Scenario 09: Economic cyber espionage

Private entities become targets of economic cyber espionage by or on behalf of a State. Under what circumstances can cyber espionage be attributed to the State and the latter be held responsible under international law? What measures, if any, can the victim State lawfully take in response?

Keywords
Advanced persistent threat, economic cyber espionage, sovereignty, diplomatic and consular law, premises of the mission, persona non grata, countermeasures

Facts
[F1] State A learns that several hi-tech companies incorporated and having headquarters in its territory are subject to an advanced persistent threat (APT) operation by unknown actors. The goal of the APT operation is to obtain trade secrets and other intellectual property from the companies’ computers and networks. In the course of the operation, the unknown actors exfiltrated hundreds of terabytes of technical data about the companies’ products and services, emails of the companies’ employees, internal memos, and other documents. After a meticulous investigation that lasts for over a year, State A determines that the operation was conducted by a military unit subordinated to State B’s Armed Forces' General Staff; and that, additionally, one diplomat at State B’s embassy accredited to State A and physically located in State A also took part in the operation under authorization of State B.

[F2] State A decides to declare several diplomats of State B in State A as personae non gratae. As stated, one of them was allegedly directly involved in the cyber espionage operation, while others are merely suspected of other activities against the interests of State A that are unrelated to the APT operation. An insider in one of the victim companies, who is a State B national and who was found to be working for State B’s APT operation, is indicted and taken into custody. State A also indicts several members of State B’s military unit who were reportedly involved in it. State B denies all of State A's allegations and, in turn, declares the same number of State A diplomats in State B as personae non gratae.

[F3] Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR).

Examples

 * SuperMicro supply chain breach (since 2010)
 * Chinese PLA Unit 61398 indictments (2014)
 * Wu Yingzhuo, Dong Hao and Xia Lei indictment (2017)
 * Operation Cloudhopper (2017)
 * SolarWinds (2020)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The legal analysis briefly deals with attribution, then discusses whether State B breached any of its potentially relevant international obligations (illegal use of the premises of the mission, violation of State A’s sovereignty, and a violation of a supposed rule forbidding economic cyber espionage), and finally closes with a consideration of State A’s options for responding (specific remedies in diplomatic law; countermeasures).

Attribution to State B
[L2] Given that participation of a State B military unit and an embassy diplomat in the operation has been established, the APT operation can verifiably be attributed to State B. This is because both the military unit and the diplomat are State organs and as such, their conduct is attributable to State B.

[L3] The legal qualification of the insider’s conduct is less clear. If the fact of “working for State B” entailed an ongoing relationship of subordination reaching to the level of direction or control, then the relevant conduct may also be attributed to State B. Absent subordination, the degree of instruction and control actually exercised over the insider will determine whether attribution can be made to the State, although the facts may be difficult to establish in that case.

Violation of diplomatic law by misusing the premises of the mission
[L4] Depending on the extent to which State B's diplomat exceeded the legitimate functions of the mission of State A, the latter may claim that the operations would have amounted also to a violation of State B’s international obligations towards it according to the VCDR.

[L5] The cyber operations conducted by State B’s diplomat from the premises of State B’s embassy and utilizing its cyber infrastructure most likely violated the domestic law of State A, which can be expected to prohibit foreign espionage in its domestic criminal law as most other States do.

Obligation to respect the sovereignty of other States
[L6] The diplomat of State B working at the embassy in State A might have violated State A’s sovereignty by engaging in cyber espionage operations against State A’s companies while physically present in State A’s territory (option 1).

[L7] The insider might have violated State A’s sovereignty by engaging in cyber espionage from State A’s territory (option 1), but only if he or she was an organ of State B or these activities can be otherwise attributed to State B (such as acting on the instructions of State B).

[L8] On this ground, State B in any case only incurs responsibility under diplomatic law for the activities of the diplomat and the insider on the foreign territory, but not for its military unit conducting the cyber espionage operation from its own territory.

[L9] Options 2 to 5 are not applicable to the situation.

Violation of a potential rule in international law forbidding economic cyber espionage
[L10] Hence, the mere characterization of State B’s cyber operations as amounting to economic cyber espionage is insufficient to establish its international responsibility. For any ramifications according to the rules on sovereignty or prohibited intervention, see above.

Permissible responses by State A
[L11] It should be reiterated that State B violated its obligation under Article 41 VCDR by using the premises of the mission for an unlawful cyber espionage operation; it may also have violated State B’s sovereignty by the same activity, and by using the insider in State A’s territory for the spying.

[L12] The indictments of the insider and of the members of State B’s military unit constitute an exercise of criminal jurisdiction of State A, without direct relevance for the purposes of analysis under public international law (except for possible international legal assistance implications which are not mentioned in the description of facts).

Countermeasures
[L13] State B's operation does amount to an internationally wrongful act, so countermeasures could be available:

[L14] Given that the internationally wrongful act by State B in this case entailed a breach of its duties under the VCDR, it is likely that the internationally wrongful act of State B has ceased when the diplomats were expelled and the insider arrested; the act had a continuing character and was terminated by State A’s response, even though its effects (malware in State A’s systems) may have taken longer to remedy. The answer if the act was continuing would be less clear if State B continued to use its military unit to maintain the malware after State A’s response.

[L15] If, instead, State A chose to use countermeasures before or instead of declaring the diplomats personae non gratae, State B’s internationally wrongful act would be of a continuing nature. State A would only have to call upon State B to fulfil its obligations, and, if the countermeasures were not urgent, also inform State B about the decision to take countermeasures.

[L16] Importantly, State A’s countermeasures must not affect its “obligations arising from the inviolability of diplomatic or consular agents, premises, archives and documents”. For instance, hacking the diplomats’ computers would not be a legitimate countermeasure.

[L17] In summary, all of the responses by State A referred to in the scenario are compatible with the applicable rules of international law.

Checklist

 * Attribution:
 * Is the diplomat a State organ?
 * What is the link between the insider in the private company and State B?
 * Diplomatic law/Espionage:
 * Where and when are diplomats not permitted to spy?
 * Sovereignty/Espionage:
 * Is geography relevant for establishing a violation of sovereignty by espionage operations?
 * Economic cyber espionage:
 * Is economic cyber espionage legally different from non-economic cyber espionage?
 * Permissible responses:
 * What specific remedy does diplomatic law provide?
 * Are countermeasures available in addition to any specific remedies, and what are the relevant requirements?

Bibliography and further reading

 * Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in Anna-Maria Osula and Henry Rõigas (Eds.) International Cyber Norms: Legal, Policy & Industry Perspectives (NATO CCD COE Publications, Tallinn 2016).
 * James Crawford, Brownlie's Principles of Public International Law (OUP 2012).
 * Gary P. Corn and Robert Taylor, ‘Sovereignty in the Age of Cyber’ (2017) 111 AJIL Unbound 207.
 * Jean D’Aspremont, ‘Persona Non Grata’, in Rudiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
 * David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights.
 * Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013).
 * James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163.
 * Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
 * Wolff Heintschel von Heinegg, 'Territorial Sovereignty and Neutrality in Cyberspace' (2013) 89 Int’l L. Stud. 123.
 * Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443.
 * Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405.
 * Darien Pun, ‘Rethinking Espionage in the Modern Era’ (2017) 18 Chicago JIL 353.
 * Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
 * Michael N Schmitt, 'Virtual Disenfranchisement: Cyber Election Meddling in the Grey Zones of International Law' (2018) 19 ChiJIntlL 30.
 * Michael N Schmitt and Liis Vihul, ‘Respect for Sovereignty in Cyberspace’ (2017) 95 Tex L Rev. 1639.
 * Sean Watts & Theodore Richard, 'Baseline Territorial Sovereignty and Cyberspace' (2018) 22 Lewis & Clark L. Rev. 771.

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: Deborah Housen-Couriel; Kadri Kaska; Cedric Sabbah