This article is by Professor Dan Svantesson of Bond University and first appeared in The Conversation.
In response to the Russian cyber attacks that have accompanied its invasion of Ukraine, the Ukrainian government has begun recruiting what it calls an “IT army”.
Perhaps a more accurate term would be a “cyber militia”, given it will consist of civilian volunteers. In any case, it aims to repel Russian hackers’ attacks, and launching cyber counterstrikes of its own.
Ukrainian Vice Prime Minister Mykhailo Fedorov, who is also the country’s digital transformation minister, has called “digital talents” to join the resistance effort.
Reports suggest more than 275,000 volunteers from around the world have already answered the call, although verifying an exact figure is impossible at the moment.
A will to help – but are we allowed?
Russia’s war on Ukraine is half a world away from Australia. But many Australians recognise the importance of helping Ukraine, on both humanitarian grounds and because of the wider geopolitical ramifications.
While countries such as the United Kingdom, Canada and Denmark have opened the door for their citizens to enlist in Ukraine’s international territorial defence legion, the Canberra government has so far advised Australians not to do so.
But in an interconnected world, volunteers who are unwilling or unable to physically help Ukraine could potentially join its cyber militia.
However, there’s one snag as far as Australians are concerned: Australia’s criminal law makes it illegal to engage in many of the activities that might be required of members of a foreign-organised cyber militia. Put simply, “hacking” is a crime.
A proposed ‘cyber militia bill’
The Australian government has not publicly expressed a view on whether Australians should be barred outright from joining Ukraine’s cyber fight.
One way the government could address this would be to introduce specific legislation aimed at creating legal safeguards for genuine members of a foreign state-run cyber militia, within a narrowly defined set of circumstances.
Such people would need protection from being held to have violated the hacking-related provisions of Australia’s criminal law. And they would also need legal safeguards against civil liability and against being extradited.
This protection should apply unless the person has acted in violation of international law.
Of course, such legislation would need to be carefully designed, and its implications rigorously considered.
Policing the cyber army
One problem with cyber attacks is the issue of attribution. It can be hard to identify who is responsible for the attack with the level of confidence required under international law. This means cyber attackers often have a crucial advantage over those seeking to defend against them.
“Non-state actors” such as hacker groups might be willing to attack targets that are off-limits for state agents, such as hospitals or other civilian infrastructure. This can cause conflicts to escalate dangerously.
Consequently, it is vital that any proposed legal protection for cyber combatants would be conditional on governmental oversight. In my proposal, this is achieved by the involvement of both the Australian government and that of the foreign power in direct control over the cyber militia.
More specifically, this means the Australian government should have the discretion to designate that a specific country’s cyber militia (and not those of other countries) as being governed by the new rules.
I suggest the government should consider exercising that discretion where:
- a foreign state has established the cyber militia;
- that foreign state has invited foreigners to join its cyber militia; and
- that foreign state is under armed attack by another state.
Only members of such a designated cyber militia would be protected. That ensures Australia can prescribe the situations in which it deems it acceptable for Australian citizens to engage in cyber warfare as part of a foreign cyber militia.
Further to this, participants should only enjoy legal safeguards where they have acted on specific orders issued by the foreign state in control of the militia. This is the second method of ensuring state control, and in the current situation, that control would be exercised by the Ukraine.
Another important question is how to strike a balance between offensive and defensive activities. To minimise the risk of Australia being seen to violate international law, I propose that only “defensive activities” - such as measures safeguarding vital computer systems in Ukraine - would be legalised for Australian members of a foreign cyber militia, and these “defensive activities” should be defined very carefully.
A necessary step, but not the only one
Clearly, this proposal is a response to the current invasion of Ukraine, and the Russian cyber aggression that has accompanied it. But given future wars are also likely to be fought in cyber space, this proposal will also be more broadly relevant.
Sooner or later, Australia will have to reckon with the prospect of significant numbers of citizens becoming involved in foreign cyber warfare. And there’s truly no time like the present.
A version of my proposal could usefully be adopted by any nation that wants to support the defence of Ukraine. But in the meantime, there are still things concerned Australians can do to help the Ukrainians.
Donations to carefully selected organisations is one option, but social media abounds with other possibilities too. One creative option is to counter Russian disinformation by posting verified information about the atrocities on any Russian site that allows user posts – such as restaurant reviews, for example. Such posts are very likely to be removed, but if posted in sufficient numbers they may reach some of the Russian people.