Security icon

International Peace & Stability

Australia will: shape the development and use of critical technology, including cyberspace, to support international peace and stability

Australia will do this by:

Action 15. Setting clear expectations for responsible state behaviour
Action 16. Deterring malicious activity enabled by critical technologies, including cyberspace, and responding when it is in our national interests
Action 17. Cooperating with other states to hold to account those that engage in unacceptable behaviour
Action 18. Implementing practical confidence building measures to promote international peace and stability and prevent conflict

Critical technologies, including cyberspace, have had, and continue to have, a positive impact on international peace and stability. However, the ways in which critical technologies may be used to undermine international peace and stability are proliferating. International cooperation is vital to ensure critical technologies continue to support a peaceful and stable international environment.

Since the release of the 2017 International Cyber Engagement Strategy, states have continued to pursue activities in cyberspace that challenge the rules-based international order. We are seeing similar behaviour with critical technologies as states compete for strategic dominance in an increasingly competitive international environment.

The risks of malicious misuse of technologies can contribute to increasing strategic instability that, if unchecked, increases the risk of misperceptions and miscalculations between states that might escalate to conflict. Australia's focus in maintaining international peace and stability is on the use (or misuse) of critical technologies, rather than regulating the technologies themselves. Our endeavours in this regard recognise and consider the gender dimensions that underpin international peace and security.

Universal endorsement of the Framework for Responsible State Behaviour in Cyberspace represents good progress towards promoting international peace and stability in cyberspace; states should consider the structure of this Framework when agreeing on responsible states' use of critical technologies. If adhered to, existing international law, complemented by voluntary norms of responsible state behaviour, CBMs and capacity building, provides a robust framework to address the threats posed by state-generated and state-sponsored malicious cyber activity.

The priority now is deepening understanding and practical implementation of this Framework, and ensuring accountability when states disregard their obligations and responsibilities.

WOMEN, PEACE AND SECURITY

As a global leader on the Women, Peace and Security (WPS) agenda, Australia strongly advocates for the meaningful participation of women in all stages of conflict prevention, crisis management and peacebuilding, bringing their unique experiences of conflict and crises to promote stability, social cohesion and sustainable peace.

 

Responsible state behaviour

INTERNATIONAL LAW

Existing international law is applicable to state conduct in cyberspace – the focus of the international community is now on articulating how it applies.

Australia has articulated its views on how particular principles of international law apply to state conduct in cyberspace (2017; 2019) and published hypothetical legal case studies (2020) (Annex A to this Strategy combines those previously published positions). This forms part of Australia's efforts to publish our views on how international law applies to state conduct in cyberspace. To foster common understandings, we urge all countries to do the same; developing and articulating national positions on existing international law will equip states to exchange views and deepen common understandings of how existing international law applies in cyberspace.

Just as existing international law applies to cyberspace, existing international law – including the UN Charter in its entirety – applies to the design, development and use of critical technologies by states. Australia is committed to working with international partners, and with industry, civil society and the research community, to strengthen understanding of how international law applies to the development and use of critical technologies.

Australia is committed to supporting countries to develop national positions on how international law applies to the design, development and use of critical technologies as necessary, as well as to state conduct in cyberspace.

Australia reaffirms our commitment to act in accordance with the recommendations of UN Group of Governmental Experts, as endorsed by the General Assembly, and we call on all countries to do the same.

Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, address to the UN Security Council Arria-Formula Meeting: Cyber Stability, Conflict Prevention and Capacity Building, May 2020.

NORMS OF RESPONSIBLE STATE BEHAVIOUR

International law does not stand alone. Recognising the unique attributes of cyberspace, in 2015 all states agreed to be guided in their use of ICTs by eleven voluntary and non-binding norms of responsible state behaviour in cyberspace. These norms complement, but do not replace states' existing legal obligations. Combined, they establish clear expectations of responsible behaviour. By signalling acceptable behaviour for states, international law and norms promote predictability, stability and security.

To be effective, the eleven agreed norms must be implemented by all countries. Practical guidance supported by coordinated capacity building, is needed so that all countries are in a position to implement the agreed norms. In support of this, Australia has published non-exhaustive examples of the ways in which Australia observes the eleven norms.

Australia – through our Cyber and Critical Technology Cooperation Program – will continue to support targeted capacity building to ensure that ASEAN and Pacific Island countries are able to respond to the challenges and embrace the opportunities that cyberspace and critical technologies provide. This includes: providing assistance to help countries identify and fill gaps in norm implementation, or to support active engagement in discussions on the articulation of norms in relation to critical technology; and supporting countries to implement CBMs.

UN GROUP OF GOVERNMENTAL EXPERTS AND UN OPEN ENDED WORKING GROUP

Australia is actively involved in two UN processes discussing responsible state behaviour in cyberspace – a sixth Group of Governmental Experts (GGE) [A/RES/73/266] and an inaugural Open Ended Working Group (OEWG) [A/RES/73/27]. Previous iterations of the GGE developed the Framework of Responsible State Behaviour in Cyberspace, which has been endorsed by all countries, by consensus, at the United Nations General Assembly. Australia's priorities for both this GGE and the OEWG are: to deepen understandings of how existing international law and agreed norms apply; agree practical guidance on how to implement the recommendations of previous GGE reports; and, develop recommendations to better coordinate and target cyber capacity building in support of implementation. We will continue to actively engage in these processes and any future iterations of multilateral discussions of responsible state behaviour in cyberspace.

As technology becomes increasingly critical to our way of life, consideration of what is acceptable state conduct will increase in importance. Australia considers that the elements of the Framework of responsible state behaviour in cyberspace could provide a model for articulating acceptable responsible state behaviour for the design, development and use of particular critical technologies. For instance, it may be appropriate, in particular contexts, for states to clarify how existing international law applies to states' use of a particular critical technology, or to consider the value of agreeing complementary voluntary non-binding norms with respect to that technology. Australia will support and shape these discussions in line with our values, national interests, the international rules-based order, and our commitment to maintaining a peaceful and stable international environment.

Deter and respond to unacceptable behaviour

Some state and state-sponsored actors increasingly flout international law and norms, in spite of the clear expectations set by the international community of responsible behaviour in cyberspace. In doing so, they threaten international peace and stability.

Deterring malicious cyber activity protects our national interests, maintains international stability and promotes continued global economic growth. The objective of Australia's cyber deterrence efforts is to prevent cyber activity that is damaging to Australia and detrimental to our interests, including those of our partners.

As responsible states that uphold the international rules-based order, we recognize our role in safeguarding the benefits of a free, open, and secure cyberspace for future generations. When necessary, we will work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law. There must be consequences for bad behaviour in cyberspace.

Joint Statement on Responsible State Behaviour in Cyberspace, 23 September 2019

AUSTRALIA'S STATEMENT OF PRINCIPLES ON CYBER DETERRENCE

We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation. Our actions are lawful and aligned with the values we seek to uphold and will therefore be proportionate, always contextual and collaborative. We can choose not to respond.

Australia's cyber deterrence posture consists of four core elements.

  1. Denial practices – Australia will ensure that we can discourage, detect, disrupt and contain malicious cyber behaviour thereby increasing the cost and reducing the benefits for perpetrators.
  2. Signalling – Australia will provide clear, consistent and credible messages to demonstrate our willingness and ability to impose costs on those who carry out malicious cyber activity.
  3. Responses – Australia will respond to malicious activity in cyberspace, just as we will to any other malicious activity against Australia's interests. Australia's responses to malicious cyber activity could comprise law enforcement or diplomatic, economic or military measures as appropriate. Australia will only respond when it is in our national interests to do so and responses will not always be public. The objective of responding is to promote responsible state behaviour, thereby protecting a peaceful and stable international environment.
  4. International cooperation – Australia will work with other states to strengthen global responses to unacceptable behaviour. Our ability to deter and respond to malicious cyber activities is stronger when we act in concert with our allies and partners. International coordination and information sharing on attribution, signalling and responses creates a force multiplier effect.

Australia's responses to malicious cyber activity could comprise law enforcement or diplomatic, economic or military measures as appropriate. Our ability to deter and respond to malicious cyber activity is founded on the strength of our cyber security posture. The Government's significant investment in this capability ensures Australia can discourage, detect, respond to and contain malicious cyber activity that affects our national security and interests (see Cyber Security on page 48).

Just as we act to deter and respond to malicious activity in cyberspace, so too will we work to prevent other technologies being used to undermine our national security and international peace and stability. Consistent with our established cyber deterrence posture, Australia will similarly develop and define our approach to deterring the irresponsible use of critical technology.

PUBLIC ATTRIBUTIONS BY AUSTRALIA

Public attribution of malicious cyber activities to states is one tool in Australia's toolkit of responses. Since 2017, Australia has worked with international partners and attributed malicious cyber activity to state actors on nine occasions:

  • December 2017, Australia attributed the 'WannaCry' ransomware campaign to the Democratic People's Republic of Korea
  • February 2018, Australia attributed the 'NotPetya' malware attacks on critical infrastructure and businesses to Russia
  • April 2018, Australia attributed the worldwide targeting of Cisco routers to Russian state-sponsored actors
  • August 2018, Australia called-out Iran for a spear-phishing campaign against Australian universities. This followed an earlier attribution by the United Kingdom and the United States
  • October 2018, Australia attributed a pattern of malicious cyber activities and, separately, cyber operations against OPCW and MH17 investigations to Russia
  • December 2018, Australia attributed to China a global campaign of malicious cyber activity targeting Managed Service Providers, including in Australia
  • February 2020, Australia attributed to Russia a malicious cyber operation targeting Georgia
  • July 2020, Australia attributed to Russian actors malicious cyber activity targeting organisations involved in COVID-19 vaccine development.
  • April 2021, Australia attributed to Russian state actors malicious cyber activity targeting US software firm, Solarwinds.

Confidence building measures

Australia will continue to develop and implement Confidence Building Measures (CBMs) to reduce the risk of conflict stemming from the malicious use of cyberspace by promoting trust and assurance among states, increasing inter-state cooperation, and promoting transparency, predictability and stability. We will expand this work to incorporate consideration of critical technologies.

This includes transparency measures such as participating in policy dialogues, discussion on the rights and obligations of states in the use of offensive cyber and critical technology capabilities. We will also encourage countries to develop and publish their own cyber and critical technology international engagement strategies.

CONFIDENCE BUILDING MEASURES – PROMOTING TRANSPARENCY ON OFFENSIVE CYBER CAPABILITIES

Australia recognises the legitimate right of countries to develop offensive cyber capabilities. Many countries already have, and more are in the process of developing, these capabilities. Australia is one of a few countries that has publicly declared that we develop and use such capabilities. Australian cyber operations comply with Australian law and are conducted in accordance with international law – including the UN Charter in its entirety – as well as agreed norms of responsible state behaviour.

We recognise that, similar to other military capabilities, details of specific capabilities and operations will need to remain classified. However, Australia is transparent about the existence of our offensive cyber capabilities in order to foster a more mature conversation about the rights and obligations that govern their use, particularly the cumulative reports of the UN GGEs, as endorsed by consensus by the UN General Assembly [A/RES/65/41; A/RES/68/243; A/RES/70/237].

Australia encourages other countries to be similarly transparent about their capabilities and unequivocal in their commitment to act in accordance with the agreed Framework for Responsible State Behaviour – transparency breeds accountability, predictability and stability.

Australia will continue to develop and promote risk reduction measures, to build confidence in states' ability to respond to specific instances of malicious cyber activity without escalation.

We will also continue to engage in cooperative measures, to promote collaboration between countries, based on a mutual commitment to improve resilience and reinforce a peaceful and stable online environment. This includes, for example, information exchange on best practices, such as through our Cyber Bootcamp Project for selected ASEAN and Pacific countries.

THE UNITED NATIONS (UN) FRAMEWORK FOR RESPONSIBLE STATE BEHAVIOUR IN CYBERSPACE

All members of the UN have agreed, by consensus, that existing international law – in particular, the Charter of the UN in its entirety – is applicable in cyberspace and essential to maintaining peace and stability and promoting an open, secure, stable, accessible and peaceful ICT environment [see UNGA resolutions A/RES/68/243; A/RES/70/237]. All states have also endorsed 11 voluntary non binding norms of responsible state behaviour, and recognised the need for confidence building measures (CBMs) and coordinated capacity building. Combined, these measures (international law, norms, CBMs and capacity building) provide the basis for a secure, stable and prosperous cyberspace, and are often referred to as the UN Framework for Responsible State Behaviour (the Framework). Each element of the Framework is mutually reinforcing and no one element should be considered in isolation.

UN GROUP OF GOVERNMENTAL EXPERTS ON LETHAL AUTONOMOUS WEAPONS SYSTEMS (LAWS)

The open-ended UN Group of Governmental Experts (GGE) process underway within the Convention on Certain Conventional Weapons (CCW) was established in 2016 to examine emerging technologies in the area of lethal autonomous weapons systems (LAWS) in the context of the objectives and purposes of the CCW. This process reflects international recognition that the peace and stability dimensions of incorporating emerging technologies such as Artificial Intelligence and robotics into military capabilities must be considered by the international community. Australia welcomes the affirmation by the GGE on LAWS that international humanitarian law continues to apply fully to all weapons systems, including LAWS. We will continue to support processes that strengthen understandings of the responsible use of specific technologies in the context of international peace and stability.

PUBLIC ATTRIBUTIONS BY AUSTRALIA

Public attribution of malicious cyber activities to states is one tool in Australia's toolkit of responses. Since 2017, Australia has worked with international partners and attributed malicious cyber activity to state actors on nine occasions:

  • December 2017, Australia attributed the 'WannaCry' ransomware campaign to the Democratic People's Republic of Korea
  • February 2018, Australia attributed the 'NotPetya' malware attacks on critical infrastructure and businesses to Russia
  • April 2018, Australia attributed the worldwide targeting of Cisco routers to Russian state-sponsored actors
  • August 2018, Australia called-out Iran for a spear-phishing campaign against Australian universities. This followed an earlier attribution by the United Kingdom and the United States
  • October 2018, Australia attributed a pattern of malicious cyber activities and, separately, cyber operations against OPCW and MH17 investigations to Russia
  • December 2018, Australia attributed to China a global campaign of malicious cyber activity targeting Managed Service Providers, including in Australia
  • February 2020, Australia attributed to Russia a malicious cyber operation targeting Georgia
  • July 2020, Australia attributed to Russian actors malicious cyber activity targeting organisations involved in COVID-19 vaccine development.
  • April 2021, Australia attributed to Russian state actors malicious cyber activity targeting US software firm, Solarwinds.

ASEAN REGIONAL FORUM POINT-OF-CONTACT DATABASE

Australia and Malaysia's proposal for an ASEAN Regional Forum (ARF) cyber points of contact directory was approved by Ministers in 2020. The directory is a simple, voluntary confidence building measure, consisting of relevant points of contact from participating ARF members. The directory is a foundational risk reduction measure which seeks to facilitate near real time communication in the event of ICT security incidents of potential regional security significance.

Latest News

Foreign Minister’s Foreword

Australia Joins International Partners in Attribution of Malicious Cyber Activity to China

19 Jul 2021

JOINT MEDIA STATEMENT

 

The Hon Karen Andrews MP, Minister for Home Affairs

Senator The Hon Marise Payne, Minister for Foreign Affairs, Minister for Women

Foreign Minister’s Foreword

Minister Payne Statement: Attribution of Cyber Incident to Russia

16 Apr 2021

The Australian Government joins international partners to support the US statement of 15 April 2021 to hold Russia to account for its harmful cyber campaign against US Software firm, SolarWinds.

In consultation with…

Democratic Principles
Human Rights
Ethics of Critical Technology
Diversity and Gender Equality
International Peace and Stability
Disinformation & Misinformation
Cyber Security
Cyber Crime
Online Harms & Safety
Regional Connectivity
Digital Trade
Markets and Supply Chains
Critical Technology Standards
Research, Industry and Innovation
Internet Governance
International
Indo-Pacific
South East Asia
Pacific
Indonesia
India
Papua New Guinea
ASEAN
Attribution
United Nations
Artificial Intelligence
Ambassador for Cyber Affairs and Critical Technology
Incident response
Critical Technology
Cyber Affairs
Multilateral engagement
Bilateral engagement
Partnerships and agreements
Standards
5G
Connectivity
International law and norms
Confidence building measures
Values
Security
Prosperity
Regulation and governance
Quantum computing
Blockchain
Online safety
Electoral integrity
Cyber and Critical Technology Cooperation Program
Digital Trade
2017 International Cyber Engagement Strategy
Grant
Capacity building
Women in Cyber
News and announcements
Media