Small Wars Journal

Claiming Responsibility in Cyberspace: ISIL and a Strategic Redefinition of Terrorism

Sat, 05/12/2018 - 1:11am

Claiming Responsibility in Cyberspace: ISIL and a Strategic Redefinition of Terrorism


Jonathan Lancelot




This paper is designed to examine how ISIL has used the Internet to communicate their agenda, and how they can use cyberspace to commit acts of cyberterrorism. We will be looking at the strategic advantage of terrorist organizations claiming responsibility for attacks, and how the Western legal system’s definition of terrorism solidifies this advantage in cyberspace. In the anonymous environment of the Internet, what incentive does a terrorist organization have to give up the advantage of stealth and claim responsibility for a cyber-attack? If western governments are seeking to find a motivation in an attack to label the act as terrorism, and the public is in fear, it is the contention of the paper to show that claiming responsibility is a problematic strategy for cyber terrorists and waiting for confirmation from a terrorist organization to define an act of terrorism has been a questionable strategy for Western governments. In cyberspace, Western governments are prevented from enacting a legal deterrence strategy against cybercrimes and cyberterrorism because the burden of proof resides within proving the intent of cyberterrorism, and not the intent of cybercrime.

Thus, what is of supreme importance in war is to attack the enemy’s strategy.

 -Sun Tzu, The Art of War

The History of Claiming Responsibility: Defining Terrorism


Warfare in the Internet Age has expanded the possibility of a nation-state to receive a strike or suffer bombardment that does not require military weaponry and hardware, giving the world a new form of small war. Terrorist organizations have used networking technologies to spread their ideology and organize their attacks. “The US government has made efforts to better secure its own computer networks to prevent terrorists from hacking into computer systems in the Pentagon, FBI, and other government agencies. Increasingly, however, the government has been concerned that the private sector is vulnerable to cyberterrorism” (Powell, page. 1). In other words, there is a wide surface area for potential disruptions of our vital infrastructure, which can cause widespread panic and death. “Target actors can target government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors” (US Department of Homeland Security, page. 2). These target actors or cyber terrorists can attack with secrecy, anonymity, and organization, and what we must question the current definition of what constitutes cyberterrorist attack, the definition of terrorism, and the tradition of a terrorist organization claiming responsibility after an attack has occurred.


Historically, terrorist organizations claim responsibility when the attack is obvious, upfront, and destructive. For example, “the September 11, 2001, terrorist attacks on the United States heightened concerns about the vulnerabilities to future attacks” (Powell, page. 1), and this event was claimed yet it was not immediate. "Bin Laden did not claim responsibility for the 9/11 attacks until October 2004, when he appeared in a video released by Al Jazeera” (Counter Extremism Project, page, 4). Concurrently, it has been found that not every terrorist attack has been claimed, and it strikes at the heart of how terrorism has been defined. “Indeed, while lively literature continues to debate the definition of terrorism, one key feature of terrorism is widely accepted: terrorism is a public act intended to coerce an audience. However, if generating publicity and disrupting public life are critical elements of terrorism, why do so many contemporary attacks remain unclaimed by the perpetrators? These recent trends are theoretically troubling given the historical behavior if terrorists” (Wright, page. 2). It is the position of this paper that cyberspace and its anarchic nature allow terrorists to commit a discrete attack that causes terror, and not claiming responsibility which would be a strategic choice based on guerrilla warfare tactics like deception.


The common assumption is “perpetrators of most criminal offenses try to remain anonymous to avoid detection and arrest. In contrast, terrorism is often characterized by post-attack claims of responsibility in which the attackers justify their motives or threaten more violence” (Rorie, page. 1). Therefore, when there is an attack, and no responsibility is claimed, under the legal or political definition, it could be either a crime or an instance of terror. For example, in Finland, there was a winter cyberattack on a central heating system, endangering community residents in the middle of winter. “Valtia CEO Simo Rounela confirmed to English language news outlet that the central heating system and hot water system in both buildings had become a target of DDoS attacks” (Kumar page. 2). There was no responsibility taken for this cyber-attack, yet it could have potentially caused a massive number of casualties. The question is the definition of terrorism, which “refers, on the one hand, to a doctrine about the presumed effectiveness of a special form or tactic of fear-generating, coercive political violence and, on the other hand, to a conspiratorial practice of calculated, demonstrative, direct violent action without legal or moral restraints, targeting mainly civilians and non-combatants, performed for its propagandistic and psychological effects on various audiences and conflict parties” (Schmid, page. 158), and how claiming responsibility determines the difference between a cybercrime or cyberterrorism under international law.


Adding to the complication of determining the nature of a cyber-attack, there is no universal definition of terrorism within international law. “Terrorism is a contested concept. While there are many national and regional definitions, there is no universal legal definition approved by the General Assembly of the United Nations (the one proposed by the Security Council in Res. 1566 (2004) is non-binding, lacking legal authority in international law)” (Schmid, page. 158). In the case of Finland, if responsibility is not claimed, can we determine the activity of a cyber-attack to be terrorism, and what determines it with the variable of responsibility missing? In the Internet Age, anonymity is built into the network, and terrorist organizations have used it to spread propaganda and issue cyberattack. In the view of this paper, claiming responsibility is no longer required for a terrorist organization to make its mark, as in the past.  ISIL is a prime example of a terrorist organization that has utilized and leveraged cyberspace to their advantage.


ISIL and Cyberterrorism: Redefining Terrorism


ISIL has proved itself to be a dangerous adversary on land, and online. “While ISIL forces have made impressive territorial gains in Iraq and maintained a viable resistance to Syria’s Assad government, it is now extending its reach into the digital domain, cyberspace, to further its ambitions in intelligence collection, propaganda, and recruitment” (Anderson, page. 93). They have become a threat to major infrastructures and networks across the international spectrum. “ISIL is perhaps the first violent insurgent or terror group to seriously consider developing modest cyber-attack capabilities as well as developing strength in sophisticated computing and communications technologies designed to defend the identity of its adherents and the security of their digitally mediated interactions” (Anderson, page. 93). The organization has used cyberspace for spreading fear and their ideology internationally. Campaigns were successful, and major news networks picked up the story and spread the fear into every household. For example, ISIL creates internet content which includes beheadings and other brutal acts which served not only as a tool for fear, it also served as a tool for recruitment. “The analysis of foreign terrorist fighters’ recruitment/mobilization has become important given the rapid development of ISIL. A key feature of ISIL is the way in which individuals join this organization on their own” (Orozobekova, page. 84). Computer networking systems have given ISIL the capacity to organize and recruit in an asymmetrical and at a rapid rate. The ability to commit cyber-attacks has increased ISIL destructive capabilities.


ISIL and the Specter of Stuxnet


The Stuxnet Worm and the cyberattack on Iran's nuclear centrifuges could have been seen as an act of war if the nation-state that perpetuated the attack was identified, even if it downgrades it to a diplomatic crisis. "As a senior researcher for Kaspersky Lab, a leading computer security firm based in Moscow, Roel Schouwenberg spent his days (and many nights) here at the lab's US headquarters in Woburn, Mass., battling the most insidious digital weapons ever, capable of crippling water supplies, power plants, banks, and the very infrastructure that once seemed invulnerable to attack" (Kushner, page. 1). This piece of malware was a dangerous weapon. Even if a nation-state had been identified, it would not have been wise for the Iranian authorities to confirm that the attack came from the governing authorities of the nation-state in question, and not a rogue citizen or proxy server. To declare a cyber event as an act of war can prove to be difficult as cybercriminals and cyberterrorists can act anonymously to disguise an attack to make it look like a nation-state is responsible.  For example, "before committing US military force abroad, decision-makers must make a number of fundamental policy determinations. The President and the national civilian leadership must be sensitive to the legal, political, diplomatic, and economic factors inherent in a decision to further national objectives through the use of force" (Bovarnick, page.31). Who determines the attacker matters as well, and the accuser must have credibility. Otherwise, the source of an attack will remain hidden, and the problem will continue. The rules of engagement must be established, and the laws of war are not evident in cyberspace. For a nation-state authority to 'jump the gun' and attack a nation based on flimsy evidence or hearsay will prove to be most dangerous.


To determine a pure act of war is to look at the exact definition of war, and the level of damage done by a terrorist attack. Terrorist organizations like ISIL can manipulate this weakness and employ a Stuxnet style cyber-attack on a significant infrastructure network grid and dispense with the tradition of claiming responsibility to maximize stealth, and the fear factor. “Think of it this way: The most sophisticated cyber-attacks, like Stuxnet, rarely leave clear fingerprints: bioweapons, too, are famously difficult to trace back to a perpetrator” (Hoffman, page. 78). Theoretically and conclusively, Cyberterrorism combined with minimal claims of responsibility has redefined terrorism, and a significant deterrence to any cyber-attack is required to defend against it.  


The combination of technological innovation and the capacity of terrorist organizations have created a situation where the international community had to face a new reality of small war, as cyber-attacks increase, and traditional lawmakers struggle to understand the depth of new threats to national security. “Financially, ISIL is ‘self-sufficient’ and has its own system for collection and distributing money” (Orozobekova, page. 86), and this gives them the resources to acquire a Stuxnet style worm to use for cyber-attack. This presents a significant challenge to the status quo in policymaking and law enforcement organizations across the world.




Anderson, G. S., & Bronk, C. (2017). Encounter Battle Engaging ISIL in Cyberspace. The Cyber Defense Review,2(1), 93-108.

Bovarnick, J. A., Marsh, J. J., Musselman, G. S., Reese, J. B., Reeves, S. R., Barnsby, R. E., . . . Pedden, I. (2011). Law of War Deskbook. Charlottesville, VA: International and Operational Law Department The Judge Advocate General's Legal Center and School, US Army.

Hoffman, D. E. (2011). The New Virology. Washingtonpost.Newsweek Interactive, LLC,77-80.

Kumar, M. (n.d.). The Hacker News. Retrieved from 1 

The Hacker News

Kushner, D. (2013). The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran's nuclear-fuel enrichment program. 1-10.

Orozobekova, A. (2016). The Mobilization and Recruitment of Foreign Fighters The Case of Islamic State 2012-2014. Partnership for Peace Consortium of Defense Academies and Security Studies Institutes,15(3), 83-100.

Osama Bin Laden. (n.d.). Retrieved April 20, 2018, from 

Counter Extremism Project

Powell, B. (2001). Is Cybersecurity a Public Good? Evidence from the Financial Services Industry. The Independent Institute,1-16.

Rorie, M. L. (2008). Communicating Through Violence: An Application of Rational Choice Theory to Terrorist Claim of Responsibility. Graduate School of the University of Maryland,1-84.

The United States of America, Department of Homeland Security, NCCIC. (2018). Russian Government Cyber Activity Targets Energy and Other Critical Infrastructure Sectors(pp. 1-22).

Schmid, A. P. (2012). The Revised Academic Consensus Definition of Terrorism. Perspective on Terrorism,6(2), 158-159.

Tzu, S. (1963). The Art of War(S. Griffith, Trans.). London: Oxford University Press.

Wright, A. L. (2011). Why Do Terrorists Claim Credit? Princeton University,1-27.


About the Author(s)

Jonathan Lancelot is an independent Foreign and Cyber Policy Advisor at CyberDetente LLC, where Jonathan leads in consulting organizations on cybersecurity risk management, including advising on the geopolitical implications of cyberspace on US foreign policy and build cyber organizational systems. His research interests are in blockchain technology, Lex Cryptographica, and how it will affect governance in the future.

Jonathan graduated from Norwich University with a Master’s in Diplomacy with a sharp focus on cyber-diplomacy, and published the widely shared paper “Russia Today, Cyberterrorists Tomorrow: US Failure to Prepare Democracy for Cyberspace,” with is published on Embry-Riddle Aeronautical University’s Journal of Digital Forensic, Security and Law, and a contributor at Small Wars Journal. Jonathan also is an experienced computer technician that was trained and certified by Apple engineers and worked at the US Senate and the Department of Defense.

Follow Jonathan on Twitter @lancelotpolitic.