Critical technologies, including cyberspace, have had, and continue to have, a positive impact on international peace and stability. However, the ways in which critical technologies may be used to undermine international peace and stability are proliferating. International cooperation is vital to ensure critical technologies continue to support a peaceful and stable international environment.
Since the release of the 2017 International Cyber Engagement Strategy, states have continued to pursue activities in cyberspace that challenge the rules-based international order. We are seeing similar behaviour with critical technologies as states compete for strategic dominance in an increasingly competitive international environment.
The risks of malicious misuse of technologies can contribute to increasing strategic instability that, if unchecked, increases the risk of misperceptions and miscalculations between states that might escalate to conflict. Australia's focus in maintaining international peace and stability is on the use (or misuse) of critical technologies, rather than regulating the technologies themselves. Our endeavours in this regard recognise and consider the gender dimensions that underpin international peace and security.
The priority now is deepening understanding and practical implementation of this Framework, and ensuring accountability when states disregard their obligations and responsibilities.
Responsible state behaviour
Existing international law is applicable to state conduct in cyberspace – the focus of the international community is now on articulating how it applies.
Australia has articulated its views on how particular principles of international law apply to state conduct in cyberspace (2017; 2019) and published hypothetical legal case studies (2020) (Annex A to this Strategy combines those previously published positions). This forms part of Australia's efforts to publish our views on how international law applies to state conduct in cyberspace. To foster common understandings, we urge all countries to do the same; developing and articulating national positions on existing international law will equip states to exchange views and deepen common understandings of how existing international law applies in cyberspace.
Just as existing international law applies to cyberspace, existing international law – including the UN Charter in its entirety – applies to the design, development and use of critical technologies by states. Australia is committed to working with international partners, and with industry, civil society and the research community, to strengthen understanding of how international law applies to the development and use of critical technologies.
Australia is committed to supporting countries to develop national positions on how international law applies to the design, development and use of critical technologies as necessary, as well as to state conduct in cyberspace.
Australia reaffirms our commitment to act in accordance with the recommendations of UN Group of Governmental Experts, as endorsed by the General Assembly, and we call on all countries to do the same.
Dr Tobias Feakin, Ambassador for Cyber Affairs and Critical Technology, address to the UN Security Council Arria-Formula Meeting: Cyber Stability, Conflict Prevention and Capacity Building, May 2020.
NORMS OF RESPONSIBLE STATE BEHAVIOUR
International law does not stand alone. Recognising the unique attributes of cyberspace, in 2015 all states agreed to be guided in their use of ICTs by eleven voluntary and non-binding norms of responsible state behaviour in cyberspace. These norms complement, but do not replace states' existing legal obligations. Combined, they establish clear expectations of responsible behaviour. By signalling acceptable behaviour for states, international law and norms promote predictability, stability and security.
To be effective, the eleven agreed norms must be implemented by all countries. Practical guidance supported by coordinated capacity building, is needed so that all countries are in a position to implement the agreed norms. In support of this, Australia has published non-exhaustive examples of the ways in which Australia observes the eleven norms.
Australia – through our Cyber and Critical Technology Cooperation Program – will continue to support targeted capacity building to ensure that ASEAN and Pacific Island countries are able to respond to the challenges and embrace the opportunities that cyberspace and critical technologies provide. This includes: providing assistance to help countries identify and fill gaps in norm implementation, or to support active engagement in discussions on the articulation of norms in relation to critical technology; and supporting countries to implement CBMs.
UN GROUP OF GOVERNMENTAL EXPERTS AND UN OPEN ENDED WORKING GROUP
Australia is actively involved in two UN processes discussing responsible state behaviour in cyberspace – a sixth Group of Governmental Experts (GGE) [A/RES/73/266] and an inaugural Open Ended Working Group (OEWG) [A/RES/73/27]. Previous iterations of the GGE developed the Framework of Responsible State Behaviour in Cyberspace, which has been endorsed by all countries, by consensus, at the United Nations General Assembly. Australia's priorities for both this GGE and the OEWG are: to deepen understandings of how existing international law and agreed norms apply; agree practical guidance on how to implement the recommendations of previous GGE reports; and, develop recommendations to better coordinate and target cyber capacity building in support of implementation. We will continue to actively engage in these processes and any future iterations of multilateral discussions of responsible state behaviour in cyberspace.
As technology becomes increasingly critical to our way of life, consideration of what is acceptable state conduct will increase in importance. Australia considers that the elements of the Framework of responsible state behaviour in cyberspace could provide a model for articulating acceptable responsible state behaviour for the design, development and use of particular critical technologies. For instance, it may be appropriate, in particular contexts, for states to clarify how existing international law applies to states' use of a particular critical technology, or to consider the value of agreeing complementary voluntary non-binding norms with respect to that technology. Australia will support and shape these discussions in line with our values, national interests, the international rules-based order, and our commitment to maintaining a peaceful and stable international environment.
Deter and respond to unacceptable behaviour
Some state and state-sponsored actors increasingly flout international law and norms, in spite of the clear expectations set by the international community of responsible behaviour in cyberspace. In doing so, they threaten international peace and stability.
Deterring malicious cyber activity protects our national interests, maintains international stability and promotes continued global economic growth. The objective of Australia's cyber deterrence efforts is to prevent cyber activity that is damaging to Australia and detrimental to our interests, including those of our partners.
As responsible states that uphold the international rules-based order, we recognize our role in safeguarding the benefits of a free, open, and secure cyberspace for future generations. When necessary, we will work together on a voluntary basis to hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law. There must be consequences for bad behaviour in cyberspace.
Joint Statement on Responsible State Behaviour in Cyberspace, 23 September 2019
Australia's cyber deterrence posture consists of four core elements.
- Denial practices – Australia will ensure that we can discourage, detect, disrupt and contain malicious cyber behaviour thereby increasing the cost and reducing the benefits for perpetrators.
- Signalling – Australia will provide clear, consistent and credible messages to demonstrate our willingness and ability to impose costs on those who carry out malicious cyber activity.
- Responses – Australia will respond to malicious activity in cyberspace, just as we will to any other malicious activity against Australia's interests. Australia's responses to malicious cyber activity could comprise law enforcement or diplomatic, economic or military measures as appropriate. Australia will only respond when it is in our national interests to do so and responses will not always be public. The objective of responding is to promote responsible state behaviour, thereby protecting a peaceful and stable international environment.
- International cooperation – Australia will work with other states to strengthen global responses to unacceptable behaviour. Our ability to deter and respond to malicious cyber activities is stronger when we act in concert with our allies and partners. International coordination and information sharing on attribution, signalling and responses creates a force multiplier effect.
Australia's responses to malicious cyber activity could comprise law enforcement or diplomatic, economic or military measures as appropriate. Our ability to deter and respond to malicious cyber activity is founded on the strength of our cyber security posture. The Government's significant investment in this capability ensures Australia can discourage, detect, respond to and contain malicious cyber activity that affects our national security and interests (see Cyber Security on page 48).
Just as we act to deter and respond to malicious activity in cyberspace, so too will we work to prevent other technologies being used to undermine our national security and international peace and stability. Consistent with our established cyber deterrence posture, Australia will similarly develop and define our approach to deterring the irresponsible use of critical technology.
Confidence building measures
Australia will continue to develop and implement Confidence Building Measures (CBMs) to reduce the risk of conflict stemming from the malicious use of cyberspace by promoting trust and assurance among states, increasing inter-state cooperation, and promoting transparency, predictability and stability. We will expand this work to incorporate consideration of critical technologies.
This includes transparency measures such as participating in policy dialogues, discussion on the rights and obligations of states in the use of offensive cyber and critical technology capabilities. We will also encourage countries to develop and publish their own cyber and critical technology international engagement strategies.
Australia will continue to develop and promote risk reduction measures, to build confidence in states' ability to respond to specific instances of malicious cyber activity without escalation.
We will also continue to engage in cooperative measures, to promote collaboration between countries, based on a mutual commitment to improve resilience and reinforce a peaceful and stable online environment. This includes, for example, information exchange on best practices, such as through our Cyber Bootcamp Project for selected ASEAN and Pacific countries.