Governments have long worried about terrorists using the Internet to launch cyberattacks, spread propaganda, recruit and radicalise individuals and raise funds. However, the Islamic State’s exploitation of social media has caused a crisis and generated questions about international law’s role in addressing terrorism in cyberspace. This article analyzes international law in connection with potential terrorist cyberattacks and terrorist use of cyber technologies for other purposes. International law is not well positioned to support responses to terrorist cyberattacks, but the lack of such attacks to date undermines incentives for states to develop international law against this threat. In terms of terrorists using the Internet and social media for propaganda, radicalisation, recruiting and fundraising, the crisis caused by the Islamic State’s online activities has not created consensus strong enough to support a prominent role for international law in countering cyber-facilitated terrorism.
The Internet’s global emergence has long produced worries about terrorism in cyberspace. In the USA, President Bill Clinton feared terrorist cyberattacks against critical infrastructure in the late 1990s,1 and, reacting to the San Bernardino shootings in December 2015, politicians demanded action against terrorist exploitation of social media.2 Despite two decades of concerns, states have not developed much international law addressing terrorism in cyberspace. New developments, such as anxieties about terrorist use of encryption3 and military cyberattacks against terrorist online capabilities,4 are unlikely to generate new international law. Explaining this reality requires understanding that certain terrorist uses of information and communication technologies (ICTs) have not materialised, while others confound states in ways that produce little consensus about how to respond.
This article analyzes the international legal landscape of terrorism in cyberspace in order to explain how it emerged, what it includes and whether changing international law in this context is appropriate and feasible. After considering preliminary issues for international law in the relationship between terrorism and cyberspace (Section 2), the article examines international law in connection with terrorists launching cyberattacks (Section 3). It then explores the international legal implications of cyber-enabled terrorist activities, such as spreading propaganda and radicalisation (Section 4). What emerges is a conundrum—prospects for international law are least apparent where terrorism in cyberspace has become a global crisis.
2. Terrorism, Cyberspace and International Law: Preliminary Considerations
After the Cold War, governments fretted that terrorists would weaponise nuclear, biological, chemical and cyber technologies. These concerns arose with global technological dissemination and with shifts in terrorist motivations toward inflicting large-scale death and damage on civilians. Within high-tech terrorism, cyber technologies are distinct because they are:
more accessible, cheaper, less risky and more malleable than nuclear, biological and chemical materials; and
offer ways to attack across a spectrum of consequences, gather intelligence, communicate in planning and conducting operations, spread propaganda, engage in ‘virtual’ criminal activities and raise financial resources.
These attributes have provoked questions about what ‘cyber terrorism’ means,5 questions that did not arise with terrorism involving weapons of mass destruction (WMD). These questions converged with other controversies. States have not agreed on a definition of ‘terrorism’, opting to define criminal offences in specific contexts as part of addressing terrorist threats.6 This outcome reflects a desire by many states to retain discretion over what terrorism means and how to respond to it. Governments have used this discretion in characterising opposition to their policies, legitimacy and power as terrorism—behaviour criticised for repressing dissent, violating human rights and degrading prospects for democratic governance.7
The multifunctional nature of cyber technologies provides ammunition for defining ‘cyber terrorism’ narrowly and broadly. States worried about the domestic political consequences of Internet access tend to favor broad definitions of cyber terrorism. Conversely, the legitimacy of many cyber activities supports defining cyber terrorism narrowly—as terrorist attacks perpetrated through ICTs. Spreading propaganda and radicalising people through social media by the so-called Islamic State are cyber-enabled forms of terrorism that fall between these narrow and broad definitions. Islamic State propaganda can terrorise civilians by spreading fear through execution videos, incite terrorist violence by radicalising people, and inspire support by depicting efforts to build the caliphate.8
This relationship between terrorism and cyberspace means the range of international legal issues it touches is complex. Terrorists have always used new technologies, but policymakers did not single out, for example, ‘mobile phone terrorism’. The Internet’s impact has been more transformative. Similarly, approaches to preventing terrorists from weaponising other technologies do not work in the cyber context, which forces policy to pursue other strategies to thwart terrorist interest in cyber weapons.
Despite the implications of terrorism’s relationship with cyberspace, the applicable international law consists mainly of rules not developed for the challenges ICTs present. These legacy rules mean terrorist use of ICTs does not occur in a legal void. However, the trajectory of terrorism in cyberspace casts harsh light on international law and forces policymakers to ask whether they need to develop it to address terrorism in cyberspace effectively. Reform would confront challenges, including disagreements about how to define terrorism, lack of consensus on what key legal principles mean, and political competition over issues—such as Internet governance—not specific to terrorism. These challenges limit what might be possible in making international law more responsive to terrorism in cyberspace.
3. Cyberattacks by Terrorists and International Law
Preventing, protecting against and responding to terrorist attacks preoccupy counter-terrorism policy. The same is true for potential terrorist use of ICTs to attack cyber-enabled infrastructure, facilities or services. Fear of terrorist cyberattacks has grown as dependence on ICTs deepened and as the skills and means to launch such attacks disseminated.9 However, terrorists have not shown much interest in, or abilities to undertake, cyberattacks. Whatever else explains this state of affairs, international law deserves no credit for it.
Despite years of concern, states have adopted few international instruments addressing cyberattacks by terrorists. In countering conventional and WMD terrorism, states negotiated treaties that define terrorist offences, require parties to criminalise and exercise jurisdiction over the offences, and engage in law enforcement cooperation.10 Most of these treaties apply to conventional terrorism, but some cover attacks involving biological, chemical and nuclear agents that have rarely or not yet occurred.11 Of the multilateral treaties, only two on civil aviation (which are not in force) expressly include cyberattacks.12 The only regional terrorism agreement mentioning cyber comes from the Association of South East Asian Nations (ASEAN). It encourages cooperation on various forms of terrorism, including cyber terrorism,13 but the ASEAN agreement does not include cyberattacks as a criminal offence. Similarly, United Nations (UN) Security Council decisions that impose binding counter-terrorism duties do not mention cyberattacks.14
Existing international law on terrorism does not apply well to possible cyberattacks by terrorists. States could interpret certain multilateral treaties to apply to such attacks,15 but this approach produces limited coverage under agreements designed for noncyber forms of terrorism. Regional treaties often use the offences defined in the multilateral agreements,16 which extends this patchwork coverage into regional contexts. Security Council resolutions are broad enough to cover terrorist cyberattacks. However, neither the Security Council nor its Counter-Terrorism Committee (CTC)17 has focused much on the threat of such attacks.
While cyberattacks could qualify as offences in some treaties, cyber technologies raise challenges different from terrorism involving conventional weapons or WMD agents. The treaties apply a criminal law approach, which requires identifying those responsible for terrorist offences. Although identifying perpetrators of conventional terrorism can be difficult, attribution in the cyber context is more challenging.18 For example, the Islamic State’s so-called ‘Cyber Caliphate’ claimed responsibility for attacking a French television station, which French officials asserted was terrorism.19 France later indicated Russian hackers were to blame—at which point attribution remained unclear, as did whether the incident was terrorism.20
A second feature of cyber technologies is the range of consequences they permit attacks to achieve—from disruption to destruction. Offences in antiterrorism treaties typically require the act in question to result in, or be intended to produce, injury, death or serious property damage.21 These thresholds create the potential for terrorists to engage in cyberattacks underneath them and not commit a terrorist offence. The Cyber Caliphate claimed responsibility for temporarily disrupting social media channels of US Central Command. The US Government dismissed the incident as ‘cyber vandalism’.22 The USA would never classify a biological attack by terrorists on its military as ‘bio vandalism’, even if the attack only caused temporary, limited disruption. This incident highlights the range of consequences cyber technologies make possible and different perceptions about cyberattacks.
These consequences and perceptions raise questions whether certain cyberattacks, such as corrupting or deleting stored data without destroying physical property, qualify as damage in antiterrorism treaties. Such questions implicate treaty interpretation and could generate disagreements about applying these treaties to cyberattacks and prevent their use in responding to cyberattacks by terrorists (assuming attribution was feasible). These problems might counsel developing a treaty designed to address what cyber technologies enable terrorists to do.
Whether customary international law offers guidance with respect to terrorism has proved controversial. The Special Tribunal for Lebanon held customary international law recognises a crime of international terrorism,23 the elements of which could encompass terrorist cyberattacks.24 However, this ruling has been criticised.25 In addition, finding evidence the decision affected state behaviour is difficult, suggesting state practice does not support the tribunal’s reading of custom. Hence, the tribunal’s crime of international terrorism does not provide a strong basis in international law for addressing terrorist cyberattacks.
Beyond international law on terrorism, states could respond to terrorist cyberattacks by applying treaties on cybercrime, transnational organised crime, extradition and mutual legal assistance. Relying on such instruments would run counter to state preferences for distinguishing terrorism from other crimes. Existing cybercrime treaties are largely regional in membership with limited numbers of parties. The Council of Europe’s Convention on Cybercrime has the largest number of parties, but only 48 countries, predominantly European, have joined.26 The UN Convention against Transnational Organized Crime has 186 parties,27 but this regime has not focused on or deterred cybercrime. Extradition agreements and mutual legal assistance treaties (MLATs) are mainly bilateral, making their application to terrorist cyberattacks dependent on the politics of bilateral relations. MLATs are difficult to use effectively against crimes involving digital evidence,28 which would happen with investigating terrorist cyberattacks.
In terms of new treaty law, countries have been negotiating the proposed Comprehensive Convention on International Terrorism since the latter half of the1990s,29 a period corresponding to the rise of worries about terrorist cyberattacks. The offence defined in the draft text is broad enough to be applicable to cyberattacks.30 However, negotiations have not concluded after nearly 20 years, and the possibility of terrorist cyberattacks has not catalyzed conclusion of these talks, which remain deadlocked over issues having nothing to do with cyberspace.
Strategies used to keep dangerous materials away from terrorists have no counterparts when cyberattacks are the concern. States developed treaties to protect nuclear materials in transport31 and to mark plastic explosives32 as counter-terrorism measures, and nonproliferation agreements on nuclear, biological and chemical weapons are considered helpful in keeping WMD materials away from terrorists. Similarly, the Security Council mandated that UN Member States prevent terrorists from acquiring WMD materials.33 Transposing this approach to the cyber context is not promising. Unlike physical materials subject to antiterrorism protections, cyber weapons are software code.
Attempts to block exports of certain surveillance technologies and intrusion software to repressive governments on human rights grounds demonstrate the difficulties and controversies that arise with restricting access to digital information.34 Similar problems emerged with policy on handling exploitable flaws in software not identified by the vendor or users.35 Preventing terrorists from getting access to such ‘zero day’ vulnerabilities is difficult because the vulnerabilities are simply information rather than material that can be physically controlled. The best way to prevent access is to disclose and patch vulnerabilities as they are discovered, but disclosure does not always happen because undisclosed vulnerabilities have law enforcement, intelligence and military value.36 Further, software vulnerabilities, malware to exploit them, and skills to launch cyberattacks are globally distributed and accessible to terrorists.
Counter-terrorism policies also emphasise protecting societies from terrorist attacks, especially critical infrastructure. Cybersecurity thinking similarly stresses ‘hardening the target’, especially cyber-enabled critical infrastructure, against cyberattacks regardless of the source37—an ‘all hazards’ protection strategy.38 Governments can often pursue this objective without international law because most critical infrastructure is within their territorial jurisdictions. However, the need for critical infrastructure protection is producing international cooperation and international law. Regional organisations, such as ASEAN, the European Union (EU), and the Organization of American States (OAS),39 and security regimes, such as the North Atlantic Treaty Organization (NATO),40 promote cooperation on critical infrastructure protection. Within treaties that address critical infrastructure sectors—such as civil aviation,41 maritime transport42 and nuclear safety43—international organisations are paying more attention to cybersecurity. States in different geographical and political contexts are using international legal instruments to increase protection of cyber-enabled critical infrastructure.44 These activities are recent, so they are not responsible for the lack of terrorist cyberattacks. Whether these efforts produce better cybersecurity and, thus, deter attacks on critical infrastructure remains to be seen.
Counter-terrorism policies underscore the need for resilience—the ability to identify terrorist attacks, control the damage and recover. Cybersecurity policy also highlights resilience as critical, and resilience informs development of national computer incident or emergency response teams and cooperation among them. However, cooperation on cyber resilience before or after an incident happens without international legal obligations, which mirrors international law on terrorism. Apart from obligations on law enforcement cooperation, antiterrorism treaties do not include duties to provide assistance to parties attacked by terrorists. This state of affairs also reflects the lack of legal obligations on states to assist countries hit by natural disasters.45 Discussion of a duty to assist countries experiencing cyberattacks has framed the duty as a nonbinding, or ‘soft law’, responsibility.46
This analysis of counter-terrorism activities from antiterrorism treaties to post-attack resilience demonstrates international law is not well developed regarding terrorist cyberattacks. Thus, international law is a nonfactor in explaining why terrorists have not engaged in such attacks. Options for strengthening international law against terrorist cyberattacks exist, including clarification of the applicability of certain antiterrorism treaties, protection of cyber-enabled critical infrastructure, and negotiation of a treaty on terrorist cyberattacks. However, the absence of attacks weakens incentives for states to tackle this threat. International law on terrorism has largely developed through states reacting to terrorist violence. This pattern casts doubt on whether states would develop international law in the absence of terrorist cyberattacks. The most promising options arise where developing international law would pay dividends against cyber incidents regardless of their source. Strengthening cybersecurity in critical infrastructure would protect against intrusions by terrorists, spies, militaries and criminals. Unlike the disinterest terrorists have demonstrated, criminals, military forces and intelligence agencies pose clear dangers in cyberspace, providing incentives for states to use international law to advance ‘all hazards’ strategies for improving cybersecurity in the public and private sectors.
After the 9/11 attacks, states realised the reactive nature of counter-terrorism policy and law was insufficient, which led to emphasis on preventing terrorist violence. Some efforts focused on preventing incitement to terrorism (Section 4), while others sought to interdict terrorist plots before attacks happened. Preventive strategies generated controversies under international human rights law. Governments argued that stopping attacks required heightened surveillance to identify terrorist communications, networks and operations. For human rights advocates, expanded surveillance risked violating privacy and the freedoms of opinion, expression and association.47 Disclosure of surveillance programs by Edward Snowden heightened these concerns and prompted efforts to protect human rights against expansive surveillance.48 Human rights controversies surrounding counter-terrorism surveillance have not dissipated because new attacks, such as those in Paris and San Bernardino in 2015, repeatedly roil these waters. Government interest in surveillance applies equally to the desire to prevent terrorist cyberattacks, but this desire does not produce equilibrium between political demand for expansive surveillance and human rights opposition to it.
The lack of terrorist cyberattacks keeps some issues in the realm of speculation, including those related to the use of force. Conventional terrorism sparked debates about when actual or anticipated terrorist violence triggers a state’s right to use force in self-defense.49 Inserting terrorist cyberattacks into these debates does not resolve controversies about, for example, the ‘armed attack’ threshold, the preventive use of force against terrorist groups, and whether states have the right to use force against terrorists located in countries unable or unwilling to deal with them.
4. Cyber-Enabled Terrorist Activities and International Law
Before the Islamic State emerged, governments understood terrorists used cyberspace to communicate, spread propaganda, radicalise, recruit and fundraise.50 In addressing terrorist use of the Internet, states identified the need to improve surveillance of communications, facilitate intelligence and law enforcement cooperation, prevent incitement to terrorism, and stop terrorist recruiting and fundraising. However, the Islamic State’s unprecedented use of the Internet and social media has seriously challenged counter-terrorism policy and international law.
The Islamic State has taken cyber-enabled strategies and tactics farther than any previous terrorist group, which is why its behaviour in cyberspace has become a counter-terrorism crisis. This crisis suggests that policy and law, including international law, crafted before the Islamic State became a threat, failed to prevent the group from making cyberspace a strategic asset. This failure prompts the need for new approaches, but, at present, more disagreement than consensus exists among states—and even within states—on how to cope with the crisis.
In international law, the Islamic State’s cyber-enabled activities have least battered the rules on suppression of terrorist financing. Under treaty law and binding Security Council mandates, states have obligations to stop the financing of terrorism.51 However, the Islamic State’s finances rely primarily on funds generated within territories it controls, such as taxes, oil revenues and criminal schemes (eg ransom kidnapping, selling looted antiquities).52 Although the system to suppress terrorist financing limits the Islamic State’s ability to move large sums through formal channels, the Islamic State has managed to fund itself. The system is not necessarily broken,53 but it has limitations when terrorists have funding not vulnerable to foreign and global financial mechanisms.54
After 9/11 and other terrorist attacks, counter-terrorism policies began to target incitement of terrorism as a problem the Internet exacerbates. In May 2005, the Council of Europe adopted a treaty that requires parties to criminalise provocation to commit offences defined in the multilateral antiterrorism treaties.55 In Resolution 1624 (2005) adopted in September 2005, the Security Council encouraged (but did not mandate) UN Member States to prohibit incitement to commit terrorism, prevent incitement and deny safe-haven to persons guilty of incitement.56
This emphasis on incitement provoked human rights concerns.57 Human rights advocates worried governments would define ‘terrorism’ broadly in implementing Resolution 1624 (2005), repress speech and association, and violate privacy. Resolution 1624 (2005) does not link ‘incitement to terrorism’ to the offences in multilateral antiterrorism treaties, as the Council of Europe’s treaty does. In that respect, Resolution 1624 (2005) highlights the lack of a definition of ‘terrorism’ in international law and agitates criticisms of expansive counter-terrorism policies infringing on rights and liberties protected by international law.
Social media’s explosive development after Resolution 1624 (2005) made this tension between counter-terrorism and human rights worse. Founded in 2004, Facebook became open to anyone with an email address in 200658 and Twitter came online in 2006.59 Since establishment, these and other platforms grew to serve billions of users and expanded ways to share information, communicate and associate. However, social media became a law enforcement and national security concern because the platforms provided cheap, accessible, versatile and globally distributed capabilities for terrorist communications, recruitment, radicalisation and propaganda.
These worries were not unfounded, as the Islamic State’s use of social media to radicalise individuals demonstrates.60 However, law enforcement and national security rationales also informed how governments elastically define terrorism. Human rights principles were under pressure from both democratic governments trying to balance counter-terrorism with individual rights and authoritarian governments uninterested in protecting rights. Social media companies found themselves squeezed by Islamic State abuse of their services, demands from governments to curb such abuse, and their commitments to privacy and free expression for customers.
Policy discussions about the Islamic State’s use of social media focus on ‘counter content’ and ‘counter narrative’ approaches. Counter-content strategies seek to identify and remove terrorist online propaganda and activity. Counter-narrative policies disseminate information that challenges Islamic State propaganda, disrupts use of social media to radicalise individuals and offers alternative messages to those that provide the Islamic State attention and adherents. Counter-content and counter-narrative approaches represent ways to combat incitement to terrorism, including radicalisation and recruitment.
In terms of international law, counter-narrative approaches create few, if any, problems because they promote more speech rather than less. International law poses no barriers to governments developing or supporting counter-narrative campaigns against the Islamic State. However, counter-narrative efforts have struggled to demonstrate strategic value. Too often they are fragmented, uncoordinated, of questionable impact, and unable to match the scale, speed, and substance of Islamic State propaganda and radicalisation efforts. What role international law could play to improve counter-narrative activities is not clear. Creating obligations for governments to engage in counter-narrative campaigns would run headlong into critiques that government-led counter-messaging lacks legitimacy with the people counter-narrative efforts are intended to reach.61
Counter-content strategies generate issues under international law. First, government demands that social media companies located in other countries remove content replay jurisdictional problems experienced in other cyberspace contexts.62 Second, counter-terrorism demands from governments for content removal raise questions about what ‘terrorist content’ or ‘terrorist activity’ means when states have no agreed definition of terrorism.63 Third, counter-content strategies implicate international law that protects freedom of opinion, expression and association from government interference.64 Countries do not agree on what these obligations mean or how they apply, and even European democracies and the USA differ on when governments can limit expression. Fourth, limits on governmental power to restrict expression might encourage ‘outsourcing’ censorship through nonbinding mechanisms involving government requests for companies to remove content.65 Fifth, counter-content strategies provide repressive governments with cover for censorship based on broad definitions of terrorism unrelated to threats from the Islamic State or other terrorist groups.66
Questions about the effectiveness of counter-content and counter-narrative strategies also arise in connection with the Islamic State’s use of social media. While each story has unique features, social media appears as a common feature in radicalisation and recruitment efforts. In Resolution 2178 (2014) addressing foreign fighters traveling to join the Islamic State, the Security Council urged UN Member States to take measures and cooperate ‘to prevent terrorists from exploiting technology … to incite support for terrorist acts’.67 One year after the resolution’s adoption, the foreign fighter problem was worse,68 suggesting counter-content and counter-narrative actions had not helped reduce this threat.
Policymakers usually stress that addressing the Islamic State’s online activities must comply with international human rights law. However, the scale, brazenness and impact of these activities have provoked concerns that human rights limitations on surveillance and counter-content strategies impede effective responses to, protection against and prevention of cyber-enabled terrorism. With other terrorist groups, such as al-Shabaab in Somalia, Boko Haram in Nigeria and al Qaeda in the Islamic Maghreb, exploiting social media, pressure for robust surveillance and the ability to take down online terrorist content mounts as dangers from cyber-facilitated extremism grow. The gap between what international human rights law mandates and how states conduct counter-terrorism has, typically, cast harsh light on counter-terrorism practices rather than human rights law. However, with cyber-enabled terrorism, the law is under increased scrutiny and pressure.
Escalating controversies about encryption underscore this development. Following Snowden’s disclosures, technology companies began to incorporate stronger encryption in their services. This move triggered law enforcement and intelligence concerns that strengthened encryption would harm efforts to combat terrorists and criminals. Encryption would cause the Internet to ‘go dark’ for law enforcement and intelligence authorities. The private sector push for encryption continued as the Islamic State emerged. Although Islamic State-directed or -inspired attacks in Paris and San Bernardino in 2015 did not involve encrypted communications, these attacks renewed the encryption dispute as counter-terrorism became an urgent priority in the USA and Europe.
The UN Special Rapporteur on freedom of opinion and expression connected encryption with international law. He argued government restrictions on, or interference with, encryption must meet the legality, legitimate objective, necessity and proportionality requirements human rights law establishes under the right to freedom of opinion and expression.69 According to the Special Rapporteur, encryption provides ‘the privacy and security necessary for the exercise of the right to freedom of opinion and expression in the digital age’.70
However, making encryption critical to the enjoyment of human rights does not answer concerns that stronger encryption threatens to prevent law enforcement or intelligence officials from getting access to encrypted communications—even when such officials satisfy all legal and human rights criteria. In February 2016, US Government efforts to compel Apple Inc to provide assistance in unlocking an iPhone owned by one of the San Bernardino terrorists triggered national and international debates about the promise and perils of encryption in many contexts, including efforts to counter cyber-facilitated terrorism.71 Although anchored in US law, the Apple litigation has significant implications for law enforcement officials, intelligence agencies and human rights advocates around the world.72
From a counter-terrorism perspective, the questions raised by this controversy might become moot because terrorists are unlikely to rely on encryption provided by companies compelled by governments to provide keys for decryption. Encryption software not subject to lawful orders of the American or European governments exists and will continue to develop and be available to terrorists. The more terrorists operate in cyberspace through encryption, the more counter-terrorism efforts face disadvantages. This trajectory creates incentives for counter-terrorism officials to develop new ways to fulfill their responsibilities.73 In the USA, experts have argued that law enforcement and intelligence agencies need access to communication metadata as part of counter-acting strong encryption.74 Others have asserted that law enforcement and intelligence officials will have ample unencrypted data to access because of, for example, the development of the ‘Internet of Things’.75 Both approaches would encounter opposition within international law, as seen in human rights reactions to Snowden’s disclosures of metadata collection by the US and UK governments for counter-terrorism purposes and in privacy advocacy for encryption.
Terrorist use of cyber communications relates to problems in international law beyond encryption. In investigating possible terrorist crimes, counter-terrorism officials might want access to communications serviced by a company in another country. The traditional way governments obtain foreign-located information is through MLATs. However, MLATs are not working well in contexts involving requests for digital information needed to investigate criminal activities. The convergence of two factors often compounds this problem—the dominance of US companies as global providers of cyber services and restrictions US law imposes on US companies sharing content data with foreign governments. Efforts are underway to identify ways to reform MLATs.76 Experts have proposed changes to US law to facilitate greater sharing of information by companies in response to requests from foreign governments,77 and these ideas have informed US–UK negotiations on reforming their MLAT.78
In December 2015, the CTC held a technical and a special meeting on ‘Preventing Terrorists from Exploiting the Internet and Social Media to Recruit Terrorists and Incite Terrorist Acts, While Respecting Human Rights and Fundamental Freedoms’.79 These meetings signaled the Islamic State’s use of cyberspace has become a global crisis, which the Security Council has placed on the CTC’s agenda. The meetings emphasised the need for cooperation guided by the understanding that ‘the UN Charter and international human rights law form the basis for effective preventive and counter-terrorism measures’.80
What the CTC meetings failed to answer is why the UN Charter, Security Council resolutions on terrorism, international human rights law and other bodies of international law, did not prevent the Islamic State’s online onslaught, are not protecting countries from cyber-enabled terrorism and are not facilitating effective responses. The meetings did not reveal much consensus on proposals for preventing terrorist exploitation of social media while respecting human rights. Instead, the meetings highlighted ‘fault lines’ about how to respond to the Islamic State’s exploitation of the Internet and social media, including tensions in the following areas:
Friction between support for government-led strategies and preferences for multi-stakeholder approaches.
Interest in more counter-terrorism regulation of cyberspace, amidst warnings from human rights advocates about empowering governments to act under expansive notions of ‘terrorism’.
Identification of the need for global trust in fighting terrorism in cyberspace, against the backdrop of disagreements among governments—and between the public and private sectors—over Internet governance, cybersecurity, privacy and freedom of expression.
Interest in addressing online terrorism as a threat on its own terms, versus assertions that attacking the ‘root causes’ of terrorism is the only way to mitigate this problem.
Role of the USA and US companies
Recognition of the importance of the USA, complicated by concerns that strict US protection of freedom of speech, other restrictive federal laws, and the dominance of US social media companies inhibit international cooperation.
Frustration with US social media companies, countered by claims the companies are acting appropriately with all stakeholders.
Counter-content and counter-messaging approaches
Gaps among governments, and between governments and companies, about what criteria should guide taking down online content on counter-terrorism grounds.
Interest in more effective counter-messaging campaigns, versus skepticism collaboration in this area can be cohesive, consistent, or achieve the scale and speed needed to have strategic impact against the Islamic State.
Law enforcement issues
Consensus that MLATs need reform to support countering online terrorist activities, but without clear direction on how reform moves forward.
Statements from law enforcement officials that encryption threatens their efforts against terrorism and crime, versus support for encryption from civil society and companies.
In February 2016, a new front opened in efforts against the Islamic State’s online activities. The USA acknowledged conducting offensive military cyberattacks against the Islamic State. President Obama instructed US Cyber Command (CYBERCOM) to use its offensive capabilities against the Islamic State after the terrorist violence in San Bernardino.82 CYBERCOM is targeting the Islamic State’s use of the Internet and social media to spread propaganda, radicalise and recruit, and its use of cyber technologies to command and control military operations in Iraq and Syria.83 These cyberattacks now form part of military activities against the Islamic State the US Government argues are justified under international law.84 Further, the law of armed conflict guides US military action against the Islamic State, meaning the Obama administration believes the cyber weapons and attacks comply with it.
In addition to their significance in the armed conflict with the Islamic State, these cyberattacks increase the prospects that counter-terrorism strategies will now include offensive cyber operations against terrorist online activities, including in contexts not involving armed conflict. How states will handle cyberattacks against terrorist online capabilities outside armed conflict under international law is not clear, especially because such attacks might not constitute armed attacks, uses of force, or coercive acts that violate the principle of nonintervention. The CYBERCOM attacks might be the precursor of growing state use of cyber coercion in counter-terrorism strategies frustrated by the limitations imposed on, and ineffectiveness of, surveillance, counter-messaging, counter–counter and law enforcement cooperation efforts.
This international legal analysis of terrorism in cyberspace reveals a conundrum. Plausible options for international legal action concerning terrorist cyberattacks exist, but, because such attacks have not occurred, states lack incentives to strengthen proactively the contribution international law can make. Options, especially improving cybersecurity in critical infrastructure, have appeal because they are ‘all hazards’ strategies against cyber intrusions. By contrast, credible options for international legal activities regarding terrorist exploitation of the Internet and social media are lacking, even though this problem has become a crisis and countries, companies, and civil society have incentives to mitigate it. This difficult context, which shows no signs of abating, might heighten interest in incorporating offensive cyberattacks in strategies to counter cyber-facilitated terrorism.
Faced with this situation, it is tempting to conclude that counter-terrorism in cyberspace should focus on the root causes of this problem. With the Islamic State, its success in cyberspace flows from what it has achieved on the ground in Syria, Iraq and elsewhere.85 Until the Islamic State’s material power in ‘real space’ is degraded, efforts to combat its cyber-enabled activities will not have sustainable impact. Given the disaster the Islamic State has been for the Middle East and global politics, this conclusion provides no comfort for those interested in international law’s contributions to human affairs.