The conclusion explains that, for a long time, espionage was only indirectly constrained by international law – and States were satisfied with this. This regime was however destabilised by the digitalisation of espionage. Hence, cyber-espionage is neither authorised nor prohibited: it is not unlawful, but States do not want to create a right to spy. As a matter of fact – and for the time being – regulation of cyber-espionage is mainly achieved through domestic laws. The conclusion also focuses on the managerialist approach to international law, and explains how a need to fill a so-called legal vacuum emerged in doctrine.
While espionage among nations is a long-standing practice, the emergence of the internet has challenged the traditional legal framework and has resulted in the intensification of intelligence activities. In fact, espionage was subject to indirect regulation, which applied where a spy was (often at their own risk) trespassing on foreign territory or sent behind enemy lines. With the emergence of cyber-espionage, however, agents may collect intelligence from within their own jurisdictions, with a great deal of secrecy and less risk. This monograph argues that – save for some exceptions – this activity has been subject to normative avoidance. It means that it is neither prohibited – as spying does not result in an internationally wrongful act – nor authorised, permitted or subject to a right – as States are free to prevent and fight foreign cyber-espionage activities. However, States are aware of such status of law, and are not interested in any further regulation. This situation did not emerge by happenstance but rather via the purposeful silence of States – leaving them free to pursue cyber-espionage themselves at the same time as they adopt measures to prevent falling victim to it. To proceed, this monograph resorts to a first-class sample of State practice and analyses several rules and treaties: territorial sovereignty, collective security and international humanitarian law (i.e. the rules applicable between belligerent and neutral Powers, as well as between belligerents themselves), the law of diplomatic relations, human rights law, international law and European economic law. It also demonstrates that no specific customary law has emerged in the field.
This chapter argues that neither the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) nor European Union law prohibits economic cyber-espionage. In fact, they still tolerate cyber-espionage on some specific grounds. On the one hand, Articles 3 (national treatment) and 39 (protection of undisclosed information) of the TRIPS do not prohibit it. This chapter argues that Article 3 and subsequent practice confirm that ‘national treatment’ only applies on the very territory of the Member State – i.e., it is not supposed to regulate the extraterritorial conduct of States – and is not intended to protect trade secrets. Then, pursuant to Article 39, States have a positive obligation: to give private persons the means to protect undisclosed information from ‘others’ – i.e., other private persons. However, States are not required to abstain from spying abroad. Furthermore, it argues that the ideals of an EU free market, loyal cooperation and a high level of competitiveness are not enough to prevent such activity either. The application of EU Directive 2016/943 does not give better results. On the other hand, under Article 73 of the TRIPS, Member States are free, ‘in time of war or other emergency in international relations’, to take any necessary measure for the protection of ‘essential security interests’. Yet, this power is more limited in peacetime. In fact, only information relating to ‘fissionable materials or the materials from which they are derived’, ‘traffic in arms ammunition and implements of war’ may be collected over this period. This means that, when essential security interests are at stake, certain forms of cyber-espionage are still conceivable.
If human rights treaties are concerned with the protection of privacy, this chapter argues that extraterritorial espionage usually escapes such regulation. In fact, the current understanding of jurisdiction remains physical, and it is only where physical access to the infrastructure is secured that State jurisdiction is relevant. It means that the right to privacy must only be secured where data is intercepted by national authorities as it crosses the border, or where a State requests another actor based on its territory – like an internet or cloud-service provider – to deliver pieces of data, even if information is stored abroad. This is due to the fact that this actor is indeed based on the territory of a Member State, and subject to its jurisdiction. However, this is not the case where data is directly and remotely accessed by intelligence services. Then, and even where the right to privacy applies, it does not set burdensome requirements. If human rights bodies are quite strict regarding the application of the legality principle, most cyber-espionage activities may actually find a lawful justification (whether in terms of national security, preservation of economic well-being or the prevention and repression of crimes). If the requirement of proportionality would typically require Member States to favour the least intrusive solution, it does not outlaw bulk interceptions per se.
These preliminary words briefly explore the history of espionage and the emergence of cyber-espionage. The main challenges are mentioned – i.e. the possibility to evade arrest and attribution, the cheap cost and the special nature of cyber-space.
This chapter argues that Hague Conventions V and XIII do not regulate cyber-espionage, and underlines that States did little to define further regulation in the field. First, both conventions contain rules pertaining to material operations which are irrelevant to cyber-espionage: Articles 1, 2, 3, 4 and 5 of the Hague Convention V and Articles 1, 2 and 8 of the Hague Convention XIII. Yet – and at least for the moment – this chapter argues that States only consider that belligerents are prevented from inflicting damage to a neutral State and from erecting ICT infrastructures on neutral territories or neutral waters. In addition, they consider that the mere transiting of cyber-operations through the infrastructure of a neutral State is not contrary to international law. Second, the Hague Convention V contains rules pertaining to the use of telecommunications. This chapter argues that belligerents are prevented from launching cyber-operations through these means. In parallel, a neutral State is not obliged to forbid or restrict the use on behalf of the belligerents of telecommunications infrastructure belonging to it or to companies or private individuals. If restrictions are decided, they must be impartially applied to both belligerents. In this situation, this chapter argues that cyber-espionage activities may be indirectly affected, but without resulting in a general prohibition.