The multi-country condemnation today of cyber-attacks by Chinese state-sponsored agencies was a sign that there is growing frustration with recent behavior. However, it masks the true problem: international law isn’t strong enough or coherent enough to address this growing threat.
This coordinated announcement from several countries, including Australia, the United Kingdom, Australia, New Zealand, and the US, echos the latest threat assessment by the US intelligence community. Cyber threats from nation-states, and their surrogates, will continue to be acute in the foreseeable future.
New Zealand and other countries may not want to join the chorus against China. China has already called the claims “groundless” and “irresponsible”. The problem is real, however.
New Zealand’s Government Communications Security Bureau (GCSB), has just released a report that shows 353 cyber security incidents over the twelve months to the middle of 2020. This is compared to 339 incidents the previous year.
This is likely to be a small percentage of the total, as the emphasis is on high-impact events that target organizations of national importance. However, the GCSB estimates that state-sponsored attacks account for as much as 30% of all incidents in 2019-20.
Since then, there have been more serious incidents, including attacks on Waikato hospital and the stock exchange. These attacks are getting more sophisticated and causing greater damage.
There are warnings around the world that a major cyberattack could prove to be as devastating as a weapon of mass destruction. It is imperative to de-escalate.
Global solutions are missing
The attacks can be classified into two types: those carried out by criminals or those carried out by foreign governments. The line between these two types is blurred in reality.
It is easier to deal with foreign criminals than it is to combat attacks by other governments. Prime Minister Jacinda Arden recognizes the need for a global effort against cybercrime.
The government announced that New Zealand will join the Council of Europe’s Convention on Cybercrime. This global agreement was signed by 66 countries and is based on common legal standards, mutual aid, and extradition rules.
Unfortunately, many of the countries most suspected of allowing international criminal activity to occur within their borders are not parties to the agreement.
This includes Russia, China, and North Korea. They are now attempting to establish an alternative international cybercrime regime. This is in addition to several other countries that are not well-known for their tolerance of an open and free internet.
Cyberattacks are acts of war
It is more difficult to deal with attacks from other governments than criminals.
There are only a few principles that can be applied. These include the prohibition of countries using force or threat against any country’s territorial integrity or political independence and the obligation to behave friendly towards each other. One has the inherent right to self-defense if it is attacked.
Cyber activity sponsored by malign states, including ransoms, espionage, and breaches of privacy, might be considered unfriendly or in bad faith but are not acts of aggression.
Cyberattacks by other governments can be considered acts of war if they result in death, serious injury, or substantial damage to the target state. Cyberattacks on foreign elections could depend upon their impact, threaten peace.
Yet, despite these grave risks, there is not an international convention that governs state-based cyberattacks, in the same way, the Geneva Conventions regulate the rules of warfare and arms control conventions limit the weapons of mass destruction.
There are risks of retaliation
Despite the latest condemnation of Chinese-linked hacker attacks, the problem is not disappearing.
US President Joe Biden assured his Russian counterpart Vladimir Putin that the US would respond to any attack on its critical infrastructure during their recent meeting in Geneva. According to the administration, a new US agency that is aimed at countering ransomware would respond in “unseen ways”.
If there was no other way of resolving the conflict or repairing it, such responses would be legal and acceptable under international law. They could also be justified as necessary and appropriate.
The US may also call upon its allies and friends to assist it. New Zealand said that it was open to the idea that victim states could, in limited circumstances request assistance from other countries to apply proportionate countermeasures to someone who is acting in violation of international law.