The cyber threat has finally come of age. In light of high-profile cyber breaches such as the Russian cyberattacks during the 2016 US presidential election and private information published on WikiLeaks, cyberspace is now unmistakably the new frontier of political conflict.
Hacking is also fast becoming a tool in the arsenal of terrorist groups, creating a new type of cyber terror threat. That threat has manifested itself in two main ways—pure cyber terrorism: a direct attack on a victim’s cyber infrastructure (computers, networks, and the information stored therein) for political and social objectives. The other form is hybrid cyber terrorism, where the Internet is used to recruit, propagate, and inspire others to acts of terrorism.
Both types pose a serious threat and are of special concern to the Organization of Islamic Cooperation (OIC), the world’s second-largest intergovernmental body with fifty-seven member states.
‘Pure’ cyber terrorism
“Pure” cyber terrorism remains purely in the cyber sphere. Such attacks against OIC member states have increased in volume and brazenness. In 2012, a cyberattack against Saudi Arabia’s state-owned company Aramco destroyed 35,000 computers and the same virus attacked Qatar’s RasGas Company. In December 2016, the Saudi Civil Aviation Authority was subjected to a huge cyberattack.
With such attacks likely to rise, the OIC convened the Islamic world’s first cyber defense network from across twenty Muslim nations to collaborate on a joint Islamic-world cyber defense strategy in January. Participants were agreed on the Islamic word’s vulnerability to cyberattacks—a view shared by Eugene Kaspersky, chief executive officer (CEO) of Kaspersky Labs, who believes the Middle East is at high risk due to major events like the Olympics scheduled to be held in Dubai in 2020 and the soccer World Cup in Qatar in 2022.
The summit outlined the following ways to address the threat:
Deterrents and criminal justice system
The biggest challenge in utilizing the criminal sanction against cyber terrorists is that it requires harmonization of cybercrime laws across different legal jurisdictions. There was an attempt to achieve this through the Convention on Cybersecurity, a 2001 treaty drawn up by the Council of Europe with active participation of the Council of Europe’s observer states Canada, Japan, South Africa, and the United States. The convention sought to harmonize national laws on internet-related crimes. The treaty went into effect in 2004 and has over fifty signatories. But varying understandings of the right to privacy throughout OIC countries means that member states are not signatories to the treaty, which requires laws permitting real-time monitoring of data and government interception of data.
In fact, the legal structures of OIC member states are so unprepared to deal with the loose transnational nature of cyber terrorism that it falls on regional agreements to get governments to work together.
The OIC’s creation in 2006 of a Computer Emergency Response Team (CERT), a network representing Islamic world countries, has been an important step in that direction. CERT assists in cybersecurity emergencies within OIC member states. It also allows for the organic development of collaborative transnational protocols—an important foundation for the eventual establishment of a common regulatory framework.
The OIC’s next priority for strengthening cross-border cyber security regulation is the creation of a permanent cyber security center represented by nations across the breadth of the Islamic world. The OIC aims to establish this center by 2018.
Research and development
To truly combat cyber terrorism, governments must fund research to stay ahead of terrorists in the evolving race for technological supremacy. This is especially true given that most cyberattack vectors (the path by which a hacker accesses a computer or network—e.g., viruses, e-mail attachments, etc.) during 2016 were unknown. Best practices and encryption are only useful when the attack vector is known. This is where the OIC again plays a unique role in convening national CERTs to provide them with training and facilitate engagement with global experts.
The creation of an OIC cyber security center is also designed to enable permanent and ongoing collaboration between researchers and experts from across OIC countries to more effectively protect member countries from the threat of a cyberattack.
‘Hybrid’ cyber terrorism
The use of the Internet to recruit and plan for real terrorist attacks is where cyber terrorism has contributed to the greatest loss of life—particularly with the rise of the Islamic State of Iraq and al-Sham (ISIS).
Important work is already taking place through various social media channels to “help curb the spread of terrorist content online” by pooling deleted content into a single database that would enable extreme posts, including terror group recruitment videos, to be more quickly identified and removed.
By 2016, Twitter had suspended 360,000 accounts for violation of its policies regarding the promotion of terrorism. However, Twitter published a statement adding, “there is no one ‘magic algorithm’ for identifying terrorist content on the Internet.”
Countering extremist narratives online is more challenging than pure cyber terrorism. It requires not just the technical ability to locate and block extremist content and users, but also effective counter-messaging. ISIS’ biggest strengths lies in its ability to use the Internet to promote the group’s claims of Islamic legitimacy—often by cherry picking and decontextualizing Islamic scripture.
That is why the OIC has established an online counter-extremist messaging center in partnership with the International Islamic Fiqh Academy (IIFA). The center is designed to combine a cutting-edge social media strategy with the knowledge and credibility of some of the world’s most prominent Islamic scholars. Its purpose is to diminish the impact of ISIS propaganda during the first stage of online recruitment, where a potential recruit weighs whether to engage further.
In conclusion, the vastness of cyberspace and the consequently huge scope of extremist activity warrants multiple preemptive and reactive measures at the micro, national, and international levels.
The cyber terror threat is particularly dangerous because as technology evolves so does the nature of the threat. Research, specialist training, law enforcement, and criminal justice structures must keep up with that pace of change. The cyber arena is a space where counter-terrorist activity is as ideological and legal as it is technological.
Wajdi Homaid Al Quliti is director of information technology at the Organisation of Islamic Cooperation.