Professor Nye, Excellencies, ladies and gentlemen
This panel is a continuation of an important conversation on international peace and security in cyberspace – a conversation in which Australia is an active participant through our Chairmanship in 2012-2013 of the UN Group of Governmental Experts (UN GGE), and through Australia’s work in the ASEAN Regional Forum on reducing the risk of conflict that may arise from unexplained cyber incidents. The objective of this work is to promote certainty and stability in cyberspace, recognising that states have legitimate interests and obligations in cyberspace.
There are at least three important strands to this work – building common understandings on norms of state behaviour in cyberspace, preventing the rise of conflict between states arising from cyber incidents, and developing capacity among states to deal with threats.
On taking forward international security within the overall cyberspace regime complex, it is often asserted that we need to conclude an international agreement of some kind on international security in cyberspace. Australia argues that an international agreement is premature; even the work of codifying key principles is in its infancy – the conversation has only just started and the technology is evolving rapidly. It is a challenge for policy makers just to keep up.
The quest for cyberspace stability reinforces other objectives for cyberspace including freedom and economic growth. We want to maintain an open, secure and peaceful internet. The internet must continue to be global and interoperable; its governance structure must continue to be a multi-stakeholder collaboration; and the infrastructure which underpins the internet should not be damaged or destroyed.
Through the UN GGE process, the international community has come to the conclusion that the existing framework and principles of international law apply to the behaviour of states in cyberspace. This should not be controversial.
For Australia, it follows that law on the use of force, international humanitarian law, international human rights law and international law regarding state responsibility apply to State conduct in cyberspace in a way that mirrors the application of these bodies of law to kinetic acts. This conclusion is a necessary first step to a discussion of norm building in relation to international security questions. Not all States share this view.
Australia acknowledges that the application of international law to State conduct in cyberspace is not easy – it requires a careful analysis of exactly how the rules of international law apply in a cyber setting. For example, questions on sovereignty in cyberspace require an elaboration of some of the fundamental concepts embodied in international law and underpinning the international order.
States – including Australia – are already asserting jurisdiction – over the physical infrastructure and components of the internet located in their territory. Once the question of jurisdiction goes beyond physical infrastructure and territory, the issues become more complex – take the vexed issue of taxing IT corporates for example.
Some see the sovereignty discussion aimed at putting the state at the centre of the internet and as a step on the path to endorsing State control of internet content. There are concerns about the ambitions of some States to have multilateral bodies – governments – take over the key internet institutions internationally. Australia does not share these positions: the internet flourishes because it is a multi-stakeholder operation and because states are but one of the stakeholders.
Respect for the principle of sovereignty in cyberspace goes hand in hand with other international obligations of States. For example, States have obligations under the law of State responsibility to ensure they do not aid or assist another State in the commission of an internationally wrongful act. Under the principle of due diligence, States have an obligation to not knowingly allow their territory to be used for acts contrary to the rights of other States. They also have obligations to protect human rights and to prevent acts of terrorism.
All states have an interest in developing the internet as a platform for economic activity – both economic growth and economic development. The internet facilitates trade and economic opportunities for businesses of all sizes. Even the smallest business enterprise is able to participate in the global economy and given its role in economic development, this is why building the capacity of states to prevent and reduce cyber threats is so important and why Australia is joining the Global Forum for Cyber Expertise at this Conference.
Controls on the internet which stifle innovation, investment, trade or other productive activity diminish these economic opportunities. State-dominated internet governance or breaking the global internet up into national internets would have precisely that effect. We need a global platform which is multi-stakeholder governed, decentralised and interoperable, and which encourages international trade.
To date, the effort in developing State norms in international security has focused on the application of rules in international law on the use of force and that governing armed conflict.
But the most damaging and threatening cyber activity occurs outside of situations of armed conflict, in peacetime. International effort now needs to focus on ensuring the internet continues to flourish as a central institution of economic activity.
Australia sees three priorities for peacetime norms.
The effective functioning of critical infrastructure underpins the global economy. States should prevent and refrain from online activity which damages or impairs critical infrastructure, whether it be in banking, telcos, energy structures. While states define their critical infrastructure sectors differently and harmonisation is important, agreeing that key sectors should be off limits is a priority for the international community.
Computer Emergency Response Teams – CERTs – have special status in cyberspace as responders to cybersecurity incidents. States should agree that they will facilitate, and not hinder, the critical work of national CERTs in protecting the online environment.
Cybercrime is a diversion of productive economic activity. The effective reduction of cybercrime would boost trust and confidence in the internet as an economic platform. States should live up to their responsibilities in investigating criminal activity, in collecting electronic evidence and in policing malicious online activity emanating from their territory. The performance indicators are state responsiveness to requests and in cooperative action. Because the actor behind malicious online activity is opaque – a criminal could be a proxy for a state – a significant reduction in cybercrime would have significant spin-offs for international peace and security, by eliminating actions which could be misread or which could lead to conflict.
Professor Nye, I hand back the floor.