White Hat, Black Hat, Slouch Hat: Could Australia’s Military Cyber Capability be Deployed Under Commonwealth Call-Out Powers?
Published date | 01 June 2023 |
DOI | http://doi.org/10.1177/0067205X231166697 |
Author | Brendan Walker-Munro |
Date | 01 June 2023 |
Subject Matter | Articles |
Article
Federal Law Review
2023, Vol. 51(2) 182–204
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/0067205X231166697
journals.sagepub.com/home/flr
White Hat, Black Hat, Slouch Hat:
Could Australia’s Military Cyber
Capability be Deployed Under
Commonwealth Call-Out Powers?
Brendan Walker-Munro*
Abstract
In April 2016, then Prime Minister Malcolm Turnbull confirmed theexistence of Australia’s offensive
cyber capability. Said to constitute both a coordinating Information Warfare Division inside the
Australian Army as well as dedicated cyberoffensive capability inside the Australian Signals Direc-
torate, the unveiling of this capability was a watershed in Australian defence policy. Yet whilst the
literature has briefly examined whether Australia’s cyberoffensive capability is congruous with in-
ternational law , no such analy sis under Aust ralia’s domestic laws has been undertaken. This paper
seeks to partiallyaddress this gap in the researchby focusing on whetherthe Australian Defence Force
could legally launch cyberattacks agai nst domestic targets under Commonwealth call-out powers.
Accepted 3 May 2022
At a press conference on 21 April 2016, then Australian Prime Minister Malcolm Turnbull did what
no other Head of State in the world had ever done —he revealed the existence of his country’s
offensive cyber capability.
1
Housed within the obscurely named and highly secretive Australian
Signals Directorate (‘ASD’), and later supported by the newly formed Information Warfare Division
within the Australian Defence Force (‘ADF’),
2
both the existence of the capability and the Prime
Minister’s public acknowledgement of it marked a watershed shift in Defence policy.
Other nations soon followed suit with their own disclosures, with other nations of the Five Eyes
alliance including the United Kingdom (UK), United States (US) and Canada, admitting to the
existence of offensive cyber capabilities.
3
Evidence increasingly began to mount that adversarial
* The University of Queensland, Senior Research Fellow, Law and the Future of War Research Group, T C Beirne School of
Law, The University of Queensland, Australia. The author may be contacted at B.walkermunro@uq.edu.au. The author
received financial support from the Trusted Autonomous Systems Defence CRC.
1. Malcolm Turnbull, ‘Launch of Australia’s Cyber Security Strategy’(Speech, Sydney, 21 April 2016).
2. FergusHanson and Tom Uren, Australia’s Offensive Cyber Capability (Policy Brief, Australian Strategic Policy Institute,
10 April 2018) 5.
3. J eremy F lemi ng, ‘Director’s spe ech at Cyber UK 2018’(Speech at the CyberUK, 2018 Conference, Manchester, 12 April
2018) <https://www.gchq.gov.uk/pdfs/speech/director-cyber-uk-speech-2018.pdf> accessed 5 February 2023; United States Cyber
Command: Hearing Before the S. Comm. on Armed Services, 115th Cong. (2018) (statement of Admiral Michael S Rogers,
Commander, United States Cyber Command); Government of Canada, Strong, Secure, Engaged: Canada’s Defence Policy (2017) 41.
states such as China, Russia and North Korea —long rumoured to have military cyber capabilities
of their own —were also deploying these capabilities to devastating real-world effect.
4
Further announcements from Australia’s Commonwealth government demonstrated an ongoing
commitment to the deployment of a military cyber capability.
5
Most recently in 2021, Scott
Morrison announced the signing of AUKUS, a trilateral defence pact with the UK and US. One of
the major parts of AUKUS was the agreement to share technological developments in quantum
computing and cyber capabilities.
6
In almost every statement associated with these capabilities, we as members of the public have
been reassured that these operations will comply with Australia’s international obligations, in-
cluding international humanitarian law (‘IHL’). We have also all been told that such cyberattacks
will be limited to malicious actors and cybercriminals located overseas. But could they be used here
in Australia?
Surprisingly, there has been scant public or academic debate about the legitimacy of domestic
ADF cyberattack operations under Australian laws. This could be because it has never been
considered necessary, or the idea of using ADF cyberoffensive capabilities to protect Australian
assets or citizens domestically has not been fully contemplated. Yet in the increasingly connected
economy and society within which Australia operates, where cyberattacks can have devastating
real-world consequences,
7
the potential for the ADF to be deployed in response to such attacks is
seemingly inevitable.
Understanding the legislative underpinnings for domestic cyberattack operations is important not
only to ensure appropriate immunity exists for the ADF, but also to maintain public support for the
ADF by proving cyberattack operations are conducted pursuant to the rule of law. Cyberattacks that
are not compliant with Australian laws will, conversely, reduce Australia’s global reputation,
undermine community confidence in the ADF and may also provide grounds for criminal or civil
liability against the ADF, its officers or members. For these reasons, it is important that the cir-
cumstances under which Australian military cyber capabilities might be deployed can be appro-
priately articulated and explained.
This paper will contribute to the burgeoning literature on the legality of cyberattacks by ex-
amining the domestic legitimacy of the ADF and/or ASD being deployed to engage in cyberattacks
within the territorial boundaries of Australia. The focus of my examination will be on the call-out
powers contained in the Defence Act 1903 (Cth) (‘Defence Act’); however, there are also certain
ancillary pathways to the deployment of Australia’s cyberoffensive capability that will be
discussed —such as under the Intelligence Services Act 2001 (Cth) (‘IS Act’). Considerations of
IHL and international law,
8
though worthy of consideration, are not in scope.
4. EdCaesar, ‘The Incredible Rise of North Korea’s Hacking Army’,The New Yorker (online, 19 April 2021) <https://www.
newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army>.
5. Malcolm Turnbull, ‘Press Conference with The Rt Hon Theresa May MP, Prime Minister of the United Kingdom:
10 Downing Street, London: 10 July 2017’(Press Conference, 10 July 2017); Malcolm Turnbull, ‘Speech at the opening
of the Australian Cyber Security Centre Canberra’(Speech, 16 August 2018).
6. Scott Morrison, Boris Johnson, Joseph R. Biden, ‘Joint Leaders Statement on AUKUS’(Media Statement, 16 September
2021) <https://pmtranscripts.pmc.gov.au/release/transcript-44109>.
7. For example, Colonial Pipeline in the US was hit by a cyberattack in May 2021 which completely disabled the company
for nearly a week: Mary-Ann Russon, ‘US fuel pipeline hackers “didn’t mean to create problems”’,BBC News (online,
10 May 2021) <https://www.bbc.com/news/business-57050690>; see also Maskun Maskun et al, ‘Cyber-Attack: Its
Definition, Regulation, and ASEAN Cooperation to Handle with it’(2021) 4(2) Jambe Law Journal 131.
8. See, eg, Michael N Schmitt, TallinnManual 2.0 on the International Law Applicable to Cyber Operations (Cambridge
University Press, 2
nd
ed, 2017); Convention on Cybercrime, opened for signature 23 November 2001, CETS No 185
(entered into force 1 July 2004).
Walker-Munro 183
To continue reading
Request your trial