Vedant Singh and Isha Choudhary
RECENT CYBER ATTACKS ON AUSTRALIA
Recently, a wide range of political plus the public sector organizations in Australia have come under a sophisticated cyber-attack, as confirmed by the Australian Prime Minister Scott Morrison. He said the digital assaults were across the board, covering “all the levels of government” as well as the fundamental administrations and organizations.
He declined to distinguish a particular state interference but that no significant individual information breaks had been made. The assaults have occurred over numerous months and are expanding. The Prime Minister’s declaration on Friday was planned to raise their awareness and to ask organizations to improve their securities. In any case, he focused on the “malevolent” action as being seen and occurred internationally, making it not extraordinary to Australia.
List of major Cyber Attacks on Australia
2020: Incidents reported across major Australian firms, including steelmaker BlueScope, logistics firm Toll Group, and state government agency Services New South Wales
- June: – The Australian National University revealed a “highly professional” group of up to 15 hackers gained access to student and staff details, as well as academic research, for about six months
- February: – Australia’s parliamentary computer network and political parties were subject of an attempted attack by a “state actor”
2017: Information about fighter planes and navy vessels was stolen from an Australian government contractor.
2015: Foreign spies attacked the Australian Bureau of Meteorology.”
These current incidents have again sparked the debate regarding the status of Cyber-attacks under the existing International Law. Cyber operation amounting to an attack on a country is a burning topic of debate among scholars with the question of the position of cyber operation under international law. This article covers various aspects of the views on both sides. The article addresses various issues like whether a cyber-attack be considered as a ‘Use of Force’ under the UN Charter, and most importantly, the enigma that exists regarding the attributability of such attacks.
This article argues that to solve the problem of uncertainty in this area, the use of cyber force must be treated as a Use of Force under UN Charter, and the threshold of caution while treating such type of force must be kept high. And if necessary, an amendment must be made in the UN charter to make room for the cyber force to be included as a wrongful act of state.
CYBER ATTACKS UNDER UN CHARTER
The UN Charter under its Article 2(4) prohibits any use of force by one nation on any other nation, and this has been regarded as jus cogens. The article states that:
“All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the purposes of the United Nations.”
This definition has been interpreted by ICJ and various authors to segregate it into three essentials i.e., firstly, the act needs to be attributed to a state inclusive of any private individual or an organization that doesn’t fall within the scope of the provision, not even when the damage is equivalent to the same done by a state. Secondly, the act must amount to either a ‘threat’ or a ‘Use of Force’. Thirdly, the threat or Use of Force must be exercised in the conduct of ‘international relations.’
Therefore, it can be concluded from Article 2(4) of the Charter that it does not define ‘force’. Therefore, for defining the term ICJ has, in various instances, applied the ordinary meaning test, which is a mode of interpretation under the VCLT. According to Black’s Law Dictionary, ‘force’ means power, violence, or pressure directed against a person or an object, Dictionary of Law, defines force as any compulsion or threat of violence by a state to another state breaching provisions of public international law, further, according to Law Lexicon, force is exercised when by an act of one, another country is compelled or pressurized to give up its sovereignty in decision making. Therefore, after looking at the meaning in these three widely used law dictionaries, we can safely say that ‘force’ is broad enough to include not only armed force but even intangible force such as a cyber-attack.
Tallinn Manual is currently the most appropriate source to understand the law regarding the cyber-attacks. According to Rule 32 of the manual, peacetime cyber espionage is not violative of international law per se but the method of doing so maybe. Cyber espionage, according to the manual is not limited to the use of cyber capabilities to surveil, monitor, capture, or exfiltrate electronically transmitted or stored communications, data, or other information, but extend to any act that puts any other nation in a position of confusion and threat. Therefore, any act of cyber espionage or attack that comes under the plain meaning of force then, that can be considered as ‘Use of Force’ under Article 2(4).
THE PROBLEM REGARDING ATTRIBUTING CYBER ATTACKS
Chapter two of the draft articles of state responsibilities enshrines that if the conduct is done by a state authority or a person controlled or directed by the state or done due to default of state officials then the conduct is attributable to the state. This essentially means that, if a state directly attacks another state through its functionaries or lets the non-state actors attack, willingly or negligently by not taking reasonable care, then only the state can be made liable for the attack.
This raises concerns for finding the appropriate threshold of reasonable care. If very high standards of reasonable care are imposed, the states would have to breach the privacy of the individuals resulting in a surveillance state and if the threshold is put too low then the instances of cyber-attacks will continue and there will be no one to be held accountable. Further, the extent of cyber technological advancements in the area of information technology will be a relevant factor while determining the standard of reasonable care for a country. For example, the standard of reasonable care should be much higher for Israel as compared to South Sudan. Therefore, there is no scope of making a universally applicable standard of reasonability.
The two main questions related to the attributability are – first, whether the attacks are initiated by a state or non-state actor and second, whether the state from where the attack originated, is responsible or not.
For an instance when the Chinese military hackers breached the firewalls of US department of defence servers to steal the blueprints of US Airforce jets, the US could not do anything at all because they could not prove that Chinese government was behind the attacks, or these attacks were just routed through Chinese servers. In another similar case, when there was a cyber-attack on Winter Olympic games of 2018 held in PyeongChang, South Korea, where according to US reports, the attackers were Russian military agency which routed the attack through a North Korean IP address to make it look like their belligerent neighbour launched the attack.
The attackers use techniques such as virtual private networks, proxies and the onion routing which is sending data with numerous encryption layers that get redirected to different servers all over the world with the decryption of each layer. In this way, it becomes practically impossible to trace the attacks to their origin with certainty but sometimes these attackers make mistakes because of which they get caught, for example, one of the hackers of the infamous Lazarus group hacker Park Jin Hyok who got identified and charged by the US Department of Justice for the “WannaCry” malware outbreak and attempt to hack US defence contractor Lockheed Martin among other charges because he opened his mail on the Lazarus group’s IP address. The US alleged that the Lazarus group including Park Jin Hyok is sponsored by the North Korean government under Article 4 of ARSIWA because Park Jin Hyok was the employee of a Government-owned company in North Korea but the same enigma of attributability would make it almost impossible to prove beyond a reasonable doubt that the group is run by or supported by the North Korean government in any way.
It is apparent from the analysis of various aspects of the international community that can get affected by the illegal use of cyber force, it can be said with utmost certainty that this topic needs to be answered with clarity as soon as possible by the nations. The technology today knows no bounds and can breach any level of security, so it becomes very pertinent for the nation-states to come together can formally enact a law that governs the use of cyber operations.
After extensive research in this area, we found various reasons as to why they use of cyber force should be regarded as a Use of Force under the UN charter, should be held violative of territorial sovereignty of a country, and right to self-defence must be present against cyber-force as this amounts to an armed attack. Reasons being the capability of today’s technology to cause harm to another nation much more than a conventional attack because stealing or destroying an enemy country’s data does not only cause harm at that point of time but also puts the victim country into a vulnerable state of uncertain future. Such cyber operations also can breach an individual’s right to privacy very easily, therefore, the threshold of caution while dealing with such cases must be higher. And to solve the enigma of attributability, objectivity in law would not work because of ‘n’ number of variables involved which might get overlooked, therefore we have to make laws which allow subjective assessment and investigation of the matter at hand.
Vedant Singh & Isha Choudhary are third year law students at National Law University, Jodhpur.