Australia’s International Cyber Engagement Strategy: consequences in cyberspace
4 Oct 2017

The role of cyberspace in contemporary grand strategy is undeniable. US–Russian relations are now plagued by debates over online influence operations, while China is formulating plans to become a ‘cyber superpower’.

As the strategic significance of cyberspace increases, more groups are exerting power through it. The potential for cyber activities to create misperception, miscalculation and even conflict between states increases as those groups become further emboldened.

Today, Australia released its first International Cyber Engagement Strategy, which sets out our ambitious cyber affairs agenda for the next three years. Cyberspace is an enabler of digital benefits, such as economic growth through digital trade and the achievement of sustainable development goals. However, those wins can’t be attained unless cyberspace remains a domain for cooperation and collective benefit.

For this reason, a central ambition of Australia’s strategy is to maintain a stable and peaceful online environment.

The rules have been agreed. We have established clear expectations for state behaviour in cyberspace. International law has developed over centuries, and while the domain may be comparatively new, the rules are not. As agreed in 2013 by the UN Group of Government Experts, international law applies in cyberspace (PDF).

Our new strategy makes a strong statement about exactly how we think international law applies to cyberspace, and commits Australia to periodically publishing updates on this position as technology and the global discussion evolve.

Existing international law can be usefully complemented by agreed norms of behaviour. The 11 non-binding norms (PDF) agreed by the 2015 UN Group of Government Experts establish clear standards of conduct. In 2015, the G20 also agreed that no country should conduct or support ICT-enabled theft of intellectual property for competitive commercial advantage. Those norms promote predictability, stability and security.

Along with risk reduction and cooperation measures, increasing transparency is a useful way to build collective confidence that agreed norms are being adhered to. Australia advocates a more mature and transparent conversation about what states are doing in cyberspace.

The history of military affairs reflects the history of technological innovation, and it’s unsurprising that more and more states are looking to add cyber capabilities to their military tool kits. In and of itself that’s not a concern—provided that states acknowledge that military activities in cyberspace are governed by the same set of rules as military activities in the physical domains.

The strategy sets out information on the conduct and authorisation of Australia’s offensive cyber capability in support of military operations in more detail than ever before. Acknowledgement that Australia and other states are developing cyber capabilities doesn’t contradict our commitment to maintaining a peaceful and stable online environment. In fact, acknowledging the existence of those capabilities fosters the understanding that, just like in the physical domains, states’ activities in cyberspace don’t occur in a vacuum. States have rights, but they also have obligations.

Recognition that states have legitimate rights to develop and use cyber capabilities must go hand in hand with recognition that states are obliged to ensure that their use of cyber capabilities fits with international law and norms of acceptable behaviour.

It’s important that there be consequences for those who act contrary to this consensus. We need to deter and respond to unacceptable behaviour in cyberspace.

Ultimately, these rules of the road only work if they are adhered to. And, increasingly, states are testing the limits. Whether it be flagrantly breaching basic agreements or incrementally undermining goodwill online, malicious actors are pushing the boundaries. State use of proxies is blurring the borders between state and non-state actors online, and cybercrime is further complicating the landscape.

A strong cyber security posture ensures that Australia can discourage, detect, respond to and contain malicious cyber activity.

There’s also a need to develop an architecture for cooperation among states. In implementing the strategy, Australia will do just that. We will work with partners to strengthen and coordinate global responses to serious cyber incidents. We need to respond to malicious actors in a timely manner, within the framework of international law. Achieving that cooperation requires creative thinking to build a flexible range of existing and novel response tools, and a nimble coordination mechanism to implement them effectively.

Australia’s responses to malicious cyber activity could include law enforcement or diplomatic, economic or military measures, as appropriate for the circumstances. That could include, but isn’t restricted to, offensive cyber capabilities that disrupt, deny or degrade the computers or computer networks of adversaries. Regardless of context, Australia’s response would be proportionate to the circumstances, would comply with domestic law, and would be consistent with our support for the international rules-based order and our obligations under international law.

Australia’s new strategy puts us at the forefront of international efforts to promote and protect a peaceful and stable online environment—on which we all depend.

Well-known Australian individuals have lent their voices to amplify each theme of the strategy. The key messages of the international security chapter are outlined by Ambassador Feakin in a short explainer video, and echoed by Peter Jennings, our Chapter Champion for international security.