By Dr Samuli Haataja
Griffith Law School
In recent weeks there have been reports (here and here) of cyber attacks against the Australian Parliament’s computers and networks, and in the course of investigating this incident, it was revealed that the networks of Australia’s major political parties had also been compromised by who are believed to be Chinese actors. While it is unclear as to the type and extent of information compromised, these intrusions add to a growing list incidents involving malicious cyber attacks against states. In recent years these include the Russian interference in the 2016 United States presidential election and the NotPetya malware that was described by the US as ‘the most destructive and costly cyber-attack in history’, resulting in billions of US dollars’ worth of damage and major disruptions to global shipping and trade.
Part of the problem with these incidents is the uncertainty surrounding the application of international law to state activities in cyberspace. While states have agreed to certain norms of behaviour in the cyber context, there continues to be disagreement about the application of existing rules of international law in this context. It is generally in this ‘grey zone’ of uncertainty that many malicious cyber activities – like those recently against Australia – take place which often border between political espionage and interference in a state’s domestic affairs.
Despite lack of international agreement among states (such as a treaty) about international law in cyberspace specifically, a group of international law experts have authored the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. The Tallinn Manual is a comprehensive but non-binding account of the way in which existing international law applies to state activities in cyberspace. It provides rules prohibiting, for example, cyber attacks that constitute interventions into a state’s domestic affairs as well as those that result in physical effects and can be characterised as prohibited uses of force under international law. However, particularly problematic for the Tallinn Manual’s authors too were cyber attacks that compromise data and network security without undermining the functioning of computer systems or causing physical damage to hardware components. It is especially these kinds of cyber attacks and those with disruptive (but not destructive) effects that can be problematic under international law as they do not always fit neatly into the conceptual bounds of many existing legal principles and doctrines which are underpin by more traditional accounts of what constitutes harm and violence.
In my recent book I argue that we need to rethink the notion of violence that underpins existing international law in this context. This also involves reimagining the state as the entity subject to harm through cyber attacks. In this context I draw on the theory of information ethics (as developed by Luciano Floridi) to account for the ‘informational violence’ that cyber attacks can cause against states that increasingly rely on data and various digital technologies for their proper functioning. Information ethics is a novel ethical framework that adopts an environmental approach to thinking about what is good for the ‘infosphere’ – a concept that includes everything from natural environments to digital environments like cyberspace. This theory recognises that all entities – whether human beings or animals or data – can have some degree of moral value, and it provides moral principles to guide the behaviour of responsible and caring agents. Drawing on Floridi’s work, one of the central arguments of my book is that the non-physical effects of cyber attacks can be seen as a form of informational violence against the state, and that the ontology underpinning the law needs to be updated to enable it to better regulate the new forms of violence prevalent in cyberspace.