Tuesday, November 24, 2009


Cyber terrorism is a controversial term. Some authors choose a very narrow definition, relating to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic. By this narrow definition, it is difficult to identify any instances of cyber terrorism. Cyber terrorism can also be defined much more generally, for example, as “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives or to intimidate any person in furtherance of such objectives.” This broad definition was created by Kevin G. Coleman of the Technolytics Institute.[1]

The National Conference of State Legislatures (NCSL), a bipartisan organization of legislators and their staff created to help policymakers of all 50 states address vital issues such as those affecting the economy or homeland security by providing them with a forum for exchanging ideas, sharing research and obtaining technical assistance defines cyber terrorism as follows:

“The use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically. Examples are hacking into computer systems, introducing viruses to vulnerable networks, web site defacing, Denial-of-service attacks, or terroristic threats made via electronic communication.[2]

In May 2007 Estonia was subjected to a mass cyber-attack in the wake of the removal of a Russian World War II war memorial from downtown Talinn. The attack was a distributed denial-of-service attack in which selected sites were bombarded with traffic in order to force them offline; nearly all Estonian government ministry networks as well as two major Estonian bank networks were knocked offline.

The traditional concepts and methods of terrorism have taken new dimensions, which are more destructive and deadly in nature. In the age of Information and Communication Technology (ICT) terrorists have acquired an expertise to produce the most deadly combination of weapons and technology, which if not properly safeguarded in due course of time, will take its own toll. The damage so produced would be almost irreversible and most catastrophic in nature. In short, we are facing the worst form of terrorism popularly known as "Cyber Terrorism".

The definition of "cyber terrorism" cannot be made exhaustive as the nature of crime is such that it must be left to be inclusive in nature. The nature of "cyberspace " is such that new methods and technologies are invented regularly; hence it is not advisable to put the definition in a straightjacket formula or pigeons hole. In fact, the first effort of the Courts should be to interpret the definition as liberally as possible so that the menace of cyber terrorism can be tackled stringently and with a punitive hand. The law dealing with cyber terrorism in India is, however, not adequate to meet the precarious intentions of these cyber terrorists and requires a rejuvenation in the light and context of the latest developments all over the world.

The laws of India have to take care of the problems originating at the international level because the Internet, through which these terrorist activities are carried out, recognises no boundaries. Thus, a cyber terrorist can collapse the economic structure of a country from a place with which India may not have any reciprocal arrangements, including an "extradition treaty". The only safeguard in such a situation is to use the latest technology to counter these problems. Thus, a good techno-legal combination of the latest security technology and a law dealing with cyber terrorism is the need of the hour.

The most common method for cyber terrorism is the use of distributed denial of services attacks (DDOS) to overburden the Government and its agencies electronic bases. This is made possible by first infecting several unprotected computers by way of virus attacks and then taking control of them. Once control is obtained, they can be manipulated from any locality by the terrorists. These infected computers are then made to send information or demand in such a large number that the server of the victim collapses. Further, due to this unnecessary Internet traffic the legitimate traffic is prohibited from reaching the Government or its agencies computers. This results in immense pecuniary and strategic loss to the government and its agencies. It must be noted that thousands of compromised computers can be used to simultaneously attack a single host, thus making its electronic existence invisible to the genuine and legitimate netizens and end users.
The main aim of cyber terrorist activities is to cause networks damage and their disruptions. This activity may divert the attention of the security agencies for the time being thus giving the terrorists extra time and makes their task comparatively easier. This process may involve a combination of computer tampering, virus attacks, hacking, etc.

The menace of cyber terrorism in India can be effectively curbed, if not completely eliminated, if the three sovereign organs of the Constitution work collectively and in harmony with each other. Further, a vigilant citizenry can supplement the commitment of elimination of cyber terrorism.

The judiciary can play its role by adopting a stringent approach towards the menace of cyber terrorism. It must, however, first tackle the jurisdiction problem because before invoking its judicial powers the courts are required to satisfy themselves that they possess the requisite jurisdiction to deal with the situation. Since the Internet "is a cooperative venture not owned by a single entity or government, there are no centralized rules or laws governing its use. The absence of geographical boundaries may give rise to a situation where the act legal in one country where it is done may violate the laws of another country. This process further made complicated due to the absence of a uniform and harmonised law governing the jurisdictional aspects of disputes arising by the use of Internet.

Generally, the scholars point towards the following "theories" under which a country may claim prescriptive jurisdiction:

(a) a country may claim jurisdiction based on "objective territoriality" when an activity takes place within the country,

(b) a "subjective territoriality" may attach when an activity takes place outside a nation's borders but the "primary effect" of the action is within the nation's borders,

(c) a country may assert jurisdiction based on the nationality of either the actor or the victim,

(d) in exceptional circumstances, providing the right to protect the nation's sovereignty when faced with threats recognised as particularly serious in the international community.

In addition to establishing a connecting nexus, traditional international doctrine also calls for a "reasonable" connection between the offender and the forum. Depending on the factual context, courts look to such factors, as whether the activity of individual has a "substantial and foreseeable effect" on the territory, whether a "genuine link" exists between the actor and the forum, the character of the activity and the importance of the regulation giving rise to the controversy, the extent to which exceptions are harmed by the regulation, and the importance of the regulation in the international community. The traditional jurisdictional paradigms may provide a framework to guide analysis for cases arising in cyberspace.[3] It must be noted that by virtue of section 1(2) read with section 75 of the Information Technology Act, 2000 the courts in India have “long arm jurisdiction” to deal with cyber terrorism.

The menace of cyber terrorism is not the sole responsibility of State and its instrumentalities. The citizens as well as the netizens are equally under a solemn obligation to fight against the cyber terrorism. In fact, they are the most important and effective cyber terrorism eradication and elimination mechanism. The only requirement is to encourage them to come forward for the support of fighting against cyber terrorism.

The government can give suitable incentives to them in the form of monetary awards. It must, however, be noted that their anonymity and security must be ensured before seeking their help. The courts are also empowered to maintain their anonymity if they provide any information and evidence to fight against cyber terrorism.

The problem of cyber terrorism is multilateral having varied facets and dimensions. Its solution requires rigorous application of energy and resources. It must be noted that law is always seven steps behind the technology. This is so because we have a tendency to make laws when the problem reaches at its zenith. We do not appreciate the need of the hour till the problem takes a precarious dimension. At that stage it is always very difficult, if not impossible, to deal with that problem. This is more so in case of offences and violations involving information technology. A timely and appropriate legislation is always a good step forward to fight cyber terrorism. India has to cover a long gap before it can secure its traditional boundaries and cyber space.

[1] http://en.wikipedia.org/wiki/Cyberterrorism

[2] Id.

[3] Dawson Cherie; “Creating Borders on the Internet- Free Speech, the United States and International Jurisdiction”, Virginia Journal of International Law, V-44, No-2 (Winter, 2004).