Annex A: Australia's position on how international law applies to state conduct in cyberspace
Existing international law provides the framework for state behaviour in cyberspace. This includes, where applicable, the law regarding the use of force, international humanitarian law (IHL), international human rights law, and international law regarding state responsibility.
In this respect, Australia notes that the centrality of international law and its application to states' use of cyberspace was affirmed in 2013 in the consensus report of the third United Nations Group of Governmental Experts (UNGGE) on Developments in the Field of Information and Telecommunications in the Context of International Security, which was chaired by Australia, and reaffirmed in the 2015 report of the UNGGE.
However, Australia recognises that activities conducted in cyberspace raise new challenges for the application of international law, including issues of sovereignty, attribution and jurisdiction, given that different actors engage in a range of cyber activities which may cross multiple national borders. This annex sets out Australia's views on these issues.
1. The United Nations Charter and the law on the use of force (jus ad bellum) apply to activities conducted in cyberspace.
The Charter of the United Nations requires states to seek peaceful settlements of disputes. This obligation extends to cyberspace and requires states to resolve cyber incidents peacefully without escalation or resort to the threat or use of force. This requirement does not impinge upon a state's inherent right to act in individual or collective self-defence in response to an armed attack, which applies equally in the cyber domain as it does in the physical realm.
In determining whether a cyber attack, or any other cyber activity, constitutes a use of force, states should consider whether the activity's scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber attack, including for example whether the cyber activity could reasonably be expected to cause serious or extensive ('scale') damage or destruction ('effects') to life, or injury or death to persons, or result in damage to the victim state's objects, critical infrastructure and/or functioning.
2. For cyber operations constituting or occurring within the context of an international or non-international armed conflict, the relevant international humanitarian law (jus in bello) will apply to the conduct of these cyber activities.
International humanitarian law (IHL) (including the principles of humanity, necessity, proportionality and distinction) applies to cyber operations within an armed conflict.
The IHL principle of proportionality prohibits the launching of an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.
The IHL principle of military necessity states that a combatant is justified in using those measures, not forbidden by international law, which are indispensable for securing complete submission of an enemy at the soonest moment. The principle cannot be used to justify actions prohibited by law, as the means to achieve victory are not unlimited.
The IHL principle of distinction seeks to ensure that only legitimate military objects are attacked. Distinction has two components. The first, relating to personnel, seeks to maintain the distinction between combatants and non-combatants or military and civilian personnel. The second component distinguishes between legitimate military targets and civilian objects.
All Australian military capabilities are employed in line with approved targeting procedures. Cyber operations are no different. Australian targeting procedures comply with the requirements of IHL and trained legal officers provide decision-makers with advice to ensure that Australia satisfies its obligations under international law and its domestic legal requirements.
For example, Australia considers that, if a cyber operation rises to the same threshold as that of a kinetic 'attack under IHL', the rules governing such attacks during armed conflict will apply to those kinds of cyber operations.
3. For cyber activities taking place outside of armed conflict, general principles of international law, including the law on state responsibility, apply.
It is a longstanding rule of international law that, if a state acts in violation of an international obligation, and that violation is attributable to the state, that state will be responsible for the violation.
The customary international law on state responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, apply to state behaviour in cyberspace.
To the extent that a state enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other states. In this context, we note it may not be reasonable to expect (or even possible for) a state to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a state is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that state should take reasonable steps to do so consistent with international law.
If a state is a victim of malicious cyber activity which is attributable to a perpetrator state, the victim state may be able to take countermeasures against the perpetrator state, under certain circumstances. However, countermeasures that amount to a use of force are not permissible. Any use of countermeasures involving cyberspace must be proportionate. It is acknowledged that this raises challenges in identifying and assessing direct and indirect effects of malicious cyber activity, in order to gauge a proportionate response. The purpose of countermeasures is to compel the other party to desist in the ongoing unlawful conduct.
Annex B: Norms for the responsible behaviour of states in cyberspace
From the report of the 2015 UN Group of Government Experts on Development in the Field of Information and Telecommunications in the Context of International Security (A/70/174).
- Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
- In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
- States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
- States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
- States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
- A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
- States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
- States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
- States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
- States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
- States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
Annex C: International cyber engagement strategy action plan
DIGITAL TRADE
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Shape an enabling environment for digital trade including through trade agreements, harmonisation of standards, and implementation of trade facilitation measures |
|
| 1.01 Advocate for further digital trade liberalisation and facilitation through free trade agreements and through Australia's participation in the WTO, OECD, APEC and G20 ONGOING |
DFAT |
| 1.02 Support capacity building projects in the Indo-Pacific to encourage the harmonisation of international standards for digital goods, building trust and confidence in digital trade MEDIUM TERM |
DIIS DFAT (Standards Australia) |
| 1.03 Oppose barriers to digital trade and advocate for implementation of the WTO Trade Facilitation Agreement through bilateral representations and involvement with WTO committees and councils, APEC and the G20 ONGOING |
DFAT |
| 1.04 Design and trial an electronic Secure Trade Lane with New Zealand to provide benefits for trusted traders in both countries MEDIUM TERM |
DIBP |
| 1.05 Promote regulatory cooperation and coherence through Australia's bilateral exchanges, the Australian free trade agreement agenda, Aid for Trade activities, and engagement in the G20 and APEC ONGOING |
DFAT ASIC |
| 1.06 Support public-private engagement on emerging digital trade issues in multilateral forums, including the Business 20, G20, and the APEC Business Advisory Council ONGOING |
DFAT DIIS |
| 1.07 Support the G20, OECD and other international research to improve digital trade measurement and develop policy responses MEDIUM TERM |
DFAT DIIS |
| 1.08 Encourage transparency from bilateral partners on domestic legislation that could restrict trade, including through cyber policy dialogues ONGOING |
DFAT Austrade DIIS |
| AUSTRALIA’S PRIORITY Promote trade and investment opportunities for Australian digital goods and services |
|
| 1.09 Develop a guide to exporting in the digital economy, providing practical advice for maximising international opportunities for Australian businesses SHORT TERM |
Austrade DIIS |
| 1.10 Develop a national digital economy strategy, which will position Australia to embrace the opportunities presented by digital trade SHORT TERM |
DIIS Austrade |
CYBER SECURITY
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Maintain strong cyber security relationships with international partners |
|
| 2.01 Strengthen and expand Australia's international cyber security information sharing partners and trusted networks ONGOING |
ACSC |
| 2.02 Strengthen and expand Australia's network of CERT relationships, especially in the Indo-Pacific ONGOING |
CERT Australia ACSC DoCA |
| 2.03 Be a prominent contributor to the APCERT community ONGOING |
CERT Australia ACSC |
| AUSTRALIA’S PRIORITY Encourage innovative cyber security solutions and deliver world leading cyber security advice |
|
| 2.04 Promote cyber security as a fundamental input in the design and delivery of ICT products, systems and services ONGOING |
ACSC |
| 2.05 Support the development of international standards that improve cyber security and encourage harmonisation of standards for digital products ONGOING |
(Standards Australia) ACSC |
| 2.06 Publish translations of ASD's Essential Eight strategies and companion implementation documents in the official languages of ASEAN members SHORT TERM |
ACSC DFAT |
| AUSTRALIA’S PRIORITY Develop regional cyber security capability |
|
| 2.07 Work with regional partners in the Pacific to establish the Pacific Cyber Security Operational Network (PaCSON) MEDIUM TERM |
CERT Australia |
| AUSTRALIA’S PRIORITY Promote Australia's cyber security industry |
|
| 2.08 Showcase Australia's cyber security capabilities to international customers and investors, including through delivery of an annual Australian Cyber Week LONG TERM |
(AustCyber) DIIS |
| 2.09 Promote and encourage cyber security start-ups through Landing Pads ONGOING |
Austrade (AustCyber) |
| 2.10 Partner with the private sector to host a workshop to co-design how Australia promotes its cyber security industry internationally SHORT TERM |
(AustCyber) Austrade DIIS |
CYBERCRIME
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Raise cybercrime awareness in the Indo-Pacific |
|
| 3.01 Deliver cybercrime awareness training across the Indo-Pacific through public-private partnerships and the refreshed Cyber Safety Pasifika program SHORT TERM |
AFP |
| AUSTRALIA’S PRIORITY Assist Indo-Pacific countries to strengthen their cybercrime legislation |
|
| 3.02 Promote the Budapest Convention as a best practice model for legislative responses to cybercrime and support accession to the Convention across the Indo-Pacific ONGOING |
DFAT AGD AFP |
| 3.03 Be active in the negotiation of an Additional Protocol to the Budapest Convention on trans-border access to information MEDIUM TERM |
AGD |
| 3.04 Work with the Pacific Islands Law Officers' Network to help strengthen cybercrime legislation in the region ONGOING |
AGD DFAT |
| AUSTRALIA’S PRIORITY Deliver cybercrime law enforcement and prosecution capacity building in the Indo-Pacific |
|
| 3.05 Provide cybercrime training to law enforcement officers, prosecutors and judges across the Indo-Pacific ONGOING |
AFP DFAT AGD |
| AUSTRALIA’S PRIORITY Enhance diplomatic dialogue and international information sharing on cybercrime |
|
| 3.06 Seek further opportunities to participate in strategic-level engagement on combatting transnational cybercrime SHORT TERM |
DFAT |
| 3.07 Share cybercrime threat information and enhance operational collaboration with international partners to fight transnational crime ONGOING |
AFP ACIC AUSTRAC |
INTERNATIONAL SECURITY & CYBERSPACE
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Set clear expectations for state behaviour in cyberspace |
|
| 4.01 Periodically publish Australia's position on the application of relevant international law to state conduct in cyberspace (the first such publication is in Annex A) ONGOING |
DFAT AGD |
| 4.02 Facilitate advanced policy development and promote informed public discussion on acceptable state behaviour in cyberspace through engagement with academics and experts in this field ONGOING |
DFAT AGD Defence |
| 4.03 Seek high-level reaffirmations from states that they will act in accordance with international law and identified norms of responsible state behaviour in cyberspace ONGOING |
DFAT |
| 4.04 Partner with countries in the Indo-Pacific to advance our combined understanding of how international law and norms of responsible state behaviour apply in cyberspace through bilateral engagement and regional and multilateral forums ONGOING |
DFAT |
| AUSTRALIA’S PRIORITY Implement practical confidence building measures to prevent conflict |
|
| 4.05 Develop a framework to exchange policy and diplomatic contacts, including bilaterally, to facilitate communication in times of crisis or tension arising from significant cyber incidents that have the potential to threaten international peace, security and stability MEDIUM TERM |
DFAT ACSC |
| 4.06 Work with regional organisations to conduct risk reduction workshops to enhance our capacity to manage and respond to cyber incidents that threaten international peace, security and stability, including exercising national and regional responses to severe cyber incidents SHORT TERM |
DFAT ACSC |
| 4.07 Hold cyber policy dialogues to discuss and work with partners to achieve priority goals on international cyber issues, including international law, norms of responsible state behaviour and confidence building measures ONGOING |
DFAT |
| 4.08 Foster recognition through diplomatic outreach and defence engagement that military offensive cyber capabilities are subject to the same limitations and obligations as any other military capability ONGOING |
DFAT Defence ASD |
| AUSTRALIA’S PRIORITY Deter and respond to unacceptable behaviour in cyberspace |
|
| 4.09 Review Australia's range of options to deter and respond to unacceptable behaviours in cyberspace, particularly those involving state actors and their proxies MEDIUM TERM |
PM&C DFAT AGD ASD |
| 4.10 Undertake diplomatic action to support an international cooperative architecture that promotes stability and responds to and deters unacceptable behaviour in cyberspace MEDIUM TERM |
DFAT |
INTERNET GOVERNANCE & COOPERATION
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Advocate for a multi-stakeholder approach to Internet governance that is inclusive, consensus-based, transparent and accountable |
|
| 5.01 Advocate for an open, free and secure Internet, underpinned by a multi-stakeholder approach to Internet governance and cooperation ONGOING |
DFAT DoCA |
| 5.02 Support an annual community-led Australian Internet governance and cooperation forum SHORT TERM |
DoCA DFAT |
| 5.03 Outline Australia's strong commitment to fostering fair and effective competition online, emphasising a preference for general competition law ONGOING |
DoCA ACCC DFAT |
| AUSTRALIA’S PRIORITY Oppose efforts to bring the management of the Internet under government control |
|
| 5.04 Oppose efforts to bring the management of the Internet under government control ONGOING |
DoCA DFAT |
| AUSTRALIA’S PRIORITY Raise awareness across the Indo-Pacific of Internet governance issues and encourage engagement of regional partners in Internet governance and cooperation discussions |
|
| 5.05 Build the capacity of Indo-Pacific partners to engage in regional and international discussion on Internet governance and cooperation MEDIUM TERM |
DoCA DFAT |
HUMAN RIGHTS & DEMOCRACY ONLINE
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Advocate for the protection of human rights and democratic principles online |
|
| 6.01 Advocate to uphold and protect human rights and democratic freedoms online ONGOING |
DFAT DoCA |
| 6.02 Share concerns about, and aim to prevent, undue restrictions of human rights online as well as cyber-enabled interference in democratic processes ONGOING |
DFAT |
| 6.03 Fund capacity building in the Indo-Pacific to raise awareness of states' human rights obligations online MEDIUM TERM |
DFAT |
| AUSTRALIA’S PRIORITY Support international efforts to promote and protect human rights online |
|
| 6.04 Support non-government organisations that defend human rights online MEDIUM TERM |
DFAT |
| AUSTRALIA’S PRIORITY Ensure respect for and protection of human rights and democratic principles online are considered in all Australian aid projects with digital technology components |
|
| 6.05 Provide guidance to ensure that human rights online are protected in Australian aid and non-government projects with digital technology components SHORT TERM |
DFAT |
TECHNOLOGY FOR DEVELOPMENT
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Improve connectivity and access to the Internet across the Indo-Pacific, in collaboration with international organisations, regional governments and the private sector |
|
| 7.01 Partner with international organisations, regional governments, development banks and the private sector to improve Internet accessibility in the Indo-Pacific LONG TERM |
DFAT DoCA |
| 7.02 Work with partner countries in the Indo-Pacific to develop domestic regulatory, legal and institutional frameworks that support competitive telecommunications sectors MEDIUM TERM |
DFAT DoCA |
| 7.03 Promote digital inclusion across the Indo-Pacific through educational programs, leadership initiatives and strategic partnerships LONG TERM |
DFAT |
| AUSTRALIA’S PRIORITY Encourage the use of resilient development-enabling technologies for e-governance and the digital delivery of services |
|
| 7.04 Work with partner governments, the private sector and financial institutions across the Indo-Pacific to promote e-governance, online service delivery and innovative uses of technology for enhanced economic opportunity and sustainable development MEDIUM TERM |
DFAT Austrade |
| 7.05 Provide guidance to ensure that digital technologies used in, or provided to, Australian aid and non-government projects are safe and resilient SHORT TERM |
DFAT |
| AUSTRALIA’S PRIORITY Support entrepreneurship, digital skills and integration into the global marketplace |
|
| 7.06 Work with public and private sector partners to encourage businesses and entrepreneurs to find solutions to regional development challenges using innovative technologies SHORT TERM |
DFAT (AustCyber) Austrade CSIRO |
| 7.07 Partner with regional governments, multilateral forums and educational institutions to build digital-ready workforces and support digital upskilling across the Indo-Pacific SHORT TERM |
DFAT |
| 7.08 Support new technologies and tools for developing countries to facilitate digital trade, including improvements in policy and customs practices and better access to trade finance MEDIUM TERM |
DFAT DIIS |
| 7.09 Focus Australian Aid for Trade efforts on connecting small businesses and women entrepreneurs in developing countries to digital economy opportunities and global supply chains ONGOING |
DFAT Austrade |
COMPREHENSIVE & COORDINATED CYBER AFFAIRS
| Australia's Actions | Lead Agency |
|---|---|
| AUSTRALIA’S PRIORITY Enhance understanding of Australia's comprehensive cyber affairs agenda |
|
| 8.01 Promote Australia's vision of comprehensive cyber affairs through ongoing diplomatic engagement ONGOING |
DFAT |
| 8.02 Create a Cyber Affairs Curriculum for Australia's international representatives through DFAT's Diplomatic Academy SHORT TERM |
DFAT |
| AUSTRALIA’S PRIORITY Increase funding for Australia's international cyber engagement activities |
|
| 8.03 Fund new international cyber engagement projects in the Indo-Pacific through the Cyber Cooperation Program ONGOING |
DFAT |
| AUSTRALIA’S PRIORITY Coordinate and prioritise Australia's international cyber engagement activities |
|
| 8.04 Establish a quarterly whole-of-Government meeting, convened by the Ambassador for Cyber Affairs, to coordinate and prioritise Australia's international cyber activities SHORT TERM |
DFAT |
| 8.05 Establish an Industry Advisory Group that meets biannually to facilitate public-private collaboration on Australia's international cyber engagement SHORT TERM |
DFAT Austrade DIIS CERT Australia |