Cyber espionage and international law

Cyber espionage and cyber attacks were not explicitly considered in the United Nations Charter, as it was drafted in 1945. The key areas of the Charter that relate to cyber espionage and cyber attacks include the principles of state sovereignty, the prohibition of the use of force, and the rights to self-defense.

State Sovereignty: The UN Charter establishes the sovereignty of states as a fundamental principle. Each state has complete and exclusive sovereignty over its territory, including cyberspace operations that originate from or are directed towards its digital infrastructure. Espionage, which often involves the violation of this sovereignty (through unauthorized access and penetration of systems), is interpreted by countries as a breach of the Charter's principles.

Prohibition of the Use of Force: Under Article 2.4, the Charter prohibits the threat or use of force against the territorial integrity or political independence of any state. While traditional espionage generally does not constitute the use of force, aggressive cyber espionage that results in damage or disruption could potentially be viewed under this light, especially if it leads to significant consequences akin to traditional acts of aggression.

Non-intervention: Article 2.7 of the Charter prohibits the intervention in matters that are within the domestic jurisdiction of any state. However, this principle also lays the groundwork for interpreting state actions in foreign territories, including cyber operations like espionage, as potentially unlawful if they involve coercive measures that effectively intervene in the internal affairs of another state.

Peaceful Settlement of Disputes: Article 33 encourages states to seek peaceful settlement of disputes that might arise, including those potentially involving espionage. This can encompass diplomatic discussions, mediation, or judicial settlement, suggesting a framework within which states might address and resolve issues related to espionage.

Right to Self-Defense: Article 51 provides for the right to self-defense if an armed attack occurs. The application to cyber attacks hinges on whether the cyber operations can be considered an "armed attack." This determination depends on the severity and impact of the attack. If a cyber attack results in, or could have resulted in, death, injury, or significant destruction, it might be considered sufficient to trigger a state’s right to self-defense.

The evolving nature of cyber operations continually tests the limits and applicability of these foundational principles of international law.

---

United Nations Charter, Article 2.4. and 2.7.

The regulation of force and conflict begins with the UN Charter, and specifically Article 2(4), which prohibits the threat or use of force, and calls on all Members to respect the sovereignty, territorial integrity and political independence of other States.

United Nations Charter, Article 2

The Organization and its Members, in pursuit of the Purposes stated in Article 1, shall act in accordance with the following Principles.

1. The Organization is based on the principle of the sovereign equality of all its Members.

2. All Members, in order to ensure to all of them the rights and benefits resulting from membership, shall fulfill in good faith the obligations assumed by them in accordance with the present Charter.

3. All Members shall settle their international disputes by peaceful means in such a manner that international peace and security, and justice, are not endangered.

4. All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.

5. All Members shall give the United Nations every assistance in any action it takes in accordance with the present Charter, and shall refrain from giving assistance to any state against which the United Nations is taking preventive or enforcement action.

6. The Organization shall ensure that states which are not Members of the United Nations act in accordance with these Principles so far as may be necessary for the maintenance of international peace and security.

7. Nothing contained in the present Charter shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any state or shall require the Members to submit such matters to settlement under the present Charter; but this principle shall not prejudice the application of enforcement measures under Chapter Vll.

United Nations Charter, Article 33.

The parties to any dispute, the continuance of which is likely to endanger the maintenance of international peace and security, shall, first of all, seek a solution by negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.

The Security Council shall, when it deems necessary, call upon the parties to settle their dispute by such means.

United Nations Charter, Article 51.

Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defence shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

Cyber espionage, cyber attacks, and the United Nations Charter.

The use of military force authorized under Article 51 is not prohibited under Article 2(4).

It is difficult to define the threshold at which a cyber attack becomes a use of force. This is a political decision for every country, based on strategy, evidence and intelligence. When cyber operations produce severe consequences, that qualify as a use of force, according to the military doctrine in several countries. So, cyber attacks can constitute a prohibited use of force, and can give rise to the right to use military force in self-defensive response, pursuant to the rights reserved in Article 51 of the United Nations Charter.

Cyber attacks targeting the critical infrastructure that injure or kill persons, can be considered equal to an armed attack against which a country enjoys the right to resort to force in self-defense. The degree of damage or injury is a political decision.

Many nondestructive cyber operations like intelligence gathering, cyber theft, or periodic disruption or denial of nonessential cyber services can not be considered equal to an armed attack, according to international law.

Cyber espionage, legal challenges

1. The definition and the threshold of armed attacks. Article 51 permits self-defense in the event of an "armed attack." The international legal community generally requires that such an attack results in significant physical damage or loss of life. Cyber espionage, which usually aims at data theft or surveillance without direct physical damage, does not typically meet this threshold. Thus, it is generally not considered an armed attack that would justify self-defense under Article 51.

2. The attribution of Cyber Espionage. Even when cyber espionage is considered an act warranting a response under Article 51, attributing these activities to a specific state actor is inherently challenging. Cyber operations can be conducted remotely, anonymously, and often involve routing through third countries, complicating definitive attribution.

3. The Proportionality principle. Any response to cyber espionage under international law would also need to adhere to the principle of proportionality. This principle restricts responses to those that are strictly necessary to address the immediate threat and ensure that the response is proportional to the severity of the incident. In cases of cyber espionage, where there is no immediate or physical threat to life, a military response would likely be viewed as disproportionate.

While a direct military response to cyber espionage is generally not justified under international law, affected states will make the final decision and take the measures they consider appropriate.

There are many non-military responses that can be very effective:

- Diplomatic measures (demarches, expelling diplomats).

- Legal actions (indictments against individuals involved in espionage).

- Economic sanctions.

- Cybersecurity enhancements to prevent future incidents. It includes improving cybersecurity defenses to protect against espionage, strengthening systems, enhancing detection capabilities, training, and of course improving counterespionage measures and counterintelligence processes.

A more detailed description of non-military responses to cyber espionage.

1. Diplomatic Actions

Diplomatic measures are one of the first lines of response to cyber espionage. These include:

Demarches: Formal diplomatic protests to convey displeasure or concerns directly to the other government.

Summons: Summoning the ambassador or diplomatic representatives of the offending nation to express concerns or protest officially.

Expulsion of Diplomats: In more serious cases, countries might expel diplomats suspected of espionage or as a punitive measure in response to cyber espionage.

Reduction or suspension of diplomatic engagements: Temporarily halting bilateral meetings or negotiations can signal displeasure and pressure the offending nation to address the espionage activities.

2. Economic Sanctions

Economic sanctions can be an effective tool to penalize countries or entities involved in cyber espionage:

Targeted Sanctions: Imposing sanctions on individuals, organizations, or sectors believed to be involved in or benefiting from cyber espionage activities.

Trade Restrictions: Imposing restrictions or higher tariffs on goods and services from the offending nation as a form of economic pressure.

Blocking Assets: Freezing assets of individuals or companies involved in cyber espionage.

3. Legal Measures

Legal actions can provide a framework for addressing cyber espionage, although jurisdictional challenges often complicate enforcement:

Indictments: Legal indictments against identified perpetrators, often leading to international arrest warrants.

Cybercrime Legislation: Enacting or strengthening laws to address cyber espionage more effectively, thereby improving the legal basis for domestic and international actions.

International Legal Cooperation: Engaging in treaties and agreements to facilitate cross-border legal cooperation and mutual legal assistance.

4. Cyber Defense and Counterintelligence

Improving cyber defenses and counterintelligence efforts are critical in protecting sensitive information and deterring espionage:

Enhancing Cybersecurity: Strengthening government and critical infrastructure cybersecurity measures to resist and detect espionage attempts.

Public-Private Partnerships: Collaborating with the private sector to secure commercial secrets and technologies.

Incident Response Teams: Establishing specialized teams to respond to cyber incidents quickly and efficiently.

5. Norms and International Cooperation

Developing and adhering to international norms can help establish a common understanding of unacceptable behavior in cyberspace:

Bilateral and Multilateral Dialogues: Engaging in discussions to establish cyber norms and cooperative agreements on state behavior in cyberspace.

Confidence-Building Measures: Implementing measures that promote transparency and predictability among states, such as sharing best practices and conducting joint exercises.

International Advocacy: Advocating at international forums like the United Nations to promote and enforce cyber norms.

6. Public and Diplomatic Outreach

Informing and engaging the international community and the public can help in building a coalition against the perpetrators:

Public Statements: Officially acknowledging an incident and its details to inform and alert other potential targets.

Coalition Building: Forming coalitions with other affected countries to issue joint statements or take collective actions, thereby increasing the pressure on the perpetrator.

---

The Vienna Convention on Diplomatic Relations (VCDR) and cyber espionage.

The Vienna Convention on Diplomatic Relations (VCDR) of 1961 is an international treaty that defines the framework for diplomatic relations between independent countries. It establishes the rules for diplomatic immunity and the conduct of diplomatic personnel, ensuring that diplomats can perform their duties without fear of coercion or harassment by the host country. However, the Convention does not specifically address cyber espionage, given that it predates the digital age and the complex cyberspace challenges that have emerged.

While the VCDR does not explicitly mention cyber activities, several of its provisions are pertinent when considering the implications of cyber espionage on diplomatic relations:

Article 22: This article guarantees the inviolability of the premises of the mission. The premises should not be entered by the host nation without permission from the head of the mission. This protection could extend to the digital infrastructure physically located within the embassy, though interpretations vary and do not necessarily cover digital intrusions per se.

Article 24: Ensures that the archives and documents of the diplomatic mission are inviolable at any time and wherever they may be. This could potentially be interpreted to cover digital archives as well, protecting them from cyber espionage.

Article 27: Focuses on the freedom of communication for the mission for all official purposes. The host nation must permit and protect free communication on the part of the mission for all official purposes. In practice, while this should protect communications from interception and interference, the extent to which this applies to cyber communications is not entirely clear and could be subject to interpretations in the context of cyber espionage.

Article 29: Provides that the person of a diplomatic agent shall be inviolable and that he cannot be detained or arrested. While this pertains to physical inviolability, the exploitation of a diplomat’s personal devices through cyber means for espionage could be seen as a violation of this principle.

Article 41: Obligates diplomats to respect the laws and regulations of the host country and not to interfere in the internal affairs of that state. Engaging in or directing cyber espionage could be seen as a breach of this obligation.

Challenges and Considerations - Vienna Convention on Diplomatic Relations (VCDR) and cyber espionage.

Legal Interpretation and Application: The VCDR’s provisions are subject to interpretation, particularly concerning emerging technologies and cyber operations. The principles of non-interference and inviolability of diplomatic communications and documents could be argued to extend to cyber activities, but this application is not universally accepted and remains a grey area.

Cyber Espionage and Diplomatic Strains: Instances where diplomatic missions are accused of conducting or facilitating cyber espionage can lead to significant diplomatic repercussions, including expulsions of diplomats, public denunciations, and severe strains in bilateral relations. Such actions, while diplomatically and politically charged, often do not get legally adjudicated under the VCDR framework directly.

International Law and Cyber Operations: The absence of specific international legal frameworks directly addressing cyber operations in the context of diplomatic relations highlights the need for modern interpretations of existing treaties like the VCDR, or potentially new international agreements that specifically address cyber operations and espionage.

While the Vienna Convention on Diplomatic Relations provides a fundamental framework for the conduct of diplomatic relations, its application to cyber espionage is complex and not directly addressed by the treaty. Interpretations of the VCDR in the context of cyber operations require careful consideration of the principles of sovereignty, non-interference, and the inviolability of diplomatic missions. As cyber threats continue to evolve, there may be increasing calls for international legal instruments to explicitly address these issues.

---