Cyberterrorism and International Legal Regulations

Cyber threats in the form of cyberterrorism are complicated by the overarching international laws, creating challenges for you as security consultants.  I have been asked to advise on the supremacy of legal jurisdictions unfortunately, there is no easy way to answer this.  The relationship between national and international laws is a complex one and you need to factor in whether countries are signatories to treaties, if domestic jurisdictions have ratified all articles of conventions – this is not a tick box exercise thus, legal assistance may often be required. 

Although the likelihood of a cyberterrorist attack is low because of the costs involved; that is not to say it is impossible. 

As you will be aware, cyberterrorism is defined as one of three possible threats, by the Centre for the Protection of National Infrastructure[1] (‘CPNI’), faced in the UK.  And, the UN believe a “global consensus”[2] is required when addressing terrorism online.  In reality this is based on the supposition that non-state actors will utilise other states to facilitate their activities, either through lack of clear boundaries between a state’s cyberspace and/or taking advantage of a particular state’s bias toward a group and their beliefs.  Specifically when identifying the international risk posed by terror networks the CPNI recognise, that it is important to maintain and develop relationships with both private and public entities abroad to collectively work to prevent such attacks[3].

When acting in the best interests of our client’s security, mitigation is key and the CPNI urge businesses to remain aware of security risks thereby reducing the risk; and by mitigation we mean:

“Businesses can reduce the risk to themselves, their employees and customers by remaining vigilant, being security minded and having good security measures in place. A small investment in security measures helps to protect businesses against crime and make the work of terrorists and hostile foreign states more difficult.” 

*From CPNI website: https://www.cpni.gov.uk/threat-scenarios-and-advice

Legal cases emanating from the International Court of Justice (‘ICJ’) demonstrate an obligation is placed on a state, to positively react to a threat and/or make a fellow state aware of a threat originating[4] from within ‘their’ state/cyberspace[5]; reinforcing CPNI’s position: we should all be aware of cybercrime and act proactively to prevent it and/or harden targets.  When we become aware of online security issues, we are all obliged to make the relevant authorities directly aware or follow an employer’s internal reporting protocol.  As roving security consultants; your ‘office’ is often ‘in the field’ however, your duties extend to you there (as you will be aware). 

The UK advocates a proactive stance on cyberterrorism, effectively promoting our national obligation to the wider global community and in particular, to “our allies”[6].  The ‘UK Cyber Security Strategy’[7] launched in 2011[8], is readily available online to assist our clients both practically and legally, and you can update your knowledge with the annual reports. 

Some threats may first appear as benign ‘glitch’; an attacker may hit our client’s systems with a vulnerability that is not intended to be discovered initially; but as work is done to rectify the glitch, a repetitive attack may be uncovered - thus demonstrating that both vigilance and reporting is critical.

There are arguments for and against an overarching international framework of governance for the Internet, in the absence of such a treaty we should remain live to the ‘Budapest Convention: The Convention on Cybercrime’ (‘the Convention’) as it reinforces the importance of fighting cybercrime for signatories.  The Convention is effectively reconciled against the backdrop of:  

“fundamental human rights as enshrined in the 1950 Council of Europe Convention for the Protection if Human Rights and Fundamental Freedoms”[9].

The Convention:

  • Applies internationally, where ratified*;
  • Contains helpful instructions and guidance to assist with both practical application of both members and non-members alike.

*those countries who have ratified the Convention are found easily online for you.

In the absence of clear virtual boundaries in cyberspace[10], there is an argument to adopt similar limitations as applied in the case of maritime law.  Many of you will be directly familiar with the United Nations Convention on the Law of the Sea[11] (‘UNCLOS’).  The idea is a simple one, conceptual boundaries in cyber-space, agreed by an overarching international organisation such as the UN.  In effect the notion of international zones depicting areas relating to territorial cyberspace.  This would serve to identify whether a cyberterrorist act is committed[12] by a state or non-state actor and allow for prosecution to be based on the boundaries as agreed.   

However in contrast, there is an argument that, as cyberspace exists supranationally, existing legal frameworks cannot be utilised.  Cyberspace, has borders that are not tangible and cannot be crossed and in addition, cyberspace is literally – above and beyond current “physical geographic borders”[13].

The aforementioned Convention, was launched by the European Community and has many non-member signatories and accessions; however the Convention does not apply globally and is not binding on all states.  When examining cyberterrorism and cultural variants[14], some states may be perceived as ‘soft’ option for certain networks and enable them to use their soil as a base[15] to launch cyberterrorist attacks.  

With this in mind; a UN treaty similar to UNCLOS could overcome these challenges by firstly harmonising[16] and consolidating a plethora of existing national[17] and international laws and; by creating an almost ‘physical’ set of boundaries/zones making individual states accountable for cyberterrorist attacks being developed on their soil. 

By growing accountability, both governance and liability could be effectively proportioned and prosecution of the same possible.  The UK recognise that prevention of “safe havens”[18] on foreign soils as crucial in the fight against cyberterrorism.  A treaty could establish governance and introduce a tribunal system as in the UNCLOS tribunal[19], acting as a mediator with international disputes regarding cyberspace and in an advisory capacity[20].  The ultimate challenge to overcome is drafting a constitution for the activities of cyberspace that is applicable to all cultures and legal jurisdictions[21].  This is overcome by ensuring that the framework[22] is reconciled against the existing international human rights law[23]

In conclusion, the fact that a number of non-member states’ signed up to the European Convention on cybercrime, would suggest that there is a requirement for such a global UN treaty.  Thus a pragmatic approach is recommended for policymakers to both pressurise the legislatures at international organisations and heed the inferences to be drawn from the ratification of the European Convention on cybercrime.

Those of you also working in this arena may be in the privileged position of speaking directly to the powers that be and, potentially lobbying for some advancement on this security concern.  Should further legal advice be required, please contact me directly. 

[1] Centre for the Protection of National Infrastructure.  (2010)  Protecting Against Terrorism (3rd ed).  England: Crown Copyright.  Retrieved: http://www.cpni.gov.uk/threats/terrorism/

[2] United Nations Security Council.  (2015). Implementation of Security Council Resolution 2178 (2014) by States affected by foreign terrorist fighters.   (S/2015/683).  Retrieved: http://www.un.org/en/sc/ctc/docs/2015/N1527297_EN.pdf

[3] Centre for the Protection of National Infrastructure.  (2010). Who We Work With. England: Crown Copyright.  http://www.cpni.gov.uk/about/Who-we-work-with/

[4]This would also include data clouds being located within a jurisdiction, see relevant case law (made available on request).

[5]Corfu Channel (United Kingdom of Great Britain and Northern Ireland v. Albania) [1949] (Summary) 1949/3 Judgment of 15 Dec 1949.   

[6] Ibid. 

[7] Cabinet Office.  (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010.  London: Crown copyright.  Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

[8] Following the NATO summit, Lisbon 2010 at para: 40 of the Declaration of the North Atlantic Treaty Organisation (NATO).  (2010). Lisbon Summit Declaration.  Lisbon: Public Diplomacy Division.  Retrieved: http://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2010_11/2010_11_11DE1DB9B73C4F9BBFB52B2C94722EAC_PR_CP_2010_0155_ENG-Summit_LISBON.pdf

[9] Budapest Convention: The Convention on Cybercrime 2001 [CETS No. 185] see Preamble.

[10] The “borderless and anonymous nature of the internet” prevents attributable liability see: Cabinet Office.  (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010.  London: Crown copyright.  Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

[11] United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN].   Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf

[12] Op. cit. 9 at Section 3, Art 22 ‘Jurisdiction’.                                                                              

[13] K. M. Rogers., The Internet and the Law.  (2011; Palgrave Macmillan: Basingstoke). 

[14] The importance of remaining respectful of cultural differences see Cabinet Office.  (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010.  London: Crown copyright.  Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

[15] This is due to different jurisdictions possessing varying thresholds for interception by authorities see United Nations Security Council.  (2015). Implementation of Security Council Resolution 2178 (2014) by States affected by foreign terrorist fighters.   (S/2015/683).  Retrieved: http://www.un.org/en/sc/ctc/docs/2015/N1527297_EN.pdf

[16] ‘An integral and challenging component of any national Cybersecurity strategy is the adoption of regionally and internationally harmonized, appropriate legislations against the misuse of ICTs for criminal or other mischievous purposes’ found on International Telecommunications Unit.  (2016) Legal Measures: Legislation.  Retrieved: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/Legal-Measures.aspx

[17] There are a number of statutes in the UK overarching the conduct of individuals’ when online see: The Computer Misuse Act 1990; Serious Crime Act 2015 and Serious Crime Act 2007. 

[18] Op. cit. 14.

[19] Statute of the International Tribunal for the Law of the Sea at Section 1, Art 1 onwards of Annex VI of the United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN].  Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf

[20] In particular, the Seabed Disputes Chamber acts in an advisory capacity see Section 5, Arts 186 – 191 of United Nations Convention on the Law of the Sea 1982 [Office of Legal Affairs, UN].   Retrieved: http://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf

[21] The UN believe that any “global commons” be regulated in a united manner and that includes “global communications” found: United Nations. (2016). Global Issues: International Law.  Retrieved: http://www.un.org/en/globalissues/internationallaw/  

[22] Cabinet Office.  (2011). UK Cyber Security Strategy: Protecting and promoting the UK in a digital world report 2010.  London: Crown copyright.  Retrieved: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf

[23] The Charter of the United Nations of 1945; in particular Art 2(4) and Art 51 retrieved: http://www.un.org/en/charter-united-nations/index.html

Comments

Write a Comment

You must be logged in to leave a comment. If you do not have an account with The Security Advisor you can signup here.