“Information is powerful. And precious. It can shape battles, shake nations, protect us…or control us. Which is why nations spy.”  This simple yet sharp explanation of the ubiquity of spying is found upon entry at the Spy Museum in Washington, D.C. In the cyber era, espionage has not only taken on new dimensions, but also become a tolerated foreign policy practice. Peacetime political cyberespionage is largely perceived as “extralegal” by international legal scholarship, which justifies the argument that “we have always done it this way.”  This article will analyze some of these legal justifications and identify whether international law addresses the most invoked gaps and concerns. The analysis focuses on political state-sponsored espionage, as industrial espionage is subject to different international legal rules and has been largely covered in respect to cyberoperations again vaccine R&D during the current pandemic.

Why is Cyberespionage Perceived as Extralegal?

As international law does not explicitly address espionage outside armed conflicts, the dominant view on the international landscape is that these practices might be unlawful under various domestic laws, but do not violate international law. In the absence of an express prohibition in the U.N. Charter or a contrary erga omnes obligation, scholars and policy makers asserted the universality of this practice and the fact that states cannot be held accountable under existing international legal rules. Therefore, one of the few guiding rules remains the Lotus principle, which implies that if a specific action is not prohibited under international law, states are allowed to undertake that action. Scholarship has integrated cyberespionage practices in the application of traditional international law principles and customary international law rules. Early literature focused on linking hostile cyberoperations to the use of force. Malicious actors are often careful not to reach the threshold of destruction and physical harm, which in turn focused the conversation on the principles of sovereignty and non-intervention.

There are two schools of thought about how international law applies to state-sponsored cyber activity that takes place below the threshold of use of force. The first group argues that the principle of non-intervention applies to certain state-sponsored cyber intrusions, and that below the threshold set by this principle, cyberactivity may be unfriendly, but does not constitute a breach of international law giving rise to state responsibility. According to this approach, sovereignty is a principle of international law that may guide state interactions, but it does not amount to a standalone primary rule, an approach endorsed by the UK. The second view holds that such cyber operations may be unlawful as violations of the target state’s sovereignty, a rule of international law.

The line between cyber espionage and hostile cyberoperations is that the latter lead to data loss or destruction and affect the integrity of data, networks or systems. [i] Although most scholars regard state-sponsored cyberoperations involving a physical intrusion against another state as violations of sovereignty, they only partially agree that this is also the case for remote operations. The same approaches were visible among the Tallinn Manual 2.0 International Group of Experts, who predominantly agreed that remotely launched cyberoperations violate territorial sovereignty only when causing physical damage or at least destructive effects “in cyberspace”, i.e. loss of functionality of cyber infrastructure (Rule 4). Nevertheless, if physical intrusions do not need to harm human life or property to be in violation of the principle of sovereignty, there is no reason to justify why a remote operation would need to meet additional conditions in order to violate the very same norm.

This inconsistency leaves two open issues. First, there is an obvious protection gap between state territorial sovereignty and sovereignty over cyberinfrastructure, although the latter is located within state territory. Second, unlawful collection of confidential information undoubtedly generates destructive effects, as unauthorized access to national security information deprives the state from its sovereign right to decide on the distribution and use of data, and opens a door to malicious use of the accessed data against the interest of that state.

One argument of advocates of “sovereignty as a principle” is that the absence of an express prohibition of cyberespionage in international law is indicative of the lack of a mandatory character of the principle of sovereignty. However, I argue that the reverse argument is valid as well, namely, one of the main obstacles for recognizing the unlawful character of (cyber)espionage is the fragmented interpretation of the principle of sovereignty. If sovereignty were recognized as an international law rule, then cyberespionage, which clearly infringes state sovereignty in many situations (a position suggested by France and other legal experts), would be unlawful under international law. If states and other stakeholders deliberately choose not to apply existing legal frameworks, the perception of acceptance and permissibility will prevail.

Cyberespionage and Coercion

Another argument for the “extralegal” character of espionage practices is that these represent mere interferences in foreign governmental activity, but do not reach the threshold of intervention, as they do not involve any coercive actions. As interpreted in the aftermath of the International Court of Justice (ICJ) Nicaragua judgement, coercive behavior is the typical dividing line between interference and intervention.

One can deduct from this portrayal that it is close to impossible to integrate cyberespionage into existing international legal regimes – in absence of any destruction, it does not represent an unlawful use of force; if conducted remotely, it allegedly does not infringe territorial sovereignty; and lacking the coercive element – nor does it represent unlawful intervention. Similar to the false ambiguity related to the principle of sovereignty, I argue that cyberespionage may involve coercive behavior and press the injured party to alter and adapt its behavior.

First, cyberespionage does not compel the victim in the traditional sense, but through “cyber degradation,”[ii] complementing traditional coercive tools, such as diplomacy, sanctions, and military threats, to apply pressure. It aims to shift information asymmetries in order to gain short-term and long-term advantages. Second, although cyberespionage operations don’t directly affect the target’s freedom of decision, individual elements can contain coercive methods, such as manipulation of information and opinion, and be driven by the intention to compel. [iii] Furthermore, Rule 32 of the Tallinn Manual 2.0 notes that “[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.” Therefore, the specific cyberespionage practice is often a preparatory act or a composite part of a broader foreign policy action which is driven by a coercive aim. Although the conversation on the qualification of targets, instruments, and consequences is ongoing in respect to the interpretation of the use of force threshold in cyberspace, the same elements could be analyzed in the assessment of cyberespionage practices.

Third, unauthorized intrusion deprives the victim of the right to protect, use, and disclose national security or private data, and to express consent regarding the involvement of foreign actors in the performance of governmental functions. Intervention is defined through the lens of sovereignty, i.e. a foreign practice is unlawful if it intrudes into an area falling within state sovereign control and self-governance, its domaine réservé. The same idea was reflected by the 1970 U.N. General Assembly Declaration on Principles of International Law concerning Friendly Relations and Co-operation among States, which emphasized the prohibition of state intervention in the internal or external affairs of another state, because an “armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements, are in violation of international law.” This declaration is perceived as reflective of customary international law.

In an earlier writing, Russell Buchan argued that “conduct which compromises or undermines the authority of the state should be regarded as coercive.” By definition, unlawful intervention implies “an act conducted by a state against another one, aiming at coercing the latter on its ability to freely decide.” [iv] The intruder gains a competitive advantage, which hinders the victim to achieve an objective, by obtaining information that can be used to direct the victim’s choices. Although data collection is not directly linked to coercion, subsequent capitalizing on the collected data underlies a broader foreign policy purpose and either prepares or complements a wider aim to coerce or alter the target state’s behavior. [v] The more complex question is whether the traditional coercion standard includes this type of deprivation of free choice. In the aftermath of the Snowden revelations, experts noted that Germany was “robbed of the opportunity of making sovereign decisions on whom it wants to share the secret deliberations with” and denied the “right to develop its domestic and foreign affairs policies unobserved by a foreign power.” Nevertheless, this approach is currently not supported by state practice and justified by little opinio juris.

Given the current complexity of cyber means and effects, the coercion standard described in the Nicaragua judgement proves to be underprotective and narrow in many circumstances, and numerous recent harmful interferences don’t meet this standard. Aiming at a higher protection of victims, a reevaluation of this approach should employ an effect-orientated test to determine the severity of interference, the legal consequences and prejudice caused to the victim though unauthorized access to information. Although lawyers were early to dismiss the application of the traditional principle of intervention in the modern cyber era in cases when the coercion element was not met, in light of the doctrine of intertemporal law, a clarification of this term is required to set a clear limit between interference and intervention in cyberspace and to define the threshold of coercion above which the principle of non-intervention is violated .

Conclusion

The unique benefits of cyberespionage tools shift the question of permissibility of cyberespionage to the assertion that international law is “silent in this regard”. The secrecy of this practice, although inherent to the purpose of espionage, only confirms the compatibility of cyberespionage with international law. Nevertheless, malicious cyberactors continue to employ methods that are outside the traditional coercion standard, as these actions are repeatedly confirmed to remain outside the scope of applicable international law principles. Apart from the above proposed development of the traditional understanding of coercion, other experts proposed a new standard to identify wrongful cyber interventions, that addresses means such as manipulation, deception, disruption, and disinformation. There is still optimism that with the growth of state practice, the legal interpretations of traditional international law principles will change to encompass malicious cyberespionage practice.

---

[i] Russell Buchan, Cyber Espionage and International Law 18 (2019).

[ii] Brandon Valeriano et al., Cyber Strategy: The Evolving Character of Power and Coercion 21, 34 (2018).

[iii] Id. at 59-64.

[iv] François Delerue, Cyber Operations and International Law 237 (2020).

[v] Id. at 258.

---

Adina Ponta is a Romanian lawyer and was the 2020 Detlev F. Vagts International Law Fellow at the American Society of International Law in Washington, D.C. Prior to that, she worked in the legal offices of two NATO headquarters, where she advised on the lawful conduct of armed forces during conflict and peacetime military operations. She has an LL.M. in international law and a Ph.D. in business and technology law.