In its International Cyber Engagement Strategy (Strategy), Australia recognises that existing international law such as the United Nations Charter and associated norms provide the framework for responsible state behaviour in cyberspace.
Annex B to the Strategy covers key norms for the responsible behaviour of states in cyberspace, taken from the report of the 2015 UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.
Norms for responsible behaviour in cyberspace
A summary of the key norms is provided below:
- States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
- In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
- States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
- States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats;
- States, in ensuring the secure use of ICTs, should promote and protect human rights and privacy on the Internet;
- A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure to provide services to the public;
- States should take appropriate measures to protect their critical infrastructure from ICT threats;
- States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts;
- States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products;
- States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
- States should not conduct or knowingly support activity to harm the information systems of the authorised emergency response teams of another State, and should not use their own teams to engage in malicious international activity.
The right to self-defence
Whilst the above norms do not directly address the ability of a State to retaliate against another hostile State in cyberspace, the UN Charter provides that:
- States should seek the peaceful settlement of disputes;
- Threat or use of force by one State against another is prohibited, in any manner inconsistent with the purposes of the UN.
Whilst this seemingly leaves a lot open to interpretation, additional provisions of the Charter highlight that a use of force will be lawful in instances of self-defence where there is a significant national security threat equivalent to a traditional armed attack.
The United Nations contributes to the development of international law and norms which help to shape Australia’s approach to cyber affairs, as well as those of many other countries. It is important for States to be compliant with these measures to protect national and international security, to protect human rights and privacy, and to ensure that they are not engaging in malicious cyber activity.