
This article has been written by Sagnik Mukherjee, pursuing the Diploma in Technology Law, Fintech Regulations and Technology Contracts from LawSikho. This article has been edited by Prashant Baviskar (Associate, Lawsikho) and Smriti Katiyar (Associate, Lawsikho).

Introduction 

Ava and Steve are two very different individuals, busy with their jobs, living a thousand miles apart, who have never met each other. Ava works as the chief strategist to an MP of the ruling party in Poland, and Steve works as the Chief Engineer at a private company that is responsible for maintaining the software stability and functioning of the sewage facilities in a state of the US.

From a third person’s perspective, they share no common links. However, when we dig a little deeper into their social media, we find that they are both part of an online forum that discusses various environmental issues. People from all over the world join and discuss the current state of the environment and share their two cents on how to tackle it. Both Ava and Steve have done the same and have a lot of co-sympathizers in the forum with whom they regularly interact and share information, even outside the forum.

However, what they do not know is that within this forum there are members from rogue organizations who are actively collecting user credentials for future use. A few weeks down the line, both Ava and Steve receive a mail on their work email accounts stating that it contains some important file that needs to be looked into immediately. After downloading and opening it, they both see a document that has gibberish written all over it, and they dismiss it as some prank by a colleague. What they do not realise is that they have just downloaded an infected file that covertly installs itself and records all data passing to and from their workstation, sending it to the remote servers of the rogue organization. Soon enough, the principal opposition party of Poland gets hold of several classified government documents that put the ruling party in a very tight spot, and the software company loses a significant part of its business after being unable to control a certain function of the sewage facility, resulting in a serious monetary loss for the state government from toxic waste being dumped in public water bodies.

A part of what you just read, although it sounds like a movie script, is actually based on real-life events involving real governments, the general public, and real threats. In this article, we take a quick look at what constitutes cyber terrorism and analyse the protection offered against it by the US and Europe.

Ingredients of cyber terrorism 

The ingredients that account for cyber terrorism are defined differently from expert to expert, more so since nation states around the world are themselves yet to come up with a comprehensive definition that can accommodate the wide range of interpretations and settle which acts can be labelled as terrorism.

One section believes it refers to a group of politically motivated people with a specific set of intentions who use the internet to project threats of violence. Another section believes that any activity generally categorised as terrorism by the state or other nation states, where the internet is used to facilitate that activity, should be defined as cyber terrorism.

However, a middle ground can be found between the two sections of experts: cyber terrorism is roughly agreed to be the illegal disruption of and damage to digital property in order to pressure a government into fulfilling a specific group's political, religious or ideological claims. For instance, in 1998, a Sri Lankan guerrilla faction sent about 800 emails a day to one of its government organs for a straight period of two weeks. The emails read: “We are the Internet Black Tigers and we’re doing this to interrupt your communications”. Cyber security experts recall this as the first known case of a terrorist organisation utilising cyberspace to disrupt governmental activities for self-gain.

Why is cyber terrorism the choice of the hour?

Cyber terrorism is gaining traction as a weapon of choice because of several favourable factors. The first interest is cost. Consider the example of Steve in the introduction. By the mere act of gaining access to an employee’s workstation, millions of dollars of damage could be inflicted in a matter of a few weeks, using just a computer connected to an internet service. There is no need for expensive tools, guns, explosives or manpower, and the attack possibly costs a fraction of the funds required for traditional attacks.

The second interest is discretion and anonymity. It is a well-known fact that Russia and China regularly initiate cyber attacks on other countries. A well-planned attack on a country’s cyber infrastructure could wreak havoc on its internal economy or policies without the government having any idea who might be behind it.

For instance, there are strong suggestions that Russia (which never acknowledged it) tinkered with the US election campaigns of its presidential candidates and managed to sway the public in a direction that would ultimately be favourable towards Russia, thereby indirectly influencing a nation state’s foreign policy.

The third interest is the scale and remoteness of the attack. The infiltration may happen through only one machine but has the potential to infect a large number of machines around it, even overseas, whereas traditional methods are mostly limited to the vicinity of the attack. Being able to conduct all this from a remote location or possible safe haven, where attackers do not have to physically infiltrate or cross guarded territory, is the cherry on the cake, increasing the chance of a successful attack manyfold.

Development of protection against cyber terrorism in US and EU 

1. The United States of America –

In the aftermath of the Cold War, analysts from the various security agencies of the US started to research and propose the next possible attack on the US and to draw attention to various exposures in the defence of its homeland. With the spread of information technology on the rise and revolutionizing the economy, it would make the most sense for an enemy to attack and cripple it. Thus it was no surprise when the analysts in their reports feared that the next enemy would choose asymmetric engagements over the more traditional ones and try to hurt the country’s booming eco-cyber development. The unknown aggregate of possible security threats to the rising information systems and networks became a headache for the supervisory security bodies and was termed “the major security challenge of the decade and possibly the next century”.

Not much heed was paid to all the reports until 1997, when the Marsh Report begged the bigwigs to take notice. The White House for the very first time took the possibility of a growing hole in its armour seriously and constituted a new administration that would specifically deal with the cyberspace of the nation and develop a strategy for securing it.

In 1998, legislative tools under the Presidential Decision Directive (PDD-63) were introduced, which allowed national agencies to take the necessary steps to draw up guidelines for addressing cyber vulnerabilities and to continue the protection of critical infrastructures from attacks. Even though PDD-63 came into effect at supersonic speed, a wholesome national policy took almost 3 years to be drawn up. However, with the 9/11 attack, the legislation went into overdrive and introduced a host of legislative measures that would be used from then on to tackle cyber terrorism, most notably the US Patriot Act of 2001, which allowed law and order agencies to intercept electronic communications related to computer offences and fraud. Since then the nation’s cybersecurity infrastructure has made gallant leaps and presently boasts a robust network of intrusion detection mechanisms.

1.1 Threat response bodies and available tools – 

  1. National Cyber Incident Response Plan – This is used as a central drawing board by various security agencies in the nation to coordinate and respond to incidents at all levels.
  2. National Cyber Security and Communications Integration Center – The NCCIC is led by the Department of Homeland Security and acts as a touchpoint for the U.S. Computer Emergency Readiness Team (US-CERT) and the National Coordination Center for Telecommunications (NCC), which help in maintaining the national cyber response systems in an operational status.
  3. A host of various resources in Critical Infrastructure sectors, such as the ICS-CERT, which monitors the industrial sectors, and ITSRA, which is for the IT sector.
  4. Intergovernmental Partnerships and Private-Public-Partnership schemes.
  5. National Strategy for Trusted Identities in Cyberspace – The idea behind this draft is to secure the identities of individuals, services, devices and organizations during any online transaction.
  6. The Einstein Program – This is an AI-based program designed to give security agencies early warning and identification of intrusions and malicious activities, as well as to disrupt them before any possible harm is done to the networks and systems.
  7. Individual state laws.

2. Europe –

One of the earliest encounters that the world had with the term cyber terrorism was back in 1979, when Sweden, in its report of threats, recognized a possible future attack that could stem from the cybersphere. However, unlike America, which introduced a directive for the protection of its national assets from criminal, terrorist or state-sponsored attacks, the EU had a relatively difficult time harmonizing blanket legislation for its nation-states. This was mostly because of the kind of diversity it represents and the previous systemic problem of a universal recognition for ‘Terrorism’, as some states thrived on and regularly indulged in activities aimed at disrupting the cyberspace of others, thereby opposing any constructive solutions.

However, the EU legislators worked around the obstacles to develop a cyber strategy that represents a comprehensive vision on the prevention of and responses to cyber disruption attacks.

The EU legislators have formed three main pillars around which they plan to further develop their cyber security strategies. These are – 

  • Increasing cyber security capabilities and cooperation among all member states of the EU and creating seamless, efficient cross-border information exchange to collectively manage threats.
  • Mainstreaming cyber security policies in general EU policies by embedding cyber security laws specifically in the context of developing technology sectors, e.g. the Internet of Things.
  • Making the EU a significant force in cyber security with radical developmental changes, and associating with other nation-states to develop a robust protective mechanism and have a competitive advantage in the cyber sectors.

2.1 Threat response bodies and available tools – 

  1. The EU Agency for Network and Information Security was set up in 2004 with various goals, such as collecting and analysing data on security incidents and emerging risks in the EU, developing methods to capably handle threats, and running pan-EU mock cyber security breach drills.
  2. The EU Computer Emergency Response Team 2012 was set up to provide an efficient response to information threats for institutions and agencies of the EU.
  3. The Directive on Network and Information Security (NIS Directives) 2013 was aimed at ensuring similar levels of cybersecurity across all the EU member states to tackle large-scale cyber-attacks and their aftermath.
  4. The European Agenda on Security 2015 sets out renewed stress on removing obstacles to investigations of cybercrimes, attacks against information systems, and fraud and counterfeiting via digital means.
  5. The Digital Single Market Strategy 2015 is developed as a Public-Private Partnership model and is instrumental in securing the protection of industrial resources in Europe of all scales, from SMEs to Critical Resource Infrastructure Operators.

Recognizing differences in US and EU’s offered protection 

Cyber security being a pivotal modern-age issue in a nation-state's advancement, the transatlantic bodies have no doubt applied their best minds to R&D on it, for individual as well as unified gains. However, a certain degree of difference appears in their approaches.

| Approach of EU | Approach of US |
| --- | --- |
| 1. Achieve cyber resilience in all EU member states. | 1. Protect critical infrastructure. |
| 2. Reduce cybercrime. | 2. Improve threat identification and reporting abilities. |
| 3. Develop cyber security for industrial and technological sectors. | 3. Secure Federal Networks who in turn will work with various critical infra sectors. |

While both agree on and acknowledge the importance of implementing at least minimum cyber security standards, they take different outlooks here too. The EU strictly instils laws such as the NIS Directives, which have to be abided by all its member states, whereas the US counterpart of the NIS Directives, the NIST Framework, is completely voluntary. It is up to the organizations whether they choose to adopt it or not. Similarly, the EU has a blanket hallmark solution for cyber industries to identify whether they are cyber-attack resilient, by granting a standard cyber security certification. Here again, the US allows and relies on voluntary industry certifications.

Conclusion 

It is evident that both have their individual needs and have shaped their cyber strategies to combat terrorism in the way they thought best. A direct comparison of the legislations and their worth would therefore be futile. A glance at the robust mechanisms put in place by both is enough to understand how seriously the governments have been working to bring forth updated laws to secure their cyber borders. This article, however, was a compact attempt to spot the few differences that still lie between the two in this amalgamating war against cyber terrorism.

