Annex A: Australia's position on how international law applies to state conduct in cyberspace

Existing international law provides the framework for state behaviour in cyberspace. This includes, where applicable, the law regarding the use of force, international humanitarian law (IHL), international human rights law, and international law regarding state responsibility.

In this respect, Australia notes that the centrality of international law and its application to states' use of cyberspace was affirmed in 2013 in the consensus report of the third United Nations Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, which was chaired by Australia, and reaffirmed in the 2015 report of the UNGGE.

However, Australia recognises that activities conducted in cyberspace raise new challenges for the application of international law, including issues of sovereignty, attribution and jurisdiction, given that different actors engage in a range of cyber activities which may cross multiple national borders. This annex sets out Australia's views on these issues.

1. The United Nations Charter and the law on the use of force (jus ad bellum) apply to activities conducted in cyberspace.

The Charter of the United Nations requires states to seek peaceful settlements of disputes. This obligation extends to cyberspace and requires states to resolve cyber incidents peacefully without escalation or resort to the threat or use of force. This requirement does not impinge upon a state's inherent right to act in individual or collective self-defence in response to an armed attack, which applies equally in the cyber domain as it does in the physical realm.

In determining whether a cyber attack, or any other cyber activity, constitutes a use of force, states should consider whether the activity's scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber attack, including for example whether the cyber activity could reasonably be expected to cause serious or extensive ('scale') damage or destruction ('effects') to life, or injury or death to persons, or result in damage to the victim state's objects, critical infrastructure and/or functioning.

2. For cyber operations constituting or occurring within the context of an international or non-international armed conflict, the relevant international humanitarian law (jus in bello) will apply to the conduct of these cyber activities.

International humanitarian law (IHL) (including the principles of humanity, necessity, proportionality and distinction) applies to cyber operations within an armed conflict.

The IHL principle of proportionality prohibits the launching of an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.

The IHL principle of military necessity states that a combatant is justified in using those measures, not forbidden by international law, which are indispensable for securing complete submission of an enemy at the soonest moment. The principle cannot be used to justify actions prohibited by law, as the means to achieve victory are not unlimited.

The IHL principle of distinction seeks to ensure that only legitimate military objects are attacked. Distinction has two components. The first, relating to personnel, seeks to maintain the distinction between combatants and non-combatants or military and civilian personnel. The second component distinguishes between legitimate military targets and civilian objects.

All Australian military capabilities are employed in line with approved targeting procedures. Cyber operations are no different. Australian targeting procedures comply with the requirements of IHL and trained legal officers provide decision-makers with advice to ensure that Australia satisfies its obligations under international law and its domestic legal requirements.

For example, Australia considers that, if a cyber operation rises to the same threshold as that of a kinetic 'attack under IHL', the rules governing such attacks during armed conflict will apply to those kinds of cyber operations.

3. For cyber activities taking place outside of armed conflict, general principles of international law, including the law on state responsibility, apply.

It is a longstanding rule of international law that, if a state acts in violation of an international obligation, and that violation is attributable to the state, that state will be responsible for the violation.

The customary international law on state responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to state behaviour in cyberspace.

To the extent that a state enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other states. In this context, we note it may not be reasonable to expect (or even possible for) a state to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law.

If a state is a victim of malicious cyber activity which is attributable to a perpetrator state, the victim state may be able to take countermeasures against the perpetrator state, under certain circumstances. However, countermeasures that amount to a use of force are not permissible. Any use of countermeasures involving cyberspace must be proportionate. It is acknowledged that this raises challenges in identifying and assessing direct and indirect effects of malicious cyber activity, in order to gauge a proportionate response. The purpose of countermeasures is to compel the other party to desist in the ongoing unlawful conduct.

Annex B: Norms for the responsible behaviour of states in cyberspace

From the report of the 2015 UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (A/70/174).

  1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
  2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
  3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
  4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
  5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
  6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
  7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
  8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
  9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
  10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
  11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.

Annex C: International cyber engagement strategy action plan

DIGITAL TRADE

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Shape an enabling environment for digital trade including through trade agreements, harmonisation of standards, and implementation of trade facilitation measures | | |
| 1.01 | Advocate for further digital trade liberalisation and facilitation through free trade agreements and through Australia's participation in the WTO, OECD, APEC and G20 | ONGOING | DFAT |
| 1.02 | Support capacity building projects in the Indo-Pacific to encourage the harmonisation of international standards for digital goods, building trust and confidence in digital trade | MEDIUM TERM | DIIS, DFAT, (Standards Australia) |
| 1.03 | Oppose barriers to digital trade and advocate for implementation of the WTO Trade Facilitation Agreement through bilateral representations and involvement with WTO committees and councils, APEC and the G20 | ONGOING | DFAT |
| 1.04 | Design and trial an electronic Secure Trade Lane with New Zealand to provide benefits for trusted traders in both countries | MEDIUM TERM | DIBP |
| 1.05 | Promote regulatory cooperation and coherence through Australia's bilateral exchanges, the Australian free trade agreement agenda, Aid for Trade activities, and engagement in the G20 and APEC | ONGOING | DFAT, ASIC |
| 1.06 | Support public-private engagement on emerging digital trade issues in multilateral forums, including the Business 20, G20, and the APEC Business Advisory Council | ONGOING | DFAT, DIIS |
| 1.07 | Support the G20, OECD and other international research to improve digital trade measurement and develop policy responses | MEDIUM TERM | DFAT, DIIS |
| 1.08 | Encourage transparency from bilateral partners on domestic legislation that could restrict trade, including through cyber policy dialogues | ONGOING | DFAT, Austrade, DIIS |
| | AUSTRALIA’S PRIORITY: Promote trade and investment opportunities for Australian digital goods and services | | |
| 1.09 | Develop a guide to exporting in the digital economy, providing practical advice for maximising international opportunities for Australian businesses | SHORT TERM | Austrade, DIIS |
| 1.10 | Develop a national digital economy strategy, which will position Australia to embrace the opportunities presented by digital trade | SHORT TERM | DIIS, Austrade |

CYBER SECURITY

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Maintain strong cyber security relationships with international partners | | |
| 2.01 | Strengthen and expand Australia's international cyber security information sharing partners and trusted networks | ONGOING | ACSC |
| 2.02 | Strengthen and expand Australia's network of CERT relationships, especially in the Indo-Pacific | ONGOING | CERT Australia, ACSC, DoCA |
| 2.03 | Be a prominent contributor to the APCERT community | ONGOING | CERT Australia, ACSC |
| | AUSTRALIA’S PRIORITY: Encourage innovative cyber security solutions and deliver world leading cyber security advice | | |
| 2.04 | Promote cyber security as a fundamental input in the design and delivery of ICT products, systems and services | ONGOING | ACSC |
| 2.05 | Support the development of international standards that improve cyber security and encourage harmonisation of standards for digital products | ONGOING | (Standards Australia), ACSC |
| 2.06 | Publish translations of ASD's Essential Eight strategies and companion implementation documents in the official languages of ASEAN members | SHORT TERM | ACSC, DFAT |
| | AUSTRALIA’S PRIORITY: Develop regional cyber security capability | | |
| 2.07 | Work with regional partners in the Pacific to establish the Pacific Cyber Security Operational Network (PaCSON) | MEDIUM TERM | CERT Australia |
| | AUSTRALIA’S PRIORITY: Promote Australia's cyber security industry | | |
| 2.08 | Showcase Australia's cyber security capabilities to international customers and investors, including through delivery of an annual Australian Cyber Week | LONG TERM | (AustCyber), DIIS |
| 2.09 | Promote and encourage cyber security start-ups through Landing Pads | ONGOING | Austrade, (AustCyber) |
| 2.10 | Partner with the private sector to host a workshop to co-design how Australia promotes its cyber security industry internationally | SHORT TERM | (AustCyber), Austrade, DIIS |

CYBERCRIME

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Raise cybercrime awareness in the Indo-Pacific | | |
| 3.01 | Deliver cybercrime awareness training across the Indo-Pacific through public-private partnerships and the refreshed Cyber Safety Pasifika program | SHORT TERM | AFP |
| | AUSTRALIA’S PRIORITY: Assist Indo-Pacific countries to strengthen their cybercrime legislation | | |
| 3.02 | Promote the Budapest Convention as a best practice model for legislative responses to cybercrime and support accession to the Convention across the Indo-Pacific | ONGOING | DFAT, AGD, AFP |
| 3.03 | Be active in the negotiation of an Additional Protocol to the Budapest Convention on trans-border access to information | MEDIUM TERM | AGD |
| 3.04 | Work with the Pacific Islands Law Officers' Network to help strengthen cybercrime legislation in the region | ONGOING | AGD, DFAT |
| | AUSTRALIA’S PRIORITY: Deliver cybercrime law enforcement and prosecution capacity building in the Indo-Pacific | | |
| 3.05 | Provide cybercrime training to law enforcement officers, prosecutors and judges across the Indo-Pacific | ONGOING | AFP, DFAT, AGD |
| | AUSTRALIA’S PRIORITY: Enhance diplomatic dialogue and international information sharing on cybercrime | | |
| 3.06 | Seek further opportunities to participate in strategic-level engagement on combatting transnational cybercrime | SHORT TERM | DFAT |
| 3.07 | Share cybercrime threat information and enhance operational collaboration with international partners to fight transnational crime | ONGOING | AFP, ACIC, AUSTRAC |

INTERNATIONAL SECURITY & CYBERSPACE

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Set clear expectations for state behaviour in cyberspace | | |
| 4.01 | Periodically publish Australia's position on the application of relevant international law to state conduct in cyberspace (the first such publication is in Annex A) | ONGOING | DFAT, AGD |
| 4.02 | Facilitate advanced policy development and promote informed public discussion on acceptable state behaviour in cyberspace through engagement with academics and experts in this field | ONGOING | DFAT, AGD, Defence |
| 4.03 | Seek high-level reaffirmations from states that they will act in accordance with international law and identified norms of responsible state behaviour in cyberspace | ONGOING | DFAT |
| 4.04 | Partner with countries in the Indo-Pacific to advance our combined understanding of how international law and norms of responsible state behaviour apply in cyberspace through bilateral engagement and regional and multilateral forums | ONGOING | DFAT |
| | AUSTRALIA’S PRIORITY: Implement practical confidence building measures to prevent conflict | | |
| 4.05 | Develop a framework to exchange policy and diplomatic contacts, including bilaterally, to facilitate communication in times of crisis or tension arising from significant cyber incidents that have the potential to threaten international peace, security and stability | MEDIUM TERM | DFAT, ACSC |
| 4.06 | Work with regional organisations to conduct risk reduction workshops to enhance our capacity to manage and respond to cyber incidents that threaten international peace, security and stability, including exercising national and regional responses to severe cyber incidents | SHORT TERM | DFAT, ACSC |
| 4.07 | Hold cyber policy dialogues to discuss and work with partners to achieve priority goals on international cyber issues, including international law, norms of responsible state behaviour and confidence building measures | ONGOING | DFAT |
| 4.08 | Foster recognition through diplomatic outreach and defence engagement that military offensive cyber capabilities are subject to the same limitations and obligations as any other military capability | ONGOING | DFAT, Defence, ASD |
| | AUSTRALIA’S PRIORITY: Deter and respond to unacceptable behaviour in cyberspace | | |
| 4.09 | Review Australia's range of options to deter and respond to unacceptable behaviours in cyberspace, particularly those involving state actors and their proxies | MEDIUM TERM | PM&C, DFAT, AGD, ASD |
| 4.10 | Undertake diplomatic action to support an international cooperative architecture that promotes stability and responds to and deters unacceptable behaviour in cyberspace | MEDIUM TERM | DFAT |

INTERNET GOVERNANCE & COOPERATION

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Advocate for a multi-stakeholder approach to Internet governance that is inclusive, consensus-based, transparent and accountable | | |
| 5.01 | Advocate for an open, free and secure Internet, underpinned by a multi-stakeholder approach to Internet governance and cooperation | ONGOING | DFAT, DoCA |
| 5.02 | Support an annual community-led Australian Internet governance and cooperation forum | SHORT TERM | DoCA, DFAT |
| 5.03 | Outline Australia's strong commitment to fostering fair and effective competition online, emphasising a preference for general competition law | ONGOING | DoCA, ACCC, DFAT |
| | AUSTRALIA’S PRIORITY: Oppose efforts to bring the management of the Internet under government control | | |
| 5.04 | Oppose efforts to bring the management of the Internet under government control | ONGOING | DoCA, DFAT |
| | AUSTRALIA’S PRIORITY: Raise awareness across the Indo-Pacific of Internet governance issues and encourage engagement of regional partners in Internet governance and cooperation discussions | | |
| 5.05 | Build the capacity of Indo-Pacific partners to engage in regional and international discussion on Internet governance and cooperation | MEDIUM TERM | DoCA, DFAT |

HUMAN RIGHTS & DEMOCRACY ONLINE

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Advocate for the protection of human rights and democratic principles online | | |
| 6.01 | Advocate to uphold and protect human rights and democratic freedoms online | ONGOING | DFAT, DoCA |
| 6.02 | Share concerns about, and aim to prevent, undue restrictions of human rights online as well as cyber-enabled interference in democratic processes | ONGOING | DFAT |
| 6.03 | Fund capacity building in the Indo-Pacific to raise awareness of states' human rights obligations online | MEDIUM TERM | DFAT |
| | AUSTRALIA’S PRIORITY: Support international efforts to promote and protect human rights online | | |
| 6.04 | Support non-government organisations that defend human rights online | MEDIUM TERM | DFAT |
| | AUSTRALIA’S PRIORITY: Ensure respect for and protection of human rights and democratic principles online are considered in all Australian aid projects with digital technology components | | |
| 6.05 | Provide guidance to ensure that human rights online are protected in Australian aid and non-government projects with digital technology components | SHORT TERM | DFAT |

TECHNOLOGY FOR DEVELOPMENT

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Improve connectivity and access to the Internet across the Indo-Pacific, in collaboration with international organisations, regional governments and the private sector | | |
| 7.01 | Partner with international organisations, regional governments, development banks and the private sector to improve Internet accessibility in the Indo-Pacific | LONG TERM | DFAT, DoCA |
| 7.02 | Work with partner countries in the Indo-Pacific to develop domestic regulatory, legal and institutional frameworks that support competitive telecommunications sectors | MEDIUM TERM | DFAT, DoCA |
| 7.03 | Promote digital inclusion across the Indo-Pacific through educational programs, leadership initiatives and strategic partnerships | LONG TERM | DFAT |
| | AUSTRALIA’S PRIORITY: Encourage the use of resilient development-enabling technologies for e-governance and the digital delivery of services | | |
| 7.04 | Work with partner governments, the private sector and financial institutions across the Indo-Pacific to promote e-governance, online service delivery and innovative uses of technology for enhanced economic opportunity and sustainable development | MEDIUM TERM | DFAT, Austrade |
| 7.05 | Provide guidance to ensure that digital technologies used in, or provided to, Australian aid and non-government projects are safe and resilient | SHORT TERM | DFAT |
| | AUSTRALIA’S PRIORITY: Support entrepreneurship, digital skills and integration into the global marketplace | | |
| 7.06 | Work with public and private sector partners to encourage businesses and entrepreneurs to find solutions to regional development challenges using innovative technologies | SHORT TERM | DFAT, (AustCyber), Austrade, CSIRO |
| 7.07 | Partner with regional governments, multilateral forums and educational institutions to build digital-ready workforces and support digital upskilling across the Indo-Pacific | SHORT TERM | DFAT |
| 7.08 | Support new technologies and tools for developing countries to facilitate digital trade, including improvements in policy and customs practices and better access to trade finance | MEDIUM TERM | DFAT, DIIS |
| 7.09 | Focus Australian Aid for Trade efforts on connecting small businesses and women entrepreneurs in developing countries to digital economy opportunities and global supply chains | ONGOING | DFAT, Austrade |

COMPREHENSIVE & COORDINATED CYBER AFFAIRS

| No. | Australia's Actions | Timeframe | Lead Agency |
|---|---|---|---|
| | AUSTRALIA’S PRIORITY: Enhance understanding of Australia's comprehensive cyber affairs agenda | | |
| 8.01 | Promote Australia's vision of comprehensive cyber affairs through ongoing diplomatic engagement | ONGOING | DFAT |
| 8.02 | Create a Cyber Affairs Curriculum for Australia's international representatives through DFAT's Diplomatic Academy | SHORT TERM | DFAT |
| | AUSTRALIA’S PRIORITY: Increase funding for Australia's international cyber engagement activities | | |
| 8.03 | Fund new international cyber engagement projects in the Indo-Pacific through the Cyber Cooperation Program | ONGOING | DFAT |
| | AUSTRALIA’S PRIORITY: Coordinate and prioritise Australia's international cyber engagement activities | | |
| 8.04 | Establish a quarterly whole-of-Government meeting, convened by the Ambassador for Cyber Affairs, to coordinate and prioritise Australia's international cyber activities | SHORT TERM | DFAT |
| 8.05 | Establish an Industry Advisory Group that meets biannually to facilitate public-private collaboration on Australia's international cyber engagement | SHORT TERM | DFAT, Austrade, DIIS, CERT Australia |