The intersection of cybercrime and terrorist activity

This post is an edited extract from ASPI’s Counterterrorism yearbook 2021. A full PDF of the yearbook, which includes notes and sources for each chapter, is available on ASPI’s website.

The risk of terrorism, like the risk of most criminal activities, can be evaluated as a combination of opportunity, capability and intent. Legislative measures that allow for the arrest, detention and incarceration of people who are found to be planning an attack and laws that make it illegal to travel to certain conflict zones to join terrorist groups address opportunity. Targeting terrorism financing, recruitment and training addresses capability.

But in a contemporary, low-tech terrorist environment—where a terrorist attack can be carried out by a single person with a simple weapon such as a knife, gun or vehicle with little or no planning, no financial investment and no special training—opportunity and capability are much more difficult to detect and prevent.

Indeed, the greatest dilemma for modern counterterrorism is intent. In a world where intent evolves in the dark spaces of the internet, where individuals draw inspiration from YouTube videos, social media posts and anonymous chatrooms, we desperately need a comprehensive approach to counterterrorism that incorporates prevention and early intervention strategies.

One of the most compelling reasons to assess threat and capability continuously is that terrorists and criminals always find new ways to do harm. Just as terrorism has pervaded our lives in ways that turn everyday items into weapons and everyday activities into platforms for recruitment and influence, we must also meet the new challenges of security by turning our expertise to the internet and information and communications technology.

Already, in response to law enforcement’s increasing awareness of terrorists’ use of social media, and measures to mitigate any continued threat, terrorists and criminal groups have migrated to the dark web and encryption services, where they can operate in obscurity.

Terrorists have been using the ‘darknet’ in the same way as they have been using the surface web—to recruit, radicalise and influence, as well as to finance and coordinate attacks. Since 2015, there has been a significant increase in the use of Telegram (an encrypted instant messaging platform) by terrorist actors. Telegram has become the preferred online platform for Islamic State supporters to distribute propaganda, coordinate and communicate, replacing social media applications such as Twitter and Facebook. Telegram was used to coordinate attacks inspired or directed by IS in Paris (2015), Brussels (2016), Berlin (2016) and Istanbul (2017).

In 2017, a crackdown on popular darknet markets AlphaBay and Hansa was a response to serious concerns about the use of those platforms to facilitate communication between terrorist actors. That followed the take-down of the Silk Road in 2013 and another operation in 2014 that seized around half a dozen darknet sites. Each time, the darknet has bounced back. The latest crackdown drove cybercriminals to migrate to messaging apps such as WhatsApp, Facebook Messenger and Telegram in order to trade stolen credit cards, account information, malware and drugs.

We’re also seeing a more coordinated integration of cybercrime and terrorism. In January 2015, evidence emerged of a terror cell using bitcoin to fund operations. In another instance, an Indonesia-based group collected bitcoin donations on the darknet and hacked a trading website using a stolen identity. The group collected around US$600,000 via a series of cybercrimes. In Australia, recent high-profile breaches of anti-money-laundering and counter-terrorism-financing (AML/CTF) provisions by two major banks and casino operators have shone light on systemic gaps in our legislative framework. The Commonwealth Bank of Australia was recently found to be in breach of AML/CTF laws in 52,700 instances and was fined $700 million for failing to report multiple deposits made for money-laundering purposes through its ATMs. In September, Westpac was fined $1.3 billion for breaching AML/CTF laws 23 million times.

In the past, cyber terrorism has been a contested concept, with no agreed-upon definition. It’s now generally accepted that cyber terrorism involves the use of computers to create a severe disruption to critical infrastructure, causing death or the spreading of fear. But the use of digital and online technologies to enable terrorism, whether by providing a platform to inspire, recruit, communicate and coordinate or to raise illegal funds, has not really been considered in that definition.

The interface of cybercrime and terrorism gives us a more practical way to conceptualise cyber terrorism in the modern context, and a more concrete target for focusing our efforts. To that end, I suggest a definition of cyber terrorism as ‘the use of cyberspace to enable, inspire, influence or direct a terrorist attack or to raise funds to facilitate such attacks’.

This approach to cyber terrorism would allow law enforcement practitioners and legislators to target online activities used in support of terrorism. For this reason, Australia needs to ensure that our AML/CTF laws are up to the task of preventing criminal syndicates and terrorist actors from exploiting our financial systems.

Australia also needs more trained experts in early detection, with more resources devoted to monitoring online behaviours that precede violent action. University courses that equip graduates with the understanding and skills to tackle cyber-enabled criminal activity of all types (including terrorism) need to be more widely available.

It’s imperative that our future law enforcement practitioners have a strong understanding of how the internet, in all its pervasiveness, has become a tool for opportunists who seek to exploit it for criminal purposes. Our future counterterrorism preparedness depends on it.