The cyber and critical tech team at the Australian Department of Foreign Affairs and Trade has certainly been proactive about advancing their global and regional cyber engagement agenda. No easy feat when navigating intricate geostrategic realities in the Asia Pacific, the complexities of major power rivalries and rising strategic competition amid a global health crisis.
The team responsible for cyber affairs and critical technology at the Australian Department of Foreign Affairs and Trade (AUSDFAT) is creating a name for itself. Leading by example and focusing on measurable, sustainable actions, they continue to spearhead novel – and sometimes groundbreaking – cyber diplomacy and international cyber engagement initiatives. With this in mind, I asked Tobias Feakin and Johanna Weaver – a power duo of Australian cyber diplomacy – to share some lessons from Australia’s experience so far. I begin by asking what they think has worked, as well as what has not worked, as can often be the case. Feakin’s response displays the team’s foresight and willingness to adapt in practical ways to the realities of a rapidly changing technological landscape. This is by no means an easy ask of government ministries, which can tend towards slow-moving bureaucracy.
When Feakin first took office in 2017, he was the first to hold the position of Ambassador for Cyber Affairs for Australia, which he explains was by no means the norm internationally. In the years since, he notes, more countries than not have established a similar position with responsibility for international cyber engagement, sometimes within foreign ministries and sometimes within a national cyber agency. This trend is notable, considering that not all EU Member States have established such a position. Moreover, while many of these international cyber engagement teams continue to focus predominately on the international security dimensions of cyber diplomacy, Feakin displays forward-thinking openness to moving with the changing technological tide.
Feakin now prefers to “encourage a holistic approach that addresses international cyber, digital and technology issues in a comprehensive manner”. His own mandate has, in fact, expanded to include not only cyber affairs but also critical technology, reflecting the central role that technology issues have in politics. He explains that “a key part of this for Australia has been development and delivery of a Cyber Affairs Diplomatic Academy curriculum equipping diplomats and policymakers to address these issues as a core part of their existing responsibilities”. These steps are based on the belief that “as technologies integrate more and more into every aspect of life, it is likely that cyber diplomacy will simply become diplomacy”. Regardless of whether these issues are managed by dedicated teams within ministries of foreign affairs or mainstreamed across departments, as is increasingly common, Feakin is clear in his conviction that cyber, digital and technology issues will continue to be central tenets of foreign policy well into the future.
These practical approaches to international cyber engagement seem to enable the team to more effectively advance substantive foreign policy aspects of the cyber and critical tech agenda. I ask Feakin about specific international cyber engagement initiatives such as the Cyber Cooperation Program and related cyber capacity building focused on maturing the cyber agenda within the Asia Pacific region. It will not be lost on our readership that a key tagline from the 2017 Australian International Cyber Engagement Strategy is an ambition to be “global in perspective and regional in focus”. A core tenet of the Cyber Cooperation Program, for instance, is to improve cyber resilience across the “Indo-Pacific”, supporting Australia’s international cyber engagement goals and its commitment to deliver on the UN 2030 Agenda for Sustainable Development.
Feakin explains that this $34 million program “aims to equip countries in ASEAN and the Pacific with the capacity to respond to the challenges and harness the opportunities of increased connectivity. The Program has five areas of focus, namely: deepening understanding of the international cyber stability framework (in other words, international law, norms and confidence building measures); cybercrime prevention, prosecution and cooperation; cyber incident response; best practice technology for development; human rights and democracy online”.
Clearly, the Program takes a comprehensive approach to cyber capacity building that is not focused solely on the international cyber stability framework as a stand-alone theme. Feakin flags another aspect that will undoubtedly resonate with seasoned capacity building experts – he has “yet to attend a capacity building session and not learn something”. The team has a rule of thumb with potential relevance to teams the world over: team members try to attend these workshops because they recognise that “the value of this two-way exchange is difficult to quantify”.
Despite this intellectual and practical openness to two-way exchange and constant learning, Feakin’s team still faces challenges. One of the most significant, in his experience, is “ensuring programs are tailored to each country and respond to their specific needs”. He also repeats a sentiment heard often in this field, noting that coordination among donors is vital in terms of the content, nature and timing of workshops. He is positive though that these coordination efforts are improving, including through initiatives like the Global Forum on Cyber Expertise.
Strategic Rivalry in the Indo-Pacific
At this point, it seems like a natural segue to discuss the geostrategic realities facing an Indo-Pacific country like Australia and what they mean for the country’s interests and its international cyber agenda. One cannot escape the discourse surrounding a so-called rising China and the strategic competition between China and the United States that is perceived to be playing out in the region. In response, Johanna Weaver points me to remarks of the Australian Prime Minister, Scott Morrison, who has indeed recently recognised that the Indo-Pacific is the epicentre of rising strategic competition, noting that “it is the focus of the dominant global contest of our age”.
From Weaver’s perspective, “cyber, digital and technology issues infuse almost every aspect of this strategic competition, namely national security, international stability, economic prosperity and sustainable development”. In her view, “these factors make this agenda one of the most relevant and intellectually challenging of our times”, highlighting one of the factors drawing many regional cyber experts to the field. She explains how “power and influence is increasingly being exerted online, or via cyber and digital technologies, with direct impact on our experiences in the physical world”, arguing that “it follows that cyber and digital issues should no longer be seen as a separate agenda, or an add-on to, foreign and domestic policy; rather they should infuse every aspect of a country’s policy agenda, just as they do our national interests”.
Australia’s first International Cyber Engagement Strategy sets out a policy framework for the type of comprehensive engagement, as described by Weaver, and work is already underway to update it. The International Cyber and Critical Technology Engagement Strategy under development by DFAT will broaden the first strategy’s scope to include critical technology, reflecting the increasing interdependencies and connections between Australia’s cyber and technology policy interests, as emphasised by both Weaver and Feakin.
Contextually speaking, the team considers critical technologies to be those current and emerging technologies that will affect Australia’s, the region’s and the world’s safety, security and prosperity. The new strategy will take a comprehensive and coordinated approach to international cyber and critical tech issues. And in a time of high global and regional tension, it will “set out how Australia can influence international technology discussions, development and use to ensure that technology enables a safe, secure and prosperous Australia, Indo-Pacific and the World”. In Feakin’s mind, it would be “remiss of us not to demand that these technologies be made to reflect values we – as individuals and as countries – think are important”. However, he also recognises that “it would be naïve of us not to be prepared for others to have differing views”.
I then ask what kind of role the EU already plays or could play in relation to the evolving cyber agenda in the Asia Pacific. Feakin is highly positive about the Union’s potential, noting that there are already good examples of the EU playing both an “active and impactful role in the Indo-Pacific”. In particular, he points to the work of the Council of Europe Global Action on Cybercrime (Glacy+) in Tonga. Australia also cooperates with various EU Member States, such as the Netherlands, to deliver workshops on norm implementation and the application of international law to cyberspace.
Feakin is quick to note, however, that there is space for the EU to engage in “much more than just capacity building; all countries are grappling with similar questions on cyber and critical technologies; and there is much value to be gained from two-way exchanges of policy and best practice”. He suggests that coordination will be key in the future, and notes that his team is always open to exchanges.
Rising Strategic Competition and the UN
It is widely acknowledged that the combination of unfolding geostrategic dynamics, rising strategic competition and the global pandemic are impacting cyber diplomacy and aspects of the ongoing UN cyber processes. Australia’s Foreign Minister, Marise Payne, noted recently that global multilateral institutions are under unprecedented strain related to a new era of strategic competition. Weaver can speak first hand to these matters: she represents AUSDFAT in both the sixth UN Group of Governmental Experts and the inaugural UN Open Ended Working Group in negotiations surrounding responsible state behaviour in cyberspace.
Weaver is clear that “undoubtedly, geostrategic dynamics are evident in the UN cyber negotiations”. Despite these broader trends, Weaver is still optimistic that these negotiations will produce meaningful results, especially where COVID-19 has, in her mind, highlighted our increased technological dependence and interdependence. She elaborates: “All countries have a direct interest in ensuring a peaceful and stable cyberspace, and these negotiations present a unique opportunity to advance this shared interest”. Weaver sees these two UN groups as complementary, whereby “the inclusiveness of the OEWG ensures all countries play a direct part in deepening understanding of the rules of the road for countries in cyberspace. Meanwhile the smaller group format of the GGE allows a representative group of experts to delve deeply into some of the more sensitive topics with a view to identifying areas of confluence”.
As Australians and the international community band together to respond to COVID-19, it is concerning and unacceptable to Weaver that “malicious cyber actors are seeking to exploit the pandemic for their own gain, including seeking to damage or impair the operation of hospitals, medical services and facilities, crisis response and vaccine research”. Indeed, she notes that at recent OEWG consultations, there was strong support for a proposal that the OEWG report underscore that health infrastructure is critical infrastructure for the purpose of norms (f) and (g) specified in the 2015 GGE report. This means states should take appropriate measures to protect health infrastructure from ICT threats and that states should not knowingly damage or otherwise impair health infrastructure using ICTs.
Weaver emphasises that it is also important that states consider their existing obligations under international law, specifying that “depending on the circumstances, these could include the duty not to intervene in the internal affairs of another state, the prohibition on the use of force in international relations, and, during armed conflict, international humanitarian law. Under the law on state responsibility, a cyber operation against the health sector that is attributable to a state and which breaches one of these obligations will be an internationally wrongful act”. On this note, Australia has published its views on the application of international law to cyberspace as well as case studies by way of a non-paper that was submitted to the OEWG.
Weaver is quick to remind us, though, that negotiating consensus reports is only the beginning, cautioning that “to be meaningful, the words on a page need to translate into action”. The team at AUSDFAT certainly demonstrates how to be action-oriented. Mexico and Australia have spearheaded a cross-regional proposal for the OEWG report to recommend the establishment of a National Survey of Implementation of the UN cyber recommendations. It is hoped that this would deepen understanding of the UN Framework of Responsible State Behaviour in Cyberspace while identifying best practices and barriers to implementation, which, in turn, would inform better-targeted capacity building.
In a similar vein, another priority for Australia in both the GGE and OEWG is agreeing on practical guidance on implementation of the 11 norms of responsible state behaviour agreed upon in 2015. On this note, the team has actively submitted several supporting documents to the UN, such as the Australian implementation of the norms, country-agnostic commentary and best practice guidance, and a compilation of best practice advice from the private sector and civil society.
The GGE and OEWG are scheduled to finalise their respective reports in April and May 2021. Weaver observes that “there is a clear appetite among UN member states to continue inclusive and transparent discussions”. Australia’s Research Paper – What next for advancing responsible state behaviour at the United Nations? – considers potential elements of a new UN cyber forum drawing on lessons learned from the Small Arms and Light Weapons Program of Action. The Research Paper complements a cross-regional proposal led by Egypt and France for establishment of a Cyber Program of Action (a summary of which is available here). Weaver emphasises that “the details need to be discussed and agreed by all UN members, but a Cyber POA – or POA-style mechanism – could have many benefits. It would establish a permanent UN forum, thereby signalling to the world that preserving a peaceful and stable cyberspace is a priority issue for all countries. It could be mandated to continue to study and discuss complex issues (such as international law and norms), while also bringing a new focus on ‘practical action’; for example, by providing for voluntary surveys of implementation and tailored capacity building support”. Suffice it to say, there is lots to discuss as both groups enter the home stretch of negotiations.
Circling back to the pandemic, Weaver describes how “in many respects, malicious cyber activity against health infrastructure encapsulates the challenge and opportunity of current UN negotiations: the existing framework of responsible state behaviour in cyberspace applies to the threat, but we need to deepen awareness of ‘how’ it applies, while increasing implementation and adherence to the agreed framework”. The global pandemic is certainly forcing contemplation about how the framework of responsible state behaviour in cyberspace does indeed apply.
Gender Parity and Diversity in the UN Cyber Negotiations
Coming to the end of the interview, we would be remiss not to draw attention to recent endeavours by Australia and other states to link issues of gender to the international security cyber agenda. In her immediate area, Weaver sees women underrepresented at UN negotiations on the use of technologies in the context of international security, despite the fact that women are uniquely and differently impacted by conflict and that women’s direct participation in peace negotiations increases the sustainability and the quality of peace. She argues that we must “close the participation gap: it’s not enough to simply have more women in the room, we must create an inclusive environment in which they can meaningfully contribute.”
In fact, Weaver delivered a passionate talk on this topic during the Closing the Gap Conference in July 2020. Weaver was also one of the initiators of the Women in International Security and Cyberspace Fellowship, a joint project by the Governments of Australia, Canada, the Netherlands, New Zealand and the United Kingdom. This fellowship saw gender parity achieved in interventions within UN First Committee discussions for the first time in the history of the UN. However, Weaver is quick to remind me that gender diversity alone is not enough; more broadly defined diversity is also beneficial.
Throughout the interview, the team displayed examples of Weaver’s conviction that “action must be taken to address problems and to ensure that action produces direct and measurable results”. No doubt a sign of things to come.
About the Author
Caitríona Heinl is Executive Director at The Azure Forum for Contemporary Security Strategy, Ireland and Adjunct Research Fellow at the School of Politics and International Relations at University College Dublin (UCD). Caitríona has over a decade of experience in international and Irish research and academic environments working on transnational crime, international security and defence questions with particular focus on cybersecurity policy, emerging technologies, and regional security.