PROPOSAL FOR A DECLARATORY CYBER POLICY
To: Prime Minister
From: Secretary, Department of the Prime Minister and Cabinet
Proposal:
1. The Australian Government should adopt a declaratory cyber policy consisting of:
a. Demonstrated consequences for malicious breaches of Australia’s cyber security; and
b. Public statements regarding Australia’s cyber defensive and offensive capabilities, and the circumstances of their use.
Executive Summary:
2. A declaratory cyber policy will deter cyber threats and shape international cyber norms in Australia’s interests. It will identify the types of cyber activity unacceptable to Australia and outline the range of responses available to Australia to impose costs on malicious cyber actors. The responses outlined in the recommendations are proportional to the malicious activity and targeted so as to be most effective against
the particular type of malicious cyber actor. The policy will also provide a platform for Australia to engage with other nations to promote wider adoption of cyber norms that align with Australian interests.
Background:
3. Australia currently faces an unprecedented level of threats to its cyber security. These threats will continue to increase as cyberspace becomes more integral to Australian Government and society.
4. The norms that define acceptable behavior in cyberspace are still evolving. Actors in
cyberspace see this is an opportunity to push boundaries, including malicious interference in the networks of Australia and other states.
5. Threats to Australia’s cyber security come from three different types of actors: statesponsored; organised criminals; and issue motivated groups and individuals.
6. Cyber security incidents in Australia have been increasing year-on-year. This trend will continue. Australian cyber defences have been unable to prevent the loss of sensitive national security and commercial information.
7. Previous Government statements have made limited reference to cyber policy but a comprehensive declaratory cyber policy does not exist.
Comment:
8. Following extensive consultations across the public service, the Department of Prime Minister and Cabinet has developed a declaratory cyber policy for your approval. This policy consists of the public statement at attachment A, as well as the list of actions contained in the recommendations below.
9. Effective deterrence can reduce cyber threats to Australia. Australia’s current cyber policy is not sufficient to deter malicious cyber threats. There is no significant public information on Australia’s cyber capability, defensive or offensive. Malicious cyber actors have no prior warning of the consequences of their actions.
10. Australia’s security will be increased if foreign state-sponsored adversaries adhere to norms that limit the types of malicious activity they conduct in cyberspace. As a respected international actor with significant (if unannounced) cyber capability, Australian cyber policy has an untapped potential to shape currently forming international cyber norms of behavior.
11. The key norms that will enhance Australian cyber interests are:
a. Non-targeting of critical civilian infrastructure or the networks of financial institutions with cyber-attacks;
b. No use of cyber espionage for the economic benefit of commercial entities;
c. The application of present international law, including international humanitarian law and the law of war principles of military necessity, proportionality and distinction, to actions in cyberspace; and
d. Greater transparency about states offensive cyber capability.
12. A declaratory cyber policy would deter malicious cyber threats and have the potential to shape still forming international norms by:
a. Demonstrating consequences for breaches of Australia’s cyber security; and
b. Setting an example for the use of cyber capability through public statements about Australia’s own capability, and the acceptable circumstances of its use.
Deterrence:
13. Public exposure has the potential to deter malicious cyber actors. Advances in cyber forensics mean that Australia can now reliably attribute malicious cyber activity. Australia should make this capability known in order to effectively deter malicious cyber actors.
14. Exposure of actors has international sensitivities, as the majority come from either China or Russia. Where no international sensitivities exist, Australia should expose malicious cyber actors as an example. Actors that can be exposed to demonstrate Australia’s cyber attribution capability without provoking an international incident include those associated with terrorist groups. The Australian Security Intelligence
Organization (ASIO) has identified 13 such actors associated with ISIS.
15. Deterrence of actors where international sensitivities exist can be achieved by privately threatening public exposure. This should be limited to key Australian interests, such as significant organized crime or incidents of cyber espionage for economic purposes.
16. The US is currently developing a sanctions program against individuals and companies responsible for malicious cyber activity. Consideration should be given to the development of a similar Australian program.
17. Australia can enhance deterrence of a significant cyber-attack by asserting its right to respond with offensive cyber capability and the use of lethal military force in traditional domains.
Norm development:
18. A declaratory cyber policy will encourage the development of cyberspace norms that
support Australia’s interests.
19. Public acknowledgment of Australia’s offensive cyber capability will promote transparency regarding cyber weapons. It will allow Australia to demonstrate the limitations we have placed on the use of this capability. This will provide an opportunity to reinforce the norms of non-targeting of critical civilian infrastructure and financial networks, no use of cyber espionage for economic benefits and the application of existing international law to cyberspace.
20. Following such an acknowledgment, Australia can work with other like-minded states to promote similar statements.
Risks:
21. Providing information about Australia’s cyber capability could lead malicious cyberactors to develop effective counter-measures. The statement at attachment A incorporates advice from the Australian Signals Directorate (ASD) to reduce this risk. Information on our capability is limited to general or publically available information.
22. As discussed above, identifying foreign nationals as malicious cyber actors could damage Australia’s relationships with those states.
23. No other state has officially acknowledged conducting offensive cyber-attacks. Moving first in this area carries diplomatic risk. However, it is widely known that a number of states, including Australia, have this capability. There are several publically documented examples of the use of this capability, such as the US attack on Iran’s reactor program with the stuxnet virus.
24. This policy may have international legal implications for our treaty obligations
regarding mutual defence in the event of a cyber-attack. If you approve this policy, formal advice should be sought from the Attorney General’s Department prior to any public announcement.
Alternatives:
25. If you do not agree to this policy, an alternative is to improve Australia’s cyber defences through greater allocation of funds to ASD and ASIO, and further cyber education of Australian businesses. This policy can also be implemented in conjunction with those measures.
Financial implications:
26. Nil.
Publicity:
27. A draft public statement is at attachment A.
Recommendations:
That you:
a. Agree to the adoption of a declaratory cyber policy.
Agreed / Not agreed
b. Agree to publicly identify and charge 13 ISIS associated malicious cyber actors
with cyber-crimes.
Agreed / Not agreed
c. Agree to privately inform officials from states with malicious cyber actors that the
Australian Government will consider public exposure of such actors.
Agreed / Not agreed
d. Agree that consideration should be given to a sanctions program for malicious cyber
activity.
Agreed / Not agreed
e. Approve the public statement at Attachment A.
Approved / Not approved.
Attachment A – Public Statement on Declaratory Cyber Policy
The information revolution has given Australia untold opportunities to innovate, driving future economic growth and productivity increases that were unimaginable a generation ago. However, such opportunities come with challenges, particularly as threats from malicious
actors in cyberspace have increased. That is why, today, I am announcing a new cyber policy to safeguard Australian interests in cyberspace. I am accompanied by the Commissioner of the Australian Federal Police and the Director of the Australian Signals Directorate. Australia is a global leader in cyberspace capability. With recent advances in technology and techniques, cyberspace is no longer the anonymous playground of malicious cyber actors. Australian officials can, and will, quickly identify perpetrators of malicious activity on Australian systems. Australia reserves the right to publicly identify these actors and, where appropriate, lay charges against them. Today, the Commissioner of the AFP will be announcing the identification and charging of 13 malicious cyber actors associated with the terrorist group ISIS. Australia’s capability in cyberspace is not limited to defensive operations and identification. Through the Australian Signals Directorate, Australia has developed significant offensive cyber capability. This capability is used to support the general operations of the Australian Defence Force and, where appropriate, can be used separately in specific operations. However, there are important limitations to the use of Australia’s cyber capability. I want to make clear that when conducting cyber operations, the law of war principles of military necessity, proportionality and distinction apply. Australia will not use its cyber capabilities to damage critical civilian infrastructure or the networks of financial institutions. Australia also does not and will not engage in cyber espionage for the economic benefit of commercial entities. Australia’s response to malicious cyber activity also extends beyond actions in cyberspace and law enforcement. Australia considers an attack on its interests in cyberspace no different to an attack in other domains. Australia reserves the right to use all avenues of response, including economic, diplomatic and, where a cyber incident poses a significant threat to our national security, military. Military responses to cyber-attacks could include aforementioned offensive cyber operations as well as operations in the more traditional land, sea and air domains. The Director of ASD is here to provide an example of the use of Australia’s cyber capability. He will do so now, before the Commissioner of the AFP makes a brief statement. Further details are provided in the press-packs being handed out. I will take questions after the Director and the Commissioner have finished speaking.
