In situations of international concern, alternatives to armed force are frequently necessary to resolve a situation, mitigate its effects, or hold accountable those responsible. This is where sanctions play a crucial role.
Significant cyber incidents can harm individuals, businesses, economies, or governments, both in Australia and around the world.
Australia established a sanctions regime in relation to significant cyber incidents on 21 December 2021. This article explores the key aspects of the significant cyber incidents sanctions regime.
The significant cyber incidents sanctions regime
The significant cyber incidents sanctions regime (the regime) is a thematic autonomous sanctions regime. Unlike a country-specific autonomous sanctions regime, a thematic autonomous sanctions regime applies to sanctionable conduct wherever it occurs in the world.
This is crucial as cybercrime is transnational by nature and is not restricted by international borders. It is in the global interest for all countries to cooperate in the fight against cybercrime.
Under the regime, the Minister for Foreign Affairs may designate a person or entity for targeted financial sanctions and declare a person for a travel ban if the Minister is satisfied the person or entity has caused, assisted with causing, or been complicit in, a cyber incident or an attempted cyber incident that is significant or which, had it occurred, would have been significant.
When will the regime be applied?
The application of the regime will be limited to the most serious cyber incidents of international concern. Before making a designation or declaration under the regime, the Minister for Foreign Affairs must secure written agreement from the Attorney-General and consult with other relevant Ministers, as deemed appropriate by the Minister for Foreign Affairs.
What is prohibited by the significant cyber incidents sanctions regime?
The significant cyber incidents sanctions regime imposes the following sanctions measures:
- Restrictions on providing assets to designated persons or entities.
- Travel bans on designated persons.
- Restrictions on dealing with the assets of designated persons or entities (requirement to freeze assets).
Under the regime, it is prohibited to make an asset available directly or indirectly to, or for the benefit of, a designated person or entity, and to use or deal with an asset that is owned or controlled by a designated person or entity.
An “asset” includes an asset or property of any kind, whether tangible or intangible, movable or immovable. The Consolidated List available on DFAT’s website includes the names of all designated persons and entities.
A designated person or entity is an individual, organisation, group or business who is subject to targeted financial sanctions under Australian sanctions law. Those listed may be Australian citizens, foreign nationals, or residents in Australia or overseas.
The relevant legislation for the significant cyber incidents sanctions regime includes the following:
- Autonomous Sanctions Act 2011
- Autonomous Sanctions Regulations 2011
- Autonomous Sanctions (Designated and Declared Persons – Thematic Sanctions) Instrument 2022
- Customs (Prohibited Exports) Regulations 1958
- Migration Regulations 1994
Who must comply with sanctions?
Australian sanction laws apply to activities in Australia and to activities undertaken overseas by Australian citizens and Australian‐registered bodies corporate.
If you become aware that you are holding an asset of a designated person or entity, you are required to freeze (hold) that asset and notify the Australian Federal Police (AFP) as soon as possible.
In some circumstances, it may be possible to obtain a sanctions permit from the Minister for Foreign Affairs to engage in an activity that would otherwise be prohibited by a sanctions measure.