�ʹڲ�Ʊ

When does a cyber attack become an act of war? And what's worth going to war over?

For Dr Sally Burt, it’s an evolving question that is becoming more prominent and critical.

The �ʹڲ�Ʊ Canberra academic, who runs a course on Cyber and International Security, began looking at the role cyber played in diplomacy after completing her PhD in Sino-US diplomatic history.

Dr Burt said she worked out quickly that history was the lesser interest in her research and was more curious about strategic competition and the rise of China. 

“We get to the point in the 1990s where the US is an incredible military power and wipes the floor with Iraq in the first Gulf War, China looks at that and says, ‘well, we're never going to beat them militarily. So how do we beat them?’ Dr Burt said

“And they decided being better at tech than the US would be the way to go. So China started working on getting ahead of the US in the tech world.”

Dr Burt said it wasn’t until Barack Obama took over the presidency in 2009 that the United States began to use cyber to drive the economy and national security.

His administration established key roles such as the White House Cybersecurity Coordinator and cyber ambassadors within the State Department, as well as developing the first comprehensive cybersecurity strategy.

But with Donald Trump now back in the White House, Dr Burt admits to feeling unease over how the United States and its adversaries engage.

Rules of the game

While the United Nations has a level of agreement on basic cyber principles, there's some robust disagreement over who writes these rules, and how they can be policed – if at all. 

“The doom and gloom side of me thinks the future is very bleak,” Dr Burt said.

“I don't see how this era of strategic competition ends without our adversaries being the ones on top. The optimistic part of me says we all get nicer and play better with each other and start establishing rules of the road. 

“There are some rules - it's not a complete Wild West in cyberspace.” 

There are 11 UN norms of , intended to reduce risks to international peace and security and contribute to conflict prevention.  

These norms are voluntary and non-binding and describe what states should and should not do in cyberspace.

The norms include responsible behaviour such as interstate cooperation on security, ensure supply chain security and protecting critical infrastructure. 

What is an act of war?

Despite these norms, Dr Burt said the global community was yet to decide on where the red lines are: when does a cyber attack become an act of war?

“For instance, the interference in the 2016 US election could be seen as a fundamental breach of sovereignty, yet it wasn’t met with publicly serious repercussions,” Dr Burt said. 

“Is that not a red line? Can I interfere with your sovereignty and that’s OK as long as it’s in cyberspace and I’m not sending in the military?

“None of those red lines have really been established. There's a whole grey zone where it's not black or white - we can push and see what happens. 

“That gets dangerous when rules are being made, because rules are shaped by how people behave. If states behave in certain ways and nobody responds appropriately, that becomes normal.

“If we don't get the rules right - if we have no rules - we're in real trouble. That would be like having trade with no rules about shipping - the world doesn't function well.  

“If cyber ends up with no rules, it would be drastic because tech companies and cybercriminals could do whatever they want.”

But while technical knowledge is important, addressing cyber challenges requires expertise from humanities and social sciences too. 

Understanding geopolitical contexts, strategic competition, deterrence theory, and diplomatic history is essential for effective cyber policy and strategy. 

Attribution of cyberattacks, for instance, requires both technical forensics and geopolitical analysis to determine who would benefit from specific actions. 

“It's really hard to definitively identify who's attacking you and prove it,” Dr Burt said. 

“To do the best we can in attribution, we need both the technical side and the humanities side. We need to understand what happened, how sophisticated it was, what the attack did, and what was the intent. 

“What data were they after? What did they do with the data?” 

China threat 

Chinese advanced persistent threat groups are reportedly embedded in critical infrastructure across the US, Australia, and the UK, potentially positioning China to hold these nations' infrastructure hostage during a future conflict.

Dr Burt says this represents how cyber capabilities enable coercive power without necessarily requiring kinetic warfare, changing the nature of international competition and conflict.

“From China's perspective, they don't have to fight - they're holding a gun to everyone's head saying, ‘I want to play over here in my sandpit’. And you let them because they have that leverage,” she said.

“Ukraine shows traditional war isn't finished, but China is focused on not fighting unless absolutely necessary, and they're finding ways to avoid direct conflict.” 

It is this idea that war could eventually become computer games that Dr Burt discusses with her students in her Cyber and International Security three-day course.

"They'd have to be dangerous computer games to achieve strategic objectives.

“If you're saving lives by just using automated drones, why not? That requires more humanities thinking than technical computer science perspective.”

• Dr Sally Burt will run her next Cyber and International Security three-day course from 21-23 October, 2025. This in-person course will be held on campus at �ʹڲ�Ʊ Canberra. You can find more information here.