Does self-defence apply in cyberspace?

 

The Council of Europe Convention on Cybercrime,[1] which entered into force in July 2004, is the only binding international treaty on cybercrime. It serves both as a guide for nations developing comprehensive national legislation on cybercrime and as a framework for international co-operation between signatory countries.

Broadly speaking, the crime of unauthorised access introduced into national legal systems through the Convention is a re-interpretation of trespass property law. The question is, can the right to defend property be similarly translated to apply in the defence of property in cyberspace?

We believe that it is time for nations to convene again and agree on how provisions in national laws might be re-interpreted to confirm acceptable norms of behaviour in cyberspace.

In 2020 and 2021 we have, through the Active Cyber Defence Alliance,[2] been privileged to provide evidence to the Legislative Council of New South Wales on cyber security, to the Federal Government Parliamentary Joint Committee on Intelligence and Security for the Review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and Statutory Review of the Security of Critical Infrastructure Act 2018, and to the Department of Home Affairs, Cyber Policy and Strategy Branch.

 

Self-Defence

Some laws have universal application. Self-defence is one of these. Conduct which would otherwise amount to an offence is not an offence if it is done in self-defence.

In Australia self-defence is provided for in section 10.4 of the Criminal Code Act 1995 (Cth) [3] as follows:

(1) A person is not criminally responsible for an offence if he or she carries out the conduct constituting the offence in self-defence.  

(2) A person carries out conduct in self-defence if and only if he or she believes the conduct is necessary:

(a) …

(b) …

(c) to protect property from unlawful appropriation, destruction, damage or interference; or

(d) to prevent criminal trespass to any land or premises; or

(e) to remove from any land or premises a person who is committing criminal trespass; and

 the conduct is a reasonable response in the circumstances as he or she perceives them. [4]

Given that “Property” is defined in section 4 of the Criminal Code to include real property, personal property, money, and other intangible property, and “Person” includes a body corporate, the only re-interpretation required is in relation to (2)(e):

“to remove …”

References to “criminal trespass to any land or premises” have already been re-interpreted to mean unauthorised access to computers and networks[5] (criminal trespass).

What does “to remove …” from computers and networks a person who is committing criminal trespass mean?

Will the application of ‘Active Cyber Defence’ assist in answering questions on proportionality, reasonableness, timing, intention, negligence and recklessness relevant to self-defence?

 

Active Cyber Defence  

Active defence is defined as “the taking of proactive defensive measures outside the defended cyber infrastructure”[6] or “the attempt to counter ongoing external threats and neutralize them before they are carried out.”[7]

 

Active Defence in Australia

The Australian Government’s 2016 Defence White Paper and Australia’s Cyber Security Strategy of 2016 confirmed the Government’s offensive capability and acknowledged the need for government and the private sector to work together in defending Australia but excluded specific references to active defence.

Australia’s Cyber Security Strategy 2020 does not use the term “active defence” or “active cyber defence”, but it does refer to “actively prevent cyber attacks”, “actively defend networks”, “actively defending the critical infrastructure” and “actively defending Australia”.

The Australian Cyber Security Centre (ACSC)[8] website records active defence as:

“The principle of proactively implementing a spectrum of security measures to strengthen a network or system to make it more robust against attack.”

The ACSC records “The term active defence is not synonymous with ‘hacking back’ and should not be used interchangeably.”

 

Other concepts and definitions of Active Defence

While the definitions prepared by the International Group of Experts at the Invitation of the NATO Cooperative Cyber Defence Centre of Excellence (Tallinn 1[9] and 2[10]) are informative, they apply in the context of public international law and include offence which is off limits to the private sector.

More helpful for the private sector is the definition prepared by the Active Defense Task Force, Center for Cyber & Homeland Security (US):[11]

“Active defense is a term that captures a spectrum of proactive cyber security measures that fall between traditional passive defense and offense. These activities fall into two general categories, the first covering technical interactions between a defender and an attacker. The second category of active defense includes those operations that enable defenders to collect intelligence on threat actors and indicators on the Internet, as well as other policy tools (e.g. sanctions, indictments, trade remedies) that can modify the behaviour of malicious actors. The term active defense is not synonymous with ‘hacking back’ and the two should not be used interchangeably.”[12]

This definition is tailored to the private sector and excludes ‘hacking back’.  It accords closely with the ACSC.

 

ACTIVE DEFENCE: PROACTIVE CYBER SECURITY MEASURES BETWEEN TRADITIONAL PASSIVE DEFENCE AND OFFENSE[13]

Active Cyber Defence concerns the (non-exclusive) activities listed in the ‘gray zone’ above.

 

Application

How does Active Defence apply in practice and where is it equal to self-defence? Let’s explore a scenario:

Company A has inserted beacons into protected documents. In the following situations, how will self-defence apply to the possible range of Active Defence responses in the diagram above?

    1. Attack imminent:
    • Scenario 1: Company A learns that Company B will soon breach its network and intends to exfiltrate valuable Intellectual Property. What pre-emptive actions can Company A take?
      • Clue: Pre-emptive attacks are lawful.
      • Clue: Is there a duty to act?
    2. Attack live:
    • Scenario 2: The beacons signal that the documents are being exfiltrated. The attack was unexpected and immediate. The situation is live and fluid. What can Company A do?
      • Clue: Self-defence is lawful.
      • Clue: What about ‘hot pursuit’?
    3. Attack over:
    • Scenario 3: The beacons signal that the documents have been delivered to a fixed location with a verified IP address. What can Company A do?
      • Clue: Retribution is not lawful.
      • Clue: Possession is tantamount to ‘ownership’.

 

In conclusion

There is not one right answer. Boards, however, are called upon to make decisions, formulate strategy and set risk appetite, and in this regard we look forward to our continued involvement with Government in seeking legal clarity for current cyber threat challenges.

We invite responses from organisations to the questions raised – most particularly from owners and operators of critical infrastructure organisations – because critical infrastructure reform requires organisations to undertake ‘exercises’ of this nature.

 

 

Notes:

[1] https://www.europarl.europa.eu/meetdocs/2014_2019/documents/libe/dv/7_conv_budapest_/7_conv_budapest_en.pdf

[2] The ACDA is a special interest group comprising industry, academic and government stakeholders whose aim is to foster awareness, adoption and capability in Active Cyber Defence practices across Australia with the goal of lifting Australia’s cyber resilience. Active Cyber Defence employs cyber intelligence, deception, active threat hunting and lawful countermeasures to detect and respond to malicious activity sooner and potentially more effectively than is possible with passive defence.

[3] The Criminal Code Schedule. General principles of criminal responsibility. Chapter 2. Circumstances in which there is no criminal responsibility. Part 2.3. Circumstances involving external factors. Division 10. Only relevant provisions are quoted.

[4] This section does not apply if the person uses force that involves the intentional infliction of death or really serious injury to achieve (c), (d) or (e), or if the person is responding to lawful conduct knowing that the conduct was lawful. Other countries have similar provisions e.g. Singapore, New Zealand, Hong Kong, India.

[5] Criminal Code Act 1995 (Cth). Part 10.7 – Computer Offences.

[6] Michael N Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press, 2nd ed, 2017).

[7] Lucas Kello, The Virtual Weapon and International Order (Yale University Press, 2018) 229.

[8] https://www.cyber.gov.au/acsc/view-all-content/glossary/active-defence.

[9] Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013) (prepared by the International Group of Experts) (member of the International Group of Experts).

[10] Tallinn Manual on the International Law Applicable to Cyber Warfare (Michael N. Schmitt ed., 2013) (prepared by the International Group of Experts) (member of the International Group of Experts).

[11] George Washington University Center for Cyber and Homeland Security, “Into the Gray Zone,” (2016) https://cchs.gwu.edu/gray-zone-active-defense-private-sector-against-cyber-threats https://creativecommons.org/licenses/by/4.0/

[12] US spelling retained.

[13] Diagram from the Project Report: Into the Gray Zone. The private sector and active defence against cyber threats. Centre for Cyber and Homeland Security. October 2016.

ICTLC Australia
australia@ictlegalconsulting.com