Improved youth literacy juxtaposed with high unemployment rate plus fundamental historical and religious distrust makes a perfect recipe for cyber-terrorism to thrive. Cyber-terrorism has become the newest and biggest potential expression of terrorism globally. While 9/11 opened a new vista in international terrorism, the Stuxnet cyber-attack on Iranian nuclear facility (2010), Wannacry virus attack (2017) et al. demonstrates the latent capacity of the cyber-terrorist in achieving his devious purpose using technology. This paper explains some fundamentals of cyber-terrorism, its potential damaging effect on critical infrastructure and its possible deployment as an instrument of mass disruption and destruction. It also canvasses policy options to be considered to reduce the effect of an attack. Scholarly articles and commissioned papers were reviewed on the subject. This paper however, uniquely discusses the subject from a Nigerian cyber security policy, strategy and law perspective.
The term cyber means anything relating to computers or computer network. Therefore, cyber includes but not limited to computers- software, hardware and middleware; internet, telecommunication satellite etc. Reference to ‘cyber’ in this paper would relate mostly to the internet with clarifications made where necessary.
The internet has become the largest and most effective communication tool invented by man. The rate of global access to the information superhighway in recent times is phenomenal. Nigeria which used to be a laggard in the internet evolution and revolution has caught the bug. Nigeria is now a global leader in internet access population. The reason for this could be ascribed largely to the successful introduction of the global satellite mobile communication network (GSM). This was done after a world-acclaimed transparent bidding and licensing rounds. This singular success has a lot of multiplier effect in terms of capital inflow, technology transfer, opening up of Nigeria to the global technology market, popularisation of smartphones and increasing demand for internet access.
Nigeria, however, has been a country on the tethers right from its cradle of independence. The multi-ethnic, multi-religious setting has created room for mutual suspicion, envy, egotism, injustice, brigandage and a bloody civil war. A nation such as this is no stranger to internally and externally propelled terrorism. The vicious circle of deaths has been oft repeated simply because there is no sustained and genuine socio-political will to deal effectively with the malaise. Another underlying factor is the lack of aggregated academic thought on the problems of terrorism in Nigeria. This paper therefore, sets out to examine the problems of defining terrorism, the precipitators of terrorist activities and implications of terrorism on critical national information infrastructure. It further reviews a major cyber-terrorist attack on the Iranian Industrial complex. The country’s legal framework for tackling cyber-terrorism was analysed with the author’s suggested mitigation measures to curb Nigeria’s cyberspace vulnerabilities.
Virtually every terrestrial phenomenon now has its ‘cyber’ expression. Like terrorism, cyber law is also generating a lot of attention. Jay Dratler Jr., dismissed the hype about cyberlaw when he posited, much of the hoopla about ‘cyberspace law’ relates more to climbing the steep learning curve of [the Internet’s] technological complexities than to changes in fundamental legal principles. Cyber terrorism could also be looked at from this perspective. In this new vista, scholars are discovering how to grapple with what the terrorists have understood long ago. Cyberspace only offers a new technique for advancing their age-long philosophies of violence, hatred and division.
A lot of intellectual and material efforts have been expended by government and other stakeholders to have a comprehensive definition to terrorism, all to no avail.
An erudite author put the issue grimly when he wrote- “Above the gates of hell is the warning that all that enter should abandon hope. Less dire but to the same effect is the warning given to those who try to define terrorism”.
Alex P. Schmid made one of the earliest attempts to define terrorism in 1983 he said:
Terrorism is a method of combat in which random or symbolic victims serve as an instrumental target of violence. These instrumental victims share group or class characteristics that form the basis for their selection for victimization. Through the previous use of violence or the credible threat of violence, other members of that group or class are put in a state of chronic fear (terror). This group or class, whose sense of security is purposefully undermined, is the target of terror. The purpose of this indirect method of combat is either to immobilize the target of terror in order to produce disorientation and/or compliance or to mobilize secondary
targets of demands (e.g., a government) or targets of attention (e.g., public opinion) to change their attitude or behaviour favouring the short or long term interests of the users of this method of combat.
The author did not consider non-human targets such as a database, critical national information infrastructure or other key public assets like petroleum pipeline etc. These are key targets of terrorist attacks as being witnessed in the Niger Delta area pre and post Federal government amnesty. The Niger Delta militants understand that by disrupting the economic nerve of the country, it would get the attention of the government and international organisations since its activities has local and international dimensions. Another point of disputation with this definition is the common class characters of victims. The Boko Haram insurgents have disproved this point. While Hamas targets Israelis, one cannot categorise the targets of Boko Haram. They attack Christians, Muslims, Shiites, Sunnis, children and adults. They attack in Cameroun, Chad and Nigeria. This irrationality is what has made the group tick.
The US State Department defines terrorism as the premeditated, politically motivated violence perpetrated against non-combatant targets by subnational groups or clandestine agents, usually, intended to influence an audience.
Like Schmid’s definition, this description fails to consider attacks directed against property. Maybe to maintain political correctness it ascribes terrorists’ intents only to political motives. This is far from complete. Terrorists strike for political, religious, economic and other ideological motives. The definition also omits to mention acts of terrorism that are carried out by a government against its own people, or persons within its control. The current crisis in Syria is an example of government sponsored genocide against its own people.
Lord Carlile Berriew QC was appointed as an independent reviewer with the specific assignment of defining terrorism. He reviewed legislative and academic definitions from scores of countries and writers. Some are mentioned below. He submitted-
Terrorism is an anxiety-inspiring method of repeated violent action, employed by (semi-) clandestine individual, group or state actors, for idiosyncratic, criminal or political reasons, whereby – in contrast to assassination – the direct targets of violence are not the main targets.
This definition is in essence trying to classify common criminals as terrorists. Violent crimes are sufficiently dealt with by our criminal laws, but terrorism is of wider essence than regular crimes. Furthermore, this is more of a description of characteristics than a definition of the term.
The UN Resolution 1566  is one of the widest accepted definitions of terrorism. It has been adopted by many countries with mild variations.
Acts of terrorism are criminal acts, including against civilians, committed with the intent to cause death or serious bodily injury, or taking of hostages, with the purpose to provoke a state of terror in the general public or in a group of persons or particular persons, intimidate a population or compel a government or an international organisation to do or to abstain from doing any act, which constitute offences within the scope of and as defined in the international conventions and protocols relating to terrorism, are under no circumstances justifiable by considerations of a political, philosophical, ideological, racial, ethnic, religious or other similar nature…
Like most other definitions non-human targets where not put into consideration in this description.
The US Federal Bureau of Investigation defined international terrorism thus:
International terrorism involves violent acts or acts dangerous to human life that are a violation of the criminal laws of the United States or any state, or that would be a criminal violation if committed within the jurisdiction of the United States or any state. These acts appear to be intended to intimidate or coerce a civilian population, influence the policy of a government by intimidation or coercion, or affect the conduct of a government by assassination or kidnapping. International terrorist acts occur outside the United States, or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to coerce or intimidate, or the locale in which their perpetrators operate or seek asylum.
Some authors have settled for describing terrorism rather than defining it.
Paul Wilkinson said it is a “weapon of coercive intimidation designed to make established authority and governments to submit to demands”.
Bruce Hoffman summarised the character traits of terrorism, when he stated that acts of terrorism are-
- Ineluctably political in aims and motives;
- Violent, (or equally important, threatens violence);
- designed to have far-reaching psychological repercussions beyond the immediate victim or target;
- conducted by an organization with an identifiable chain of command or conspiratorial cell structure (whose members wear no uniform or identifying insignia); and
- perpetrated by a sub-national group or non-state entity (but could be sponsored by nations- state sponsored terrorism).
If defining terrorism could be so problematic, how then shall we define cyber terrorism? It is noted that one of the gaps in most definitions of terrorism is the absence of reference to non-human targets in terrorist acts. Defining cyber-terrorism must of necessity fill this gap.
The FBI, again, defined cyber terrorism as the premeditated, politically motivated attack against information, computer systems, computer programs and data which result in violence against non-combatant targets by sub-national groups and clandestine agents.
Professor Dorothy Denning defined cyber terrorism thus-
Cyber-terrorism is the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks and threats of attack against computers, net-works and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. Serious attacks against critical infrastructures could be acts of cyberterrorism, depending on their impact. Attacks that disrupt non-essential services or that are mainly a costly nuisance would not.
Statutory definition of cyber terrorism in Nigeria can be gotten by a combined reading of Section 18. (1) of the Cybercrimes Act 2015 and section 1(2) of the Terrorism Prevention Act of 2011.
Section 18. (1) of the Cybercrimes Act 2015 says- Any person that accesses or causes to be accessed any computer or computer system or network for purposes of terrorism, commits an offence and is liable on conviction to life imprisonment.
Section 1(2) of the Terrorism Prevention Act of 2011 is rendered thus-
(2) In this section, “act of terrorism” means an act which is deliberately done with malice, aforethought and which:
(a) may seriously harm or damage a country or an international organization;
(b) is intended or can reasonably be regarded as having been intended to—
(i) unduly compel a government or international organization to perform or abstain from performing any act;
(ii) seriously intimidate a population;
(iii) seriously destabilize or destroy the fundamental political, constitutional, economic or social structures of a country or an international organization; or
(iv) otherwise influence such government or international organization by intimidation or coercion…
From the foregoing, cyber terrorism can be summarily defined as the illegal use of computer or computer network as a tool or target to deliberately harm, damage, unduly compel, seriously intimidate, destabilise or coerce a government or international organisation to do or refrain from doing a particular thing in furtherance of the terrorists’ socio-economic, political or religious agenda.
Although a universal definition of terrorism is still far-fetched, there seems however to be a greater consensus on global terrorism standards. These standards include- violence or the threat of violence, people or property, audience, message, motivation, fear factor Irrationality.
Some authors opine that terrorism standards cannot be applied to cyber-terrorism strictly, because cyber-attacks usually transcend national boundaries and it does no direct harm to individuals.
Unlike conventional terrorism which may be a weapon of mass destruction or casualty, cyber-terrorism is usually a weapon of mass disruption. Weapons of mass disruption are weapons, or better put, terror tactics that aims at unhooking the socio-political and economic status quo of a society. Terrorists may disrupt the national elections by hacking into INEC voter register database; they can disrupt the banking system by hacking into and taking over the Bank Verification Number (BVN) platform. They can critically disrupt the national economy by cyber-jacking the Treasury Single Account (TSA) software etc. For the cyber-terrorist, guns, bombs and knives are obsolete.
Historically, terrorist activities arise out of various causative factors. Identifying these factors is critical to addressing terrorism whether traditionally or through the cyberspace. They include- Suppression of rights e.g., anti-apartheid struggle in South Africa; fight for equality and fair treatment; propagation of a religious or political ideology e.g., Boko Haram v. Nigeria; loss of confidence in judicial and governmental avenues for dispute resolution; allegiance to a particular foreign group or cause; unresolved historical, sociological conflicts and dissimilarities e.g., MASSOB v. Nigeria; fight for pride- to hurt the behemoth- Al-Qaida v. USA; gain sympathy and international audience- Palestine v. Israel.
The African National Congress of South Africa during the apartheid regime resorted to guerrilla tactics when it discovered its civil engagement method was not gaining traction. Major infrastructure were targeted and destroyed. The terrorists justified their action as being a fight for freedom. Oppressive regimes have faced these kinds of opposition at one time or the other. Many modern terrorist organisations have religious colouration. Boko Haram, ISIS, LRA etc. all claim to be furthering the cause of Islam or Christianity through their violent activities.
CRITICAL NATIONAL INFORMATION INFRASTRUCTURE
It is necessary to understand the implication and ramification of Critical National Information Infrastructure (CNII). Section 3 (1) of the Cybercrime Act empowers the President, on the recommendation of the National Security Adviser to designate certain computer systems, and/or networks, whether physical or virtual, and/or the computer programs, computer data and/or traffic data vital in Nigeria, that the incapacity or destruction of or interference with such system and assets would have a debilitating impact on security, national or economic security, national public health and safety, or any combination of those matters as constituting Critical National Information Infrastructure. This designation takes effect only upon being gazetted.
What constitutes critical national assets or sector varies depending on the peculiarities of the countries or region involved. Sectors such as- Power and Energy, ICT, Health, Finance, Transport, Chemical and Biotechnology, nuclear etc. have been so designated. The European Union (EU) for example designated eleven sectors.
The efforts of the drafters of the National Cyber-security Policy (NCP) must be commended for giving Nigeria a document we can work with. The NCP identified fifteen (15) critical national sectors including communications, manufacturing, dams, defence, information technology, government facilities, chemicals, power and energy etc. It is however, important to distinguish between Critical National Infrastructure (CNI) and Critical National Information Infrastructure (CNII). The focus of this paper is on CNII.
The nature and components of a CNII includes-
- a) Computer systems, cyber networks or traffic data.
- b) The infrastructure has been formally designated as a critical infrastructure.
- c) The infrastructure is vital to Nigeria.
- d) Incapacity or destruction of the CNII would affect security, public health and safety or any of its combination.
Some information infrastructure considered be critical to Nigeria include- Nigcomsat control centre; Galaxy Backbone providing data service to all Federal Government Agencies; Tier 3 data centres, intercontinental data cable providing internet to Nigeria, private telecoms operators infrastructure, Transmission Company of Nigeria control centre and base stations, internet exchange points etc.
The first issue to be addressed in a national anti-cyber-terrorism strategy is the designation of critical national infrastructure. This is not a walk-in-the-park assignment that could be dictated by a smart administrator ensconced in his cosy office. It takes a lot of technical, legal and administrative input from all stakeholders. To designate infrastructure as critical to the nation, it is best to identify our most critical sectors.
To be Continued…
Femi Daniel Esq. LL.M; B.L
Technology Lawyer; Author- COMPUTER LAW IN NIGERIA (2015)