Australia seeks rules for 'peacetime norms' in cyberspace

What cyber activities are legitimate to conduct in peacetime? What cyber activities should count as an act of war? Australia's defence minister wants some rules on cybering.
Written by Stilgherrian, Contributor

So many cybers! When Australian Defence Minister Kevin Andrews addressed the Australian Defence Magazine Cyber Security Summit in Canberra on Wednesday, his speech had 71 cybers in it. Admittedly, some of them were in the sub-headings, or in references to the Australian Cyber Security Centre (ACSC). But still, that's rather a lot of cybering by the minister.

He must be exhausted.

I hope he's OK.

Andrews' extended cybering aside, the speech is worth reading -- not because it says anything particularly new, but because the language it uses indicates a clear shift towards thinking of this cyberstuff as being a national security issue, requiring a national security response.

A militarised response.

You don't have to read between the lines. It's stated quite bluntly, mixed in with the now-usual scary-scary stuff, like "the internet is largely uncontrolled", and "of all the transnational security challenges we face, malicious cyber activity is likely to be the most persistent", and "offensive cyber attacks are a direct threat to the Australian Defence Force's war-fighting ability, given the ADF's reliance on information networks".

"Cybersecurity is a national security priority for the government... The first priority of this government is the safety and security of its citizens," Andrews said.

"That is why the prime minister has ministerial responsibility for cybersecurity, with his department taking the lead for cyber policy."

Ah, the prime minister's office, the source of so much that is excellent!

In the second half of this year, the Australian government will be releasing a Defence White Paper, setting out its vision for the nation's defence strategy for the next 20 years. In that context, some of the minister's comments are particularly interesting.

"The White Paper will ... address the role Australia can play in supporting a rules-based approach to cyber issues internationally," Andrews said. "Our interest in the maintenance of a rules-based international order extends beyond maritime trade routes and includes cyber, space, and other domains."

It's an interest shared by "like-minded nations", however tautological that sounds.

"As most cyber incidents fall below the threshold of armed attack and armed conflict, we think it is important for the international community to give consideration to the development of peacetime norms."

In other words, Australia wants a cyber line in the sand.

In the physical world, for example, we can run an aerial electronic intelligence (ELINT) mission up to a nation's borders and listen to it, but we can't fly over that border without risking being shot down.

So, is scanning a nation's computer networks for vulnerabilities the same sort of thing? What about infiltrating spyware into another nation's networks? What about exfiltrating data?

At what point does this cross the line, from being the usual smoke-and-mirrors games of humanity's second-oldest profession, to an act of war?

This isn't a new question, of course. Three years ago, I heard the operational attorney for US Cyber Command, Robert Clark, discuss the legal regime surrounding cyberspace operations. A core example was Stuxnet, the malware that crippled Iran's uranium enrichment program. At that stage, its origins were still unclear.

Was the deployment of Stuxnet an act of war? Well, said Clark, it was nation state versus nation state, and it caused damage to a strategic asset. But Iran didn't call it out as an act of war, therefore it wasn't one.

At what point does something shift from being an act of cyber sabotage to an act of cyberwar?

Two years ago, Eugene Kaspersky told the National Press Club in Canberra that cyber espionage is extremely dangerous for international trust.

The Kaspersky Lab founder has been calling for international cyber arms agreements for some time. But a cyber research lab looks like any other office building -- and, indeed, is just any other office building, until the very moment its workers start manufacturing weapons. Trying to control that could result in an intrusive inspection regime affecting every business.

Indeed, the current discussions around the Wassenaar Agreement create the potential for exactly that.

Ten days ago, I wrote that cybersecurity is moving away from military language, or so it seemed. Maybe I was wrong. Very wrong.

That said, Andrews' speech was the defence minister talking to a defence conference, so it's only natural that defence language should dominate. But I notice that it contained precisely nothing about freedoms, privacy, or the development of norms relating to, say, human rights.

No, the internet was once again portrayed as something that was useful, but full of danger.

"Largely uncontrolled", Andrews said the internet is.

Does that worry you? It certainly worries me.

Disclosure: Stilgherrian travelled to Canberra as a guest of Kaspersky Lab.
