Governments have long worried about terrorists using the Internet to launch cyberattacks, spread propaganda, recruit and radicalise individuals and raise funds. However, the Islamic State’s exploitation of social media has caused a crisis and generated questions about international law’s role in addressing terrorism in cyberspace. This article analyzes international law in connection with potential terrorist cyberattacks and terrorist use of cyber technologies for other purposes. International law is not well positioned to support responses to terrorist cyberattacks, but the lack of such attacks to date undermines incentives for states to develop international law against this threat. In terms of terrorists using the Internet and social media for propaganda, radicalisation, recruiting and fundraising, the crisis caused by the Islamic State’s online activities has not created consensus strong enough to support a prominent role for international law in countering cyber-facilitated terrorism.

1. Introduction

The Internet’s global emergence has long produced worries about terrorism in cyberspace. In the USA, President Bill Clinton feared terrorist cyberattacks against critical infrastructure in the late 1990s,1 and, reacting to the San Bernardino shootings in December 2015, politicians demanded action against terrorist exploitation of social media.2 Despite two decades of concerns, states have not developed much international law addressing terrorism in cyberspace. New developments, such as anxieties about terrorist use of encryption3 and military cyberattacks against terrorist online capabilities,4 are unlikely to generate new international law. Explaining this reality requires understanding that certain terrorist uses of information and communication technologies (ICTs) have not materialised, while others confound states in ways that produce little consensus about how to respond.

This article analyzes the international legal landscape of terrorism in cyberspace in order to explain how it emerged, what it includes and whether changing international law in this context is appropriate and feasible. After considering preliminary issues for international law in the relationship between terrorism and cyberspace (Section 2), the article examines international law in connection with terrorists launching cyberattacks (Section 3). It then explores the international legal implications of cyber-enabled terrorist activities, such as spreading propaganda and radicalisation (Section 4). What emerges is a conundrum—prospects for international law are least apparent where terrorism in cyberspace has become a global crisis.

2. Terrorism, Cyberspace and International Law: Preliminary Considerations

After the Cold War, governments fretted that terrorists would weaponise nuclear, biological, chemical and cyber technologies. These concerns arose with global technological dissemination and with shifts in terrorist motivations toward inflicting large-scale death and damage on civilians. Within high-tech terrorism, cyber technologies are distinct because they are:

  • more accessible, cheaper, less risky and more malleable than nuclear, biological and chemical materials; and

  • offer ways to attack across a spectrum of consequences, gather intelligence, communicate in planning and conducting operations, spread propaganda, engage in ‘virtual’ criminal activities and raise financial resources.

These attributes have provoked questions about what ‘cyber terrorism’ means,5 questions that did not arise with terrorism involving weapons of mass destruction (WMD). These questions converged with other controversies. States have not agreed on a definition of ‘terrorism’, opting to define criminal offences in specific contexts as part of addressing terrorist threats.6 This outcome reflects a desire by many states to retain discretion over what terrorism means and how to respond to it. Governments have used this discretion in characterising opposition to their policies, legitimacy and power as terrorism—behaviour criticised for repressing dissent, violating human rights and degrading prospects for democratic governance.7

The multifunctional nature of cyber technologies provides ammunition for defining ‘cyber terrorism’ narrowly and broadly. States worried about the domestic political consequences of Internet access tend to favor broad definitions of cyber terrorism. Conversely, the legitimacy of many cyber activities supports defining cyber terrorism narrowly—as terrorist attacks perpetrated through ICTs. Spreading propaganda and radicalising people through social media by the so-called Islamic State are cyber-enabled forms of terrorism that fall between these narrow and broad definitions. Islamic State propaganda can terrorise civilians by spreading fear through execution videos, incite terrorist violence by radicalising people, and inspire support by depicting efforts to build the caliphate.8

This relationship between terrorism and cyberspace means the range of international legal issues it touches is complex. Terrorists have always used new technologies, but policymakers did not single out, for example, ‘mobile phone terrorism’. The Internet’s impact has been more transformative. Similarly, approaches to preventing terrorists from weaponising other technologies do not work in the cyber context, which forces policy to pursue other strategies to thwart terrorist interest in cyber weapons.

Despite the implications of terrorism’s relationship with cyberspace, the applicable international law consists mainly of rules not developed for the challenges ICTs present. These legacy rules mean terrorist use of ICTs does not occur in a legal void. However, the trajectory of terrorism in cyberspace casts harsh light on international law and forces policymakers to ask whether they need to develop it to address terrorism in cyberspace effectively. Reform would confront challenges, including disagreements about how to define terrorism, lack of consensus on what key legal principles mean, and political competition over issues—such as Internet governance—not specific to terrorism. These challenges limit what might be possible in making international law more responsive to terrorism in cyberspace.

3. Cyberattacks by Terrorists and International Law

Preventing, protecting against and responding to terrorist attacks preoccupy counter-terrorism policy. The same is true for potential terrorist use of ICTs to attack cyber-enabled infrastructure, facilities or services. Fear of terrorist cyberattacks has grown as dependence on ICTs deepened and as the skills and means to launch such attacks disseminated.9 However, terrorists have not shown much interest in, or abilities to undertake, cyberattacks. Whatever else explains this state of affairs, international law deserves no credit for it.

Despite years of concern, states have adopted few international instruments addressing cyberattacks by terrorists. In countering conventional and WMD terrorism, states negotiated treaties that define terrorist offences, require parties to criminalise and exercise jurisdiction over the offences, and engage in law enforcement cooperation.10 Most of these treaties apply to conventional terrorism, but some cover attacks involving biological, chemical and nuclear agents that have rarely or not yet occurred.11 Of the multilateral treaties, only two on civil aviation (which are not in force) expressly include cyberattacks.12 The only regional terrorism agreement mentioning cyber comes from the Association of South East Asian Nations (ASEAN). It encourages cooperation on various forms of terrorism, including cyber terrorism,13 but the ASEAN agreement does not include cyberattacks as a criminal offence. Similarly, United Nations (UN) Security Council decisions that impose binding counter-terrorism duties do not mention cyberattacks.14

Existing international law on terrorism does not apply well to possible cyberattacks by terrorists. States could interpret certain multilateral treaties to apply to such attacks,15 but this approach produces limited coverage under agreements designed for noncyber forms of terrorism. Regional treaties often use the offences defined in the multilateral agreements,16 which extends this patchwork coverage into regional contexts. Security Council resolutions are broad enough to cover terrorist cyberattacks. However, neither the Security Council nor its Counter-Terrorism Committee (CTC)17 has focused much on the threat of such attacks.

While cyberattacks could qualify as offences in some treaties, cyber technologies raise challenges different from terrorism involving conventional weapons or WMD agents. The treaties apply a criminal law approach, which requires identifying those responsible for terrorist offences. Although identifying perpetrators of conventional terrorism can be difficult, attribution in the cyber context is more challenging.18 For example, the Islamic State’s so-called ‘Cyber Caliphate’ claimed responsibility for attacking a French television station, which French officials asserted was terrorism.19 France later indicated Russian hackers were to blame—at which point attribution remained unclear, as did whether the incident was terrorism.20

A second feature of cyber technologies is the range of consequences they permit attacks to achieve—from disruption to destruction. Offences in antiterrorism treaties typically require the act in question to result in, or be intended to produce, injury, death or serious property damage.21 These thresholds create the potential for terrorists to engage in cyberattacks underneath them and not commit a terrorist offence. The Cyber Caliphate claimed responsibility for temporarily disrupting social media channels of US Central Command. The US Government dismissed the incident as ‘cyber vandalism’.22 The USA would never classify a biological attack by terrorists on its military as ‘bio vandalism’, even if the attack only caused temporary, limited disruption. This incident highlights the range of consequences cyber technologies make possible and different perceptions about cyberattacks.

These consequences and perceptions raise questions whether certain cyberattacks, such as corrupting or deleting stored data without destroying physical property, qualify as damage in antiterrorism treaties. Such questions implicate treaty interpretation and could generate disagreements about applying these treaties to cyberattacks and prevent their use in responding to cyberattacks by terrorists (assuming attribution was feasible). These problems might counsel developing a treaty designed to address what cyber technologies enable terrorists to do.

Whether customary international law offers guidance with respect to terrorism has proved controversial. The Special Tribunal for Lebanon held customary international law recognises a crime of international terrorism,23 the elements of which could encompass terrorist cyberattacks.24 However, this ruling has been criticised.25 In addition, finding evidence the decision affected state behaviour is difficult, suggesting state practice does not support the tribunal’s reading of custom. Hence, the tribunal’s crime of international terrorism does not provide a strong basis in international law for addressing terrorist cyberattacks.

Beyond international law on terrorism, states could respond to terrorist cyberattacks by applying treaties on cybercrime, transnational organised crime, extradition and mutual legal assistance. Relying on such instruments would run counter to state preferences for distinguishing terrorism from other crimes. Existing cybercrime treaties are largely regional in membership with limited numbers of parties. The Council of Europe’s Convention on Cybercrime has the largest number of parties, but only 48 countries, predominantly European, have joined.26 The UN Convention against Transnational Organized Crime has 186 parties,27 but this regime has not focused on or deterred cybercrime. Extradition agreements and mutual legal assistance treaties (MLATs) are mainly bilateral, making their application to terrorist cyberattacks dependent on the politics of bilateral relations. MLATs are difficult to use effectively against crimes involving digital evidence,28 which would happen with investigating terrorist cyberattacks.

In terms of new treaty law, countries have been negotiating the proposed Comprehensive Convention on International Terrorism since the latter half of the1990s,29 a period corresponding to the rise of worries about terrorist cyberattacks. The offence defined in the draft text is broad enough to be applicable to cyberattacks.30 However, negotiations have not concluded after nearly 20 years, and the possibility of terrorist cyberattacks has not catalyzed conclusion of these talks, which remain deadlocked over issues having nothing to do with cyberspace.

Strategies used to keep dangerous materials away from terrorists have no counterparts when cyberattacks are the concern. States developed treaties to protect nuclear materials in transport31 and to mark plastic explosives32 as counter-terrorism measures, and nonproliferation agreements on nuclear, biological and chemical weapons are considered helpful in keeping WMD materials away from terrorists. Similarly, the Security Council mandated that UN Member States prevent terrorists from acquiring WMD materials.33 Transposing this approach to the cyber context is not promising. Unlike physical materials subject to antiterrorism protections, cyber weapons are software code.

Attempts to block exports of certain surveillance technologies and intrusion software to repressive governments on human rights grounds demonstrate the difficulties and controversies that arise with restricting access to digital information.34 Similar problems emerged with policy on handling exploitable flaws in software not identified by the vendor or users.35 Preventing terrorists from getting access to such ‘zero day’ vulnerabilities is difficult because the vulnerabilities are simply information rather than material that can be physically controlled. The best way to prevent access is to disclose and patch vulnerabilities as they are discovered, but disclosure does not always happen because undisclosed vulnerabilities have law enforcement, intelligence and military value.36 Further, software vulnerabilities, malware to exploit them, and skills to launch cyberattacks are globally distributed and accessible to terrorists.

Counter-terrorism policies also emphasise protecting societies from terrorist attacks, especially critical infrastructure. Cybersecurity thinking similarly stresses ‘hardening the target’, especially cyber-enabled critical infrastructure, against cyberattacks regardless of the source37—an ‘all hazards’ protection strategy.38 Governments can often pursue this objective without international law because most critical infrastructure is within their territorial jurisdictions. However, the need for critical infrastructure protection is producing international cooperation and international law. Regional organisations, such as ASEAN, the European Union (EU), and the Organization of American States (OAS),39 and security regimes, such as the North Atlantic Treaty Organization (NATO),40 promote cooperation on critical infrastructure protection. Within treaties that address critical infrastructure sectors—such as civil aviation,41 maritime transport42 and nuclear safety43—international organisations are paying more attention to cybersecurity. States in different geographical and political contexts are using international legal instruments to increase protection of cyber-enabled critical infrastructure.44 These activities are recent, so they are not responsible for the lack of terrorist cyberattacks. Whether these efforts produce better cybersecurity and, thus, deter attacks on critical infrastructure remains to be seen.

Counter-terrorism policies underscore the need for resilience—the ability to identify terrorist attacks, control the damage and recover. Cybersecurity policy also highlights resilience as critical, and resilience informs development of national computer incident or emergency response teams and cooperation among them. However, cooperation on cyber resilience before or after an incident happens without international legal obligations, which mirrors international law on terrorism. Apart from obligations on law enforcement cooperation, antiterrorism treaties do not include duties to provide assistance to parties attacked by terrorists. This state of affairs also reflects the lack of legal obligations on states to assist countries hit by natural disasters.45 Discussion of a duty to assist countries experiencing cyberattacks has framed the duty as a nonbinding, or ‘soft law’, responsibility.46

This analysis of counter-terrorism activities from antiterrorism treaties to post-attack resilience demonstrates international law is not well developed regarding terrorist cyberattacks. Thus, international law is a nonfactor in explaining why terrorists have not engaged in such attacks. Options for strengthening international law against terrorist cyberattacks exist, including clarification of the applicability of certain antiterrorism treaties, protection of cyber-enabled critical infrastructure, and negotiation of a treaty on terrorist cyberattacks. However, the absence of attacks weakens incentives for states to tackle this threat. International law on terrorism has largely developed through states reacting to terrorist violence. This pattern casts doubt on whether states would develop international law in the absence of terrorist cyberattacks. The most promising options arise where developing international law would pay dividends against cyber incidents regardless of their source. Strengthening cybersecurity in critical infrastructure would protect against intrusions by terrorists, spies, militaries and criminals. Unlike the disinterest terrorists have demonstrated, criminals, military forces and intelligence agencies pose clear dangers in cyberspace, providing incentives for states to use international law to advance ‘all hazards’ strategies for improving cybersecurity in the public and private sectors.

After the 9/11 attacks, states realised the reactive nature of counter-terrorism policy and law was insufficient, which led to emphasis on preventing terrorist violence. Some efforts focused on preventing incitement to terrorism (Section 4), while others sought to interdict terrorist plots before attacks happened. Preventive strategies generated controversies under international human rights law. Governments argued that stopping attacks required heightened surveillance to identify terrorist communications, networks and operations. For human rights advocates, expanded surveillance risked violating privacy and the freedoms of opinion, expression and association.47 Disclosure of surveillance programs by Edward Snowden heightened these concerns and prompted efforts to protect human rights against expansive surveillance.48 Human rights controversies surrounding counter-terrorism surveillance have not dissipated because new attacks, such as those in Paris and San Bernardino in 2015, repeatedly roil these waters. Government interest in surveillance applies equally to the desire to prevent terrorist cyberattacks, but this desire does not produce equilibrium between political demand for expansive surveillance and human rights opposition to it.

The lack of terrorist cyberattacks keeps some issues in the realm of speculation, including those related to the use of force. Conventional terrorism sparked debates about when actual or anticipated terrorist violence triggers a state’s right to use force in self-defense.49 Inserting terrorist cyberattacks into these debates does not resolve controversies about, for example, the ‘armed attack’ threshold, the preventive use of force against terrorist groups, and whether states have the right to use force against terrorists located in countries unable or unwilling to deal with them.

4. Cyber-Enabled Terrorist Activities and International Law

Before the Islamic State emerged, governments understood terrorists used cyberspace to communicate, spread propaganda, radicalise, recruit and fundraise.50 In addressing terrorist use of the Internet, states identified the need to improve surveillance of communications, facilitate intelligence and law enforcement cooperation, prevent incitement to terrorism, and stop terrorist recruiting and fundraising. However, the Islamic State’s unprecedented use of the Internet and social media has seriously challenged counter-terrorism policy and international law.

The Islamic State has taken cyber-enabled strategies and tactics farther than any previous terrorist group, which is why its behaviour in cyberspace has become a counter-terrorism crisis. This crisis suggests that policy and law, including international law, crafted before the Islamic State became a threat, failed to prevent the group from making cyberspace a strategic asset. This failure prompts the need for new approaches, but, at present, more disagreement than consensus exists among states—and even within states—on how to cope with the crisis.

In international law, the Islamic State’s cyber-enabled activities have least battered the rules on suppression of terrorist financing. Under treaty law and binding Security Council mandates, states have obligations to stop the financing of terrorism.51 However, the Islamic State’s finances rely primarily on funds generated within territories it controls, such as taxes, oil revenues and criminal schemes (eg ransom kidnapping, selling looted antiquities).52 Although the system to suppress terrorist financing limits the Islamic State’s ability to move large sums through formal channels, the Islamic State has managed to fund itself. The system is not necessarily broken,53 but it has limitations when terrorists have funding not vulnerable to foreign and global financial mechanisms.54

After 9/11 and other terrorist attacks, counter-terrorism policies began to target incitement of terrorism as a problem the Internet exacerbates. In May 2005, the Council of Europe adopted a treaty that requires parties to criminalise provocation to commit offences defined in the multilateral antiterrorism treaties.55 In Resolution 1624 (2005) adopted in September 2005, the Security Council encouraged (but did not mandate) UN Member States to prohibit incitement to commit terrorism, prevent incitement and deny safe-haven to persons guilty of incitement.56

This emphasis on incitement provoked human rights concerns.57 Human rights advocates worried governments would define ‘terrorism’ broadly in implementing Resolution 1624 (2005), repress speech and association, and violate privacy. Resolution 1624 (2005) does not link ‘incitement to terrorism’ to the offences in multilateral antiterrorism treaties, as the Council of Europe’s treaty does. In that respect, Resolution 1624 (2005) highlights the lack of a definition of ‘terrorism’ in international law and agitates criticisms of expansive counter-terrorism policies infringing on rights and liberties protected by international law.

Social media’s explosive development after Resolution 1624 (2005) made this tension between counter-terrorism and human rights worse. Founded in 2004, Facebook became open to anyone with an email address in 200658 and Twitter came online in 2006.59 Since establishment, these and other platforms grew to serve billions of users and expanded ways to share information, communicate and associate. However, social media became a law enforcement and national security concern because the platforms provided cheap, accessible, versatile and globally distributed capabilities for terrorist communications, recruitment, radicalisation and propaganda.

These worries were not unfounded, as the Islamic State’s use of social media to radicalise individuals demonstrates.60 However, law enforcement and national security rationales also informed how governments elastically define terrorism. Human rights principles were under pressure from both democratic governments trying to balance counter-terrorism with individual rights and authoritarian governments uninterested in protecting rights. Social media companies found themselves squeezed by Islamic State abuse of their services, demands from governments to curb such abuse, and their commitments to privacy and free expression for customers.

Policy discussions about the Islamic State’s use of social media focus on ‘counter content’ and ‘counter narrative’ approaches. Counter-content strategies seek to identify and remove terrorist online propaganda and activity. Counter-narrative policies disseminate information that challenges Islamic State propaganda, disrupts use of social media to radicalise individuals and offers alternative messages to those that provide the Islamic State attention and adherents. Counter-content and counter-narrative approaches represent ways to combat incitement to terrorism, including radicalisation and recruitment.

In terms of international law, counter-narrative approaches create few, if any, problems because they promote more speech rather than less. International law poses no barriers to governments developing or supporting counter-narrative campaigns against the Islamic State. However, counter-narrative efforts have struggled to demonstrate strategic value. Too often they are fragmented, uncoordinated, of questionable impact, and unable to match the scale, speed, and substance of Islamic State propaganda and radicalisation efforts. What role international law could play to improve counter-narrative activities is not clear. Creating obligations for governments to engage in counter-narrative campaigns would run headlong into critiques that government-led counter-messaging lacks legitimacy with the people counter-narrative efforts are intended to reach.61

Counter-content strategies generate issues under international law. First, government demands that social media companies located in other countries remove content replay jurisdictional problems experienced in other cyberspace contexts.62 Second, counter-terrorism demands from governments for content removal raise questions about what ‘terrorist content’ or ‘terrorist activity’ means when states have no agreed definition of terrorism.63 Third, counter-content strategies implicate international law that protects freedom of opinion, expression and association from government interference.64 Countries do not agree on what these obligations mean or how they apply, and even European democracies and the USA differ on when governments can limit expression. Fourth, limits on governmental power to restrict expression might encourage ‘outsourcing’ censorship through nonbinding mechanisms involving government requests for companies to remove content.65 Fifth, counter-content strategies provide repressive governments with cover for censorship based on broad definitions of terrorism unrelated to threats from the Islamic State or other terrorist groups.66

Questions about the effectiveness of counter-content and counter-narrative strategies also arise in connection with the Islamic State’s use of social media. While each story has unique features, social media appears as a common feature in radicalisation and recruitment efforts. In Resolution 2178 (2014) addressing foreign fighters traveling to join the Islamic State, the Security Council urged UN Member States to take measures and cooperate ‘to prevent terrorists from exploiting technology … to incite support for terrorist acts’.67 One year after the resolution’s adoption, the foreign fighter problem was worse,68 suggesting counter-content and counter-narrative actions had not helped reduce this threat.

Policymakers usually stress that addressing the Islamic State’s online activities must comply with international human rights law. However, the scale, brazenness and impact of these activities have provoked concerns that human rights limitations on surveillance and counter-content strategies impede effective responses to, protection against and prevention of cyber-enabled terrorism. With other terrorist groups, such as al-Shabaab in Somalia, Boko Haram in Nigeria and al Qaeda in the Islamic Maghreb, exploiting social media, pressure for robust surveillance and the ability to take down online terrorist content mounts as dangers from cyber-facilitated extremism grow. The gap between what international human rights law mandates and how states conduct counter-terrorism has, typically, cast harsh light on counter-terrorism practices rather than human rights law. However, with cyber-enabled terrorism, the law is under increased scrutiny and pressure.

Escalating controversies about encryption underscore this development. Following Snowden’s disclosures, technology companies began to incorporate stronger encryption in their services. This move triggered law enforcement and intelligence concerns that strengthened encryption would harm efforts to combat terrorists and criminals. Encryption would cause the Internet to ‘go dark’ for law enforcement and intelligence authorities. The private sector push for encryption continued as the Islamic State emerged. Although Islamic State-directed or -inspired attacks in Paris and San Bernardino in 2015 did not involve encrypted communications, these attacks renewed the encryption dispute as counter-terrorism became an urgent priority in the USA and Europe.

The UN Special Rapporteur on freedom of opinion and expression connected encryption with international law. He argued government restrictions on, or interference with, encryption must meet the legality, legitimate objective, necessity and proportionality requirements human rights law establishes under the right to freedom of opinion and expression.69 According to the Special Rapporteur, encryption provides ‘the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age’.70

However, making encryption critical to the enjoyment of human rights does not answer concerns that stronger encryption threatens to prevent law enforcement or intelligence officials from getting access to encrypted communications—even when such officials satisfy all legal and human rights criteria. In February 2016, US Government efforts to compel Apple Inc to provide assistance in unlocking an iPhone owned by one of the San Bernardino terrorists triggered national and international debates about the promise and perils of encryption in many contexts, including efforts to counter cyber-facilitated terrorism.71 Although anchored in US law, the Apple litigation has significant implications for law enforcement officials, intelligence agencies and human rights advocates around the world.72

From a counter-terrorism perspective, the questions raised by this controversy might become moot because terrorists are unlikely to rely on encryption provided by companies compelled by governments to provide keys for decryption. Encryption software not subject to lawful orders of the American or European governments exists and will continue to develop and be available to terrorists. The more terrorists operate in cyberspace through encryption, the more counter-terrorism efforts face disadvantages. This trajectory creates incentives for counter-terrorism officials to develop new ways to fulfill their responsibilities.73 In the USA, experts have argued that law enforcement and intelligence agencies need access to communication metadata as part of counter-acting strong encryption.74 Others have asserted that law enforcement and intelligence officials will have ample unencrypted data to access because of, for example, the development of the ‘Internet of Things’.75 Both approaches would encounter opposition within international law, as seen in human rights reactions to Snowden’s disclosures of metadata collection by the US and UK governments for counter-terrorism purposes and in privacy advocacy for encryption.

Terrorist use of cyber communications relates to problems in international law beyond encryption. In investigating possible terrorist crimes, counter-terrorism officials might want access to communications serviced by a company in another country. The traditional way governments obtain foreign-located information is through MLATs. However, MLATs are not working well in contexts involving requests for digital information needed to investigate criminal activities. The convergence of two factors often compounds this problem—the dominance of US companies as global providers of cyber services and restrictions US law imposes on US companies sharing content data with foreign governments. Efforts are underway to identify ways to reform MLATs.76 Experts have proposed changes to US law to facilitate greater sharing of information by companies in response to requests from foreign governments,77 and these ideas have informed US–UK negotiations on reforming their MLAT.78

In December 2015, the CTC held a technical and a special meeting on ‘Preventing Terrorists from Exploiting the Internet and Social Media to Recruit Terrorists and Incite Terrorist Acts, While Respecting Human Rights and Fundamental Freedoms’.79 These meetings signaled the Islamic State’s use of cyberspace has become a global crisis, which the Security Council has placed on the CTC’s agenda. The meetings emphasised the need for cooperation guided by the understanding that ‘the UN Charter and international human rights law form the basis for effective preventive and counter-terrorism measures’.80

What the CTC meetings failed to answer is why the UN Charter, Security Council resolutions on terrorism, international human rights law and other bodies of international law, did not prevent the Islamic State’s online onslaught, are not protecting countries from cyber-enabled terrorism and are not facilitating effective responses. The meetings did not reveal much consensus on proposals for preventing terrorist exploitation of social media while respecting human rights. Instead, the meetings highlighted ‘fault lines’ about how to respond to the Islamic State’s exploitation of the Internet and social media, including tensions in the following areas:

Strategic considerations

  • Friction between support for government-led strategies and preferences for multi-stakeholder approaches.

  • Interest in more counter-terrorism regulation of cyberspace, amidst warnings from human rights advocates about empowering governments to act under expansive notions of ‘terrorism’.

  • Identification of the need for global trust in fighting terrorism in cyberspace, against the backdrop of disagreements among governments—and between the public and private sectors—over Internet governance, cybersecurity, privacy and freedom of expression.

  • Interest in addressing online terrorism as a threat on its own terms, versus assertions that attacking the ‘root causes’ of terrorism is the only way to mitigate this problem.

Role of the USA and US companies

  • Recognition of the importance of the USA, complicated by concerns that strict US protection of freedom of speech, other restrictive federal laws, and the dominance of US social media companies inhibit international cooperation.

  • Frustration with US social media companies, countered by claims the companies are acting appropriately with all stakeholders.

Counter-content and counter-messaging approaches

  • Gaps among governments, and between governments and companies, about what criteria should guide taking down online content on counter-terrorism grounds.

  • Interest in more effective counter-messaging campaigns, versus skepticism collaboration in this area can be cohesive, consistent, or achieve the scale and speed needed to have strategic impact against the Islamic State.

Law enforcement issues

  • Consensus that MLATs need reform to support countering online terrorist activities, but without clear direction on how reform moves forward.

  • Statements from law enforcement officials that encryption threatens their efforts against terrorism and crime, versus support for encryption from civil society and companies.

These, and other, fault lines indicate that agreement on new policy and legal directions, initiatives, and instruments will be difficult to achieve and sustain as the CTC begins to address terrorist use of the Internet and social media.81

In February 2016, a new front opened in efforts against the Islamic State’s online activities. The USA acknowledged conducting offensive military cyberattacks against the Islamic State. President Obama instructed US Cyber Command (CYBERCOM) to use its offensive capabilities against the Islamic State after the terrorist violence in San Bernardino.82 CYBERCOM is targeting the Islamic State’s use of the Internet and social media to spread propaganda, radicalise and recruit, and its use of cyber technologies to command and control military operations in Iraq and Syria.83 These cyberattacks now form part of military activities against the Islamic State the US Government argues are justified under international law.84 Further, the law of armed conflict guides US military action against the Islamic State, meaning the Obama administration believes the cyber weapons and attacks comply with it.

In addition to their significance in the armed conflict with the Islamic State, these cyberattacks increase the prospects that counter-terrorism strategies will now include offensive cyber operations against terrorist online activities, including in contexts not involving armed conflict. How states will handle cyberattacks against terrorist online capabilities outside armed conflict under international law is not clear, especially because such attacks might not constitute armed attacks, uses of force, or coercive acts that violate the principle of nonintervention. The CYBERCOM attacks might be the precursor of growing state use of cyber coercion in counter-terrorism strategies frustrated by the limitations imposed on, and ineffectiveness of, surveillance, counter-messaging, counter–counter and law enforcement cooperation efforts.

5. Conclusion

This international legal analysis of terrorism in cyberspace reveals a conundrum. Plausible options for international legal action concerning terrorist cyberattacks exist, but, because such attacks have not occurred, states lack incentives to strengthen proactively the contribution international law can make. Options, especially improving cybersecurity in critical infrastructure, have appeal because they are ‘all hazards’ strategies against cyber intrusions. By contrast, credible options for international legal activities regarding terrorist exploitation of the Internet and social media are lacking, even though this problem has become a crisis and countries, companies, and civil society have incentives to mitigate it. This difficult context, which shows no signs of abating, might heighten interest in incorporating offensive cyberattacks in strategies to counter cyber-facilitated terrorism.

Faced with this situation, it is tempting to conclude that counter-terrorism in cyberspace should focus on the root causes of this problem. With the Islamic State, its success in cyberspace flows from what it has achieved on the ground in Syria, Iraq and elsewhere.85 Until the Islamic State’s material power in ‘real space’ is degraded, efforts to combat its cyber-enabled activities will not have sustainable impact. Given the disaster the Islamic State has been for the Middle East and global politics, this conclusion provides no comfort for those interested in international law’s contributions to human affairs.

1 Presidential Decision Directive/NSC-63 (The White House, Washington, 22 May 1998) <http://fas.org/irp/offdocs/pdd/pdd-63.htm> accessed 30 August 2016.
2 DP Fidler, ‘Cyber Policy after the Paris and San Bernardino Terrorist Attacks’ (Net Politics, 8 December 2015) <http://blogs.cfr.org/cyber/2015/12/08/cyber-policy-after-the-paris-and-san-bernardino-terrorist-attacks/> accessed 20 March 2016.
3 ‘Cyber-Security: The Terrorist in the Data’ The Economist (London, 29 November 2015) <www.economist.com/news/briefing/21679266-how-balance-security-privacy-after-paris-attacks-terrorist-data> accessed 20 March 2016.
4 DP Fidler, ‘Send in the Malware: U.S. Cyber Command Attacks the Islamic State’ (Net Politics, 9 March 2016) <http://blogs.cfr.org/cyber/2016/03/09/send-in-the-malware-u-s-cyber-command-attacks-the-islamic-state/> accessed 20 March 2016.
5 CA Theohary and JW Rollins, Cyberwarfare and Cyberterrorism: In Brief (Congressional Research Service, 27 March 2015) <http://fas.org/sgp/crs/natsec/R43955.pdf> accessed 20 March 2016.
6 B Saul, Defining Terrorism in International Law (OUP 2008).
7 Office of the UN High Commission for Human Rights, Human Rights, Terrorism, and Counter-Terrorism (Fact Sheet No 32, 2008) <www.ohchr.org/Documents/Publications/Factsheet32EN.pdf> accessed 20 March 2016.
8 C Winter, The ‘Virtual’ Caliphate: Understanding Islamic State’s Propaganda Strategy (Quillium Foundation 2015).
9 D Paletta, ‘FBI Director Sees Increasing Terrorist Interest in Cyberattacks against U.S.’ Wall Street Journal (New York City, 22 July 2015) <www.wsj.com/articles/fbi-director-sees-increasing-terrorist-interest-in-cyberattacks-against-u-s-1437619297> accessed 20 March 2016.
10 UN, International Instruments Related to the Prevention and Suppression of International Terrorism (UN 2008).
11 International Convention for the Suppression of Terrorist Bombings (adopted 15 December 1997, entered into force 23 May 2001) 2149 UNTS 256; International Convention for the Suppression of Acts of Nuclear Terrorism (adopted 13 April 2005, not yet entered into force) 2445 UNTS 89.
12 Protocol Supplemental to the Convention for the Suppression of Unlawful Seizure of Aircraft (10 September 2010) ICAO Doc 9959; Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (adopted 10 September 2010, not yet entered into force) ICAO Doc 9960.
13 ASEAN Convention on Counter Terrorism (13 January 2007) <www.asean.org/news/item/asean-convention-on-counter-terrorism> accessed 20 March 2016.
14 UNSC Res 1373 (28 September 2001) UN Doc S/RES/1373; UNSC Res 1540(28 April 2004) UN Doc S/RES/1540; UNSC Res 2178 (24 September 2014) UN Doc S/RES/2178.
15 B Saul and K Heath, ‘Cyber Terrorism’ in N Tsagourias and R Buchan (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2015) 147–67.
16 See, for example, ASEAN Convention on Counter Terrorism (n 13).
17 Security Council Counter-Terrorism Committee <www.un.org/en/sc/ctc/> accessed 20 March 2016.
18 N Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17(2) J Conflict & Secur L 229. On the topic of attribution in cyberspace, see K Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (in this volume) J Conflict & Secur L.
19 A Chrisafis and S Gibbs, ‘French Media Groups to Hold Emergency Meeting after ISIS Cyber-Attack’ The Guardian (London, 9 April 2015) <www.theguardian.com/world/2015/apr/09/french-tv-network-tv5monde-hijacked-by-pro-isis-hackers> accessed 20 March 2016.
20 J Lichfield, ‘TV5Monde Hack: “Jihadist Cyber Attack on French TV State Could Have Russian Link” ’ The Independent (London, 10 June 2015) <www.independent.co.uk/news/world/europe/tv5monde-hack-jihadist-cyber-attack-on-french-tv-station-could-have-russian-link-10311213.html> accessed 20 March 2016.
21 The draft Comprehensive Convention on International Terrorism reflects this pattern by defining offences as acts that cause death or seriously bodily injury, serious damage to property, or property damage that causes major economic loss. UNGA ‘Letter dated 3 August 2005 from the Chairman of the Sixth Committee addressed to the President of the General Assembly’ (12 August 2005) UN Doc A/59/894, app II (hereinafter Draft Comprehensive Convention).
22 US Department of Defense, ‘CENTCOM Acknowledges Social Media Sites “Compromised”’ (12 January 2015) <www.defense.gov/news/newsarticle.aspx?id=123956&source=GovDelivery> accessed 20 March 2016.
23 Special Tribunal for Lebanon (Interlocutory Decision on the Applicable Law) STL-11-01/I (16 February 2011).
24 ibid, para 85.
25 See, for example, B Saul, ‘Legislating from a Radical Hague: The United Nations Tribunal for Lebanon Invents an International Crime of Transnational Terrorism’ (2011) 24(3) Leiden J Intl L 677.
26 Convention on Cybercrime (23 November 2001) Council of Europe Treaty Series No 185; Convention on Cybercrime Status (as of 16 March 2016) <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=20/02/2015&CL=ENG> accessed 20 March 2016.
27 UN Convention against Transnational Organized Crime (15 November 2000, entered into force 29 September 2003) 2225 UNTS 209; UN Convention against Transnational Organized Crime: Status of Ratification (as of 16 March 2016) <https://treaties.un.org/Pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XVIII-12&chapter=18&lang=en> accessed 20 March 2016.
28 AK Woods, Data Beyond Borders: Mutual Legal Assistance in the Internet Age (Global Network Initiative, January 2015) <http://csis.org/files/attachments/GNI%20MLAT%20Report.pdf> accessed 20 March 2016.
29 UNGA Res 51/210 ‘Measures to Eliminate International Terrorism' (17 December 1996) UN Doc A/RES/51/210.
30 Draft Comprehensive Convention (n 21).
31 Convention on the Physical Protection of Nuclear Material (adopted 26 October 1979, entered into force 8 February 1987) 1456 UNTS 124.
32 Convention on the Marking of Plastic Explosives for the Purpose of Detection (adopted 1 March 1991, entered into force 21 June 1998) 2122 UNTS 359.
33 Resolution 1540 (n 14).
34 Wassenaar Arrangement, List of Dual-Use Goods and Technologies and Munitions List, WA-LIST (13) 1 (4 December 2013); K Zetter, ‘Why an Arms Control Pact Has Security Experts Up in Arms’ Wired (New York City, 24 June 2015) <www.wired.com/2015/06/arms-control-pact-security-experts-arms/> accessed 20 March 2016.
35 P Stockton and M Golabek-Goldman, ‘Curbing the Market for Cyber Weapons’ (2013) 32 Yale L & Policy Rev 101; M Fidler, ‘Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis’ (2015) 11(2) J L & Pol Inform Soc 405.
36 D Sanger, ‘Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say’ New York Times (New York City, 13 April 2014).
37 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (12 February 2014) <www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf>.
38 DP Fidler, ‘Whither the Web? International Law, Cybersecurity, and Critical Infrastructure Protection’ (October 2015) Georgetown J Intl Aff 8.
39 CH Heinl, ‘Regional Cyber Security: Towards a Resilient ASEAN Cyber Security Regime’ (2013) RSIS Working Paper No 263; European Commission, ‘Critical Infrastructure’ <http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/crisis-and-terrorism-critical-infrastructure/index_en.htm> accessed 20 March 2016; OAS, ‘Critical Infrastructure Protection Programs: Cyber Security’ <www.oas.org/en/sms/cicte/programs_cyber.asp> accessed 20 March 2016.
40 M Edwards (ed), Critical Infrastructure Protection, NATO Science for Peace and Security Series 116 (IOS Press 2014).
41 R Benjamin, ‘Meeting a Global Threat with a Global Response: Aviation’s Collaborative and Multidisciplinary Actions on Cybersecurity’ (Autumn 2015) Cyber Secur Rev 38.
42 International Maritime Organization, ‘Maritime Security’ <www.imo.org/en/MediaCenre/HotTopics/priacy/Pages/default.aspx> accessed 20 March 2016.
43 International Atomic Energy Agency, Nuclear Security Plan 2014-2017 (3 August 2013) GOV/2013/42-GC(57)/19.
44 Council Directive 2008/114/EC of 8 December 2008 on the Identification and Designation of European Critical Infrastructure and the Assessment of the Need to Improve Their Protection [2008] OJ L/345/75; Shanghai Cooperation Organization, Agreement on Cooperation in the Field of International Information Security (16 June 2009) <https://ccdcoe.org/sites/default/files/documents/SCO-090616-IISAgreement.pdf> accessed 20 March 2016; African Union, Convention on Cyber Security and Personal Data Protection (27 June 2014) EX.CL/846(XXV).
45 DP Fidler, ‘Disaster Relief and Governance after the Indian Ocean Tsunami: What Role for International Law?’ (2005) 6 Melbourne J Intl L 458.
46 D Hollis and T Maurer, ‘A Red Cross for Cyberspace’ Time (New York City, 18 February 2015) <http://time.com/3713226/red-cross-cyberspace/> accessed 20 March 2016.
47 UNHRC Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression (16 May 2011) UN Doc A/HRC/17/27.
48 UN GA Res 68/167 ‘The Right to Privacy in the Digital Age' (18 December 2013) UN Doc A/RES/68/167; UNGA The Right to Privacy in the Digital Age: Report of the Office of the UN High Commissioner for Human Rights' (30 June 2014) UN Doc A/HRC/27/37.
49 C Tams, ‘The Use of Force against Terrorists’ (2009) 20(2) European J Intl L 359–97; D Bethlehem, ‘Principles Relevant to the Scope of a State’s Right of Self-Defense Against an Imminent or Actual Armed Attack by Nonstate Actors’ (2012) 106(4) American J Intl L 770.
50 UN Office on Drugs and Crime, The Use of the Internet for Terrorist Purposes (UN 2012).
51 International Convention for the Suppression of the Financing of Terrorism (adopted 9 December 1999, entered into force 10 April 2002) 2178 UNTS 197; Resolution 1373 (n 14).
52 A Swanson, ‘How the Islamic State Makes Its Money’ Washington Post (Washington, DC, 18 November 2015) <www.washingtonpost.com/news/wonk/wp/2015/11/18/how-isis-makes-its-money/> accessed 20 March 2016.
53 The Security Council has repeatedly reinforced the importance of countering terrorist financing. See, for example, UNSC Res 2253 (17 December 2015 ) UN Doc S/RES/2253.
54 For analysis on terrorist financing with information on the Islamic State, see Financial Action Task Force, Emerging Terrorist Financing Risks (October 2015) <www.fatf-gafi.org/publications/methodsandtrends/documents/emerging-terrorist-financing-risks.html> accessed 20 March 2016.
55 Convention on the Prevention of Terrorism (16 May 2005), Council of Europe Treaty Series No 196.
56 UNSC Res (14 September 2005) UN Doc S/RES/1624; UNCTC, ‘Global Survey of the Implementation by Member States of Security Council Resolution 1624 (2005)' (9 January 2012) UN Doc S/2012/16. See also Resolution 2178 (n 14).
57 See, for example, UNHRC ‘Report of the Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms While Countering Terrorism’, (22 February 2016) UN Doc A/HRC/31/65, paras 23–24.
58 S Phillips, ‘A Brief History of Facebook’ The Guardian (London, 25 July 2007) <www.theguardian.com/technology/2007/jul/25/media.newmedia> accessed 20 March 2016.
59 Twitter, ‘Twitter Milestones’ <https://about.twitter.com/company/press/milestones> accessed 20 March 2016.
60 JM Berger, ‘How ISIS Games Twitter’ The Atlantic (Washington, DC, 16 June 2014) <www.theatlantic.com/international/archive/2014/06/isis-iraq-twitter-social-media-strategy/372856/> accessed 20 March 2016.
61 Criticism of the US Government’s counter-narrative efforts has been harsh. G Harris and C Kang, ‘Obama Shifts Online Strategy on ISIS’ New York Times (New York City, 9 January 2016) A8.
62 DG Post, In Search of Jefferson’s Moose: Notes on the State of Cyberspace (OUP 2009).
63 US companies complained about proposed legislation designed to facilitate reporting online ‘terrorist activity’ to the US Government because, among other things, the legislation did not define ‘terrorist activity’. Internet Association, Reform Government Surveillance, and Internet Infrastructure Coalition, ‘Letter to US Senate Majority and Minority Leaders Concerning Section 603 of the Intelligence Authorization Bill for Fiscal Year 2016’ (5 August 2015) <http://internetassociation.org/wp-content/uploads/2015/08/080515-Joint-Letter-on-Section-603.pdf> accessed 20 March 2016.
64 International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171.
65 S Craig and E Llanso, ‘Pressuring Platforms to Censor Content is Wrong Approach to Combatting Terrorism’ (Center for Democracy and Technology, 5 November 2015) <https://cdt.org/blog/pressuring-platforms-to-censor-content-is-wrong-approach-to-combatting-terrorism/> accessed 20 March 2016.
66 Freedom House, ‘Freedom on the Net 2015’ <https://freedomhouse.org/sites/default/files/FOTN%202015%20Full%20Report.pdf> accessed 20 March 2016.
67 Resolution 2178 (n 14) para 17.
68 US Department of Homeland Security, Final Report of the Task Force on Combating Terrorist and Foreign Fighter Travel (September 2015).
69 UNHRC ‘Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression’ (22 May 2015) UN Doc A/HRC/29/32 para 56.
70 ibid.
71 E Lichtbau and K Benner, ‘Apple Fights Order to Unlock San Bernardino Gunman’s iPhone’ New York Times (New York City, 18 February 2016) A1.
72 H Farrell, ‘Called Out: The Global Consequences of Apple’s Fight with the FBI’ Foreign Affairs Snapshot (Washington, DC, 7 March 2016) <www.foreignaffairs.com/articles/united-states/2016-03-07/called-out> accessed 20 March 2016.
73 A Segal and A Grigsby, ‘How to Break the Deadlock over Data Encryption’ Washington Post (Washington, DC, 13 March 2016) <www.washingtonpost.com/opinions/how-to-break-the-deadlock-over-data-encryption/2016/03/13/e677fb78-d110-11e5-88cd-753e80cd29ad_story.html> accessed 20 March 2016.
74 PH Howell, ‘Former NSA Chief Says U.S. Can Get Around Encryption with Metadata, Argues against Backdoors’ (The Daily Dot, 5 January 2016) <www.dailydot.com/politics/michael-hayden-encryption-debate-clinton-bush/> accessed 20 March 2016.
75 Berkman Center for Internet & Society, ‘Don’t Panic: Making Progress on the ‘Going Dark’ Debate’ (1 February 2016) <https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf> accessed 20 March 2016.
76 Woods (n 28).
77 J Daskal and AK Woods, ‘Cross-Border Data Requests: A Proposed Framework’ (Lawfare, 24 November 2015) <www.lawfareblog.com/cross-border-data-requests-proposed-framework> accessed 20 March 2016.
78 E Nakashima and A Peterson, ‘The British Want to Come to America—with Wiretap Orders and Search Warrants’ Washington Post (4 February 2016) <www.washingtonpost.com/world/national-security/the-british-want-to-come-to-america–with-wiretap-orders-and-search-warrants/2016/02/04/b351ce9e-ca86-11e5-a7b2-5a2f824b02c9_story.html> accessed 20 March 2016.
79 CTC <www.un.org/en/sc/ctc/news/2015-11-18_CTED_SpecialMeeting_ICT.html> accessed 20 March 2016. The author attended these meetings.
80 UN News Centre, ‘In Special Meeting, UN Weighs Measures to Prevent Terrorists from Exploiting the Internet, Social Media’ (17 December 2015) <www.un.org/apps/news/printnews.asp?nid=52850> accessed 20 March 2016.
81 One activity the CTC’s Executive Directorate is pursuing involves partnering with ICT4Peace, a nongovernmental organisation, to understand cyber-enabled terrorism, ‘particularly how industry is responding to terrorist use of ICTs, identify good practices, notably in the area of self- regulation, and potentially engage industry representatives in shaping a voluntary trust building mechanism such as a code of conduct to help mitigate the use of ICT products and services by terrorist groups’. ICT4Peace, ‘UN and ICT4Peace Launch Project to Counter use of ICTs for Terrorist Purposes in Cooperation with the Private Sector’ (12 February 2016) <http://ict4peace.org/un-and-ict4peace-launch-project-to-counter-use-of-icts-for-terrorist-purposes-in-cooperation-with-the-private-sector/> accessed 20 March 2016.
82 WJ Hennigan, ‘Pentagon Wages Cyberwar against Islamic State’ Los Angeles Times (Los Angeles, 29 February 2016) <www.latimes.com/nation/la-fg-isis-cyber-20160228-story.html> accessed 20 March 2016.
83 Fidler, ‘Send in the Malware’ (n 4).
84 S Preston, ‘Remarks on the Legal Framework for the United States’ Use of Military Force Since 9/11’ (Annual Meeting of the American Society of International Law, 10 April 2015) <www.defense.gov/News/Speeches/Speech-View/Article/606662/the-legal-framework-for-the-united-states-use-of-military-force-since-911> accessed 20 March 2016.
85 The Islamic State’s presence on Twitter exploded in conjunction with the territorial gains it made in 2014. JM Berger and J Morgan, ‘The ISIS Twitter Census: Defining and Describing the Population of ISIS Supporters on Twitter’ (2015) Brookings Institution, Analysis Paper No 20, 17.

Author notes

Section 3 of this article draws on the ILA Study Group’s work.