Peacetime cyber espionage

From International cyber law: interactive toolkit
Jump to navigation Jump to search

In general[edit | edit source]

Peacetime cyber espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[1]

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations.

Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[2] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[3]

Publicly available national positions that address this issue include: National position of the United States of America (2020) (2020), National position of the United States of America (2021) (2021).

Economic cyber espionage[edit | edit source]

Economic cyber espionage
The United States has, already in its 2011 International Strategy for Cyberspace, declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[4] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[5] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[6]

Therefore, there is a push to curb the practice by developing a prohibition of such practice as a matter of international law.

However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[7] Several authors,[8] including experts of the Tallinn Manual 2.0,[9] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[10] Additionally, no international consensus exists that agreements such as the WTO TRIPS[11] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[12]

Accordingly, such conduct is not subject to any general prohibition under extant international law.

National positions[edit | edit source]

United States (2020)[edit | edit source]

"For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. This proposition is recognized in the Department’s adoption of the “defend forward” strategy: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Department’s commitment to defend forward including to counter foreign cyber activity targeting the United States—comports with our obligations under international law and our commitment to the rules-based international order.

The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).

Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.

Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations."[13]

United States (2021)[edit | edit source]

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per see violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions."[14]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. Tallinn Manual 2.0, rule 32.
  2. Tallinn Manual 2.0, rule 32 and commentary to rule 32, para 6.
  3. Id.; Ashley Deeks, 'An International Legal Framework for Surveillance' (2015) 55 VA.J.INT’LL. 291, 302-3.
  4. President of the United States, ‘International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World’ (2011).
  5. G20 Leaders’ Communiqué (15–16 November 2015), para 26; see also G7 Principles and Actions on Cyber (Annex to the Ise-Shima Declaration from 27 May 2016).
  6. See US, ‘FACT SHEET: President Xi Jinping’s State Visit to the United States’ (25 September 2015).
  7. UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (22 July 2015), A/70/174.
  8. Catherine Lotrionte, ‘Countering State-Sponsored Cyber Economic Espionage Under International Law’ (2015) 40 N.C. J. INT'L L. & COM. REG. 443, 488-492; David Fidler, ‘Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17/10 ASIL Insights; Erica Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018).
  9. Tallinn Manual 2.0, rule 32, commentary 3.
  10. For an opposing view, see Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber Espionage’ (2016) in International Cyber Norms: Legal, Policy & Industry Perspectives, Anna-Maria Osula and Henry Rõigas (Eds.), NATO CCD COE Publications, Tallinn 2016.
  11. Agreement on Trade-Related Aspects of Intellectual Property Rights, Annex 1C to the Agreement Establishing the World Trade Organization (signed on 15 April 1994 in Marrakesh), 1869 UNTS 299, 33 ILM 1197.
  12. Erika Häger & Carolina Dackö, ‘Economic Espionage: A Report by Mannheimer Swartling’ (2018), page 5: “Economic espionage, to the extent it qualifies as a violation of intellectual property rights, should arguably be treated as an act comparable to commercial activities, jure gestionis. A [S]tate would then not be able to claim state immunity for such acts and could thus instead face a normal trial in a domestic court.“
  13. Hon. Paul C. Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference, 2 March, 2020
  14. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 140.

Bibliography and further reading[edit | edit source]