Malicious activity in cyberspace has the potential to threaten international peace, security and stability. A large-scale cyber attack on critical infrastructure would have severe implications for international security. However, international peace, security and stability could be equally threatened by the cumulative effect of repeated low-level malicious online behaviour. It is the scale and effect of the activity, not necessarily the actor, means or method, that determine its malicious nature.
Australia is committed to a peaceful and stable cyberspace. We recognise that, as more and more states seek to exert power through cyberspace, there is increased potential for activities in this domain to lead to misperception, miscalculation, escalation and, in the most extreme cases, conflict between states. Australia will be stronger when we manage these risks in cooperation with international partners.
Australia seeks a more mature and transparent conversation about what states are doing in cyberspace. In the face of clear evidence to the contrary, it is no longer plausible to simply deny that states are active in cyberspace. Recognition that states have legitimate rights to develop and use cyber capabilities must go hand in hand with recognition that states are obliged to ensure their use of cyber capabilities accords with international law and norms of acceptable behaviour.
Acknowledgement that states are developing cyber capabilities does not contradict Australia's commitment to maintaining a peaceful and stable online environment. Rather, acknowledging the existence of these capabilities fosters the understanding that, just like in the physical domains, states' activities in cyberspace do not occur in a vacuum. States have rights, but they also have obligations.
Good progress has been made in delineating the boundaries of what is and isn't acceptable behaviour by states in cyberspace. But some states are testing, and even crossing, those boundaries. It is important that there are consequences for those who act contrary to this consensus.
The 2016 Presidential Election in the United States focused the world's attention on the potential for cyber-enabled information operations to interfere with processes underpinning democracy. Such actions have particular implications for connected, open and democratic societies like Australia. This behaviour is unacceptable. We will guard against attempts to use such measures to interfere in Australia's domestic affairs or undermine our institutions. More broadly, Australia will cooperate with international partners to deter and respond to malicious cyber activity that endangers international peace, security and stability.
In parallel to Australia's engagement in international security and cyberspace, the Government is enhancing cooperation with international partners to detect and limit terrorist and other misuse of the Internet as a tool to recruit and radicalise. International efforts in this regard are led by Australia's Ambassador for Counter-Terrorism in close cooperation with the Attorney-General's Department's Countering Violent Extremism Centre.
International law has developed over centuries. It comprises rules and principles that, inter alia, govern relations between states. While the domain may be comparatively new, the rules are not. International law applies in cyberspace.
The unique attributes of cyberspace mean that existing international law can be usefully complemented by agreed norms of behaviour. Alongside states' international legal obligations, these non-binding norms establish clear expectations of proper state behaviour in cyberspace.
As observed above, international law applies to states' conduct in cyberspace just as it applies to states' conduct in the physical domains. The existing international legal framework helps reduce the risk of conflict by articulating clear obligations for how states interact.
In some instances, it is useful to clarify how particular rules, principles and bodies of international law apply to states' conduct in cyberspace. Much of the hard work is already done, but this continues to be a work in progress – particularly as digital technologies continue to evolve at a rapid pace.
The Australian Government defines cyber attack as a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity.
This definition was developed in 2011 after extensive policy and legal consultation. It was subsequently used to affirm that the provisions of the ANZUS Treaty allow Australia and the United States to consult each other in the event of a cyber attack on either party.
Australia reaffirms that the United Nations (UN) Charter applies in its entirety to state actions in cyberspace, including the prohibition on the use of force (Article 2(4)), the peaceful settlement of disputes (Article 33), and the inherent right of states to act in individual or collective self-defence in response to an armed attack (Article 51). The international law on state responsibility applies to cyber operations, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.
The cumulative reports of the UN Group of Governmental Experts on Developments in the Field of Information and Communication Technologies in the Context of International Security (UN Group of Governmental Experts) have contributed to our collective understanding of how international law applies to states' conduct in cyberspace. The Tallinn Manuals are also an important academic contribution to international legal dialogue in this area.
Australia encourages states to continue to exchange views on how particular rules and principles of international law apply to state conduct in cyberspace. This will facilitate the development of deeper understandings and expectations – not just among states, but also within the private sector, civil society and academia.
4.01 - Periodically publish Australia's position on the application of relevant international law to state conduct in cyberspace (the first such publication is at Annex A)
The stability of cyberspace benefits the private sector and governments, and our interests in maintaining a peaceful online environment are complementary. A significant proportion of the world's Internet infrastructure is owned and operated by the private sector. This means the private sector is well placed to contribute to discussions on the practicality of norms, and champion their implementation.
Norms establish clear expectations of behaviour in specific circumstances by specific groups. By signalling acceptable behaviour of states in cyberspace, norms promote predictability, stability and security. Norms must be developed consistent with international law.
Shared understandings of responsible behaviour also provide the basis for the international community to respond when these shared expectations are not met. Understanding of and adherence to norms by states increases the predictability of state actions, thereby reducing the risk of misunderstandings that could lead to conflict.
The 2015 Report of the UN Group of Governmental Experts set out 11 such norms (see Annex B). Also in 2015, G20 leaders agreed that 'no country should conduct or support ICT-enabled theft of intellectual property, including state secrets or other confidential business information, with the intent of providing competitive advantages to companies or the commercial sector.'
Australia affirms its commitment to act in accordance with these norms.
Australia and China 'agreed to support the work of the UN Group of Governmental Experts and to act in accordance with its reports… Australia and China agreed not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage.' (Joint Statement Australia-China High-Level Security Dialogue, Sydney, 2017)
Australia engages in multi-agency cyber policy and cyber security dialogues with countries including Canada, China, India, Indonesia, Japan, New Zealand, the Republic of Korea, the United Kingdom and the United States. These dialogues are an opportunity to deepen understanding of responsible state behaviour in cyberspace and foster cooperation to deter and respond to malicious cyber activities.
4.02 - Facilitate advanced policy development and promote informed public discussion on acceptable state behaviour in cyberspace through engagement with academics and experts in this field
4.03 - Seek high-level reaffirmations from states that they will act in accordance with international law and identified norms of responsible state behaviour in cyberspace
4.04 - Partner with countries in the Indo-Pacific to advance our combined understanding of how international law and norms of responsible state behaviour apply in cyberspace through bilateral engagement and regional and multilateral forums
Australia is committed to taking practical action to support international peace and security. Confidence building measures foster trust between states to prevent misunderstandings that could lead to conflict. They include transparency measures, risk reduction measures and cooperative measures. Confidence building measures are one of the most important tools in our diplomatic toolkit. Australia is committed to implementing these measures to maintain a peaceful and stable online environment.
Australia will look for opportunities for practical cooperation on cyber issues with ASEAN partners. Working together to harness the opportunities and address the shared challenges of cyberspace will be a key theme of the Australia-ASEAN Special Summit in March 2018.
Risk reduction measures build confidence in states' capacity to collaborate to respond to specific instances of malicious cyber activity without escalation to conflict.
An example of a risk reduction measure could be the development of a database of regional policy and diplomatic points of contact for use in the event of a cyber incident. Knowing who to call in times of tension reduces the risk of miscommunication and, in turn, this reduces the risk of escalation to conflict. The very act of compiling the directory of contacts can be a confidence building measure in and of itself.
A lot of good work has already been done in this field. A number of different bodies have identified practical confidence building measures that increase stability and reduce risk, including the UN Group of Governmental Experts, the ASEAN Regional Forum, the Organization for Security Cooperation in Europe and the Organization of American States.
The task now is to move from identifying risk reduction measures to operationalising them. In doing so, Australia will prioritise measures which have the greatest impact on reducing risk to international peace and security. Our focus will be on putting in place measures that enable states to cooperate in situations of tension or crisis.
4.05 - Develop a framework to exchange policy and diplomatic contacts, including bilaterally, to facilitate communication in times of crisis or tension arising from significant cyber incidents that have the potential to threaten international peace, security and stability
4.06 - Work with regional organisations to conduct risk reduction workshops to enhance our capacity to manage and respond to cyber incidents that threaten international peace, security and stability, including exercising national and regional responses to severe cyber incidents
Transparency measures provide insight into states' activities. They reduce the risk of miscommunication as well as the likelihood of overreaction.
Australia's 2016 Cyber Security Strategy, the 2016 Defence White Paper, the forthcoming Foreign Policy White Paper and this Strategy are all examples of transparency measures. Other examples include cyber policy dialogues, sharing Australia's national cyber governance structures (including cyber incident management arrangements), and outlining Australia's position on how international law applies to state conduct in cyberspace.
Another area where Australia encourages greater candidness is in relation to the military use of offensive cyber capabilities. Just as more and more states are embracing the opportunities of cyberspace to improve service delivery and drive economic growth, it is unsurprising that more and more states are exploring military applications of cyberspace. In and of itself this is not a concern – provided that states acknowledge that military activities in cyberspace are governed by the same sets of rules as military activities in the physical domains. These rules, developed over centuries, restrict and regulate unacceptable conduct.
Australia recognises that, just like other military capabilities, some details of cyber capabilities and operations will need to remain classified. By way of analogy, Australia is transparent about the rules that govern the use of conventional capabilities such as missiles on our warships; however, we do not discuss the specifics of the capability, nor would we reveal details of particular operations. We will take the same approach to discussing cyber capabilities. Acknowledgement of these capabilities does not contradict our commitment to a stable and peaceful online environment. Instead it fosters the understanding that states' activities in cyberspace have limitations and obligations, just as they do in the physical domains (see Conduct and Authorisation of Offensive Cyber Capability in Support of Military Operations).
Cooperative measures promote collaboration between states based on a mutual commitment to improve cyber resilience and reinforce a peaceful and stable online environment.
Cooperative measures could include exchanging information on best practices in responding to cyber incidents or capacity building programs like Australia's new Cyber Cooperation Program (see the Comprehensive & Coordinated Cyber Affairs chapter).
Australia's Cyber Cooperation Program facilitates the development of comprehensive, forward-leaning policies, legislative frameworks and cyber governance institutions to empower regional partners to safely embrace the benefits of connectivity. It will also provide opportunities for Australia to learn and adopt emerging best practices to strengthen our own cyber policy and security measures.
Development of robust cyber policy and well-resourced cyber governance institutions will mean that the collective capacity of states to respond to cyber incidents is enhanced, messaging to potential adversaries is consistent and security is strengthened overall. It will also empower Indo-Pacific states to participate in international discussions about the future of cyberspace in an inclusive manner.
4.07 - Hold cyber policy dialogues to discuss and work with partners to achieve priority goals on international cyber issues, including international law, norms of responsible state behaviour and confidence building measures
4.08 - Foster recognition through diplomatic outreach and defence engagement that military offensive cyber capabilities are subject to the same limitations and obligations as any other military capability
The international community has made good progress delineating the boundaries of what is and isn't acceptable behaviour in cyberspace – but some states are testing those boundaries. Like many others, Australia is concerned by the increased willingness of states and non-state actors to pursue their objectives by undertaking malicious cyber activities contrary to international law and identified norms of responsible state behaviour.
Having established a firm foundation of international law and norms, the international community must now ensure there are effective consequences for those who act contrary to this consensus. Australia is committed to countering, deterring and discouraging malicious cyber activity, especially by states and their proxies. We will work with partners to strengthen global responses to unacceptable behaviour in cyberspace.
An architecture for cooperation amongst states is needed. This includes mechanisms to respond to unacceptable behaviour in cyberspace in a timely and agile manner, within the existing framework of international law. Achieving this cooperation requires creative thinking to build a flexible range of existing and novel response tools, and a nimble coordination mechanism to implement them effectively.
Australia's responses to malicious cyber activity could comprise law enforcement or diplomatic, economic or military measures as appropriate for the circumstances. This could include, but is not restricted to, offensive cyber capabilities that disrupt, deny or degrade the computers or computer networks of adversaries. Regardless of the context, Australia's response would be proportionate to the circumstances of the incident, would comply with domestic law, and be consistent with our support for the rules-based international order and our obligations under international law.
Attribution of malicious activity is necessary to enable a range of response options. Depending on the seriousness and nature of an incident, Australia has the capability to attribute malicious cyber activity in a timely manner to several levels of granularity – ranging from the broad category of adversary through to specific states and individuals.
Australia's strong cyber security posture underpins our ability to deter and respond to serious incidents and unacceptable behaviour in cyberspace. It ensures that Australia can discourage, detect, respond to, and contain malicious cyber activity.
Australian offensive cyber capabilities are held by the Australian Signals Directorate (ASD). Australian offensive cyber operations are conducted by ASD personnel. Offensive cyber operations in support of Australian Defence Force (ADF) operations are planned and executed by ASD and Joint Operations Command under direction of the Chief of Joint Operations. All operations are conducted in accordance with international law and domestic law, including the Commonwealth Criminal Code Act 1995 and the Intelligence Services Act 2001.
Like any other military capability, use of this offensive cyber capability in support of military operations is governed by ADF Rules of Engagement (ROE). ROE are informed by and consistent with domestic and international law, including the Law of Armed Conflict (International Humanitarian Law). Offensive cyber capabilities are also subject to ASD's existing legislative and oversight framework, including independent oversight by the Inspector-General of Intelligence and Security.
The 2016 Cyber Security Strategy and the 2016 Defence White Paper boosted Australia's cyber security capabilities. Australia is strengthening the Australian Cyber Security Centre, establishing a multi-layered national cyber threat sharing network. The Australian Defence Force's (ADF) Information Warfare Division will shape the development of ADF cyberspace capabilities to secure and protect ADF networks and systems, and support the integration of cyber capabilities into ADF operations.
Australia has also established the Critical Infrastructure Centre to work cooperatively with owners and operators to manage the complex and evolving national security risks from foreign involvement in Australia’s critical infrastructure. The centre develops risk assessments to support Government decision-making on foreign investment in assets that may affect national security. Australia's overall goal is to harden our networks, deter unacceptable behaviour in cyberspace, and promote an open, free and secure online environment.
4.09 - Review Australia's range of options to deter and respond to unacceptable behaviour in cyberspace, especially those involving state actors and their proxies
4.10 - Undertake diplomatic action to support an international cooperative architecture that promotes stability, and responds to and deters unacceptable behaviour in cyberspace