Cyber Policy After the Paris and San Bernardino Terrorist Attacks

President Obama’s address on the San Bernardino terrorist attack highlighted the challenges the United States faces in countering the Islamic State. With the exception of the U.S. debate about assault weapons, these challenges emerged for European countries after the Paris terrorist attacks. In both cases, the aftermath renewed interest in, and intensified controversies about, cyber policy. In his address, President Obama asserted that, after San Bernardino, his administration “will urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.”

Surveillance of Electronic Communications

The Paris and San Bernardino attacks produced interest in expanding governmental power to conduct surveillance of electronic communications. This response to terrorist attacks is not new because it has been part of reactions to such attacks since 9/11. However, calls for expanded surveillance after Paris and San Bernardino arrive amidst unresolved debates in the United States and Europe about the effectiveness of enhanced surveillance for counter-terrorism and the damage heightened surveillance can inflict on privacy and the freedoms of opinion, expression, and association.

Encryption of Digital Communications

Although wrong, statements in the media that the Paris terrorists used encrypted communications agitated contentious discussions on both sides of the Atlantic about the threat encryption poses to law enforcement and intelligence agencies. Similarly, although no evidence has been made public that the perpetrators of the San Bernardino attack used encrypted communications, the attack has been inserted into the encryption policy maelstrom. The French government wants to act against encryption, and some suggest President Obama’s statement about making terrorist use of the Internet more difficult signals a harder line on encryption from the president. Any such move would reverse the administration’s decision not to pursue proposals to allow law enforcement and intelligence agencies access to encrypted communications.

Terrorist Use of Social Media

The Paris and San Bernardino attacks have again put the spotlight on the Islamic State’s use of social media to spread propaganda, radicalize individuals, recruit fighters for operations in Iraq and Syria, and encourage attacks by adherents in their home countries. Before these attacks, pressure was building for governments and companies to take more action against the Islamic State’s exploitation of social media. However, little consensus had emerged on what governments and corporations should do before the Paris and San Bernardino attacks underscored how serious yet confounding this problem is for democracies. U.S. government efforts to mount counter-narrative campaigns against Islamic State online activities have been criticized from within and outside the government as misguided and ineffective. The Paris and San Bernardino attacks can themselves be seen as evidence that actions by companies, such as more aggressive take down of content and accounts associated with the Islamic State, are not effective, while raising questions about the legitimacy and transparency of these activities.

Strategic Frameworks for Addressing Cyber Policy Challenges

The surveillance, encryption, and social media controversies demonstrate that cyber issues are embedded in counter-terrorism politics without agreement on how to address the cyber component of counter-terrorism policy. The Paris and San Bernardino attacks highlight the importance of debates about what strategic framework offers the best prospects for handling these cyber challenges. Briefly, there are three ways to frame these challenges strategically:

• We are at war with the Islamic State, and war requires extraordinary measures at home, abroad, and in cyberspace to defeat the enemy. This government-dominated approach supports expanded surveillance, denying terrorists the benefits of encryption, and heightened demands on social media companies to contribute more effectively to the fight against the Islamic State.
• We should approach the cyber elements of the conflict with the Islamic State as a counter-insurgency campaign against violent extremism. (I wrote about this idea in March, as did CFR adjunct senior fellow Jared Cohen in the most recent Foreign Affairs.) As Cohen argued, a “digital counterinsurgency” requires “a broad coalition to marginalize the Islamic State online: from governments and companies to nonprofits and international organizations.”
• We should defeat the Islamic State’s abuse of cyberspace by emphasizing the primary responsibilities of technology companies and their users for countering the online activities of violent extremists. This approach does not involve empowering governments to interfere with the online world or “militarizing” the cyber components of the conflict with the Islamic State. Instead, the onus rests on companies and consumers to work together to mitigate the manipulation of social media for terrorist purposes.

The Paris and San Bernardino attacks are still too recent for strategic and policy clarity to have emerged, so debates here and around the world will continue. The Counter-Terrorism Committee established by the UN Security Council after the 9/11 attacks is holding a special meeting on preventing terrorists from exploiting the Internet and social media on December 16-17 as part of this search for effective and legitimate ways to respond to violent extremism’s online offensive. Stay tuned.