplementarily, states must accelerate global prevention against cyberterrorism through more aligned synergy in intelligence sharing, cybersecurity governance, cooperation in building cybersecurity preparedness and resilience, through mutual treaties and other instruments. Each state must denominate international cooperative cybersecurity framework as a priority area in their foreign policy.
    4. Efforts must also be made to evolve a universally binding and practically implementable international instrument on cyberterrorism to cease the acts of cyberterrorism globally. In order to protect its strategic cyberspace, India must strengthen international cooperation among other states and take steps to internationalise its domestic laws on cyberterrorism.

    CONCLUSION

    Cyberspace has developed as a decentralised network of communication, without any restriction over geographical boundaries of any country. Therefore, international regulation and cooperative cybersecurity framework is essential to deal with cyberterrorism effectively. Since the current framework is incapable of dealing with the menace,189 it is time to strengthen international law to equip it to deal with cyberterrorism. India must also think about reforming its legal framework or legislating exclusive cybersecurity legislation, which may provide provisions for cyberterrorism.190

    With the prime minister advocating the use of technology for development and administration,191 and also due to the global pandemic, cyberspace has been integrated into various fields, like governance, public administration and trade and business operations. In addition, there is continuous integration of cyberspace with CI. Thus, a multidimensional cybersecurity framework must be introduced. The outbreak of COVID-19 has also accelerated the digitisation of economic businesses and other activities. Cyberattacks by terrorists can virtually paralyse the financial and economic operations (including Indian Goods and Services Tax [GST] network192) of the country. Hence, to boost the adoption of counter-measures by states against cyberterrorism and strengthen the cybersecurity framework, the World Bank must consider ‘cybersecurity’ as one of the parameters to decide ease of doing business index. India must also try to reduce overlapping among cybersecurity organisations and harmonise its process and laws as per the international best practices.

    Further, the accelerated digital operations of business due to the pandemic has made the state constitutionally bound to protect the cyberspace of India. Article 19(1)(g) of the Constitution, read with Sodan Singh and Anuradha Bhasin cases, grants the right to practice or do any form of livelihood within the realms of law. Thus, the state must make sure that the constitutionally protected fundamental right of occupation in cyberspace of Indian citizens is protected in the current scenario. It must be noted that any business can survive and flourish in a digital platform only when there is secured cyberspace in place. Thus, the government is constitutionally bound to protect India’s cyberspace from cyberthreats, including cyberterrorism.

    Cyberspace, today, interacts with significant economic, business and other interests of India. So as to secure India’s strategic, sovereign, economic and business interests in cyberspace, the union must incorporate stringent deterrent strategies and cybersecurity reforms at all levels of operation. It is important to look at the big picture while analysing cyberterror threats; and new mechanisms must be developed and reformatory steps need to be introduced with focus on the constitutional obligation of the state under Article 19(1)(g) and Article 355 of the Indian Constitution.

    AttachmentSize
    Download Complete [PDF]303.75 KB

    Top