The prime minister’s announcement yesterday that a “sophisticated state actor” had hacked the computer networks of Australia’s major political parties again highlights the serious threat posed by cyber attacks.
This follows a breach of the Parliament House network earlier this year. Previous examples in Australia include the 2015 malware attack on the Bureau of Meteorology and breaches of the computer systems at the Australian National University in 2018.
Indeed, cyber measures targeting Australian government infrastructure have been described as the “new normal”.
Australia is not alone in facing this threat, and it is a significant one. The US Secretary of Homeland Security highlighted the seriousness of this challenge when she recently suggested that:
… cyber-attacks in terms of their breadth and scope of possible consequences now exceed the risk of physical attacks.
Technological advances continue to outpace legal developments. While intelligence officials have suggested the most recent attack came from a “nation state”, the reality is that the existing international law framework fails to provide timely or effective legal remedies.
The problem of attribution
One of the most significant hurdles is the problem of attribution. For a nation state to be held responsible under international law for a particular act, that act must be attributable to that state. There are a variety of ways this can occur. For example, the conduct of state organs (such as government departments and officials) will usually be attributable to the state.
But here’s a key problem: in the case of cyber attacks, states don’t generally operate through formal state bodies. Instead, they tend to use non-state actors who are less visible, more removed and offer plausible deniability. This creates problems of both factual and legal attribution.
The factual problem is that it is often extremely difficult to accurately identify the origin of a cyber attack. The lack of boundaries and anonymity that are characteristic of cyberspace make it hard for states to identify exactly who is responsible for a specific cyber attack.
Perpetrators are becoming increasingly effective at masking their true identities and locations. They may even deliberately make it look as though innocent third parties are responsible for an attack.
The legal problem of attribution arises from the fact that international law does not generally hold states responsible for the actions of non-state actors.
Responsibility will only be attributed if the state either acknowledges and adopts the conduct of the non-state actor as its own, or the state directs or controls the non-state actor.
The former is unlikely given the lengths that states go to mask their involvement in cyber attacks in the first place. The latter is also unlikely, given the high threshold set by international law to establish the required direction or control.
The International Court of Justice has held that a state must be shown to have had “effective control” over each specific act for which attribution is sought. Simply providing financial aid or equipment to support a cyber attack, or even providing a safe haven base for individual hackers, would likely not be enough to meet the “effective control” test.
Given these problems, it is highly unlikely that a state will ever be held publicly accountable under the existing legal framework.
It is one thing for intelligence officials to privately suggest China may be to blame for the most recent breach. But that is a long way from meeting the high threshold required to establish state responsibility under international law.
How can a state respond to a cyber attack?
Even if legal attribution could be established, that does not entirely resolve the legal complexities. International law has few mechanisms that allow a state to respond effectively to a cyber attack once it has occurred.
A state is allowed to use force in self-defence – but only in response to an armed attack. An armed attack in this context refers to only the most grave use of force. It is highly unlikely that acts of cyber espionage focused primarily on gathering intelligence or data could ever be characterised as an armed attack under this definition.
Similarly, while countermeasures (a broad category of temporary, reversible measures designed to induce a state to cease its wrongful conduct) are allowed under international law in certain circumstances, the conditions imposed on these mean they are of limited use in the context of cyber attacks. For example, in all but the most urgent circumstances, an injured state must notify the responsible state of the decision to take countermeasures and offer to negotiate with them before any countermeasures are actually taken. Such procedural requirements are simply impractical when responding to cyber attacks, given their potential speed and reach.
Cyber attacks by foreign states pose a real and growing threat to Australia. Unfortunately, the existing international law framework provides little effective protection or recourse. This makes it even more important for Australia to ensure we are doing everything possible to protect ourselves and our democratic institutions from cyber attacks.