This is Part 2 of 2 of an article exploring State responsibility for cyberattacks based on the sic utere maxim. Part 1 set out the evidentiary difficulties and principles relevant to the topic. Part 2 continues the analysis in Part 1 by considering how the principles described in that Part might apply to reported cyberattacks on Optus and the Australian parliament, including what might be forensically necessary to establish a claim based on a breach of the sic utere maxim in those contexts.
As set out in Part 1 of this article, on 22 September 2022, Optus, an Australian telecommunications company, was the subject of a massive data breach which affected over 9 million of its customers. While the attack on Optus was likely conducted by a lone actor, other incidents, like a cyberattack on the Australian Parliament’s computer systems, are likely sponsored or conducted by other States.
Unsurprisingly, not all of the details of the Optus cyberattack or the cyberattack on the Australian Parliament’s computer systems are known to the public. Nevertheless, we can conceptualise what might be necessary to establish a claim based on the sic utere principle for each event. If Australia:
- knew from its own investigations that the hacker or hackers responsible for each event were located in another State (assuming this was the case, and it could be proven with lay and expert evidence);
- could prove that the State of origin possessed a police force with the technology and powers available to at least attempt to identify and apprehend the individuals responsible (a matter of lay or expert evidence, or possibly even judicial notice);
- could prove that the State of origin knew or ought to have known of the risk or actual occurrence of the relevant attack (a matter of lay or expert evidence, or potentially inference from circumstantial facts); and
- knew that the original attack, or subsequent malicious activity flowing from it, took place after the State of origin had (or ought to have had) that knowledge, then there may be a sufficient factual basis to pursue a claim.
This is, of course, a difficult set of circumstances to prove, but it is nevertheless an easier task than trying to prove the relationship between an attacker and the State in which they reside: evidence that may be impossible for an affected State to collect if the State of origin is not fully cooperative.
As foreshadowed in Part 1 of this article, it may be that only an extremely sophisticated surveillance State would know of a cyberattack before it occurs, but once a cyberattack is a matter of public knowledge (or has been communicated privately by the Australian government to the government of the State of origin), then liability for any subsequent harm (like the sale of customer details in the case of the Optus cyberattack) may arise. Depending, of course, on the details of incidents that are largely obscured by national security measures, if the State of origin did possess notice of a cyberattack, and subsequent harm nevertheless occurred, then Australia could potentially argue by inference that the State of origin failed to exercise due diligence to prevent that harm. A failure or reluctance on the part of the State of origin to cooperate would be a further factual matter supporting such an inference.
Assuming Australia possessed the evidence described above, it would then need to characterise the cyberattack in a way that is legally actionable. Recalling the decision in Corfu Channel detailed in Part 1 of this article, the concept described by the majority as an act ‘contrary to the rights’ of another State is likely the same as that referred to by the Tribunal in Trail Smelter as an ‘injurious act’. Yet as the Tribunal observed, ‘the real difficulty often arises rather when it comes to determine what, pro subjecta materie, is deemed to constitute an injurious act’ (at [1963]). According to the Tribunal’s reasoning, whether an act is relevantly ‘injurious’ – and therefore the starting point when applying the sic utere principle in cyberspace or otherwise – is a matter to be determined by reference to whether the act, if perpetrated by a State, would be unlawful.
Whether malicious cyber activity is internationally unlawful depends significantly on the scope and effect of that activity. Relevantly for the Optus cyberattack, the exfiltration of individuals’ personal data through the exercise of power or effective control over certain infrastructure may arguably give rise to a breach of the international human right to privacy (potentially actionable under articles 41 to 43 of the International Covenant on Civil and Political Rights). Certain kinds of cyber espionage may be similar. Such arguments find support in the Human Rights Committee’s observation that a State might infringe the right to privacy of individuals through its extra-territorial tapping of fibre-optic cables, regardless of those individuals’ location or nationality (see the 2014 Concluding Observations on the USA). However, that position is not without controversy, and it is unlikely to apply equally to international cyber surveillance which does not involve interference with physical infrastructure or equipment. Accordingly, absent any such interference with physical infrastructure, it is unlikely that the Optus cyberattack would constitute an internationally wrongful act on this basis.
Further, the use of methods of coercion through cyber means to intervene directly or indirectly in the internal and external affairs of another State may constitute a prohibited intervention (see the Declaration on the Principles of International Law Concerning Friendly Relations and Cooperation among States in accordance with the Charter of the United Nations, principle 3). While the Optus cyberattack does not appear to have had any political motive, it is possible that the cyberattack on the Australian Parliament’s computer systems did. If sufficient contextual evidence could be gathered to establish that the latter attack had a ‘coercive’ quality, then it is arguable that it constituted a prohibited intervention.
Otherwise, and unrelated to the case examples in this article, cyberattacks causing loss of life or destruction of infrastructure may arguably violate the prohibition on the use of force in article 2(4) of the Charter of the United Nations. Further, cyber activities may constitute a violation of territorial sovereignty where they: have a physical effect (e.g. a transboundary computer virus that causes an electricity grid to lose power) or involve physical trespass (e.g. a computer virus delivered via a USB device by a foreign entrant in the territory of another State); originate from one State and interfere with the exclusive jurisdiction of another State without the latter’s express or implied consent; and take effect in the territory of that other State (see, inter alia, Netherlands v United States of America (Award) (1928) 2 RIAA 829 at 838; France v Turkey [1927] PCIJ (Ser A) No 10 at [45]; Nicaragua v USA at [212]; Costa Rica v Nicaragua; Nicaragua v Costa Rica (Judgment) (2015) ICJ Rep 667 at [93]; and article 2(1) of the Charter of the United Nations).
Full and detailed consideration of each of these legal topics, and of the specific remedies that might be sought in respect of each, is beyond the scope of this article. Nevertheless, the foregoing analysis demonstrates that there are ample scenarios in which a host State’s liability may be enlivened by its failure to exercise due diligence to prevent malicious cyber activity originating within its territory or jurisdiction from taking effect in that of another State. Arguably, at least one real-world example, the cyberattack on the Australian Parliament’s computer systems, would constitute an act contrary to Australia’s rights. In circumstances where this and other such malicious cyber activity shows no sign of slowing down, States will hopefully receive greater clarity on the legality, or otherwise, of such activity in the not-too-distant future.
Angus Fraser is an Australia-based lawyer practising in commercial litigation. He graduated from the University of Queensland in 2018 with First Class Honours and has previously published on public international law and information technology and the law.