This chapter argues that Hague Conventions V and XIII do not regulate cyber-espionage, and underlines that States did little to define further regulation in the field. First, both conventions contain rules pertaining to material operations which are irrelevant to cyber-espionage: Articles 1, 2, 3, 4 and 5 of the Hague Convention V and Articles 1, 2 and 8 of the Hague Convention XIII. Yet – and at least for the moment – this chapter argues that States only consider that belligerents are prevented from inflicting damage to a neutral State and from erecting ICT infrastructures on neutral territories or neutral waters. In addition, they consider that the mere transiting of cyber-operations through the infrastructure of a neutral State is not contrary to international law. Second, the Hague Convention V contains rules pertaining to the use of telecommunications. This chapter argues that belligerents are prevented from launching cyber-operations through these means. In parallel, a neutral State is not obliged to forbid or restrict the use on behalf of the belligerents of telecommunications infrastructure belonging to it or to companies or private individuals. If restrictions are decided, they must be impartially applied to both belligerents. In this situation, this chapter argues that cyber-espionage activities may be indirectly affected, but without resulting in a general prohibition.
The Hague Conventions II (1899) and IV (1907), as well as the Additional Protocol to Geneva Conventions (1977), are the only conventions where spying is expressly mentioned. In fact, they define what is a spy, and mention how spies may be captured and punished – but without prohibiting this activity itself. Several experts suggest, then, that the regime applicable to traditional espionage applied to cyber-espionage. This chapter argues that things are not that simple, and that wartime cyber-espionage between belligerents escapes regulations. In fact, these instruments were conceived to apply on land, and rely on these notions of ‘zone of operations’, ‘controlled territory’ or ‘occupied territory’. However, they do not make any sense in cyber-space, which is a fifth and different domain. States could have clarified whether and how these rules applied, but failed to do so. In fact, most States opted for the definition of minimal standards of protection – i.e., compliance with the principles of humanity, necessity, proportionality and discrimination – but ignored regulation of cyber-espionage.
This chapter defines the main notions in the book – i.e. ‘cyber-espionage’ and ‘cyber-space’ – and highlights their characteristics. In particular, cyber-espionage is distinguished from cyber-sabotage and from other intelligence-related activities, while cyber-space is often described as the ‘fifth domain’ – and hence, different from land, sea, airspace and outer-space. This difference has consequences in terms of regulation by international law, which are highlighted here.
The methods used in the book – including the approaches to treaty interpretation and the approach to sources (customary international law and general principles of law) – are explained here. Then, the concept which constitutes the bedrock of this book (i.e. ‘normative avoidance’) is explained, as well as its characteristics and consequences (i.e. the absence of prohibition or authorisation, as a result of State will).
Opinio juris ‘means that the practice in question must be undertaken with a sense of legal right or obligation’. If legislation pertaining to intelligence collection is certainly established with ‘a sense of legal right’, this chapter doubts that the implementation of this legislation – i.e., by carrying out espionage or cyber-espionage activities – is carried out with the same ‘sense of legal right’. It means that the existence of opinio juris – whether in terms of authorisation or prohibition – cannot be proved in that respect.
This chapter is conceived as a first step in the identification of specific customary rules on cyber-espionage. In fact, the ILC made clear that ‘legislative acts’ and ‘executive conduct’ had to be considered as part of State practice in this context. It explores the national laws that exist in the field of espionage and cyber-espionage, and underlines that States usually prohibit espionage against their own interests, but authorise their own espionage activities abroad. It also analyses the grounds allowing intelligence collection, and notes that – more often than not – they are not limited to the protection of national security, but also include the economic well-being of a country. Then, a challenge to executive conduct – i.e., spying activities themselves – resides in the fact that they are usually performed in secret. It is however admitted that practice must be public (or at least known to the ‘victim State’), which means that clandestine examples of executive conduct cannot be taken into account in the assessment of customary international law. The admissible examples of State practice then exclusively reside in legislative acts, which were analysed in the previous chapter. This means that only the normative power of States – i.e., the possibility to adopt laws that authorise intelligence activities abroad, but prohibit espionage directed at their own interests – may count as State practice. In contrast, the clandestine implementation of these laws – which is materialised into executive conduct and espionage activities – is not admissible.
This chapter demonstrates that cyber-espionage does not breach sovereignty. First, it argues that digital intrusions are not similar to physical trespass and – as espionage per se is not an international wrongful act – cyber-espionage does not breach international law either. Second, it disagrees with a view which gained support over the last years, and according to which damage should be taken into account to determine whether a breach of sovereignty occurred. In fact, damage is irrelevant in assessing whether a breach of sovereignty occurred, and the contrary view does not find satisfactory support in State practice. Even if this view was valid, cyber-espionage would not breach sovereignty, as it results in minimal effects. Several case studies are included.