Protecting Australian cyberspace: are our international lawyers ready?

• Author: Tully, Stephen

Abstract

Cyberspace is an important element of Australia's critical national infrastructure. Recent policy developments within this field seek to maintain economic opportunity and protect national security. This article discusses four contemporary threats posed to the Australian military and civilian electronic information infrastructure: 'cyber war' conducted by hostile states, 'cyber conflicts' by foreign combatants, attacks committed by 'cyberterrorists' and the commission of 'cybercrimes'. This article reviews the existing international legal paradigms relevant to each and identifies the issues raised from a survey of the existing literature. It concludes that each paradigm is presently inadequate for addressing the nature of these threats and calls for further contributions from Australian government, military and international lawyers to articulate a distinctive national perspective on these questions.

I Introduction

The United States (US) Department of Defense has recently developed an offensive cyber war capability and a coordinated military-civilian strategy to defend against cyber attacks. (1) Cyber experts from the Centre for Strategic Counterterrorism Communications at the US State Department also routinely patrol social media including the internet and recently hacked Yemeni websites to replace al-Qaeda propaganda. (2) In Australia, the Director General of the Australian Security Intelligence Organisation ('ASIO'), has predicted that cyber attacks against Australia will increase from both state and non-state actors, including terrorists who use the internet for recruitment and to support operational activities. (3) More than 200 cyber intrusions against the Department of Defence were investigated in 2009. (4) The Department of Foreign Affairs and Trade is also subjected to daily cyber attacks. (5) Australian engineers have since received training at the Idaho National Laboratory, which designed the Stuxnet worm used to sabotage an Iranian nuclear facility. (6) And finally, 'Anonymous' conducted Operation 'Titstorm' to disable the websites of the Australian Parliamentary House and the Department of Broadband, Communications and the Digital Economy to protest at mandatory internet filtering. (7)

These developments raise a range of questions. What precisely is occurring, and where are cyber threats emanating from? Flow does cyber activity fit within the paradigms of international law so familiar to us, if at all? Should our international, military and government lawyers respond? If so, how? What are the available legal options and the policy choices relevant to each?

This article addresses several of these questions by surveying the existing literature and contrasting recent policy developments within Australia with that of other states, principally the US and the United Kingdom (UK). Part II will define cyberspace. Part III describes how cyberspace is conceptualised as critical national infrastructure. Parts IV to VII examine four threats to Australian cyberspace: 'cyber war' conducted by states, 'cyber conflicts' between combatants, 'cvberterrorism' targeting civilians, and finally the use of computer technology to commit offences ccybercrimesp. These parts will situate each threat within the relevant legal framework: international law on the use of force, international humanitarian law, anti-terrorism measures and criminal law enforcement. The adequacy of each regime for protecting Australia's electronic information infrastructure is assessed. Part VIII identifies challenges, risks and possible solutions, considers several cross-cutting themes and calls for further contributions which demonstrate a distinctive Australian perspective on these issues.

II Cyberspace Defined

'Cyberspace' may be defined as the interdependent network of information technology infrastructures. It includes the internet, telecommunications networks, computer processing systems and embedded industrial processors and controllers. (8) It is a domain characterised by electronics and the electromagnetic spectrum in which to store, modify and exchange data via networked systems as well as the associated physical infrastructure. (9) It is an environment within which various information operations occur.

On one view, cyberspace is borderless and transnational. The internet-based information infrastructure can accordingly be analogised to the global commons free from any one state's control and susceptible to appropriation. (10) However, the enabling physical infrastructure is clearly located within the territorial jurisdiction of a state. Thus cyberspace, like any other territorial domain (albeit artificially constructed), is subject to national interests. The UK has indicated that, '[j]ust as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21' century we also have to secure our advantage in cyber space'. (11) For the US, cyberspace is as relevant a field for defence activity as the naturally occurring domains of land, sea, air and space. (12) Like the UK, the US Department of Defense will strategically address cyberspace as an operational domain in which to organise, train and equip itself so as to take full advantage of cyberspace's potential. (13) However, cyberspace is not protected through a passive 'retreat behind a Maginot line of firewalls' but by deploying dynamic 'manoeuvre warfare' where new technology proactively locates and neutralises intrusions. (14)

In addition to protecting a cyber network against intrusions, security requires maintaining the confidentiality, availability and integrity of information, incident response and effective deterrence. Cyberspace threats are believed to pose one of the most serious economic and national security challenges of the 21st century for the US and its allies. (15) Threats particular to Australian cyberspace include lone hackers, online criminals, 'issue motivated groups', industrial espionage and foreign intelligence services. Such threats are real, evolving and continue to test Australian defences. (16) Australia has identified cyber security as a national security priority as government and society become increasingly dependent upon (and correspondingly vulnerable for) integrated information technology. (17) Protecting cyberspace became a top-tier policy objective because of its position within critical national infrastructure.

III Cyberspace as Critical National Infrastructure

'Critical national infrastructure' is made up of those systems and assets so vital to states that incapacity or destruction would debilitate national security, the economy, public health or safety. Attacks can disrupt power, water, traffic control and other critical systems by targeting the electronic mechanisms which control manufacturing plants, power generators, refineries and other infrastructure. For example, malicious activities against electronic systems in the US have crippled electric power stations and caused multi-city power outages. (18)

The international community has proposed establishing a 'global culture of cyber security' to protect critical information infrastructures. (19) National efforts are being reviewed to this end. (20) For example, the US acknowledges the need to protect computer systems and describes key portions of cyberspace as critical national infrastructure. (21) US financial institutions, credit systems, stock exchanges and the Federal Reserve depend upon functioning information networks. (22)

In 1997, President Clinton established the President's Commission on Critical Infrastructure Protection. The following year, US policy became taking 'all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems'. (23) An offensive capability against enemy computer networks became a policy directive under the administration of President George W Bush. (24)

During 2003, a 'National Strategy to Secure Cyberspace' encouraged greater public-private coordination and focused government initiatives on securing critical national infrastructure. The National Strategy presupposed that a healthy and functioning cyberspace was essential to the economy and national sccurity. (25) Additionally, it foreshadowed efforts to formulate defensive strategies within an operational military context. (26) 'Cyberspace' became defined as the interdependent network of information technology infrastructures, and included the internet, telecommunications networks, computer systems and embedded industrial processors. (27) The US government was also called upon to protect privately owned critical infrastructure from attack, intrusion or sabotage by foreign military forces, terrorists and criminals. (28) In 2008, the scope of government concern was extended beyond critical national infrastructure, although the principal focus was protecting government networks. (29) Despite these efforts, in 2009 the cyber security responsibilities of the US Department of Homeland Security were adjudged to remain unsatisfied (30) and a comprehensive review of US cyber strategy was initiated. (31)

This brief review of US policy clearly illustrates the governmental concern to protect critical national infrastructure, albeit with several policy tangents and mixed success. Australian policy has largely followed suit. Australia's infrastructure is considered vulnerable to criminal activity, natural disaster, terrorism and information warfare against civilian and military systems. (32) Australia's Cyber Security Strategy seeks to maintain a secure, resilient and trusted electronic operating environment with which to support national security and benefit the digital economy. (33) This strategy defines 'systems of national interest' as systems which, if rendered unavailable or compromised, could significantly...