Scenario 09: Economic cyber espionage

Private entities become targets of economic cyber espionage by or on behalf of an attacking State. Under what circumstances can cyber espionage be attributed to the attacking State and the latter held responsible under international law? What measures, if any, can the victim State lawfully take in order to respond?

Keywords
Advanced persistent threat, economic cyber espionage, sovereignty, diplomatic and consular law, premises of the mission, persona non grata, countermeasures

Facts
State A discovers that several hi-tech companies incorporated and having headquarters in its territory are subject to an advanced persistent threat (APT) operation by unknown actors. The goal of the APT operation is to obtain trade secrets and other intellectual property from the companies’ computers and networks. In the course of the operation, the unknown actors exfiltrated hundreds of terabytes of technical data about the companies’ products and services, emails of the companies’ employees, internal memos, and other documents. After a meticulous investigation that lasts for over a year, State A determines that the operation was conducted by a military unit subordinated to State B’s General Staff; and that, additionally, one diplomat posted at State B’s embassy in State A also took part in the operation.

State A decides to declare several diplomats of State B in State A as personae non gratae. As stated, one of them was allegedly directly involved in the cyber espionage operation, while others are merely suspected of other activities against the interests of State A that are unrelated to the APT operation. An insider in one of the victim companies, who is a State B national and who was found to be working for State B’s APT operation, is indicted and taken into custody. State A also indicts several members of State B’s military unit who were reportedly involved in it. State B denies all of State A's allegations and, in turn, declares the same number of State A diplomats in State B as personae non gratae.

Both State A and State B are parties to the Vienna Convention on Diplomatic Relations (VCDR).

Examples

 * Wu Yingzhuo, Dong Hao and Xia Lei indictments (2017)
 * Operation Cloudhopper (2017)
 * Chinese PLA Unit 61398 indictments (2014)

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

The legal analysis briefly deals with attribution, then discusses whether State B breached any of its potentially relevant international obligations (illegal use of the premises of the mission, violation of State A’s sovereignty, and a violation of a supposed rule forbidding economic cyber espionage), and finally closes with a consideration of State A’s options for responding (specific remedies in diplomatic law; countermeasures).

Attribution to State B
The APT operation can safely be attributed to State B. This is because both the military unit and the diplomat are State organs and as such, their conduct is attributable to State B.

The legal qualification of the insider’s conduct is less clear. If “working for State B” entailed an ongoing relationship of subordination reaching the level of direction or control, then the relevant conduct may also be attributed to State B.

Violation of diplomatic law by misusing the premises of the mission
The cyber operations conducted by State B’s diplomat from the premises of State B’s embassy and utilizing its cyber infrastructure most likely violated the domestic law of State A, which, like most other States, can be expected to prohibit foreign espionage in its criminal law. As such, the operations would also have amounted to a violation of State B’s international obligations.

Obligation to respect the sovereignty of other States
The diplomat of State B working at the embassy in State A might have violated State A’s sovereignty by engaging in cyber espionage operations against State A’s companies, due to his or her physical presence in State A’s territory and proximity to the target computers and systems (option 1).

The insider might have violated State A’s sovereignty by engaging in cyber espionage from State A’s territory (option 1), but only if he or she was an organ of State B or these activities can be otherwise attributed to State B.

On this ground, State B in any case only incurs responsibility under diplomatic law for the activities of the diplomat and the insider on the foreign territory, but not for its military unit conducting the cyber espionage operation from its own territory.

Violation of a potential rule in international law forbidding economic cyber espionage
Hence, the mere characterization of State B’s cyber operations as amounting to economic cyber espionage is insufficient for the establishment of its international responsibility. However, should they amount to coercion they may have ramifications under breach of sovereignty or the prohibition on intervention.

Permissible responses by State A
It should be reiterated that State B violated its obligation under Article 41 VCDR by using the premises of the mission for a cyber espionage operation; it may also have violated State A’s sovereignty by the same activity, and by using the insider in State A’s territory for the spying.

The indictments of the insider and of the members of State B’s military unit constitute an exercise of criminal jurisdiction of State A, without direct relevance for the purposes of analysis under public international law.

Countermeasures
State B's operation does amount to an internationally wrongful act, so countermeasures could be available:

In the case at hand, it is likely that the internationally wrongful act of State B ceased when the diplomats were expelled and the insider arrested; the act had a continuing character and was terminated by State A’s response, even though its effects (malware in State A’s systems) may have taken longer to remedy. Whether the act was still continuing would be less clear if State B continued to use its military unit to maintain the malware after State A’s response.

If, instead, State A chose to use countermeasures before or instead of declaring the diplomats personae non gratae, State B’s internationally wrongful act would be of a continuing nature. State A would only have to call upon State B to fulfil its obligations, and, if the countermeasures were not urgent, also inform State B about the decision to take countermeasures.

Importantly, State A’s countermeasures must not affect its “obligations arising from the inviolability of diplomatic or consular agents, premises, archives and documents”. For instance, hacking the diplomats’ computers would not be a legitimate countermeasure.

In summary, all of the responses by State A referred to in the scenario are compatible with the applicable rules of international law.

Checklist

 * Attribution: Is the diplomat or the military unit a State organ?
 * Attribution: What is the link between the private company's insider and State B?
 * Diplomatic law/Espionage: Where and when are diplomats not permitted to spy?
 * Sovereignty/Espionage: Is geography relevant for establishing a violation of sovereignty by espionage operations?
 * Economic cyber espionage: Is economic cyber espionage legally different from non-economic cyber espionage?
 * Permissible responses: What specific remedy does diplomatic law provide?
 * Permissible responses: Are countermeasures available in addition to any specific remedies, and what are the relevant requirements?

Contributions

 * Scenario by: Taťána Jančárková & Tomáš Minárik
 * Analysis by: Tomáš Minárik
 * Reviewed by: [TBC]