National position of Australia (2020)

Introduction
This is the national position of Australia on international law applicable to cyber operations. Australia presented its position on the application of relevant international law to State conduct in cyberspace in its International Cyber Engagement Strategy in 2017. The position was further elaborated in 2019 through an "International Law Supplement" to be read in conjunction with the 2017 Strategy. The following position to the 2020 International Cyber and Critical Technology Engagement Strategy combines the two positions providing some updates.

Applicability of international law
"The United Nations Charter (UN Charter) and associated rules of customary international law apply to activities conducted in cyberspace. Article 2(3) of the UN Charter requires States to seek the peaceful settlement of disputes and Article 2(4) prohibits the threat or use of force by a State against the territorial integrity or political independence of another State, or in any manner inconsistent with the purposes of the UN. These obligations – and the UN Charter in its entirety – apply in cyberspace as they do in the physical realm. They require States to resolve cyber incidents peacefully without escalation or resort to the threat or use of force. The obligation to seek peaceful settlement of disputes does not impinge upon a State's inherent right to act in individual or collective self-defence in response to an armed attack. This right applies equally in the cyber domain as it does in the physical realm."

Use of force
 "In determining whether a cyber activity constitutes a use of force, States should consider whether the activity's scale and effects are comparable to traditional kinetic operations that rise to the level of use of force under international law. This involves a consideration of the intended or reasonably expected direct and indirect consequences of the cyber activity, including for example whether the activity could reasonably be expected to cause serious or extensive ('scale') damage or destruction ('effects') to life, or injury or death to persons, or result in damage to the victim State's objects, critical infrastructure and/or functioning.

A use of force will be lawful when the territorial State consents, when it is authorised by the Security Council under Chapter VII of the UN Charter, or when it is taken pursuant to a State's inherent right of individual or collective self-defence in response to an armed attack, as recognised in Article 51 of the Charter." 

Self-defence and armed attack
 "Australia considers that the thresholds and limitations governing the exercise of self-defence under Article 51 apply in respect of cyber activities that constitute an armed attack and in respect of acts of self-defence that are carried out by cyber means. Thus, if a cyber activity – alone or in combination with a physical operation – results in, or presents an imminent threat of, damage equivalent to a traditional armed attack, then the inherent right to self-defence is engaged. Any use of force in self-defence must be necessary to repel the actual or imminent armed attack and be a proportionate response in scope, scale and duration. Any reliance on Article 51 must be reported directly to the UN Security Council.

The rapidity of cyber activities, as well as their potentially concealed and/or indiscriminate character, raises new challenges for the application of established principles. These challenges have been noted by Australia in explaining its position on imminence and the right of self-defence in the context of national security threats that have evolved as a result of technological advances. For example, in a speech to the University of Queensland in 2017, then Attorney-General, Senator the Hon. George Brandis QC, explained that:

'[A] state may act in anticipatory self-defence against an armed attack when the attacker is clearly committed to launching an armed attack, in circumstances where the victim will lose its last opportunity to effectively defend itself unless it acts. This standard reflects the nature of contemporary threats, as well as the means of attack that hostile parties might deploy. Consider, for example, a threatened armed attack in the form of an offensive cyber operation, ...which could cause large-scale loss of human life and damage to critical infrastructure. Such an attack might be launched in a split-second. Is it seriously to be suggested that a state has no right to take action before that split-second?'" 

Prohibition of intervention
 "Harmful conduct in cyberspace that does not constitute a use of force may still constitute a breach of the duty not to intervene in the internal or external affairs of another State. This obligation is encapsulated in Article 2(7) of the Charter and in customary international law.

A prohibited intervention is one that interferes by coercive means, either directly or indirectly, in matters that a State is permitted by the principle of State sovereignty to decide freely. Such matters include a State's economic, political, social systems and foreign policy. Coercive means are those that effectively deprive the State of the ability to control, decide upon or govern matters of an inherently sovereign nature. Accordingly, the use by a hostile State of cyber activities to manipulate the electoral system to alter the results of an election in another State, intervention in the fundamental operation of Parliament, or in the stability of States' financial systems would constitute a violation of the principle of non-intervention." 

International humanitarian law (jus in bello)
 "International humanitarian law (IHL) (including the principles of humanity, necessity, proportionality and distinction) applies to cyber activities within an armed conflict.

Australia considers that, if a cyber activity rises to the same threshold as that of a kinetic 'attack' (or act of violence) under IHL, the rules governing such attacks during armed conflict will apply to those kinds of cyber activities. Applicable IHL rules will also apply to cyber activities in an armed conflict that do not constitute or rise to the level of an 'attack', including the principle of military necessity and the general protections afforded to the civilian population and individual civilians with respect to military operations.

The IHL principle of proportionality prohibits the launching of an attack which may be expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated.

The IHL principle of military necessity states that a combatant is justified in using those measures, not forbidden by international law, which are indispensable for securing complete submission of an enemy at the soonest moment. The principle cannot be used to justify actions prohibited by law, as the means to achieve victory are not unlimited.

The IHL principle of distinction seeks to ensure that only legitimate military objects are attacked. Distinction has two components. The first, relating to personnel, seeks to maintain the distinction between combatants and non-combatants or military and civilian personnel. The second component distinguishes between legitimate military targets and civilian objects.

All Australian military capabilities are employed in line with approved targeting procedures. Cyber activities are no different. Australian targeting procedures comply with the requirements of IHL and trained legal officers provide decision-makers with advice to ensure that Australia satisfies its obligations under international law and its domestic legal requirements." 

Human rights law
 "International human rights law (IHRL) also applies to State conduct in cyberspace. Under IHRL, States have obligations to protect relevant human rights of individuals under their jurisdiction, including the right to privacy, where those rights are exercised or realised through or in cyberspace. Subject to lawful derogations and limitations, States must ensure without distinction individuals' rights to privacy, freedom of expression and freedom of association online." 

State responsibility
 "The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations." 

Sovereignty
 "To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States." 

Due diligence
 "To the extent that a State enjoys the right to exercise sovereignty over objects and activities within its territory, it necessarily shoulders corresponding responsibilities to ensure those objects and activities are not used to harm other States. In this context, we note it may not be reasonable to expect (or even possible for) a State to prevent all malicious use of ICT infrastructure located within its territory. However, in Australia's view, if a State is aware of an internationally wrongful act originating from or routed through its territory, and it has the ability to put an end to the harmful activity, that State should take reasonable steps to do so consistent with international law." 

Attribution
<section begin=AU_2020 attribution /> "Australia will, in its sole discretion, and based on its own judgement, attribute unlawful cyber activities to another State. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners. A cyber activity will be attributable to a State under international law where, for example, the activity was conducted by an organ of the State; by persons or entities exercising elements of governmental authority; or by non-State actors operating under the direction or control of the State." <section end=AU_2020 attribution />

Countermeasures
<section begin=AU_2020 countermeasures /> "If a State is a victim of malicious cyber activity, which is attributable to a perpetrator State, the victim-State may be able to take countermeasures (whether in cyberspace or through another means) under certain circumstances. Countermeasures are measures, which would otherwise be unlawful, taken to secure cessation of, or reparation for, the other State's unlawful conduct.

Countermeasures in cyberspace cannot amount to a use of force and must be proportionate. States are able to respond to other States' malicious activity with acts of retorsion, which are unfriendly acts that are not inconsistent with any of the State's international obligations." <section end=AU_2020 countermeasures />

Remedies
<section begin=AU_2020 remedies /> "If a State is the victim of harmful conduct in cyberspace, that State could be entitled to remedies in the form of restitution, compensation or satisfaction. In the cyber context, this may mean that the victim-State could, for example, seek replacement of damaged hardware or compensation for the foreseeable physical and financial losses resulting from the damage to servers, as well as assurances or guarantees of non-repetition." <section end=AU_2020 remedies />