Ten years ago, in September 2011, Australia and the US stretched ANZUS to cover cyberspace. That year’s AUSMIN communiqué addressed the challenges posed by growing cyber threats, specifically endorsing a joint statement on cyberspace. The statement committed Australia and the US, ‘in the event of a cyber attack that threatens the territorial integrity, political independence or security of either of our nations … [to] consult together and determine appropriate options to address the threat’.
The inclusion of cyber matters was seen as maintaining the relevance of ANZUS in the face of new threats. Both countries had been grappling with cybersecurity since the first warnings of imminent cyberwar in the early 1990s. The inclusion of cyberspace—notably extending the remit of Article V—suggests more than simply diplomatic discussion: it implies the possibility of a conflict triggered by a cyberattack.
Ten years have passed since the statement. There’s been no cyber-triggered conflict. Yet the online environment has become more dangerous, adversaries more numerous and capable, and actual and potential costs higher and more widespread. The number of attacks has increased by orders of magnitude, and the breadth of attacks—their form, purpose and targets—has similarly expanded. Perpetrators can lurk in systems for years without being detected. Means and methods are multipurpose: they can be used for attacks, for intelligence collection and for criminal purposes, including extortion, and the blurring of intent, effect and consequence. The lucrative nature of cyber operations, underpinned by the technologies’ ease of access, has created a hypercompetitive market for malware and new business models, and services for hire are available to both criminals and nation-states.
We’ve also gained a better understanding of how cybertechnology may be used in or to shape a conflict from cases in the Middle East (most notably Israeli and Iranian activities, but also Islamic State, Syrian and Turkish activities), Eastern Europe (especially the Russian use of cyberattacks in concert with conventional warfare in Georgia and Ukraine) and our own region (Chinese activity, including against Indian infrastructure during border clashes).
So cyberspace has become contested in more ways than expected. It’s now intrinsic to warfare but, perhaps more importantly, it’s being used to shape the strategic and operational environment. There are costs imposed on individuals, companies and institutions, not just national governments, almost always without redress, undermining resilience and trust.
Given such events, the inclusion of cybertechnology under ANZUS seems to have served little purpose. Yet that would be too superficial a judgement, on three counts.
First, there’s the nature of the ANZUS alliance. Much of its value lies in the slow institutionalisation of expectations, practices and world views between a large, capable partner and a small, willing partner. The alliance, predicated on our shared strategic interests, still works best within the traditional portfolios of defence and diplomacy.
Notably, initiatives under the ANZUS banner have more substance than those outside its remit. For example, cybertechnology has been discussed at all AUSMIN meetings since 2011, which have produced further agreements on the application of international law in cyberspace and on the joint development of advanced cyber capabilities, which have realised outcomes. In contrast, initiatives agreed by President Barack Obama and Prime Minister Malcolm Turnbull in 2016 lacked the support of an institutional framework and ongoing political impetus: though worthy, they have largely fallen by the wayside. That may be a measure of ambition; it also reflects priorities.
Second, because cyber matters have lain primarily with the intelligence and security agencies, it’s been the Five Eyes relationship, not the ANZUS alliance per se, that’s driven operational cooperation. Operational needs have been allowed to drive policy and legislative responses.
Australia’s constitutional provisions (no bill of rights and no first amendment, for example) have made it easier for Canberra to lead the Five Eyes on banning Huawei from 5G networks, weakening encryption to meet internal security needs and legislating step-in powers over critical infrastructure.
Third, there’s the nature of cybertech. Its value to nation-states lies in its invisibility, subterfuge and deniability—characteristics especially valued by the intelligence community. But that nature, and the speed and transience of change in that domain, also make it hard to apply ‘normal’ tools of strategy, statecraft and defence. Yet a strategic, and statecraft, understanding of cybertech is needed: digital technologies are inextricable from daily life, individuality, economic activity, broader technological progress, institutions and the social substrate of nations. How cyber interference—the dark side of digital—is managed has consequences for trust in systems, institutions and governments: without care, that may work in favour of authoritarians and against democracies.
Those challenges may—and probably should—prompt a change in the role of the alliance. Cyberpower is but part of a broader diffusion and reaggregation of power resulting from digital technologies and social, economic and political realignments over the past 30 to 40 years.
So, while ANZUS still remains the stuff of bedrock, especially for Australia, it may make sense to expand Article II cooperation to strengthen our democracies, build resilience, improve technological competitiveness and provide guardrails to improve certainty during rapid change in the environment. If we’re less confident about a ‘secure, resilient and trusted cyberspace that ensures safe and reliable access for all nations’, as envisaged by the 2011 AUSMIN declaration, then we’d better be prepared for the alternative.
This post is an excerpt from ANZUS at 70: the past, present and future of the alliance, published by ASPI with support from the American Chamber of Commerce in Australia and edited by Patrick Walters.