Some thoughts about the #cyberattack against Australia
: facts, assessment under international law and Australia's response options.
*THREAD*
/1
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
*THREAD*
/1
First, the facts:
state actor (most likely
, but
will not say)
persistent & ongoing campaign
targeted are all levels of gov't, political orgs, OES and other CI operators
systems were penetrated, but no info about disruptive or destructive effects
/2
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Flagge von China 🇨🇳](https://abs.twimg.com/emoji/v2/72x72/1f1e8-1f1f3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
/2
With this in mind, did this cyber operation breach international law? Let's look at:
use of force
non-intervention
sovereignty
I omit due diligence, because attribution to a state actor is assumed.
/3
![Tastenkappe Ziffer 1 1⃣](https://abs.twimg.com/emoji/v2/72x72/31-20e3.png)
![Tastenkappe Ziffer 2 2⃣](https://abs.twimg.com/emoji/v2/72x72/32-20e3.png)
![Tastenkappe Ziffer 3 3⃣](https://abs.twimg.com/emoji/v2/72x72/33-20e3.png)
I omit due diligence, because attribution to a state actor is assumed.
/3
![Tastenkappe Ziffer 1 1⃣](https://abs.twimg.com/emoji/v2/72x72/31-20e3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/4
![Tastenkappe Ziffer 2 2⃣](https://abs.twimg.com/emoji/v2/72x72/32-20e3.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
/5
Although governmental systems and critical infrastructure were affected, it seems that the actions were not coercive. Penetration of systems and exfiltration of data, without more, does not affect Australia's ability to decide freely on sovereign matters. So, no intervention.
/6
/6
![Tastenkappe Ziffer 3 3⃣](https://abs.twimg.com/emoji/v2/72x72/33-20e3.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Flagge des Vereinigten Königreiches 🇬🇧](https://abs.twimg.com/emoji/v2/72x72/1f1ec-1f1e7.png)
![Flagge der Vereinigten Staaten 🇺🇸](https://abs.twimg.com/emoji/v2/72x72/1f1fa-1f1f8.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Flagge der Niederlande 🇳🇱](https://abs.twimg.com/emoji/v2/72x72/1f1f3-1f1f1.png)
![Pfeil nach rechts ➡️](https://abs.twimg.com/emoji/v2/72x72/27a1.png)
![Flagge von Frankreich 🇫🇷](https://abs.twimg.com/emoji/v2/72x72/1f1eb-1f1f7.png)
/7
Here,
sovereignty would only be breached under the
approach. As there have been no reports that the penetrated systems and data thereon have been manipulated or destroyed (other than malware installation), this is not enough for usurpation of govt functions.
/8
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/8
So far, Australia has not made its own views on sovereignty in cyberspace publicly known, so we don't know how they would assess the cyber attacks. Maybe this would be a good moment to develop a position on this issue.
/9
/9
Next, what are Australia's response options? Lets look at:
criminal indictments
public attribution
sanctions
countermeasures
/10
![Tastenkappe Ziffer 1 1⃣](https://abs.twimg.com/emoji/v2/72x72/31-20e3.png)
![Tastenkappe Ziffer 2 2⃣](https://abs.twimg.com/emoji/v2/72x72/32-20e3.png)
![Tastenkappe Ziffer 3 3⃣](https://abs.twimg.com/emoji/v2/72x72/33-20e3.png)
![Tastenkappe Ziffer 4 4⃣](https://abs.twimg.com/emoji/v2/72x72/34-20e3.png)
/10
![Tastenkappe Ziffer 1 1⃣](https://abs.twimg.com/emoji/v2/72x72/31-20e3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/11
![Tastenkappe Ziffer 2 2⃣](https://abs.twimg.com/emoji/v2/72x72/32-20e3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/12
![Tastenkappe Ziffer 3 3⃣](https://abs.twimg.com/emoji/v2/72x72/33-20e3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/13
![Tastenkappe Ziffer 4 4⃣](https://abs.twimg.com/emoji/v2/72x72/34-20e3.png)
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
/14
Here, only a breach of sovereignty under the French penetration-based approach would qualify. Under all other approaches, there has been no breach of sovereignty.
/15
/15
Could
hack back? IMO yes, but the justification and scope varies depending on the approach towards sovereignty.
Under
- yes, because there is no rule of sovereignty to be breached.
Under
- yes, provided no phys. effects or usurpation of inherently govt functions.
/16
![Flagge von Australien 🇦🇺](https://abs.twimg.com/emoji/v2/72x72/1f1e6-1f1fa.png)
Under
![Tastenkappe Ziffer 1 1⃣](https://abs.twimg.com/emoji/v2/72x72/31-20e3.png)
Under
![Tastenkappe Ziffer 2 2⃣](https://abs.twimg.com/emoji/v2/72x72/32-20e3.png)
/16
Under
- yes, as a countermeasure to induce the responsible state to stop, provided proportionality and other requirements are met. Many states argue that in the cyber context, prior notification is not required if it would jeopardise the success of the countermeasure.
/17
![Tastenkappe Ziffer 3 3⃣](https://abs.twimg.com/emoji/v2/72x72/33-20e3.png)
/17
And that's it. Let's see how this thing develops and how the cyber attacks will affect Australia's position on IL (esp. sovereignty) in cyberspace, if at all.
Thanks for reading! Now I'm going back to grading exams *sigh*.
All copied text from here: https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/2019_international_law_supplement.html
/END
Thanks for reading! Now I'm going back to grading exams *sigh*.
All copied text from here: https://www.dfat.gov.au/publications/international-relations/international-cyber-engagement-strategy/aices/chapters/2019_international_law_supplement.html
/END
There's a typo (flagpo?) in this tweet:
Of course I meant the French approach. https://twitter.com/Roguski_P/status/1273936037652451328
Of course I meant the French approach. https://twitter.com/Roguski_P/status/1273936037652451328