Law

Thibault Moulin
in Cyber-espionage in international law
,
in Cyber-espionage in international law
Silence speaks
Author:

While espionage among nations is a long-standing practice, the emergence of the internet has challenged the traditional legal framework and has resulted in the intensification of intelligence activities. In fact, espionage was subject to indirect regulation, which applied where a spy was (often at their own risk) trespassing on foreign territory or sent behind enemy lines. With the emergence of cyber-espionage, however, agents may collect intelligence from within their own jurisdictions, with a great deal of secrecy and less risk. This monograph argues that – save for some exceptions – this activity has been subject to normative avoidance. It means that it is neither prohibited – as spying does not result in an internationally wrongful act – nor authorised, permitted or subject to a right – as States are free to prevent and fight foreign cyber-espionage activities. However, States are aware of such status of law, and are not interested in any further regulation. This situation did not emerge by happenstance but rather via the purposeful silence of States – leaving them free to pursue cyber-espionage themselves at the same time as they adopt measures to prevent falling victim to it. To proceed, this monograph resorts to a first-class sample of State practice and analyses several rules and treaties: territorial sovereignty, collective security and international humanitarian law (i.e. the rules applicable between belligerent and neutral Powers, as well as between belligerents themselves), the law of diplomatic relations, human rights law, international law and European economic law. It also demonstrates that no specific customary law has emerged in the field.

Thibault Moulin

This chapter argues that neither the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) nor European Union law prohibits economic cyber-espionage. In fact, they still tolerate cyber-espionage on some specific grounds. On the one hand, Articles 3 (national treatment) and 39 (protection of undisclosed information) of the TRIPS do not prohibit it. This chapter argues that Article 3 and subsequent practice confirm that ‘national treatment’ only applies on the very territory of the Member State – i.e., it is not supposed to regulate the extraterritorial conduct of States – and is not intended to protect trade secrets. Then, pursuant to Article 39, States have a positive obligation: to give private persons the means to protect undisclosed information from ‘others’ – i.e., other private persons. However, States are not required to abstain from spying abroad. Furthermore, it argues that the ideals of an EU free market, loyal cooperation and a high level of competitiveness are not enough to prevent such activity either. The application of EU Directive 2016/943 does not give better results. On the other hand, under Article 73 of the TRIPS, Member States are free, ‘in time of war or other emergency in international relations’, to take any necessary measure for the protection of ‘essential security interests’. Yet, this power is more limited in peacetime. In fact, only information relating to ‘fissionable materials or the materials from which they are derived’, ‘traffic in arms ammunition and implements of war’ may be collected over this period. This means that, when essential security interests are at stake, certain forms of cyber-espionage are still conceivable.

in Cyber-espionage in international law
Thibault Moulin

If human rights treaties are concerned with the protection of privacy, this chapter argues that extraterritorial espionage usually escapes such regulation. In fact, the current understanding of jurisdiction remains physical, and it is only where physical access to the infrastructure is secured that State jurisdiction is relevant. It means that the right to privacy must only be secured where data is intercepted by national authorities as it crosses the border, or where a State requests another actor based on its territory – like an internet or cloud-service provider – to deliver pieces of data, even if information is stored abroad. This is due to the fact that this actor is indeed based on the territory of a Member State, and subject to its jurisdiction. However, this is not the case where data is directly and remotely accessed by intelligence services. Then, and even where the right to privacy applies, it does not set burdensome requirements. If human rights bodies are quite strict regarding the application of the legality principle, most cyber-espionage activities may actually find a lawful justification (whether in terms of national security, preservation of economic well-being or the prevention and repression of crimes). If the requirement of proportionality would typically require Member States to favour the least intrusive solution, it does not outlaw bulk interceptions per se.

in Cyber-espionage in international law
Thibault Moulin

These preliminary words briefly explore the history of espionage and the emergence of cyber-espionage. The main challenges are mentioned – i.e. the possibility to evade arrest and attribution, the cheap cost and the special nature of cyber-space.

in Cyber-espionage in international law
in Cyber-espionage in international law
in Cyber-espionage in international law
Thibault Moulin

This chapter argues that Hague Conventions V and XIII do not regulate cyber-espionage, and underlines that States did little to define further regulation in the field. First, both conventions contain rules pertaining to material operations which are irrelevant to cyber-espionage: Articles 1, 2, 3, 4 and 5 of the Hague Convention V and Articles 1, 2 and 8 of the Hague Convention XIII. Yet – and at least for the moment – this chapter argues that States only consider that belligerents are prevented from inflicting damage to a neutral State and from erecting ICT infrastructures on neutral territories or neutral waters. In addition, they consider that the mere transiting of cyber-operations through the infrastructure of a neutral State is not contrary to international law. Second, the Hague Convention V contains rules pertaining to the use of telecommunications. This chapter argues that belligerents are prevented from launching cyber-operations through these means. In parallel, a neutral State is not obliged to forbid or restrict the use on behalf of the belligerents of telecommunications infrastructure belonging to it or to companies or private individuals. If restrictions are decided, they must be impartially applied to both belligerents. In this situation, this chapter argues that cyber-espionage activities may be indirectly affected, but without resulting in a general prohibition.

in Cyber-espionage in international law
Thibault Moulin

The Hague Conventions II (1899) and IV (1907), as well as the Additional Protocol to Geneva Conventions (1977), are the only conventions where spying is expressly mentioned. In fact, they define what is a spy, and mention how spies may be captured and punished – but without prohibiting this activity itself. Several experts suggest, then, that the regime applicable to traditional espionage applied to cyber-espionage. This chapter argues that things are not that simple, and that wartime cyber-espionage between belligerents escapes regulations. In fact, these instruments were conceived to apply on land, and rely on these notions of ‘zone of operations’, ‘controlled territory’ or ‘occupied territory’. However, they do not make any sense in cyber-space, which is a fifth and different domain. States could have clarified whether and how these rules applied, but failed to do so. In fact, most States opted for the definition of minimal standards of protection – i.e., compliance with the principles of humanity, necessity, proportionality and discrimination – but ignored regulation of cyber-espionage.

in Cyber-espionage in international law