As per its 2017 International Cyber Engagement Strategy (Strategy), Australia recognises that existing international law such as the United Nations Charter provides the framework for responsible state behaviour in cyberspace.
Due to the complexity of activities conducted in cyberspace, Australia acknowledges the challenges as to how international law applies, and aims to make its views on the applicability of international law public, including in its Strategy and supplementary material.
The United Nations Charter
The United Nations Charter (Charter) and associated international laws apply to activities conducted in cyberspace:
- Article 2(3) of the Charter requires states to seek the peaceful settlement of disputes
- Article 2(4) prohibits the threat or use of force by a state against the territorial integrity or political independence of another state, or in any manner inconsistent with the purposes of the UN.
When can force legally be used?
Whilst Australia recognises in its Strategy that it abides by the Charter, the complexity, rapidity and concealed nature of cyber attacks raises new challenges for the application of established principles.
These challenges have been raised by Australia in the context of self-defence against national security threats that have evolved as a result of technological advances.
As per the UN Charter, a use of force will be lawful when:
- The territorial state consents
- It is authorised by the Security Council under Chapter VII of the Charter
- When it is taken pursuant to a state’s inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter.
Therefore, if a foreign cyber operation presents a significant threat equivalent to a traditional armed attack, then the inherent right to self-defence is engaged.
Harmful conduct in cyberspace that does not constitute a use of force may still constitute the right to intervene. An example is the use by a hostile State of cyber operations to manipulate the electoral system to alter the results of an election in another State.
Human rights considerations in cyberspace
International human rights law (IHRL) also applies to the use of cyberspace. In the supplement to its Strategy (Annex A), DFAT says that “States have obligations to protect relevant human rights of individuals under their jurisdiction, including the right to privacy, where those rights are exercised or realised through or in cyberspace.”
Therefore, if a cyber operation presents the same level of threat as a traditional attack, under IHRL, the rules governing such attacks during armed conflict will apply to those kinds of cyber operations.
Holding others accountable
In accordance with Australia’s compliance with international law, an important principle is working to hold foreign States accountable for malicious cyber activity. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners.
A recent example is the Australian Government’s attribution of cyber incidents to Russia. In an October 2018 media release, Prime Minister Scott Morrison stated that “By embarking on a pattern of malicious cyber behaviour, Russia has shown a total disregard for the agreements it helped to negotiate” and that “Australia’s International Cyber Engagement Strategy recognises that there must be consequences for those who act contrary to the consensus on international law and norms.”
Australia abides by international law including the UN Charter, in establishing its position regarding international cyber affairs. If Australia becomes a victim of malicious cyber activity by a foreign State, it may be able to take countermeasures which would otherwise be unlawful, to respond to the other States’ malicious activity.