Cyber-espionage in international law: Silence speaks
Ebook, 613 pages, 7 hours

About this ebook

While espionage between states is a practice dating back centuries, the emergence of the internet revolutionised the types and scale of intelligence activities, creating drastic new challenges for the traditional legal frameworks governing them.

This book argues that cyber-espionage has come to have an uneasy status in law: it is not prohibited, because spying does not result in an internationally wrongful act, but neither is it authorised or permitted, because states are free to resist foreign cyber-espionage activities. Rather than seeking further regulation, however, governments have remained purposefully silent, leaving them free to pursue cyber-espionage themselves at the same time as they adopt measures to prevent falling victim to it.

Drawing on detailed analysis of state practice and examples from sovereignty, diplomacy, human rights and economic law, this book offers a comprehensive overview of the current legal status of cyber-espionage, as well as future directions for research and policy. It is an essential resource for scholars and practitioners in international law, as well as anyone interested in the future of cyber-security.

Language: English
Release date: May 2, 2023
ISBN: 9781526168023
    Book preview

    Cyber-espionage in international law - Thibault Moulin

    Cyber-espionage in international law

    Melland Schill Studies in International Law

    General editors, Iain Scobbie and Jean D’Aspremont

    Founded as a memorial to Edward Melland Schill, a promising scholar killed during the First World War, the Melland Schill Lectures (1961–74) were established by the University of Manchester following a bequest by Edward’s sister, Olive B. Schill, to promote the understanding of international law and implicitly lessen the possibilities for future conflict. Dedicated to promoting women’s employment rights and access to education, Olive’s work is commemorated in both the Melland Schill series and the Women in International Law Network at the University of Manchester.

    The Melland Schill lecture series featured a distinguished series of speakers on a range of controversial topics, including Quincy Wright on the role of international law in the elimination of war, Robert Jennings on the acquisition of territory, and Sir Ian Sinclair on the Vienna Convention on the Law of Treaties.

    In the 1970s, Gillian White, the first woman appointed as a Professor of Law in mainland Britain, transformed the lectures into a monograph series, published by Manchester University Press. Many of the works previously published under the name ‘Melland Schill monographs’ have become standard references in the field, including: A.P.V. Rogers’ Law on the battlefield, which is currently in its third edition, and Hilary Charlesworth and Christine Chinkin’s The boundaries of international law, which offered the first book-length treatment of the application of feminist theories to international law.

    Closely linked to the Melland Schill Classics and Melland Schill Perspectives series, Melland Schill Studies in International Law has become a home for exceptional academic work from around the world.

    Principles of direct and superior responsibility in international humanitarian law Ilias Bantekas

    The treatment and taxation of foreign investment under international law Fiona Beveridge

    War crimes and crimes against humanity in the Rome Statute of the International Criminal Court Christine Byron

    The boundaries of international law Hilary Charlesworth and Christine Chinkin

    The law of the sea: Fourth edition Robin Churchill, Vaughan Lowe and Amy Sander

    International law and policy of sustainable development Duncan French

    The values of international organizations James D. Fry, Bryane Michael and Natasha Pushkarna

    The changing rules on the use of force on international law Tarcisio Gazzini

    Contemporary law of armed conflict Leslie Green

    Child soldiers in international law Matthew Happold

    Human rights in Europe J.G. Merrills and A.H. Robertson

    The rights and duties of neutrals Stephen Neff

    Law on the battlefield A.P.V. Rogers

    Indigenous peoples and human rights Patrick Thornberry

    Jurisprudence of international law Nicholas Tsagourias

    The law of international organisations Nigel D. White

    Cyber-espionage in international law

    Silence speaks

    Thibault Moulin

    Manchester University Press

    Copyright © Thibault Moulin 2023

    The right of Thibault Moulin to be identified as the author of this work has been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

    Published by Manchester University Press

    Oxford Road, Manchester M13 9PL

    www.manchesteruniversitypress.co.uk

    British Library Cataloguing-in-Publication Data

    A catalogue record for this book is available from the British Library

    ISBN 978 1 5261 6803 0 hardback

    First published 2023

    The publisher has no responsibility for the persistence or accuracy of URLs for any external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

    Front cover: adapted from ‘Connected World: Untangling the Air Traffic Network’, Martin Grandjean (2016). CC BY-SA.

    Typeset by Deanta Global Publishing Services, Chennai, India

    This book is dedicated to my parents, Anne and Christophe, and to my grandparents, Bernard and Marie-Jo. It is also dedicated to my sisters, Coralie and Ludmilla.

    And in loving memory of Cédric and Pascal, who are travelling the stars…

    Contents

    Acknowledgements

    List of abbreviations

    Part I: Introduction

    Introduction to Part I

    1 Main notions

    1.1 The concept of ‘cyber-espionage’

    1.2 The concept of ‘cyber-space’

    2 Methodological and conceptual frameworks

    2.1 The determination of law

    2.1.1 The approach to treaty interpretation

    2.1.2 The approach to sources

    2.2 The concept of normative avoidance

    2.2.1 Definition

    2.2.2 Novelty

    Part II: The rules connected to territorial integrity

    Introduction to Part II

    3 Territorial sovereignty

    3.1 The dissimilarities between physical trespass and digital intrusion

    3.1.1 Espionage per se is not an international wrongful act

    3.1.2 The lack of an analogy between digital and physical intrusions

    3.2 The ‘do-not-harm’ challenge and the minimal effects of cyber-espionage

    4 Collective security law

    4.1 A traditional interpretation of the UN Charter does not result in a regulation of cyber-espionage

    4.2 Alternative interpretations of cyber-espionage do not result in the regulation of cyber-espionage

    4.2.1 Interpretation based on meta-rules

    4.2.2 Teleological interpretation

    5 The law applicable between belligerent States

    5.1 The territorial rationale of the regulation of espionage between belligerents

    5.1.1 The categories of spies defined by the law of armed conflict

    5.1.2 The challenging application of rules about espionage in a digital space

    5.2 A lack of State support in favour of the application of espionage-related rules in cyber-space

    6 The law applicable between belligerent and non-belligerent States

    6.1 The absence of regulation by rules on material operations

    6.1.1 The obligations between belligerents

    6.1.2 The obligations on neutral States

    6.2 A limited restriction of cyber-espionage by rules on the use of telecommunications

    6.2.1 The obligations between belligerents

    6.2.2 The obligations on neutral States

    Conclusion to Part II

    Part III: The rules disconnected from territorial integrity

    Introduction to Part III

    7 The law of diplomatic relations

    7.1 Indirect regulation of espionage by embassies

    7.1.1 The accreditation of the mission

    7.1.2 The performing of the mission

    7.2 Indirect regulation of espionage on embassies

    7.2.1 The lack of regulation by the inviolability of diplomatic premises

    7.2.2 The incompatibility of cyber-espionage with the rules protecting the inviolability of archives and documents

    8 International economic law

    8.1 The absence of a prohibition of economic cyber-espionage

    8.1.1 The absence of a prohibition by national treatment

    8.1.2 The absence of a prohibition by the obligation to protect undisclosed information

    8.2 The tolerance of cyber-espionage required for the preservation of essential security interests

    8.2.1 Cyber-espionage activities in peacetime

    8.2.2 Cyber-espionage in a time of war or other emergency in international relations

    9 International human rights law

    9.1 The absence of extraterritorial jurisdiction in the event of remote cyber-espionage activities

    9.2 The measured regulation of surveillance activities by the right to privacy

    9.2.1 Interference and legality

    9.2.2 Legitimacy and proportionality

    10 State practice

    10.1 The unanimous prohibition of espionage by domestic criminal law

    10.1.1 The traditional prohibition of espionage

    10.1.2 The progressive prohibition of digital intrusions and interceptions

    10.2 The predominant authorisation of one’s own intelligence activities against other States

    10.2.1 Provisions authorising intelligence gathering

    10.2.2 Grounds allowing intelligence collection

    11 Opinio juris

    11.1 The absence of a right to spy

    11.2 The absence of a prohibition on espionage

    Conclusion to Part III

    Conclusion

    Index

    Acknowledgements

    Life is a strange journey. One meets all kinds of people: some of them will help you, most of them remain indifferent and sometimes, one may even encounter hostile elements. In my academic career, I was fortunate enough to meet the former ones – and I would like to give them the special thanks they deserve. First of all, I owe enormous gratitude to Professor Jean d’Aspremont. Jean provided invaluable advice at key career turning points, and I have always been able to count on his help. I hope that I will be as good a mentor as Jean was to me. Then, I would like to thank Professor Iain Scobbie, whose guidance, kindness and style have been inspirational for many years now. I also thank Professor Théodore Christakis and Dr Karine Bannelier for their advice. I am equally grateful to Professors Duncan Hollis and Nicholas Tsagourias. Duncan and Nicholas accepted the task of commenting on my draft research articles and exchanging views in the past few years, and I want to underline how much it means to me. I am indebted to Professors Noam Lubell and Yuval Shany as well. I worked under their guidance in the framework of a postdoctoral research fellowship at the Hebrew University of Jerusalem between March 2018 and August 2019. When I look back, I realise how much I learnt thanks to them. I also thank the editorial team at Manchester University Press and the anonymous reviewers for their work and comments.

    My friends helped me in various ways, and I will take the liberty of singling out Ajmal, Andrea, Antal, Camila, Constance, David, Emmanuel, Guillaume, Jérémie, Loïc, Michael, Sylvain, Thibaud and Zérah. I will also take the liberty of singling out Mariela, Masha and Martin – as well as my dear godson Marcus.

    Last but not least, I would like to thank my family, in particular my mum Anne and my dad Christophe, my grandparents Bernard and Marie-Jo, my sisters Coralie and Ludmilla, my cousins Pierre-Marc and Jeanne-Marie (and also her husband Manuel), as well as my aunts and uncles (Béatrice and André, Bertrand and Vanina, Thierry and Françoise), for their unwavering love and support. I also have a special thought for my cousin Émilie. On a lighter note, I also thank my cat-friends (everyone knows I am very much a fan).

    As I write this – and from where I am – the cherry trees are in blossom and the sun currently sets on the snow-draped peaks of the Alps. I believe it is time to leave my keyboard and enjoy the unique (non-cyber) spectacle of nature.

    Thibault Moulin

    Saint-Martin-Sur-La-Chambre, Savoie, France

    April 2023

    List of abbreviations

    Part I

    Introduction

    Introduction to Part I

    ‘The real miracle here, or stunning thing to me, is that Angela Merkel thought that she could talk on a cellphone and no one would be listening to her, allies or foes.’¹ This was the comment made by Joe Trippi, a Democrat political strategist, in the wake of the NSA spying scandal. If in the eyes of ordinary people, the business of intelligence gathering is full of mystery, it is usually not the same for decision-makers. They are (or perhaps they should be) aware that they may be subject to foreign espionage activities. The head of the National Security Agency (NSA), General Keith Alexander, decided to answer with humour: ‘[t]he great irony is [that] we’re the only ones not spying on the American people’.² Moreover, it is a paradox that a State is often entitled – by virtue of its domestic laws – to collect foreign intelligence, and at the same time to punish anyone who spies on one’s own secrets. The motto of the Australian Signals Directorate (ASD) is the best example of such a contradiction: ‘Reveal Their Secrets – Protect Our Own’.

    Espionage is not a new phenomenon, and it is known as ‘the second oldest profession in the world’.³ During the sixth century BC, Chinese strategist Sun Tzu already advocated for the use of spies: ‘it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying and thereby they achieve great results’.⁴ Since ancient times, espionage has become common practice. Historians reported that spies were sent by Greeks, Carthaginians and Romans, and were valuable during military campaigns.⁵ Spies were even mentioned in the Bible and the Iliad. The so-called ‘black chambers’, which intercepted and deciphered foreign communications, were created by France and England in the early modern times.⁶ Later, George Washington earned the nickname of ‘the eighteenth century’s greatest spymaster’, owing to the large-scale practice of espionage during the American War of Independence.⁷ And as a matter of fact, several spies like Richard Sorge may have influenced the course of history. In May 1941, Stalin was informed by Richard Sorge that an invasion of the Soviet Union by Germany was imminent, and two weeks later, he warned the Kremlin: ‘[t]he war will begin on June 22’.⁸ Sorge was not trusted by Stalin. On 22 June 1941, Hitler’s troops were indeed marching on the Soviet Union. Later that year, Sorge reported that Japan was not planning an attack on the Union of Soviet Socialist Republics (USSR) – it was considering a war with the United States and Great Britain instead – and recommended that additional Soviet troops be moved to the Eastern Front.⁹ This time (and following cross-checking with other sources), the information was allegedly trusted by Stalin.¹⁰ In October 1941, Sorge was arrested by the Japanese authorities, and sentenced to death. Japan offered to trade him several times, but Moscow denied knowing him. Historians suggested: ‘[m]any countries do not acknowledge their spies. But Sorge was probably doomed for a different reason: he was an embarrassing reminder that Stalin had ignored warnings of the impending German attack. Such a reminder, and witness, would be most unwelcome to Stalin and his regime.’¹¹ In November 1944, Sorge was executed and, twenty years later, he was made a Hero of the Soviet Union. Another spymaster is Eli Cohen, who informed Israel of Syria’s plans to divert the Jordan River in an attempt to deprive it of water resources.¹² He also collected valuable intelligence about Syrian defences, which allegedly helped Israel to win the Six-Day War.¹³ Cohen, as many spies before him, was eventually uncovered and sentenced to death, despite a worldwide appeal for clemency.

    The face of espionage has however undergone drastic change with the emergence of the internet, and the ‘dematerialisation’ of this activity has significant benefits for States. Where methods of cyber-espionage are implemented, it is not necessary to send or to recruit officers in foreign territories anymore, and the use of sophisticated devices is not required either. First, it means that espionage is less risky for spies and for the sending State. With traditional methods of espionage – and if they are arrested – a spy may be executed,¹⁴ or become a bargaining chip.¹⁵ The cases mentioned above confirm Sir Baden-Powell’s statement, according to whom ‘[f]or anyone who is tired of life, the thrilling life of a spy should be the very finest recuperator’.¹⁶ There is nothing similar with cyber-espionage. If a hacker is identified, they may be subject to an arrest warrant, but will probably never be jailed. In addition, the responsible State may deny any involvement in espionage activities, and has no interest in surrendering an intelligence officer. Second, the preparation of cyber-espionage operations requires less time and resources. In fact, a spy is often required to learn foreign languages, to build fake identities or to resort to special means of communication.¹⁷ The use of wiretapping devices and,¹⁸ a fortiori the creation of satellite reconnaissance programmes,¹⁹ are very expensive. In contrast – and with the exception of some special techniques, such as mass data mining – cyber-espionage is surprisingly cheap.²⁰ In fact, it just requires computers, computer experts, and internet access. Third, cyber-espionage provides potential access to more information. In 1999, a cyber-espionage operation called Moonlight Maze was attributed to a State (Russia) for the first time. At the time, investigators ‘concluded that the total number of files stolen, if printed and stacked, would be taller than the Washington monument’.²¹ General Keith Alexander famously declared that economic cyber-espionage against American companies was ‘the greatest transfer of wealth in history’.²²

    Regulation of cyber-espionage is central to this study, and this topic raises two major challenges. Firstly, espionage per se does not constitute an internationally wrongful act. In international law, an explicit reference to espionage only appears in the law of armed conflict, and this activity does not breach the laws of war. Outside this framework – that is, in peacetime – espionage is subject to indirect regulation through the rule of territorial sovereignty. It is indeed clear that sending an officer into foreign territory necessarily breaches the sovereignty of the targeted State (unless it consents to it). Another form of indirect regulation is present in the Vienna Convention on Diplomatic Relations. On the one side, the receiving State cannot send agents onto the premises of an embassy and in addition, the archives, documents and official correspondence of the mission shall be inviolable. On the other side, diplomatic staff are prohibited from breaching local laws, which usually forbid espionage. Hence, there is no binding instrument that expressly prohibits (or authorises) espionage, let alone cyber-espionage. Secondly, another challenge resides in the possible transposition of these rules to a digital environment and activity. Even though the relevance of international law in cyber-space – which is often described as the ‘fifth domain’ – has long been acknowledged by States,²³ there is no consensus on the concrete implementation of existing rules. Against this background, this introduction is structured as follows. In the next parts, the main notions are defined (Chapter 1), and then, both the conceptual framework and main arguments are explained (Chapter 2).

    Notes

    1 Jose Delreal and Nick Gass, ‘NSA Spying: 20 Great Quotes’, Politico (28 November 2013) www.politico.com/gallery/2013/10/nsa-spying-20-great-quotes-001650?slide=4 (accessed 3 April 2022).

    2 Alex Gangitano and Amelia Schonbek, ‘The Crisis in a Nutshell: The Key Quotes about the NSA and Americans’ Phone Records’, New Yorker (6 June 2013) www.newyorker.com/news/news-desk/the-crisis-in-a-nutshell-the-key-quotes-about-the-n-s-a-and-americans-phone-records (accessed 3 April 2022).

    3 Philip Knightley, The Second Oldest Profession: Spies and Spying in the Twentieth Century (New York: Norton, 1980), p. 468.

    4 Lionel Giles, Sun Tzu on the Art of War (Leicester: Allandale Online Publishing, 2000), p. 62.

    5 I Richmond ‘Spies in Ancient Greece’, Greece & Rome, 45:1 (1998), pp. 4–5; ‘Espionage in Ancient Rome’, History (12 June 2006) www.historynet.com/espionage-in-ancient-rome/ (accessed 27 March 2022).

    6 David McElreath et al., Introduction to Homeland Security (Boca Raton, FL: CRC Press, 2013), p. 297.

    7 John Nagy, George Washington’s Secret Spy War: The Making of America’s First Spymaster (New York: St Martin’s Press, 2016), p. 274.

    8 Gordon Prange, Donald Goldstein and Katherine Dillon, Target Tokyo: The Story of the Sorge Spy Ring (New York: McGraw-Hill, 1985), p. 471.

    9 Ibid. p. 407.

    10 Christopher Andrew and Oleg Gordievsky, KGB: The Inside Story of Its Foreign Operations from Lenin to Gorbachev (New York: Harper Collins, 1990), p. 271.

    11 Stuart Goldman, ‘The Spy Who Saved the Soviets’, Historia (30 July 2010) www.historynet.com/the-spy-who-saved-the-soviets/ (accessed 27 March 2022).

    12 Michael Bradley, The Secret Service Handbook (New York: Barnes & Noble, 2006), p. 50.

    13 Liat Collins, ‘Eli Cohen, the Spy Who Was Larger Than Life’, Jerusalem Post (8 May 2020) www.jpost.com/opinion/eli-cohen-the-spy-who-was-larger-than-life-627326 (accessed 27 March 2022).

    14 For instance, ‘[f]rom the final weeks of 2010 through the end of 2012, according to former American officials, the Chinese killed at least a dozen of the CIA’s sources [Central Intelligence Agency]’. Moreover, ‘[a]ccording to three of the officials, one was shot in front of his colleagues in the courtyard of a government building – a message to others who might have been working for the CIA’. See: Mark Mazzetti et al., ‘Killing C.I.A. Informants, China Crippled U.S. Spying Operations’, New York Times (20 May 2017) www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html (accessed 9 April 2022).

    15 ‘Spy Swap in the Offing? Exchange for Whelan to Be Considered after Sentence, Says Lawyer’, TASS (15 June 2020) https://tass.com/society/1167735 (accessed 9 April 2022); ‘Spy Swap: Five Freed in Russia-Lithuania-Norway Exchange’, BBC (15 November 2019) www.bbc.com/news/world-europe-50431713 (accessed 9 April 2022); Michael Crowley, ‘In Prisoner Swap, Iran Frees American Held Since 2016’, New York Times (7 December 2019) www.nytimes.com/2019/12/07/us/politics/iran-prisoner-swap-xiyue-wang.html (accessed 9 April 2022).

    16 Charles Lathrop, The Literary Spy (New Haven, CT: Yale University Press, 2004), p. 135.

    17 Mark Galeotti, ‘Size Doesn’t Matter for Spies Anymore’, Foreign Policy (31 March 2018) https://foreignpolicy.com/2018/01/31/size-doesnt-matter-for-spiesanymore (accessed 3 April 2022).

    18 For example, Operation CKELBOW consisted in tapping the ‘sensitive data line running from the nuclear weapons facility at Troitsk to the Defence Ministry in Moscow’ and ‘cost the United States some $20million’. See: David Hoffman, The Billion Dollar Spy: A True Story of Cold War Espionage and Betrayal (New York: Anchor Books, 2017), ch. 14.

    19 Stephen Schwartz, Atomic Audit: The Costs and Consequences of U.S. Nuclear Weapons since 1940 (Washington, DC: Brookings Institution Press, 1998), pp. 238–9.

    20 Galeotti, ‘Size Doesn’t Matter for Spies Anymore’ (n 17). Moreover, building ‘cyber-weapons’ is always cheaper, thanks to ‘four processes’. First, ‘labour becomes more efficient; attackers become more dexterous in that they spend less time learning, experimenting, and making mistakes in writing code’. Second, ‘[s]ome parts of cyber-weapons have become increasingly standardised, such as exploit tool kits, leading to an increase in efficiency’. Third, ‘reusing and building upon existing malware tools allows attackers to learn to produce cyber-weapons more cost effectively’. Fourth, ‘there are shared experience effects, which allow lessons from one piece of malware to shed light on other offensive capabilities’. See: Max Smeets, ‘How Much Does a Cyber Weapon Cost? Nobody Knows’, CFR (21 November 2016) www.cfr.org/blog/how-much-does-cyber-weapon-cost-nobody-knows (accessed 4 April 2022).

    21 Michael Robinson, Why Democrats Lost the Presidential Election and How They Can Win Next Time (Scotts Valley, CA: CreateSpace, 2017), p. 107.

    22 Josh Rogin, ‘NSA Chief: Cybercrime Constitutes the Greatest Transfer of Wealth in History’, Foreign Policy (9 July 2012) https://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/ (accessed 9 April 2022).

    23 For a recent example: United Nations General Assembly (UNGA), ‘Official Compendium of Voluntary National Contributions on the Subject of How International Law Applies to the Use of Information and Communications Technologies’ (2021) UN Doc A/73/136. See also: Frédérick Douzet, ‘Propos introductifs’ in Maryline Grange and Anne-Thida Norodom (eds), Cyberattaques et droit international – Problèmes choisis (Paris: Pédone, 2018), p. 6. Then, and as highlighted by Anne-Thida Norodom, the choice between two terms (i.e. the ‘internet’ or ‘cyber-space’) may be important: the former focuses on the network, whereas the latter focuses on the virtual space and physical infrastructures. See: Anne-Thida Norodom, ‘Internet et le droit international: défi ou opportunité?’ in SFDI, Internet et le droit international (Paris: Pédone, 2013), p. 13.

    1

    Main notions

    The word ‘cyber-space’ was coined by William Gibson, an American writer. In the novel Neuromancer, it was defined as follows: ‘[c]yberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation […] A graphic representation of data abstracted from banks of every computer in the human system.’²⁴ From a terminological point of view, ‘cyber-space’ is a contraction of ‘space’ and ‘cybernetics’ – and the prefix ‘cyber’ itself derives from a Greek term which means ‘to govern’ (‘κυβερνάω’). Even if the word ‘cyber-space’ has become part of the everyday language, there is no consensual definition of this term, and – at least from a lawyer’s perspective – Gibson’s definition is highly unsatisfactory. A working definition of cyber-space is thus proposed by this study (1.2). But prior to that, attention must be paid to the central concept of this study: cyber-espionage.²⁵ In 1990, another American writer – Alvin Toffler – predicted that computers might be used for the purpose of spying. In his views, ‘[t]he spy of the future’ would be ‘less likely to resemble James Bond’ than the ‘engineer who lives quietly down the street and never does anything more violent than turn a page of a manual or flick on his microcomputer’.²⁶ Alvin Toffler was however not a lawyer, and did not propose any definition of this concept. A working definition of ‘cyber-espionage’ is thus proposed beforehand (1.1).

    1.1 The concept of ‘cyber-espionage’

    Even if there is no consensual definition of ‘cyber-espionage’, elements of convergence may be identified in State documents. In fact, most States agree that the purpose of cyber-espionage consists in the ‘theft’, ‘access’ or ‘gathering’ of ‘secrets’, ‘classified’ or ‘confidential’ information – and ‘without the permission’ of the information holder, in an ‘unauthorised’ or ‘illicit’ fashion.²⁷ It might be relevant to say a few words about Chinese and Russian ‘particularism’. In recent years, Beijing and Moscow have developed their own terminology to describe cyber-threats, like the concepts of ‘computer attack’ and the ‘improper use of information resources’. They may overlap with the concept of cyber-espionage.²⁸

    These conditions are necessary,²⁹ albeit not sufficient. Another characteristic of cyber-espionage was rightly identified by some States: the use of computer networks.³⁰ In fact, the internet enables one to access a remote computer and steal data.³¹ In contrast, to sit behind a computer and to copy files onto a USB stick would be more similar to traditional espionage, as physical access throughout the operation is required. The information collected is however not necessarily in a digital form. For instance, hacking a computer microphone or webcam to listen to or watch a face-to-face discussion may actually qualify as cyber-espionage. It results from the above that cyber-espionage has three main characteristics: (1) it collects data, (2) without permission from the owner(s) and (3) through the use of computer networks.

    Even if they may blur in practice – and I will have the opportunity to talk about the so-called ‘composite’ operations and large-scale cyber-espionage campaigns a bit later – it is worth mentioning that a distinction is usually drawn between cyber-espionage and cyber-sabotage. In fact, the intention behind them is not the same: in theory, cyber-espionage only aims at information gathering, whereas cyber-sabotage resorts to electronic communication means to damage the content or to disrupt the proper functioning of computers, computer networks or other facilities. This difference is almost unanimously confirmed by State practice.³² Again, the use of electronic means of communication is an essential condition, albeit rarely mentioned by State documents.³³ It is arguable, for instance, that the use of a sledgehammer to tear down computers, or the use of shears to cut optical fibre cables, hardly qualify as cyber-sabotage. However, cyber-sabotage may indeed result in virtual and physical damage. For instance, one of the world’s first cyber-attacks resulted in the explosion of a gas pipeline in Siberia in 1983, and was caused by some booby-trapped software.³⁴ For the sake of clarity, it may be noted that the term ‘cyber-attack’ is sometimes used as a synonym for ‘cyber-sabotage’ (for instance by the United States). However, the term ‘cyber-attack’ is also increasingly being used as a general one – i.e. to describe a malicious cyber-action against the confidentiality, availability or integrity of information and information systems.

    Cyber-espionage and cyber-sabotage may share some similarities, as they ‘canonically start with the penetration of the target to insert malware’,³⁵ and both take advantage of a vulnerability.³⁶ Intrusion techniques may consist, inter alia,³⁷ of a Trojan horse,³⁸ remote access Trojan³⁹ or rootkit.⁴⁰ However, they are expected to act differently once an access to the target machine has been secured. In fact, the malware then ‘calls out for instructions’, which ‘variously can instruct the infected machine to do something damaging’ (cyber-sabotage) or ‘to send back information of a particular type’ (cyber-espionage).⁴¹ Even if this finding is subject to some exceptions, damage must normally be minimal with cyber-espionage, as ‘the best cyber-exploitation is one that such a user never notices’.⁴² In practice, an analysis of the technique used by a cyber-operation often allows a prima facie understanding of the adversary’s intentions. It is worth mentioning that cyber-espionage may also consist in the interception of communications between two points (eavesdropping).⁴³ Eavesdropping ‘takes the form of sniffing for data’ as ‘[a] specialised programme is used to sniff and record packets of data communications from a network and then subsequently listened to or read using cryptographic tools for analysis and decryption’.⁴⁴

    Another distinction must be drawn between cyber-espionage – which is either activated or conducted remotely – and surveillance activities which require physical and continuous access to the targeted equipment.⁴⁵ For instance, ‘tapping’ is more similar to traditional forms of espionage, and consists in extracting signals from a cable, at the entry or exit point. For instance, mass interception conducted by the Government Communications Headquarters (GCHQ) consisted in attaching ‘intercept probes’ to ‘transatlantic fibre-optic cables where they land on British shores’, as they were ‘carrying data to western Europe from telephone exchanges and internet servers in north America’.⁴⁶ Furthermore, the cable itself is vulnerable, and may be tapped through fibre-bending or optical-splitting.⁴⁷ Thanks to fibre-bending, ‘the cable’s coating is peeled down to the protective material covering the fibre itself, enabling the attacker to bend the cable to a point where light can be collected from the cable’.⁴⁸ Thanks to optical-splitting, ‘the optical cable is split using a clip that cuts into the cable and attaches a second fibre cable, which transmits light from the main fibre to a device controlled by the attacker’.⁴⁹ These techniques were apparently used by the United States, which deployed submarines capable of tapping undersea fibre-optic cables.⁵⁰ Tapping is however not in a legal vacuum. In fact, the legal framework applicable to the space where it takes place – the high seas, territorial sea, foreign or national territory – still applies.⁵¹

    In contrast, some forms of surveillance may require physical access to a computer – or to computer components – at an early stage, for the purpose of inserting a spy device. But then, espionage activities are carried out remotely, and these operations may still qualify as cyber-espionage. Such is the case for supply-chain backdoors. The ‘supply chain’ is defined as ‘the entire process of making and selling commercial goods, including every stage from the supply of materials and the manufacture of the goods through to their distribution and sale’.⁵² Yet, it appears that ‘[e]ffectively securing the supply chain can be hard because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain’.⁵³ That is how specific chips may be inserted in computer and networking hardware, therefore allowing one to create a backdoor and to gain access to the altered machines at a later stage.⁵⁴ To proceed, spies may resort to two main methods. The first method consists in ‘manipulating devices as they’re in transit from manufacturer to customer’ and was allegedly implemented by the United States.⁵⁵ It was reported that ‘agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.’⁵⁶ The second method ‘involves seeding changes from the very beginning’ – i.e. ‘during the manufacturing process’.⁵⁷ It was apparently implemented in China, as chips were inserted at factories.⁵⁸

    Espionage is also related to ‘intelligence’ but they do not have the same meaning. Intelligence may equally refer to those pieces of information that guide decision-making, and to the process that results in data production.⁵⁹ The ‘intelligence cycle’ consists of five phases.⁶⁰ The first phase is ‘planning’: intelligence needs are defined and the agencies are given permission to act. The second phase is ‘collection’: information is collected and gathered. The third phase is ‘processing’: the reliability of information is assessed and it is cross-checked with other sources. The fourth phase is ‘analysis’: the information is put in context and the ‘finished intelligence’ is produced. The fifth and final phase of this cycle is ‘dissemination’: intelligence is transferred to decision-makers (e.g. politicians, the military or companies). Further elements are worth mentioning regarding the second phase – i.e. ‘collection’. Information comes from four main sources: open, human, electromagnetic and imagery intelligence. Open-source intelligence derives from publicly available and non-classified information, like newspapers, reviews, websites, databases and speeches.⁶¹ Human intelligence – which includes ‘traditional’ espionage – derives from human sources, and may be collected by State officers deployed on the ground or a network of informants.⁶² It may also consist in interrogating prisoners,⁶³ and raises specific ethical and legal controversies (like the use of torture).⁶⁴ Signals intelligence – which includes cyber-espionage – derives from electromagnetic signals and emissions.⁶⁵ It may consist of phone tapping, the interception or access to electronic communications (emails) and so on. Imagery intelligence derives from pictures and video recordings captured by aeroplanes or satellites.⁶⁶

    *

    Two observations must be made before proposing a working definition of ‘cyber-espionage’. First, this study focuses on State-sponsored espionage. Second, experts often draw a distinction between economic and political cyber-espionage, which depends on the nature of the data being sought or the nature of the target (another State or a private company). In fact, an ever-greater number of States – originally led by the United States – are in favour of a binary legal regime. Accordingly, political espionage would be acceptable, in contrast with economic espionage. Even if this distinction may be desirable, it is still de lege ferenda. Leaving aside human rights treaties and the Agreement on Trade-Related Aspects of Intellectual Property Rights,⁶⁷ the nature of the information being sought or the target do not matter for most rules analysed here. Cyber-espionage, then, is defined by this study as ‘a state-sponsored activity, whether launched, deployed or operated remotely, through the use of computer networks, which seeks an unauthorised access to confidential data resident on an information-system or transiting through it’.⁶⁸ It is now necessary to define the environment where cyber-espionage occurs, and which makes it so special: cyber-space.

    1.2 The concept of ‘cyber-space’

    In contrast with other ‘natural’ spaces, cyber-space is hybrid in nature. On the one hand, it creates a virtual space, where relations and transactions are deterritorialised, and it is partly based on immaterial layers. It may indeed be underlined that cyber-space needs protocols to exist, i.e. ‘sets of rules for message formats and procedures that allow machines and application programmes to exchange information’.⁶⁹ Famous protocols are known as ‘Open Systems Interconnection’ (OSI)⁷⁰ and ‘Transmission Control Protocol/Internet Protocol’ (TCP/IP), and they rely on the so-called ‘layers’ to perform properly. In fact, ‘[e]ach layer performs its functions by invoking the services provided by the layers below it, then it returns the results to the invoking layer above’.⁷¹ In the OSI protocol, the network layer is responsible for data routing;⁷² the transport layer ensures that messages are delivered free from error, with no loss or duplication;⁷³ the session layer maintains communications between the network’s nodes;⁷⁴ the presentation layer translates messages into a language that receiving
