The international community recognises that existing international law – and in particular the UN Charter in its entirety – is applicable to State conduct in cyberspace and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment. This includes, where applicable, the law regarding the use of force, international humanitarian law (IHL), international human rights law (IHRL), and the international law of State responsibility. The 2013 and 2015 reports of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), as adopted by the UN General Assembly, reflect this recognition.
Australia presented its position on the application of relevant international law to State conduct in cyberspace in its International Cyber Engagement Strategy (2017). This was further elaborated in 2019 through an 'International Law Supplement' to be read in conjunction with the 2017 Strategy. This Annex to the 2020 International Cyber and Critical Technology Engagement Strategy combines those positions and provides some updates.
In 2020, Australia also submitted a non-paper to the UN Open Ended Working Group on Developments in the Field of ICTs in the Context of International Security (OEWG) containing a series of case studies on the application of international law in cyberspace.
The case studies seek to demonstrate that existing treaties and customary international law provide a comprehensive and robust framework to address the threats posed by state-generated or sponsored malicious cyber activity. In particular, international law provides victim States with a 'tool kit' to identify breaches of international legal obligations, attribute those acts to the responsible State, seek peaceful resolution of disputes and, where the victim State deems appropriate, take lawful measures in response. In this way, the application of existing international law to cyberspace can enhance international peace and security by increasing the predictability of State behaviour, reducing the possibility of conflict, minimising escalation and preventing misattribution. The case studies should be read in conjunction with this Annex.
Australia recognises that activities conducted in cyberspace raise new challenges for the application of international law, including issues of sovereignty, attribution and jurisdiction, given that different actors engage in a range of cyber activities which may cross multiple national borders. To deepen understandings and set clear expectations, Australia encourages States to be transparent in how they interpret existing international law as it applies to State conduct in cyberspace. This Annex forms part of Australia's ongoing effort to make public its views on the application of international law.
1. The United Nations Charter, the law on the use of force (jus ad bellum) and the principle of non-intervention
The United Nations Charter (UN Charter) and associated rules of customary international law apply to activities conducted in cyberspace. Article 2(3) of the UN Charter requires States to seek the peaceful settlement of disputes and Article 2(4) prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any manner inconsistent with the purposes of the UN. These obligations – and the UN Charter in its entirety – apply in cyberspace as they do in the physical realm. They require States to resolve cyber incidents peacefully without escalation or resort to the threat or use of force.
The obligation to seek peaceful settlement of disputes does not impinge upon a State's inherent right to act in individual or collective self-defence in response to an armed attack. This right applies equally in the cyber domain as it does in the physical realm.
In determining whether a cyber activity constitutes a use of force, States should consider whether the activity's scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber activity, including for example whether the activity could reasonably be expected to cause serious or extensive ('scale') damage or destruction ('effects') to life, or injury or death to persons, or result in damage to the victim State's objects, critical infrastructure and/or functioning.
A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State's inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter.
Australia considers that the thresholds and limitations governing the exercise of self-defence under Article 51 apply in respect of cyber activities that constitute an armed attack and in respect of acts of self-defence that are carried out by cyber means. Thus, if a cyber activity – alone or in combination with a physical operation – results in, or presents an imminent threat of, damage equivalent to a traditional armed attack, then the inherent right to self-defence is engaged. Any use of force in self-defence must be necessary to repel the actual or imminent armed attack and be a proportionate response in scope, scale and duration. Any reliance on Article 51 must be reported directly to the UN Security Council.
The rapidity of cyber activities, as well as their potentially concealed and/or indiscriminate character, raises new challenges for the application of established principles. These challenges have been noted by Australia in explaining its position on imminence and the right of self-defence in the context of national security threats that have evolved as a result of technological advances. For example, in a speech to the University of Queensland in 2017, then Attorney-General, Senator the Hon. George Brandis QC, explained that:
'[A] state may act in anticipatory self-defence against an armed attack when the attacker is clearly committed to launching an armed attack, in circumstances where the victim will lose its last opportunity to effectively defend itself unless it acts. This standard reflects the nature of contemporary threats, as well as the means of attack that hostile parties might deploy. Consider, for example, a threatened armed attack in the form of an offensive cyber operation, ... which could cause large-scale loss of human life and damage to critical infrastructure. Such an attack might be launched in a split-second. Is it seriously to be suggested that a state has no right to take action before that split-second?'
Harmful conduct in cyberspace that does not constitute a use of force may still constitute a breach of the duty not to intervene in the internal or external affairs of another State. This obligation is encapsulated in Article 2(7) of the Charter and in customary international law.
A prohibited intervention is one that interferes by coercive means, either directly or indirectly, in matters that a State is permitted by the principle of State sovereignty to decide freely. Such matters include a State's economic, political, social systems and foreign policy. Coercive means are those that effectively deprive the State of the ability to control, decide upon or govern matters of an inherently sovereign nature. Accordingly, the use by a hostile State of cyber activities to manipulate the electoral system to alter the results of an election in another State, intervention in the fundamental operation of Parliament, or in the stability of States' financial systems would constitute a violation of the principle of non-intervention.
2. International humanitarian law (jus in bello) and international human rights law
International humanitarian law (IHL) (including the principles of humanity, necessity, proportionality and distinction) applies to cyber activities within an armed conflict.
Australia considers that, if a cyber activity rises to the same threshold as that of a kinetic 'attack' (or act of violence) under IHL, the rules governing such attacks during armed conflict will apply to those kinds of cyber activities. Applicable IHL rules will also apply to cyber activities in an armed conflict that do not constitute or rise to the level of an 'attack', including the principle of military necessity and the general protections afforded to the civilian population and individual civilians with respect to military operations.
The IHL principle of proportionality prohibits the launching of an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.
The IHL principle of military necessity states that a combatant is justified in using those measures, not forbidden by international law, which are indispensable for securing complete submission of an enemy at the soonest moment. The principle cannot be used to justify actions prohibited by law, as the means to achieve victory are not unlimited.
The IHL principle of distinction seeks to ensure that only legitimate military objects are attacked. Distinction has two components. The first, relating to personnel, seeks to maintain the distinction between combatants and non-combatants or military and civilian personnel. The second component distinguishes between legitimate military targets and civilian objects.
All Australian military capabilities are employed in line with approved targeting procedures. Cyber activities are no different. Australian targeting procedures comply with the requirements of IHL and trained legal officers provide decision-makers with advice to ensure that Australia satisfies its obligations under international law and its domestic legal requirements.
International human rights law (IHRL) also applies to State conduct in cyberspace. Under IHRL, States have obligations to protect relevant human rights of individuals under their jurisdiction, including the right to privacy, where those rights are exercised or realised through or in cyberspace. Subject to lawful derogations and limitations, States must ensure without distinction individuals' rights to privacy, freedom of expression and freedom of association online.
3. General principles of international law, including the law on State responsibility
The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations.
To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States. In this context, we note it may not be reasonable to expect (or even possible for) a State to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a State is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that State should take reasonable steps to do so consistent with international law.
Australia will, in its sole discretion, and based on its own judgement, attribute unlawful cyber activities to another State. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners. A cyber activity will be attributable to a State under international law where, for example, the activity was conducted by an organ of the State; by persons or entities exercising elements of governmental authority; or by non-State actors operating under the direction or control of the State.
If a State is a victim of malicious cyber activity, which is attributable to a perpetrator State, the victim-State may be able to take countermeasures (whether in cyberspace or through another means) under certain circumstances. Countermeasures are measures, which would otherwise be unlawful, taken to secure cessation of, or reparation for, the other State's unlawful conduct.
Countermeasures in cyberspace cannot amount to a use of force and must be proportionate. States are able to respond to other States' malicious activity with acts of retorsion, which are unfriendly acts that are not inconsistent with any of the State's international obligations.
If a State is the victim of harmful conduct in cyberspace, that State could be entitled to remedies in the form of restitution, compensation or satisfaction. In the cyber context, this may mean that the victim-State could, for example, seek replacement of damaged hardware or compensation for the foreseeable physical and financial losses resulting from the damage to servers, as well as assurances or guarantees of non-repetition.