Cyber Espionage and the Vacuum of International Law
Dermot Costello, LLB, King’s College London.
New technologies present challenges for international law. After Alexander Graham Bell invented the telephone in 1849, and as international telephone calls became more common, the International Telegraphic Convention (ITC) was signed in 1865. This created the International Telegraphic Union (ITU), which still exists today and continues to regulate international telecommunication. It is a rather mundane part of international law, and its obscurity is testament to its success. It provides uncontroversial rules that facilitate an incredibly important aspect of modern life.
In due course, the international law of human rights expanded to cover using a telephone. In Malone v United Kingdom,[1] the European Court of Human Rights held that the police did not have an unfettered right to tap phones in the U.K. Some legal protection against arbitrary interference with privacy was required, and warrantless phone tapping was unlawful. Although the European Convention on Human Rights is only a regional treaty, Malone was a good bellwether of how international human rights treaties protected the users of new technology.
Developing norms for the internet will not prove as easy. After the invention of a new technology, there is an inevitable period of flux and uncertainty while rules develop. We are currently in this period of uncertainty for the internet, and as of yet we have little satisfactory international law. But the development of norms for the internet will be particularly difficult. The international effect of telephone calls was limited: Parties could now make instant oral contracts while in different countries, confidence tricksters could use it for international scams (phone fraud is still common today), and there were issues regarding the tapping of international calls and calls from embassies. The tapping of internal phone-calls was a purely domestic matter. In comparison, the list of issues raised by the internet is a veritable bedlam. The range of information stored and communicated on the internet is more complex and multifarious. Developing norms for cyberspace will be a longer and more arduous process.
The focus of this post is on “state v. state” espionage, where the intelligence agencies of one state use cyberspace directly against the organs of another state: For example: the alleged Russian hack of the Democratic National Committee’s email servers. In my next blog post, I will examine the human rights implications of “state v. population” cyber espionage and bulk data gathering, e.g. the CIA’s Prism programme. While the division is somewhat artificial, it is useful as it is not as relevant to consider human rights obligations in the context of “state v. state” espionage.
The pre-existing vacuum
With the exception of the international law of human rights, which I will deal with in my next blogpost, international law says almost nothing about cyber espionage! It is unsurprising international law has very little to say about cyber espionage when it has almost nothing to say about old-school espionage. The whole point of espionage is its deniability and secrecy, it exists in the twilight of international law. States do not want to give up their tricks of the trade, conducting treaty negotiations on espionage would involve divulging sensitive information.[2]
In 1905, Lassa Oppenheim, an eminent international law academic, wrote that spying “is not considered wrong morally, politically or legally.”[3] His view continues to be an accurate description of international law today. If we look to the sources of international law which are listed in Article 38 of the Statute of the International Court of Justice, we find that there are no treaties, general principles or subsidiary sources prohibiting spying. Neither is there any international custom prohibiting it, the widespread state practice of maintaining intelligence agencies would negate any international custom.
Part of the reason for the absence of international custom on the matter is the difficulty of attributing spying. States are seldom called on to justify their actions; the “U2 incident” was a rare example of a state defending spying. When Gary Powers was shot down in a CIA spy-plane above the Soviet Union in 1960, President Eisenhower publicly asserted the right of the U.S. to engage in espionage.[4] Similarly, protests by states against espionage are usually muted. When the U.K protested against Soviet spying in 1971, it merely expelled 90 Soviet diplomats from the U.K.[5] States have an absolute right to expel foreign diplomats anyway; the U.K.’s actions were not a legally significant response.
The difficulty of international attribution
Attribution is a high standard in international law. The Articles on the Responsibility of States for Internationally Wrongful Acts, (ARSIWA) although not a treaty, is consistent with international custom on the attribution of acts to states. Article 4 provides that actions by any state organ will be attributable to that state. But in domain of espionage and covert activity, it is seldom possible to prove this, and states are often clever in using non-state actors to achieve their ends. Article 8 of ARSIWA attributes the actions of individuals or groups to states where they are ‘in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.’ In the Military and Paramilitary activities in and against Nicaragua Case,[6] the International Court of Justice held that the acts of the Nicaraguan contras could not be attributed to the United States government, despite close coordination and U.S. involvement in planning attacks,[7] training and arms supply,[8] along with U.S. logistical support and funding.[9] The U.S. was held not to have ‘created’ the contras,[10] and the connection of the contras to the U.S. was insufficient for their activities to be attributed to the U.S. The standard for attribution was ‘effective control’.[11] In the Tadic case, the International Criminal Court for the Former Yugoslavia applied a broader, ‘overall control’[12] test to attribute the activities of organised groups to a state. However, in the Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide, the ICJ again reaffirmed the more stringent ‘effective control’ test.[13] It confined the ‘overall control’ test to the realm of determining whether a state was involved in an armed conflict such that it would constitute an ‘international armed conflict’ under the Geneva Conventions.[14] This was the only question that the Tadic court was called upon to decide, and it made no finding attributing responsibility to a state.
It is difficult to imagine cyber espionage being conclusively attributed to a state, and it is often conducted through the medium of non-state actors. For example, the hacker of the Democratic National Party’s email server, ‘Fancy Bear’, appear to be linked and funded by Russia. However, the precise nature of the links are denied by Russia and remain unclear, and it is unlikely that the ‘effective control’ test espoused in the Military and Paramilitary Activities judgment would be satisfied. The 2007 cyber-attacks against Estonia (which was not confined merely to espionage) again, appeared to be informally organised on Russian online chat sites, and the Russian government made ominous statements against the Estonian government and appeared uninterested in apprehending the hackers. Even if norms on cyber espionage did exist, the difficulty of international attribution would render them meaningless. It’s possible that bespoke standards of attribution in cyberspace will develop in the future and we will see movement away from the ‘effective control’ test, but finding sufficient evidence for attribution will remain challenging.
We are left with the somewhat unsatisfactory position that espionage is legal because it is not specifically prohibited. This position seems to have been recognised in the seminal Tallinn Manual (a Nato document discussing the application of international law to cyber attacks), it was suggested that cyber espionage is not contrary to international law generally.[15] This repeats the position of the 1927 Lotus decision: Something not specifically prohibited by international law is legal. On this tenuous hook cyber espionage hangs.
Non-intervention, and cyber operations going beyond espionage
It has been argued that espionage breaches the international law principle of non-intervention. Although I argue that this is incorrect, a consideration of the principle of non-intervention illustrates some of the difficulties of applying international law to cyberspace. The Military and Paramilitary Activities judgment offered guidance on the content of the international rule on non-intervention.[16] Intervention is prohibited only when it uses coercion: ‘the element of coercion… defines, and indeed forms the very essence of prohibited intervention’.[17] Some have argued that espionage infringes upon territorial and political sovereignty as it involves sending clandestine agents to foreign territory. However, it is unclear how information gathering coerces a state to adopt a particular course of action. Furthermore, this argument demonstrates how murky the concept of foreign surveillance is in cyberspace. The U.S. Prism programme required the cooperation of domestic technological companies, and many cyber espionage activities are achieved with minimal extraterritorial effect. There is no intrusion to speak of when cyber espionage occurs.
When cyber espionage is combined with other low-level cyber operations, we may stray closer to the domain of non-intervention. The issue is that the precise nature of the coercion required to breach international law is unclear. How much pressure is too much? The Fancy Bear attacks described above were used as part of a Russian strategy to leak documents aimed at discrediting Hillary Clinton. This certainly strays closer towards one state forcing its choice upon another, however, the required element of coercion is lacking. The U.S. population were free to respond to the leaked information as they pleased. What if Russia orchestrated a hack that interfered with the electoral register for the Republican primary vote in the presidential elections? Arguably this would cross the Rubicon into prohibited coercive intervention, but a detailed analysis on the facts would be required. The nature of cyberspace, and the extent of the sovereignty that states enjoy over it is still somewhat unsettled. This makes determining what sort of intrusions are prohibited a difficult task. What if German political parties used Microsoft Outlook for their internal purposes and discussions, and the U.S. falsified or deleted emails to influence policy? Again, the U.S. would be exercising control over a domestic company (a matter of ordinary internal regulation), but this appears to be a clear-cut case of one state forcing its view upon another. The demarcation between legal and illegal intervention has been muddied in the cyber realm.
A kick in the right direction?
Where states have unilateral power, they are discouraged from expanding international law to restrict their action. International law’s role is often to constrain powerful states. The Treaty on the Non-Proliferation of Nuclear Weapons was signed on 1 July 1968, over 20 years after the use of nuclear weapons in Japan by the U.S. When other states began to acquire nuclear arms, the motive for mutual regulation became stronger, as U.S. nuclear hegemony diminished. U.S.-Russia relations are at a low-point and this may impede the development of cyber norms. But the diminishing U.S. cyber advantage, and an increasing awareness of U.S. vulnerability to high-level cyber espionage may provide the impetus towards developing more norms in cyber space.
In the meantime, the vacuum of international norms governing cyber espionage will persist. International law for new technologies develops by reasoning from analogy, and with no law on the question it’s unsurprising that the law on cyber espionage is a quagmire. The world of espionage is obscured with smoke and mirrors, it stands to reason that the same is true of international law.
Want to find out more? Follow our ProTechMe Series!
[1] [1984] ECHR 10.
[2] Ashley Deeks, “An International Legal Framework for Surveillance” (2015) 55 Virginia LR 291.
[3] L Oppenheim, International Law, a treatise, (1905), §455.
[4] Felix Belair Jr., President Asserts Secrecy of Soviets Justifies Spying, N.Y. Times, May 12, 1960.
[5] Britain expels 90 Russian diplomat spies, 25 September 1971, The Guardian.
[6] (Nicaragua v. United States of America). Merits, Judgment. I.C.J. Reports 1986, p. 14
[7] Ibid, para 106.
[8] Ibid, para 101.
[9] Ibid, para 106.
[10] Ibid, para 108.
[11] Ibid, para 584.
[12] IT-94–1-A, [1999], Para 122
[13] Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgment, I.C.J. Reports 2007, p. 43, at para 400.
[14] At para 404. Geneva Convention Relative to the Protection of Civilian Persons in Time of War (Fourth Geneva Convention) 75 UNTS 287, Article 2.
[15] Tallin Manual, p194.
[16] Military and Paramilitary Activities, para 202. See Sean Watts, ‘Low-intensity Cyber Operations and the Principle of Non-Intervention’ available at http://ssrn.com/abstract=2479609
[17] Military and Paramilitary Activities, para 205.
