Scenario 09: Economic cyber espionage

Private entities become the target of economic cyber espionage by or on behalf of a State. Under what circumstances can cyber espionage be attributed to the State and the latter held responsible under international law? What measures, if any, can the victim State lawfully take to respond to the intrusions?

Keywords
Advanced persistent threat, economic cyber espionage, violation of sovereignty, diplomatic and consular law, persona non grata, countermeasures

Facts
State A discovers that several hi-tech companies incorporated and having headquarters in its territory are subject to an advanced persistent threat (APT) operation by unknown actors. The goal of the operation is to obtain trade secrets and other intellectual property from the companies’ computers. In the course of the operation, the APT actors exfiltrated hundreds of terabytes of technical data about the companies’ products, emails of the companies’ employees, internal memos, and other documents. After a meticulous investigation that lasts for over a year, State A determines that the operation was conducted by a military unit subordinated to State B’s General Staff and that, additionally, one diplomat at State B’s embassy in State A also took part in the operation.

State A decides to declare several diplomats of State B in State A as personae non gratae. One of them was allegedly directly involved in the cyber espionage operation, while others are merely suspected of other activities against the interests of State A. An insider in one of the victim companies, who is a State B national and who was found to be working for State B’s espionage operation, is indicted and taken into custody. State A also indicts several members of State B’s military unit who were reportedly involved in the cyber espionage operation. State B denies all allegations.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR).

Similar real-world incidents
Wu Yingzhuo, Dong Hao and Xia Lei indictments (2017)

APT10 – Operation Cloudhopper (2017)

APT1 – Chinese PLA Unit 61398 indictments (2014)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis briefly deals with attribution, then discusses whether State B breached any of its potentially relevant international obligations (illegal use of the premises of the mission, violation of State A’s sovereignty, and a violation of a supposed rule forbidding economic cyber espionage), and finally closes with a consideration of State A’s options for responding (specific remedies in diplomatic law; countermeasures).

Attribution to State B
The espionage operation can safely be attributed to State B. This is because both the military unit and the diplomat are State organs and as such, their conduct is attributable to State B.

The legal qualification of the insider’s conduct is less clear. If “working for State B” entailed an ongoing relationship of subordination rising to the level of direction or control, then the relevant conduct may also be attributed to State B.

Breach of an international obligation by State B
The following possible breaches of an international obligation by State B can be considered:

Violation of diplomatic law by misusing the premises of the mission
The cyber espionage operations conducted by State B’s diplomat from the premises and cyber infrastructure of State B’s embassy most likely violated the domestic law of State A, which, like that of most other States, can be expected to prohibit foreign espionage. As such, the operations would also have amounted to a violation of State B’s international obligations.

Obligation to respect the sovereignty of other States
The diplomat of State B working at the embassy in State A might have violated State A’s sovereignty by engaging in cyber espionage operations against State A’s companies. This is because the diplomat was physically present in State A’s territory (option 1).

The insider might have violated State A’s sovereignty by engaging in cyber espionage from State A’s territory (option 1), but only if she was an organ of State B or her activities can be otherwise attributed to State B.

On this ground, State B in any case incurs responsibility only for the activities of the diplomat and the insider on foreign soil, not for its military unit conducting the cyber espionage operation from its own territory.

Violation of a potential rule in international law forbidding economic cyber espionage
Hence, the mere characterization of State B’s cyber operations as amounting to economic cyber espionage is insufficient for the establishment of its international responsibility.

Permissible responses by State A
It should be reiterated that State B violated its obligation under Article 41 VCDR by using the premises of the mission for a cyber espionage operation; it may also have violated State A’s sovereignty by the same activity, and by using the insider in State A’s territory for the spying.

The indictments of the insider and of the members of State B’s military unit constitute an exercise of criminal jurisdiction of State A, without direct relevance for the purposes of analysis under public international law.

Countermeasures
State B's operation does amount to an internationally wrongful act, so countermeasures could be available:

In the case at hand, it is likely that the internationally wrongful act of State B ceased when the diplomats were expelled and the insider arrested; the act had a continuing character and was terminated by State A’s response, even though its effects (malware in State A’s systems) may have taken longer to remedy. Whether the act was continuing would be less clear if State B continued to use its military unit to maintain the malware after State A’s response.

If, instead, State A chose to use countermeasures before or instead of declaring the diplomats personae non gratae, State B’s internationally wrongful act would be of a continuing nature. State A would only have to call upon State B to fulfil its obligations, and, if the countermeasures were not urgent, also inform State B about the decision to take countermeasures.

Importantly, State A’s countermeasures must not affect its “obligations arising from the inviolability of diplomatic or consular agents, premises, archives and documents”. For instance, hacking the diplomats’ computers would not be a legal countermeasure.

In summary, all of the responses by State A referred to in the scenario are compatible with the applicable rules of international law.

Checklist

 * Attribution: Is the diplomat a State organ?
 * Attribution: What is the link between the insider and State B?
 * Diplomatic law/Espionage: Where and when are diplomats not allowed to spy?
 * Sovereignty/Espionage: Is geography important for violation of sovereignty by espionage operations?
 * Economic cyber espionage: Is economic cyber espionage legally different from non-economic cyber espionage?
 * Permissible responses: What specific remedy does diplomatic law provide?
 * Permissible responses: Are countermeasures available besides this specific remedy, and what are the conditions and requirements?


Original text by: Tomáš Minárik

Reviewed by: Kubo Mačák