Australia and the United Kingdom governments have issued a joint statement welcoming the Commonwealth Cyber Declaration, essentially calling on public and private sectors to work together for public good online, and countries globally to treat norms and laws that apply in the physical world in the same way when acting online.
This declaration specifically includes recognising the role of the private sector in implementing appropriate measures to protect themselves and their customers from cyber-threats, the coordination of approaches to the security of Internet-connected devices and associated services, the need to deepen cooperation to combat cyber-crime and a commitment to promote clear expectations of responsible state behaviour in cyberspace.
The two countries note their commitment to co-ordinate cyber-security capacity building efforts, particularly within the Asia Pacific Region, including through tangible support to the implementation plan of the Commonwealth Cyber Declaration.
Part of the aim is fostering international stability, affirming that the rules-based international order must be upheld online, just as it is offline. There is criticism of states and their proxies who pursue their objectives via malicious cyber-activities contrary to international law and identified norms of responsible state behaviour.
Instead the two countries call for a free, open, peaceful and secure cyberspace, saying that the foundation for responsible state behaviour in cyberspace is existing international law, including the law regarding the use of force, international humanitarian law, international human rights law and international law regarding state responsibility.
It contains a reaffirmation that the UN Charter applies in its entirety to state actions in cyberspace.
Particular attention is drawn to the prohibition of the use of cyber-tools to intentionally damage or impair the use and operation of critical infrastructure during peacetime and the obligation of states to respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another state emanating from their territory.
Australia and the UK say they will engage in practical cooperation to better deter, mitigate, attribute and counter malicious cyber activity by criminals, state actors and their proxies, and provide clear and consistent messaging of the consequences of such activity. The statement says:
“Our operational agencies, including the Australian Signals Directorate and Government Communications Headquarters and the Australian Cyber Security Centre (ACSC) and UK National Cyber Security Centre (NCSC), will continue to work closely together, taking practical measures to counter malicious cyber activity by states, criminals and others. We will share our respective areas of strength and improvement, and pilot new tactics, techniques and capabilities.
“We will develop a joint assessment identifying the most nefarious state and non-state actors affecting our shared cyber security. This assessment will help Australia, the UK and our partners prioritise operational, legal and diplomatic engagement to disrupt malicious cyber activity and strengthen our collective defences.
“We will deepen co-ordination on mitigation strategies against both Advanced Persistent Threats (APTs) and the widespread commodity hacking that affects the economic prosperity of our countries including through the development and implementation of automated technical measures such as Active Cyber Defence.
“We will deepen co-operation on tackling cyber-crime. This will cover the sharing of and building on best practice, and looking for creative ways in which greater pressure can be brought on to the organised criminal entities that cause us the most harm. We will also continue to promote the Budapest Convention on Cybercrime as the recognised global standard for tackling cyber-crime
“We will continue to call out unacceptable behaviour as we did in February condemning Russia's use of the ‘NotPetya' malware to attack critical infrastructure and businesses, and in December 2017 when we condemned North Korean actors' use of ‘WannaCry' ransomware to attack businesses and public institutions around the world.
“We will work with international partners to strengthen and coordinate global responses to malicious cyber-activity. Our responses will be proportionate to the circumstances of the incident and consistent with our support for the rules-based international order and our obligations under international law.”
It notes how in 2017 at the G20 meeting it was agreed that the rule of law applies equally online as it does offline. Plus it says how the two countries are committed to ensuring security and law enforcement agencies have the powers they need to keep the public safe while respecting human rights and data security.
The statement also notes how governments cannot meet the challenges of the digital age alone and will work together, in collaboration with industry, with social media, technology, and telecommunications companies.