Munich Security Conference



Why New Laws Won’t Stop Cyber Terrorism

UK Prime Minister Theresa May has called for enactment of new international agreements to regulate the Internet in response to the spate of terrorist attacks in England in recent weeks. Her overture is long overdue, and she is right to push the world’s nations to enact such agreements. However long it takes, and whatever form such agreements may take, they will unfortunately be insufficient to address the spread of cyber terrorism.

The fundamental problem is that cyber terrorists operate anonymously and in a borderless world in which the rule of law does not apply. For laws to work, the individuals they seek to apprehend must, in the first instance, be identified, and as has been proven countless times in recent years, the perpetrators of cyber terrorism are as adept at hiding behind the Internet as their cybercriminal counterparts.

More often than not, neither the individuals nor groups nor governments who are responsible for cybercrimes and cyber terrorism are ever identified or apprehended. Just as quickly as a method of identifying them is deployed, the parties responsible adapt, change identity, adopt a new modus operandi, and continue their reign of terror.

The Prime Minister recognizes the importance of addressing the role that social media plays in how cyber terrorists communicate with one another and with their recruits. Social media companies have also now come to realize the critical role they play by unwittingly supporting cyber terrorism. Many of them want to do something about it and are at last devoting substantially greater resources in an effort to combat it.

There is a plethora of challenges standing in their way, however. Among them is the sheer volume of messages and videos generated — hundreds of millions each day. There are no algorithms currently available that can identify every potential terrorist message or video, and the social media firms are often reliant on their users to report problem messaging. By the time they are able to respond, the messages have been disseminated and consumed.

Even if such algorithms did exist, there is no realistic way for law enforcement and intelligence agencies to be able to act on all of them in a timely and effective manner. Even if they could, cyber terrorists change their IP addresses, locations, identities and personas with such regularity, and so quickly, that they can basically act at will, confident that they will never be caught.

There are good reasons why no meaningful laws exist to govern the Internet. If there were an easy way to address the problem, such laws would presumably have been implemented years ago. Cyberspace is a fast-moving and ever-changing landscape that caters to criminality and to illegal and outrageous behavior. No set of laws is going to change that, but it would be wrong not to devote greater resources to strengthen the international legal regime in an attempt to do so. Failure to move in that direction will mean that the world’s nations will simply fall further and further behind the cyber curve.

It is ironic that this clarion call would come from the UK, which has come to epitomize the surveillance state. The British people have made a tacit agreement with their government: they agree to accept an intrusive surveillance regime in return for being kept safe. As good as the government is at doing its best to keep its side of the bargain, the chips are stacked against both the government and its people, for their enemy is as cunning, creative, adaptive and persistent as any enemy ever was.

While there is no alternative to implementing an even tougher range of security protocols in such an environment, the world should be realistic about what can be achieved, how quickly, and how effectively in this era of cyber terrorism. It would be nice to believe that passage of new legislation will make a substantial difference in this fight, but in truth, it probably will not.

This article was originally posted in the South China Morning Post.