As more and more of our lives moves into the digital realm, so too do some of our greatest vulnerabilities.
In May, international freight company Toll Group confirmed it had been subject to an attack on its IT systems in a bid to secure a ransom, while the NZX stock exchange has suffered a number of distributed denial-of-service attacks this year.
Covid-19 has also opened up new avenues for hackers to explore: New Zealand’s National Cyber Security Centre (NCSC), which focuses on potentially high-risk events and nationally significant organisations, said the pandemic had “created many opportunities for malicious cyber actors to steal data, commit financial crimes, undertake espionage or disrupt the systems of organisations with a pandemic response role”.
While some attacks may have purely financial motives, others have more geostrategic factors – and the hand of foreign countries – at play.
Thirty percent of the 352 cyber security incidents the NCSC recorded in 2019/20 had been linked to state-sponsored actors, while Government Communications Security Bureau director-general Andrew Hampton warned in August that “state-sponsored groups almost certainly have the capability and intent to target organisations for the purpose of gathering information about their response to Covid-19”.
But with room for uncertainty over what exactly countries can do to respond, the Ministry of Foreign Affairs and Trade (with Crown Law) has set out New Zealand’s view on how international law applies to the wild west of cyberspace.
The position paper argues that international rules such as the United Nations charter, the law of state responsibility and international human rights law apply online as much as they do offline.
“Calling someone out, you put the spotlight on it and you bring attention to it, it’s a much better response than trying to respond in a reciprocal kind of way, because otherwise, things just escalate.”
University of Waikato law professor Al Gillespie, who specialises in international law, told Newsroom MFAT was right to argue that a cyber attack could amount to a “use of force” against a nation – although the threshold for that was very high.
“Ultimately, what you’d have to be looking at is an attack [that] would be akin to if someone dropped a bomb on your country or threw a missile – it’s a high threshold, so we aren’t looking at those kinds of attacks.”
Instead, Gillespie said New Zealand faced a growing trend of malicious attacks involving ransomware or attempts to shut down organisations like the NZX.
In the position paper, the Government says countries can take legal countermeasures against wrongful cyber activity with their own actions online, provided they are “necessary measures, with minimally destructive effects, to defend against the harmful activity of malicious cyber actors”.
The paper says New Zealand is also “open to the proposition that victim states, in limited circumstances, may request assistance from other states in applying proportionate countermeasures” – perhaps implying collaboration among Five Eyes partners.
However, Gillespie said the Government had instead opted to publicly identify state actors behind cyber attacks in recent years, such as the Russian government’s 2017 involvement in the NotPetya attack and the role of China’s Ministry of State Security in what the GCSB called “a global campaign of cyber-enabled commercial intellectual property theft”.
“That kind of approach, where you call the country out, is the best way to deal with that, because they’ve got a responsibility to make sure that they agents aren’t causing havoc in other countries,” Gillespie said.
“Calling someone out, you put the spotlight on it and you bring attention to it, it’s a much better response than trying to respond in a reciprocal kind of way, because otherwise, things just escalate.”
That collaboration between countries was crucial given the innate difficulties in identifying the source and nature of a cyber attack, compared to one in the physical world.
“The grey area in this context is huge. If it’s a real obvious attack, like they’re trying to close down your infrastructure and … make your energy power grid crash or something like that, then yeah it’s serious.
“But what you’re getting here is a lot of grey material, and attribution is very difficult, so that you might suspect … the attack’s coming from somewhere, but often trying to be conclusive in that is a difficult task.”
“You’ve got all these principles of international law that traditionally applied to physical activities, you know, if it is soldiers on the ground, and here now you find these activities that can threaten territories of the state that can be done by someone sitting in their living room on a computer.”
It might seem tempting, then, to develop a new treaty designed specifically to deal with cyber attacks – but Victoria University of Wellington international law professor Alberto Costi told Newsroom it was easier to rely on old principles that could cover online actions, given the complexities involved with the treaty-making process.
“Keep in mind to adopt treaties, you need to get a large number of states with different interests, different views, to sit down and agree on a document that is really so short, so concise, that there is the risk of either it’s a treaty that will have no force … or the risk that the treaty can be interpreted in many different ways.”
While the actions did take place in cyberspace, they did originate from computers and – on occasion – the decisions made by political leaders, Costi said.
“You’ve got all these principles of international law that traditionally applied to physical activities, you know, if it is soldiers on the ground, and here now you find these activities that can threaten territories of the state that can be done by someone sitting in their living room on a computer.”
The problem is unlikely to dissipate: Gillespie said he expected cyberattacks to trend upwards, with “a continual catch-up game between those who are attacking and those who are building defences”.
That means the legal framework protecting countries like New Zealand, and how it is interpreted around the world, may be as important as ever.
