Cyber espionage:
The threat international law can no longer ignore
Abstract: In 1962, Richard Falk proclaimed that ‘international law is remarkably oblivious to the peacetime practice of espionage’. Little has changed since, and international law has only now begun to grapple with the governance and regulation of espionage in its many forms. One particular practice of espionage which has emerged since the advent of the internet and cyberspace is cyber espionage. Cyber espionage refers to the clandestine accessing and copying of protected or confidential information. It is committed using cyber technologies and cyber infrastructure. It occurs mostly during peacetime. Its perpetrators include both state and non-state actors. And the question to be answered is: How does international law apply to it? Using the doctrinal method, this thesis examines from an internal perspective how international law applies to cyber espionage using the regimes and principles of international law. The thesis considers whether state conducted or state-sponsored cyber espionage committed against other states falls within the regime of jus ad bellum, the principle of territorial sovereignty and the duty not to intervene. For instances when cyber espionage has an economic or financial motive, the application of the TRIPS Agreement is considered. And when cyber espionage is committed by non-state actors, the thesis examines how the due diligence principle applies to impose obligations on states to prevent non-state actors committing cyber espionage against other states. While cyber espionage does not fit neatly into all of the regimes and principles, it is a threat which can no longer go unregulated by international law.
Mia Tuzovic
Master of International and European Law: Public International Law Dr Catherine Brölmann (thesis supervisor)
Universiteit van Amsterdam | University of Amsterdam 26 July 2016
Table of contents
1. Introduction ... 1
2. International law and espionage... 4
3. International law and cyber espionage ... 5
3.1. Cyber espionage and jus ad bellum ... 7
3.2. Cyber espionage, the principle of territorial sovereignty and the duty not to intervene ... 12
3.2.1. Cyber espionage and the principle of territorial sovereignty ... 13
3.2.2. Cyber espionage and the duty not to intervene ... 16
3.3. Economic cyber espionage and the TRIPS Agreement ... 19
3.4. Cyber espionage and the principle of due diligence ... 25
4. Conclusion ... 31
1
1. Introduction
Espionage is not new or novel.1 But it has evolved over time. And it has adapted to the current
environment and contemporary technologies. Yet, what was once expressed in 1962 can still be stated today – ‘[t]raditional international law is remarkably oblivious to the peacetime practice of espionage’.2 International law as it currently stands has not developed a treaty by
which the practice of traditional espionage is regulated or governed. This normative lacuna has enabled for newer forms of espionage, such as cyber espionage, to emerge with little to no guidance for their regulation.
Cyber espionage is one of a long list of perilous activities occurring on a daily basis in cyberspace. The application of international law to cyberspace is no longer disputed, and in the last few years a discourse amongst states, scholars, and international organisations has developed regarding state activities in cyberspace. Some are of a general nature referring to all types of activities undertaken through information and computer technologies (ICTs). Others refer to specific acts and identify the responsibilities of states to behave or refrain from behaving in a certain way. This thesis examines how international law applies to cyber espionage by referring to an established body of international law regimes and principles. Cyber espionage is gaining momentum at an unprecedented speed and the sheer scale and volume of it has captured the concern of states. In 2013, Mandiant published a report (Mandiant Report) evidencing the Chinese government to be sponsoring the cyber espionage and data theft activities of a Chinese-based group called APT1 targeting various state and non-state actors over several years, the majority of which were located in the United States.3 In February
2016, China was blamed for a cyber hack on an Australian state government department targeting sensitive mining data which occurred while a number of mining projects were awaiting approval, including one worth $1.2 billion AUD.4 In May 2016, Germany’s secret
1 For examples, see Katharina Ziolkowski, ‘Peacetime Cyber Espionage – New Tendencies in Public
International Law’ in Katharina Ziolkowski (ed), Peacetime Regime For State Activities in Cyberspace (NATO CCD COE Publication, 2013) 425, and Richard A Falk, ‘Foreword’ in Roland J Stanger (ed), Essays on Espionage and International Law (Ohio State University Press, 1962) v.
2 Falk (n 1) v; John Radson, ‘The Unresolved Equation of Espionage and International Law’ (2007) 28
Michigan Journal of International Law 595, 602.
3 Mandiant, ‘APT1 Exposing One of China’s Cyber Espionage Units’ (2013)
<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf> accessed 20 June 2016.
4 Angela Lavoipierre, ‘Cyber attacks on NSW Government department raises security fears’ ABC (3 February
2016) <http://www.abc.net.au/news/2016-02-03/hackers-target-state-government-department/7136076> accessed 6 February 2016.
2 service claimed Russia was behind a series of cyber acts aimed at espionage and sabotage, one of which targeted the German parliament.5 It is also believed Russia attempted to hack the
Dutch Safety Board’s computer systems in order to access a sensitive report concerning the 2014 downing of flight MH17 over Ukraine.6 Although these showcase some of the most recent
cyber espionage threats, the reality is the number of cyber espionage ‘incidents detected is probably only a fraction of the actual number’ occurring.7
While analogies can be drawn between traditional espionage and cyber espionage, the threat posed by cyber espionage outweighs that of traditional espionage. Traditional espionage is defined as an act that is committed covertly ‘or under false pretences or disguise’; by a state or must be ‘attributable to a state’; and ‘must target information not publicly available’.8 Cyber
espionage, on the other hand, is described as the unauthorised accessing and copying of information or data by a state or non-state actor, which is not publicly available and which is wirelessly transmitted, ‘temporarily available’ or saved on computer networks or information technology systems located on territory within ‘the exclusive jurisdiction of another’ state.9
Like espionage, cyber espionage is conducted secretly or under false pretences, and without consent.10 Confidential or protected information is information which is not publicly
available.11
In the absence of treaties or clear international law regulating the peacetime practice of traditional espionage and in light of the grave threat cyber espionage poses to states and non-state actors, cyber espionage can no longer continue unregulated. States are turning to international law for help, an action signifying departure from how states traditionally dealt with espionage. Yet, differing views exist among states, scholars and other actors as to how international law applies to cyber espionage. This thesis offers a much-needed analysis in response to the following questions: What regimes and principles of international law apply to cyber espionage committed by states against other states? Is cyber espionage legal or illegal
5 Agence-France Presse in Berlin, ‘Russia accused of series of international cyber-attacks’ The Guardian (13
May 2016) <https://www.theguardian.com/technology/2016/may/13/russia-accused-international-cyber-attacks-apt-28-sofacy-sandworm> accessed 15 May 2016.
6 Ibid.
7 National Cyber Security Centre, ‘Cyber Security Assessment Netherlands CSAN 2015’ (Ministry of Security
and Justice, 17 November 2015) 21
<https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Netherlands/cyber-security-assessment-netherlands-2015%5B2%5D.html> accessed 28 June 2016 (CSAN 2015).
8 Ziolkowski (n 1) 428.
9 Ibid 429; Russell Buchan, ‘Cyber espionage and international law’ in Nicholas Tsagourias and Russell Buchan
(eds), Research Handbook on International Law and Cyberspace (Edward Elgar Publishing, 2015) 171-173.
10 Ziolkowski (n 1) 429. 11 Buchan (n 9) 171.
3 under the applicable regimes and principles of international law? And how can international law regulate cyber espionage committed by non-state actors?
To answer these questions, I use the doctrinal method and undertake my analysis of international law from an internal perspective. In other words, I use the tools and sources of international law, as set out in Article 38 of the Statute of the International Court of Justice (ICJ), to answer each of the questions identified above.12 Since I look at various international
law regimes and principles, these parts of my thesis are ‘expository’.13 And in analysing the
application of the regimes and principles to cyber espionage, I make normative assessments based on the applicability of international law to cyberspace.
This thesis begins with an overview of how international law deals with traditional espionage. The thesis then analyses cyber espionage using specific regimes and principles of international law. First, since many states consider cyber espionage to be a grave threat to their national security, cyber espionage committed by states against other states is considered under the regime of jus ad bellum, the principle of territorial sovereignty and the duty not to intervene. The thesis makes conclusions on whether cyber espionage is a violation of international law under these regimes and principles. Second, economic cyber espionage, which targets trade secrets owned by state and non-state actors, is considered in the context of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) within the system of the World Trade Organization (WTO). The thesis focuses on state conducted or state-sponsored economic cyber espionage since tackling this problem is high on the agenda for many states as they seek to minimise the risk of valuable and confidential business information of state enterprises and private companies being stolen by cyber espionage. Third, in determining how international law can regulate cyber espionage committed by non-state actors, the principle of due diligence is considered. The global scope of cyber espionage reveals the number of actors committing it is increasing, making attribution a complex task and regulation even more challenging.14 The principle of due diligence can overcome these issues and impose
obligations on states to prevent cyber espionage from being committed by non-state actors against other states. Finally, the thesis provides some conclusions on international law and cyber espionage.
12 Statute of the International Court of Justice (adopted 26 June 1945, entered into force 25 October 1945)
UNTS 993.
13 Robert Cryer et al, Research Methodologies in EU and International Law (Hart Publishing 2011) 8. 14 CSAN 2015 (n 7) 31-32.
4
2. International law and espionage
The starting point of how international law governs or regulates state conduct is The Case of the SS Lotus (SS Lotus).15 The Permanent Court of International Justice therein stated that
international law leaves states with ‘a wide measure of discretion which is only limited in certain cases by prohibitive rules’.16 In all other instances, states ‘remain free to adopt the
principles which [they regard] as best and most suitable’.17 This means that only those acts
subject to express rules are prohibited.
The legal principle established by SS Lotus is referred to by some states and academics as supporting the proposition that under international law traditional espionage between states is not prohibited.18 In reality, traditional espionage occupies a murky existence in international
law as to its legality and illegality. Academics have acknowledged that international law prefers to only address the issue of espionage during wars and conflicts.19 The issue of peacetime
espionage, on the other hand, continues to divide international law academics.
Quincy Wright opines that ‘espionage is a legitimate belligerent operation’ but ‘all peacetime espionage in foreign territory is illegal’.20 According to Wright, traditional espionage during
peacetime is a violation of international law because states are under a duty ‘to respect the territorial integrity and political independence of other states’.21 This suggests traditional
espionage violates the territorial sovereignty of a state. Professor Garcia-Mora considers that espionage during wartime is not prohibited by international law, but ‘peacetime espionage is regarded as an international delinquency and a violation of international law’.22 Stone, on the
other hand, dissents from the view that ‘even if there is no illegal territorial intrusion’ peacetime espionage is ‘an international delinquency of the state permitting it’.23 In the absence of state
practice evidencing any restriction against peacetime espionage, the act of espionage during peacetime is not illegal.24 Stone thus concludes that ‘there is no sufficient warrant for saying
15 The Case of the SS Lotus (France v Turkey) PCIJ Rep Series A No 10. 16 Ibid 19.
17 Ibid.
18 Ashley Deeks, ‘An International Legal Framework for Surveillance’ (2015) 55 Virginia Journal of
International Law 291, 301.
19 Lt Col Geoffrey B Demarest, ‘Espionage in International Law’ (1996) 24(2) Denver Journal of International
Law and Policy 321, 330.
20 Quincy Wright, ‘Espionage and the Doctrine of Non-Intervention in Internal Affairs’ in Stanger (n 1) 11; 21. 21 Ibid 12; Radson (n 2) 604-605.
22 Manuel R Garcia-Mora, ‘Treason, Sedition and Espionage as Political Offenses under the Law of Extradition’
(1964) 26 University of Pittsburgh Law Review 65, 79-80; Radson (n 2) 604.
23 Julius Stone, ‘Legal Problems of Espionage in Conditions of Modern Conflict’ in Stanger (n 1) 33. 24 Ibid.
5 that international law does not permit state-authorized espionage in peacetime’.25 He adds one
reservation however – if the act of peacetime espionage involves a ‘collateral illegality such as intrusion on territory’ then it constitutes an international delinquency and a violation of international law.26 In Demarest’s view, espionage during peacetime is not illegal.27 Demarest
stipulates that espionage, or ‘clandestine intelligence gathering’, is ‘an unfriendly act between nations’ but it does not amount to a violation of international law.28 Adopting a pragmatic
approach, Falk presents espionage as having the ‘peculiar quality of being tolerated, but illegal’.29 In Falk’s opinion, no attempts have been made ‘to impose legal responsibility upon
the state for the espionage it has commissioned’.30 A different view altogether considers that
international law preserves espionage ‘as a tool by which to facilitate international cooperation’.31 In other words, espionage is allowed to function as a means by which states can
determine whether other states are ‘complying with [their] international obligations’.32 It is also
used as a method to assure states of the legitimacy of the promises given by other states.33 By
permitting espionage to operate in this way, states are more likely to engage in foreign relations.34 This functional approach may explain why academics such as Falk deem espionage
to be ‘tolerated’ under international law.
Although cyber espionage takes place in a different domain to traditional espionage – ‘cyber’ space versus ‘territorial’ space – the application of international law to traditional espionage offers a useful analogy for considering how international law applies to cyber espionage.
3. International law and cyber espionage
To be able to consider how different legal regimes and principles apply to cyber espionage, international law must operate in cyberspace. During its inception, some academics claimed that due to the lack of territorial boundaries in cyberspace, cyberspace operates outside the
25 Ibid 34. 26 Ibid 35.
27 Radson (n 2) 603.
28 Ibid; Demarest (n 19) 347.
29 Richard A Falk, ‘Space Espionage and World Order: A Consideration of the Samos-Midas Program’ in
Stanger (n 1) 57.
30 Ibid.
31 Radson (n 2) 606; Christopher D Baker, ‘Tolerance of International Espionage: A Functional Approach’
(2004) 19 American University International Law Review 1091, 1092.
32 Baker (n 31) 1092. 33 Ibid.
6 confines of traditional law and customary legal frameworks.35 As a result, a new system of
laws and rules specific to cyberspace and separate from original legal doctrines confined by time, space, and borders needed to develop.36 This did not eventuate and it is undisputed now
that international law applies to cyberspace.37 Several proclamations attesting to this have been
made, the most recent in June 2016, when the North Atlantic Treaty Organization (NATO) ‘affirmed that international law applies to cyberspace’38 and recognised cyberspace as an
‘operational domain’, the same as ‘air, sea and land’.39
The recognition of international law’s application to cyberspace has led to the development of norms which either carry legally-binding obligations on states or are non-binding but provide for standard or ‘expected behaviour’.40 In 2013, the UN Group of Governmental Experts on
Developments in the Field of Information and Telecommunications in the Context of International Security proclaimed in a report (2013 UN Governmental Experts Report) that international law and the Charter of the United Nations (UN Charter) are applicable and essential ‘to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment’.41 In 2015, a second report issued by the UN Group of
Governmental Experts (2015 UN Governmental Experts Report) recommended a set of non-binding, voluntary norms for responsible state behaviour in the ICT environment.42 A few
months earlier, China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan, under cover of a letter to the Secretary-General of the UN, proposed an international code of conduct for information security.43 The code, among other things,
35 David R Johnson and David Post, ‘Law and Borders – The Rise of Law in Cyberspace’ (1996) 48 Stanford
Law Review 1367.
36 Ibid.
37 Michael Schmitt, ‘Introduction’ in Tsagourias and Buchan (n 9) 2. 38 --- ‘Cyber defence’ (North Atlantic Treaty Organization, 23 June 2016)
<http://www.nato.int/cps/en/natohq/topics_78170.htm> accessed 7 July 2016 (NATO Cyber defence).
39 --- ‘Press Conference by NATO Secretary General Jens Stoltenberg following the North Atlantic Council
meeting at the level of NATO Defence Ministers’ (North Atlantic Treaty Organization, 14 June 2016)
<http://www.nato.int/cps/en/natohq/opinions_132349.htm?selectedLocale=en> accessed 21 June 2016 (NATO Press Conference).
40 Anna-Maria Osula and Henry Rõigas, ‘Introduction’ in Anna-Maria Osula and Henry Rõigas (eds),
International Cyber Norms: Legal, Policy and Industry Perspectives (NATO CCD COE, 2016) 12.
41 UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security’ (24 June 2013) 68th session UN Doc A/68/98, [19] (2013 UN Governmental Experts Report).
42 UNGA ‘Report of the Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security’ (22 July 2015) 70th session UN Doc A/70/174 (2015 UN Governmental Experts Report).
43 UNGA ‘Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan,
the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General’ (13 January 2015) 69th session UN Doc A/69/723.
7 included a pledge for states not to interfere with the internal affairs of other states through the use of ICTs ‘with the aim of undermining their political, economic and social stability’.44
Although it is now settled that international law applies in cyberspace, the question that remains is how does international law apply to cyber espionage? The thesis answers this by looking at different instances of cyber espionage and at specific principles and regimes: jus ad bellum; the principle of territorial sovereignty and the duty not to intervene; the TRIPS Agreement; and the principle of due diligence.
3.1. Cyber espionage and jus ad bellum
The pervasiveness of cyberspace in everyday life has brought with it new threats and challenges. States are now facing ‘sophisticated and damaging’ threats and attacks over cyberspace that at times surpass the destruction caused by traditional weaponry.45 Cyber
espionage is considered by states to be a ‘significant’ danger to their national security.46
Reports of state-sponsored or state conducted cyber espionage against other states are becoming more common. The Cyber Security Assessment Netherlands 2015 (CSAN 2015) considers that the ‘biggest digital espionage threat is posed by foreign intelligence services’.47
But an analysis in academia of such acts under the regime of jus ad bellum is still lacking. In this section, I examine whether cyber espionage amounts to a ‘threat or use of force’ or an ‘armed attack’ under Article 2(4) and Article 51 of the UN Charter.48
Jus ad bellum, which refers to international law governing the right to use force, is codified in the UN Charter.49 Article 2(4) contains a prohibition of the ‘threat or use of force against the
territorial integrity or political independence of any [s]tate, or in any other manner inconsistent with the Purposes of the’ UN. Article 51 provides an ‘inherent right of individual or collective self-defence if an armed attack occurs’ pending the Security Council taking ‘measures necessary to maintain international peace and security’. The use of the terms ‘against the territorial integrity or political independence of any state’ in Article 2(4) has caused controversy, with some authors postulating the phrase denotes a qualification or restriction to
44 Ibid 5, [3].
45 NATO Cyber defence (n 38).
46 See for example: Australian Cyber Security Centre, ‘ACSC 2015 Threat Report’ (Australian Government,
Australian Cyber Security Centre, July 2015) 6
<https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf> accessed 28 June 2016.
47 CSAN 2015 (n 7) 28.
48 Charter of the United Nations (adopted 26 June 1945, entered into force 24 October 1945) UNTS 993 (UN
Charter).
8 the prohibition, and permits the threat or use of force in all other circumstances.50 However,
the prevailing view is that Article 2(4) is ‘not intended to have a restrictive effect’ to the prohibition against the threat or use of force.51
The ICJ in the Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v United States of America) (Nicaragua case) recognised the existence of the principles contained in Articles 2(4) and 51 under customary international law.52 As to what
amounts to an ‘armed attack’, the ICJ determined this includes ‘action by regular armed forces across an international border’ and the sending ‘of armed bands, groups, irregulars or mercenaries, which carry out acts of armed force against another [s]tate of such gravity as to amount to … an actual armed attack’.53 In relation to what constitutes a ‘use of force’, the ICJ
declared it ‘necessary to distinguish between the most grave forms of the use of force (those constituting an armed attack) from other less grave forms’.54 The ICJ considered the ‘use of
force’ may encompass ‘assistance to rebels in the form of the provision of weapons or logistical or other support’.55 However, it excluded the possibility of supplying funds to the contras as
qualifying as a use of force.56 The ICJ also considered that the ‘organizing or encouraging the
organization of irregular forces or armed bands … for incursion into the territory of another [s]tate, and participating in acts of civil strife … in another [s]tate’ may violate the prohibition of the threat or use of force.57
When considering the application of jus ad bellum to activities in cyberspace, the effects-based approach is most favoured by scholars.58 This approach determines that cyber activities can
amount to a ‘use of force’ or an ‘armed attack’ when the damage or effect caused is comparable to the damage caused by a conventional conflict or the use of a conventional weapon.59 Two
50 Malcolm N Shaw, International Law (7th edition, Cambridge University Press, 2014) 817; James R
Crawford, Brownlie’s Principles of Public International Law (8th edition, Oxford University Press, 2012) 747.
51 Crawford (n 50) 747.
52 Case Concerning Military and Paramilitary Activities In and Against Nicaragua (Nicaragua v United States
of America) ICJ Reports 1986, 14, [176]; [188] (Nicaragua Case).
53 Ibid [195]. 54 Ibid [191]. 55 Ibid. 56 Ibid [228]. 57 Ibid.
58 See for example: Ziolkowski (n 1) 451; Marco Roscini, ‘Cyber operations as a use of force’ in Tsagourias and
Buchan (n 9) 236; Alexander Melnitzky, ‘Defending America against Chinese Cyber Espionage Through the Use of Active Defenses’ (2012) 20(2) Cardozo Journal of International and Comparative Law 537, 553-554; Commander Todd C Huntley, ‘Controlling the Use of Force in Cyber Space: The Application of the Law of Armed Conflict During a Time of Fundamental Change in the Nature of Warfare’ (2010) 60 Naval Law Review 1, 16, 22; Herbert S Lin, ‘Offensive Cyber Operations and the Use of Force’ (2010) 4 Journal of National Security Law & Policy 63, 71.
9 opposing arguments, both stemming from the effects-based approach, have emerged in considering cyber espionage within the regime of jus ad bellum. The first argument espouses acts of cyber espionage as a ‘direct or indirect threat to national security’ that can ‘warrant military action’.60 The second argument excludes cyber espionage entirely from the operation
of the ‘international law governing cyber warfare’.61
Melnitzky uses the effects-based approach to argue that cyber espionage can attract military recourse due to the gravity and significant threat and severity of data theft.62 On this basis,
Melnitzky considers that the requirement for cyber espionage to cause the same amount of damage as a conventional military attack is satisfied.63 Another author claims that ‘[c]yber
espionage might cause greater damage to the national security’ of a state ‘than the physical destruction of a weapons system or military facility’.64 Cyber espionage is therefore
distinguished from traditional forms of espionage which cannot compete with the scale and scope of cyber espionage.65 And because cyber espionage can be more invasive than traditional
espionage, it deserves to be treated with greater ‘concern than traditional espionage’.66
Following this line of reasoning, cyber espionage can constitute a ‘use of force’ under Article 2(4), and may even rise to the level of an ‘armed attack’ within the meaning of Article 51. Also raised is the argument that cyber espionage may amount to a ‘threat of force’ (as opposed to a ‘use of force’) if a state is able to identify that a computer network has been the subject of confidential information or data collection, and there is a likelihood of an exploitation or violation occurring in the future.67 While this means an isolated cyber espionage incident is
insufficient to constitute a ‘threat of force’, such a classification requires a lower threshold to be satisfied than for a ‘use of force’ or an ‘armed attack’, and may overcome the requirement for cyber espionage to cause effects comparable to traditional weaponry.68
In determining whether cyber espionage falls under Articles 2(4) and 51 of the UN Charter, one author compares the damage caused by traditional espionage with cyber espionage.
60 Melnitzky (n 58) 538, 566.
61 Michael N Schmitt (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge
University Press, 2013) 4.
62 Melnitzky (n 58) 566. 63 Ibid 566.
64 Huntley (n 58) 39. 65 Melnitzky (n 58) 566.
66 Anna Wortham, ‘Should Cyber Exploitation Ever Constitute a Demonstration of Hostile Intent That May
Violate UN Charter Provisions Prohibiting the Threat or Use of Force?’ (2011 2012) 64(3) Federal Communications Law Journal 643, 658.
67 Ibid 656. 68 Ibid 655.
10 According to Buchan, traditional espionage is a ‘hostile act’ which ‘threatens’ a state’s national security ‘and international peace and security more generally’, as that term appears in the UN Charter.69 Cyber espionage, on the other hand, ‘amplifies the threat to international peace and
security’ caused by traditional espionage because the ability to access and copy confidential information stored in cyberspace has grown to epic proportions.70 I agree with Buchan’s
characterisation of the threat caused to states by cyber espionage, particularly in circumstances where a state’s networks or systems are consistently being targeted, or there is a single act targeting highly sensitive or large volumes of confidential information. Buchan also reasons that cyber espionage is a ‘threat to international peace and security’ in circumstances where data directly related to a state’s critical national infrastructure is copied; and in circumstances where there is no direct link to the critical national infrastructure, but the individual or entity affected falls under the sovereignty of the state.71 Despite his conclusions on the severity of
cyber espionage, Buchan does not consider that such acts rise to a ‘use of force’ under Article 2(4) or an ‘armed attack’ under Article 51.72
The opposing argument under the effects-based approach does not regard cyber espionage as a ‘threat or use of force’ or an ‘armed attack’. Some academics draw a distinction between a ‘cyber attack’ and ‘cyber exploitation’, the former being capable of amounting to a ‘threat or use of force’ or ‘armed attack’, and the latter falling short of the threshold. The difference between the two is described in terms of ‘the nature of the payload to be executed’.73 In other
words, a cyber attack aims to cause damage or be ‘destructive’, whereas a cyber exploitation seeks to acquire data in a non-destructive manner.74 A cyber exploitation is usually
undetectable and clandestine,75 and focuses ‘on intelligence collection, surveillance, and
reconnaissance’.76 Based on this definition, cyber espionage is a type of cyber exploitation.
Cyber exploitations, such as the examples referred to in the Introduction, are considered to never qualify as a ‘use of force’ within the meaning of Article 2(4).77 Applying the
effects-based approach, the consequences of cyber espionage are not comparable to the effects of 69 Buchan (n 9) 175. 70 Ibid 178. 71 Ibid 179. 72 Ibid 186-188. 73 Lin (n 58) 64. 74 Ibid. 75 Ibid.
76 Marco Roscini, Cyber Operations and the Use of Force in International Law (Oxford University Press, 2014)
16.
11 conventional weapons and as a result, cannot be considered to be a ‘use of force’ or an ‘armed attack’.78 This view presently garners the greatest support and acceptance among academics.79
The Tallinn Manual recently emerged as the leading authority for this view. Generally speaking, the Tallinn Manual does not deal with cyber espionage and theft of intellectual property as it considers that the law of armed conflict and the law on the use of force have little to do with such cyber activities.80 But it does assert that cyber espionage does not amount to a
use of force because international law does not explicitly prohibit traditional espionage.81 The
Manual also stipulates that ‘[c]yber espionage and other forms of information gathering directed at an adversary during an armed conflict do not violate the law of armed conflict’, which is in line with the views on traditional espionage discussed in Section 2.82 However, it
needs to be noted that this particular rule only applies to cyber espionage committed during an armed conflict and in ‘territory controlled by a party to the conflict’.83
The opposing argument is preferred by this thesis. While the damage cyber espionage causes is incredibly serious and constitutes a threat to ‘international peace and security’, it does not rise to the level of a ‘threat or use of force’ or an ‘armed attack’ under Articles 2(4) and 51 of the UN Charter. This is because cyber espionage aims to access and copy protected or confidential information, it largely occurs during peacetime, it is difficult to detect, and the damage or effect caused is usually difficult to assess. Cyber espionage, therefore, is distinguishable from cyber attacks which aim to attack computer networks and systems and cause perceivable physical destruction – such as the Stuxnet virus attack in Iran in 2010, where a computer worm affected the operation of approximately 1,000 centrifuges Iran was using to purify uranium.84
78 Ziolkowski (n 1) 452.
79 See for example: Buchan (n 9) 187-188; David P Fidler, ‘Economic Cyber Espionage and International Law:
Controversies Involving Government Acquisition of Trade Secrets through Cyber Technologies’ (2013) 17(10) ASIL Insights 1
<https://www.asil.org/insights/volume/17/issue/10/economic-cyber-espionage-and-international-law-controversies-involving> accessed 20 January 2016; Christopher Yoo, ‘Cyber Espionage or Cyberwar?’ in Jens David Ohlin, Kevin Govern and Claire Finklestein (eds), Cyber War: Law and Ethics of Virtual Conflicts (Oxford University Press, 2015) 11.
80 Schmitt (n 61) 4. 81 Ibid 50.
82 Ibid 192, Rule 66. 83 Ibid 193.
84 David E Sanger, ‘Obama Order Sped Up Wave of Cyberattacks Against Iran’ International New York Times
(1 June 2012) <http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?ref=stuxnet&_r=0> accessed 29 June 2016; Russell Buchan, ‘Cyber Attacks: Unlawful Uses of Force or Prohibited Interventions?’ (2012) 17(2) Journal of Conflict and Security Law 211.
12 It follows from the above that the regime of jus ad bellum and Article 2(4) and Article 51 do not apply to cyber espionage. As a result, no conclusion can be made about the legality and illegality of cyber espionage under this regime. However, with the recent declaration by NATO, and the concern states are expressing regarding cyber espionage, a reinterpretation of Articles 2(4) and 51 of the UN Charter may eventuate in the future.
3.2. Cyber espionage, the principle of territorial sovereignty and the duty not to intervene
The ‘whole of international law’ is said to rest on the principle of state sovereignty. 85 The UN
itself ‘is based on the principle of sovereign equality of all its Members’.86 But the application
of the principle of state sovereignty in cyberspace was initially met with opposition from the ‘exceptionalists’, who insisted that cyberspace is a domain over which states cannot assert sovereignty.87 The ‘sovereigntists’ on the other hand, believed international law to apply in
cyberspace, and the systems and networks making up cyberspace to be located on state territory.88 Two particularly influential documents confirm that the view of the ‘sovereigntists’
prevailed. The 2013 UN Governmental Experts Report declares state sovereignty and its associated international law ‘norms and principles’ to be applicable to ‘[s]tate conduct of ICT-related activities, and to their jurisdiction over ICT infrastructure within their territory’.89 The
follow-up report of 2015 confirmed states exercise ‘jurisdiction over the ICT infrastructure located within their territory’, and when using ICTs states are required to ‘observe, among other principles of international law, [s]tate sovereignty, sovereign equality, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other [s]tates’.90
Sovereignty between states was expressed by the Permanent Court of Arbitration as signifying ‘independence’; ‘[i]ndependence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other [s]tate, the functions of a [s]tate’.91 The principle of
territorial sovereignty builds on this notion, and the ICJ cemented the importance of territorial sovereignty when it stated that ‘[b]etween independent [s]tates, respect for territorial
85 Nicaragua Case (n 52) [263]. 86 UN Charter (n 48) Article 2(1).
87 Sean Watts, ‘Cyber Law Development and the United States Law of War Manual’ in Osula and Rõigas (n 40)
49.
88 Ibid 50.
89 2013 UN Governmental Experts Report (n 41) [20].
90 2015 UN Governmental Experts Report (n 42) [28(a)-(b)].
91 Island of Palmas case (Netherlands v USA) (1928) II Reports of International Arbitral Awards 829, 838
13 sovereignty is an essential foundation of international relations’.92 Also ingrained in
international law is the ‘duty not to intervene in matters within the domestic jurisdiction of any [s]tate’.93 It is considered that these ‘principles surrounding sovereignty, such as
non-intervention, are essential’ in maintaining a ‘stable system of competing states’.94
Section 3.1 concluded that even though cyber espionage committed between states does not fall within the scope of Article 2(4) and Article 51 of the UN Charter, it is capable of constituting a threat to ‘international peace and security’. It is impossible to ignore a problem of such a scale, especially if the number of actual incidents is likely to be higher than what is detected or reported.95 And it is deeply concerning if such a large-scale threat is permitted to
operate under international law. In this section I look at whether cyber espionage committed by a state against another state is capable of violating a state’s territorial sovereignty, and whether a state breaches the duty not to intervene when it commits cyber espionage against another state.
3.2.1. Cyber espionage and the principle of territorial sovereignty
The principle of territorial sovereignty is reflected to some degree in Article 2(4) of the UN Charter, which stipulates that member states ‘shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any [s]tate’. According to Kish, Article 2(4) ‘covers all national spaces’ and ‘territorial integrity applies … to national territory’, ‘the territorial sea and to national airspace’.96 Applying the principle to
cyberspace means that ‘cyber infrastructure located on the’ territorial land, in the territorial sea and waters, or in the ‘national airspace is covered by’ a state’s territorial sovereignty.97 Cyber
infrastructure located on the territory of a state is therefore ‘protected against interference by other’ states, which includes any state attributed act violating the territorial sovereignty of another state.98
92 Corfu Channel case ICJ Reports 1949, 35 (Corfu Channel).
93 UNGA ‘Declaration on Principles of International Law concerning Friendly Relations and Co-operation
among States in accordance with the Charter of the United Nations’ (24 October 1970) UN Doc A/RES/25/2625 (1970 Declaration concerning Friendly Relations).
94 Shaw (n 50) 155. 95 CSAN 2015 (n 7) 21.
96 John Kish, International Law and Espionage (Kluwer Law International, 1995) 84.
97 Wolff Heintschel von Heinegg, ‘Legal Implications of Territorial Sovereignty in Cyberspace’ in C. Czosseck,
R. Ottis and K. Ziolkowski (eds) 2012 4th International Conference on Cyber Conflict Proceedings (NATO CCD COE Publications, 2012) 11.
14 One of the main questions which arises when considering which acts infringe a state’s territorial sovereignty, is whether the act must cause a ‘perceivable physical effect’ or damage in the state’s territory.99 In other words, is the intrusion or unauthorised entry itself unlawful or
must there also be physical damage?100 The question is crucial because cyber espionage is
unlikely ‘to produce’ physical effects on, or cause damage to, the computer networks or systems it targets.101
Generally, it is accepted a violation of a state’s territorial sovereignty occurs if the act or interference committed causes damage.102 This applies equally if the act is committed in
cyberspace and the target of the unauthorised intrusion is a state’s cyber infrastructure, so long as there is damage inflicted.103 However, if damage is a requisite then traditional espionage
will not violate a state’s territorial sovereignty.104 Similarly, cyber espionage will not infringe
a state’s territorial sovereignty because there is usually no perceivable physical effect or damage caused.
The better way of looking at the principle and its application to cyber espionage hinges on the interpretation of what constitutes an infringement of a state’s territorial sovereignty. Buchan suggests the ICJ’s reasoning in the Corfu Channel case calls for a broad interpretation, one not requiring a perceivable physical effect or damage to the other state’s territory. Buchan argues the ICJ’s finding that the sending of warships by the UK to Albanian waters was unlawful, is based exclusively on the ‘unauthorised intrusion into Albania’s territorial sea’, and not on the UK’s collection of physical evidence of illegal mining.105 From the ICJ’s reasoning, it appears
the UK was found to have violated Albanian sovereignty because it sent ships to sweep the Corfu Channel without obtaining Albania’s consent, the ‘area swept was in Albanian territorial waters’, the operation was not an exercise of the right of innocent passage, and there was a large assembly of warships for the minesweeping operation in Albania’s territorial sea which in principle is not allowed under international law.106 No mention is made of any damage or
physical effect caused by the unauthorised intrusion and minesweeping. On this basis, while
99 Ziolkowski (n 1) 458; Russell Buchan, ‘The International Legal Regulation of State-Sponsored Cyber
Espionage’ in Osula and Rõigas (n 40) 69.
100 Buchan (n 99) 69. 101 Ibid.
102 Wolff Heintschel von Heinegg, ‘Territorial Sovereignty and Neutrality in Cyberspace’ (2013) 89
International Law Studies 123, 129.
103 Ibid 128-129. 104 Ibid 129.
105 Buchan (n 99) 70.
15 damage makes an infringement easier to identify, it is not a steadfast requirement for there to be an infringement of a state’s territorial sovereignty. And if it is applied, it is a limitation which places cyber espionage entirely outside the operation of international law.107
This thesis finds that damage is not necessary for there to be an infringement of a state’s territorial sovereignty. Since damage is not a requisite, an act of traditional espionage such as an unauthorised entry, intrusion or stay by an actor into the territory (land, sea, or air) of another state for intelligence-gathering purposes infringes the principle of territorial sovereignty.108 But
does this also apply for cyber espionage, where the unauthorised intrusion is more ‘virtual’ than physical?109
We know that cyber espionage involves the accessing and copying of confidential and protected information stored on cyber infrastructure located on another state’s territory. In that respect, two things are worth noting. The first is that gathering intelligence is not deemed to violate international law unless international law explicitly protects the subjects or objects targeted by intelligence-gathering.110 However, the unauthorised entry, intrusion or stay by an
individual or an aircraft, vessel or vehicle into another state’s territory does violate international law (since damage is not a requisite).111 There is no reason why an intrusion through cyberspace
into a state’s cyber infrastructure should render the principle of territorial sovereignty to be inapplicable. After all, the cyber infrastructure is physically located on the territory of a state. And to successfully commit cyber espionage, access must be gained to the computer networks or systems being targeted, whether it be by a spear-phishing email or something else. On this basis, an unauthorised intrusion such as cyber espionage committed by a state into another state’s cyber infrastructure suffices to violate the targeted state’s territorial sovereignty.112 This
thesis thus concludes that cyber espionage is capable of infringing a state’s territorial sovereignty and is a breach of international law. Based on this conclusion, cyber espionage is illegal under the principle of territorial sovereignty.
There does exist one scenario which highlights a potential limitation of the principle of territorial sovereignty to constrain or regulate cyber espionage. Buchan identifies the very real possibility of a state’s data or information being intercepted during transmission ‘through cyber
107 Anders Henriksen, ‘Lawful State Responses to Low-Level Cyber-Attacks’ (2015) 84 Nordic Journal of
International Law 323, 338.
108 Ziolkowski (n 1) 457.
109 Ibid 458; Henriksen (n 107) 337-338. 110 Henriksen (n 107) 338.
111 Ibid.
16 infrastructure located on the territory of’ a third state.113 In those circumstances, the state which
owns the data or information is unlikely to be able to claim an infringement of its territorial sovereignty. Only the state on whose territory the infrastructure is located in is able to assert such a claim.114 This means the victim state is offered ‘very little protection’ by the principle
of territorial sovereignty.115
3.2.2. Cyber espionage and the duty not to intervene
Some acts that infringe a state’s territorial sovereignty may also amount to intervention.116 The
duty not to intervene is considered by scholars to be represented in Article 2(1) of the UN Charter, which refers to the principle of sovereign equality among member states.117 Mention
is also made of Article 2(7) of the UN Charter which stipulates that ‘[n]othing contained in the present Charter shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any [s]tate’.118 However, this Article only applies to the
organisation of the UN, and not to member states.119 The duty not to intervene is also expressed
in several UN documents, two of which are worth noting here: the 1965 Declaration on the Inadmissibility of Intervention in the Domestic Affairs of States and the Protection of Their Independence and Sovereignty,120 and the 1970 Declaration on Principles of International Law
concerning Friendly Relations and Co-operation among States in accordance with the Charter of the United Nations.121 The latter document declares that no state ‘has the right to intervene,
directly or indirectly, for any reason whatever, in the internal or external affairs of any other State’.122 The duty not to intervene was confirmed by the ICJ in the Nicaragua case to be ‘part
and parcel of customary international law’.123
The duty not to intervene is described as including ‘the right of every sovereign [s]tate to conduct its affairs without outside interference’.124 It prohibits states from intervening ‘directly
113 Buchan (n 99) 73. 114 Ibid.
115 Ibid.
116 Henriksen (n 107) 338.
117 Philip Kunig, ‘Prohibition of Intervention’ in Max Plank Encyclopedia of International Law (Oxford
University Press, April 2008) [9].
118 Terry D Gill, ‘Non-Intervention in the Cyber Context’ in Ziolkowski (n 1) 219-220. 119 Kunig (n 117) [12].
120 UNGA ‘Declaration on the Inadmissibility of Intervention in the Domestic Affairs of States and the
Protection of Their Independence and Sovereignty’ (21 December 1965) UN Doc A/RES/20/2131.
121 1970 Declaration concerning Friendly Relations (n 93). 122 Ibid [1].
123 Nicaragua Case (n 52) [202]. 124 Ibid.
17 or indirectly’ in other states’ ‘internal or external affairs’.125 In order to amount to an
intervention, two elements must be established.126 First, the act committed by a state must
impact on issues which the other sovereign state is able to freely decide upon.127 The ICJ
identified a non-exhaustive list of the possible issues, which include the choosing of a ‘political, economic, social and cultural system, and the formulation of foreign policy’.128 Second, the act
complained of must involve coercion.129 Coercion can involve a perpetrating state either
compelling another state to do something it would not normally do, or compelling another state to refrain from doing something it would normally do.130 According to the ICJ, an ‘intervention
in the internal or external affairs of’ states includes the giving of ‘assistance to rebels in the form of provision of weapons or logistical or other support’.131 The supplying of funds by the
United States to the contras also constitutes an intervening act in the internal affairs of a state.132
As confirmed by the 2015 UN Governmental Experts Report, the duty not to intervene applies in cyberspace.133 The Tallinn Manual offers some observations regarding cyber espionage and
non-intervention. It states that in the absence of a coercive element, cyber espionage does not violate the duty not to intervene.134 This is the dominant view in the literature so far. The
alternative view insists that cyber espionage can constitute an intervention.
To support the latter assertion, Buchan reasons that a state exercises sovereignty over property and information in its territory. Buchan then argues that a state exercises sovereignty over information stored on the cyber infrastructure located in another state’s territory and over information being transmitted through another state’s cyber infrastructure.135 To support this
construction, reliance is placed on the ICJ’s judgment in Questions Relating to the Seizure and Detention of Certain Documents and Data (Timor-Leste v Australia), in which the ICJ ordered provisional measures against Australia on the basis it found plausible Timor-Leste’s claim that material located in Australia and seized by Australian authorities belonged to Timor-Leste or
125 Ibid [205].
126 Michael N Schmitt and Sean Watts, ‘Beyond State-Centrism: International Law and Non-State Actors in
Cyberspace’ (draft as of 21 March 2016) 4 <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2752683>.
127 Nicaragua case (n 52) [205]. 128 Ibid.
129 Ibid.
130 Schmitt and Watts (n 126) 4. 131 Nicaragua case (n 52) [195]. 132 Ibid [228].
133 2015 UN Governmental Experts Report (n 42) [28(b)].
134 Schmitt (n 61) 44. 135 Buchan (n 99) 76.
18 Timor-Leste had a right to its protection under international law.136 Buchan suggests that
although the seized material ‘was physically located in the office of [Timor-Leste’s] legal advisor in Australia’, the material ‘was clothed with [Timor-Leste’s] sovereignty and intervention with’ the material was prohibited by international law.137 Thirdly, Buchan argues
for an expansive definition of coercion, which regards as coercive any ‘conduct which compromises or undermines the authority of the state’138 (being, state sovereignty) as opposed
to conduct which is required to impose ‘imperative pressure’.139
Buchan’s second argument is difficult to accept. While the ICJ did find Timor-Leste’s claim plausible, it also made the qualification that it did not need to ‘determine definitively whether the rights which Timor-Leste wishes to see protected exist’.140 Moreover, the ICJ specifically
noted the rights it found plausible to warrant protection under international law – ‘the right to conduct arbitration proceedings or negotiations without interference by Australia’, and ‘the right of confidentiality of and non-interference in its communications with its legal advisors’.141
The ICJ considered the right of Timor-Leste to confidentially communicate with its legal advisors regarding arbitration proceedings or negotiations with Australia, ‘might be derived from the principle of sovereign equality of [s]tates’.142 And it noted that states have an
expectation to conduct ‘arbitration proceedings or negotiations without interference by’ another state.143 Even if it is accepted that the seized material were clothed in Timor-Leste’s
sovereignty, it is unclear whether this would extend to all information targeted by cyber espionage or whether it only applies to privileged or legally confidential information that is the subject of legal proceedings between the offending state and the targeted state.
Regarding coercion, the expansive definition finds limited support in the literature and jurisprudence. Under the duty not to intervene the ordinary meaning of coercion excludes from its scope cyber espionage, because ‘in and by itself cyber espionage’ does not impose ‘imperative pressure’ on issues each state is able to freely decide upon.144 In other words, if
cyber espionage is ‘not aimed at changing the policies of the targeted state [it] cannot constitute
136 Questions Relating to the Seizure and Detention of Certain Documents and Data (Timor-Leste v Australia)
Provisional Measures, ICJ Reports 2014, 147, [1], [28] (Timor-Leste v Australia).
137 Buchan (n 99) 76. 138 Ibid 78. 139 Ibid 77. 140 Timor-Leste v Australia (n 136) [26]. 141 Ibid [28]. 142 Ibid [27]. 143 Ibid. 144 Buchan (n 99) 77.
19 unlawful intervention’.145 Buchan’s expansive definition aims to cover the act of cyber
espionage itself, being the accessing and copying of confidential information. But it may broaden the duty not to intervene beyond the types of activities it is intended to cover. In the Nicaragua case, the ICJ explained the ‘element of coercion … forms the very essence of, prohibited intervention’.146 The ICJ considered coercion to be most obvious when the
intervention ‘uses force’,147 but it can also be indirect ‘through economic, political and
diplomatic means’.148 While the opinion of the ICJ regarding coercion is not definitive, the
ordinary definition of coercion refers to ‘[c]onstraint, restraint, compulsion; the application of force to control the action of a voluntary agent’.149 This indicates the act of the intervening
state should compel, restrain or apply force, whether directly or by economic, political or diplomatic means, on the targeted state regarding its internal or external affairs. It is difficult to accept an argument that goes beyond even the ordinary dictionary definition of a word. The unauthorised obtaining of protected or confidential data or information, which constitutes cyber espionage, does not meet the threshold of imperative pressure or ‘coercive or dictatorial interference’.150 On this basis, cyber espionage does not fall within the scope of the duty not to
intervene. Since it does not fall within the scope, the legality or illegality of cyber espionage under the duty cannot be discerned.
3.3. Economic cyber espionage and the TRIPS Agreement
States are growing increasingly concerned about acts of cyber espionage which aim to secure an economic or financial gain for the state or non-state actor committing them. Most commonly referred to as economic cyber espionage, it is considered by President Obama and his administration to be a cyber activity which poses ‘one of the most serious economic and national security challenges to the United States’.151 The CSAN 2015 reports that between
April 2014 and April 2015, 20 Dutch companies were targeted by economic cyber espionage.152
145 Henriksen (n 107) 340. 146 Nicaragua case (n 52) [205]. 147 Ibid.
148 Kunig (n 117) [6].
149 “coercion, n.” Oxford English Dictionary Online (Oxford University Press, March 2016)
<http://www.oed.com.proxy.uba.uva.nl:2048/view/Entry/35725?redirectedFrom=coercion#eid> accessed 28 April 2016.
150 Gill (n 118) 223-224.
151 Office of the Press Secretary, ‘Statement by the President on Executive Order “Blocking the Property of
Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”’ (The White House, 1 April 2015) <https://www.whitehouse.gov/the-press-office/2015/04/01/statement-president-executive-order-blocking-property-certain-persons-en> accessed 28 June 2016.
20 And although the exact scope and the total amount of economic damage caused is uncertain because companies in the Netherlands are not required to report such incidents, the report cites that during that time ‘the Netherlands was dealing much more often with digital espionage attacks that posed a threat to national security and economic interests’.153
Economic cyber espionage specifically refers to the use of cyber technologies to obtain the trade secrets of states, and foreign private and state-owned entities.154 The focus of this section
is on state-sponsored or state conducted economic cyber espionage, but it can also be conducted by non-state actors, which some scholars refer to as corporate cyber espionage or industrial espionage.155 The threat posed by economic cyber espionage is severe as the access to, or theft
of, trade secrets gives state and non-state entities an unfair economic or business benefit over their competitors.156 This is highly problematic and states and private entities suffer large fiscal
losses because of it.
In light of its extraterritorial reach and damaging consequences, states are looking to international law to address economic cyber espionage. In September 2015, the United States and China reached consensus that neither government will commit or support economic cyber espionage.157 And in November 2015, the leaders of the G20 issued a communiqué following
the summit in Antalya, Turkey, in which they pledged that ‘no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information’.158 International trade law also provides an already established regime
for the protection of trade secrets – the TRIPS Agreement. Some authors suggest states can utilise the TRIPS Agreement to address economic cyber espionage.159 This section examines
153 Ibid 10, 22.
154 Fidler (n 79) 1; Karen Sepura, ‘Economic Espionage: The Front Line of a New World Economic War’
(1998) 26 Syracuse Journal of International Law and Commerce 127, 132.
155 Fidler (n 79) 1; Nicholas Tsagourias, ‘Economic cyber espionage and due diligence’ (Unpublished paper,
University of Sheffield May 2015) 1.
156 James Pooley, ‘Trade Secrets: the other IP right’ (2013) 3 WIPO Magazine 2; Mia Tuzovic, ‘The Protection
of Trade Secrets under Article 39 of the TRIPS Agreement and the Proposal for a Trade Secrets Directive: Does the Proposal Signify Better Protection of Trade Secrets?’ (International Trade Law and Domestic Regulation, Dr J H Mathis, April 2016) 1.
157 Ellen Nakashima and Steven Mufson, ‘U.S., China vow not to engage in economic cyberespionage’ The
Washington Post (Washington, 25 September 2015) <https://www.washingtonpost.com/national/us-china-vow-not-to-engage-in-economic-cyberespionage/2015/09/25/90e74b6a-63b9-11e5-8e9e-dce8a2a2a679_story.html> accessed 20 January 2016; Office of the Press Secretary, ‘Fact Sheet: President Xi Jinping’s State Visit to the United States’ (The White House, 25 September 2015)
<https://www.whitehouse.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states> accessed 19 April 2016.
158 G20 Leaders’ Communiqué (Antalya Summit, 15-16 November 2015)
<http://g20.org.tr/g20-leaders-commenced-the-antalya-summit/> accessed 20 January 2016, [26].
159 Christina Parajon Skinner, ‘An International Law Response to Economic Cyber Espionage’ (2014) 46(4)
21 the application of the TRIPS Agreement to economic cyber espionage and determines whether states can utilise this international law regime to address the growing phenomenon.
The TRIPS Agreement is the ‘most important’ multilateral agreement on intellectual property rights.160 The TRIPS Agreement defines the level of protection for intellectual property rights
under international law, which states are required to give effect to within their national legal systems.161 The key provision of the TRIPS Agreement which is relevant to economic cyber
espionage is Article 39. Article 39 protects information which is ‘secret’, possesses ‘commercial value because it is secret’, and reasonable steps have been taken by the person lawfully controlling the information ‘to keep it secret’.162 Information which does not satisfy
this criteria falls outside the scope of Article 39.163 Although Article 39 does not expressly refer
to ‘trade secrets’ opting for the term ‘undisclosed information’ instead, the two terms are used interchangeably in this section.164
In order to ensure ‘effective protection against unfair competition as provided in Article 10bis of the Paris Convention (1967)’, Article 39(1) imposes an obligation on WTO members to ‘protect undisclosed information’.165 Under Article 39(2), individuals and ‘legal persons’ are
given ‘the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without their consent in a manner contrary to honest commercial practices’.166 This right only arises if the information satisfies the three criteria
listed above. A footnote to the provision defines ‘a manner contrary to honest commercial practices’ as including ‘at least practices such as breach of contract, breach of confidence … and the acquisition of undisclosed information by third parties who knew, or were grossly negligent in failing to know, that such practices were involved in the acquisition’.167
In addition to directly obliging states to protect trade secrets, the meanings of the terms ‘unfair competition’ and ‘a manner contrary to honest commercial practices’ as they appear in Articles
160 Keith E Maskus, ‘Trade-Related Intellectual Property Rights’ in Martin Daunton, Amrita Narlikar and Robert
M Stern (eds) The Oxford Handbook on The World Trade Organization (Oxford University Press, 2012) 394; Tuzovic (n 156) 1.
161 Agreement on Trade-Related Aspects of Intellectual Property Rights (15 April 1994) 1869 UNTS 299,
Article 1(1) (TRIPS Agreement); Tuzovic (n 156) 1.
162 TRIPS Agreement (n 160) Article 39(2)(a)-(c); Tuzovic (n 156) 2. 163 Tuzovic (n 156) 3.
164 Gerald O’Hara, ‘Cyber-Espionage: A Growing Threat to the American Economy’ (2010-2011) 19
CommLaw Conspectus 241, 256: ‘The definition of “undisclosed information” in the Agreement, however, is consistent with the traditional trade secret definition’; Tuzovic (n 156) 3.
165 Tuzovic (n 156) 2.
166 TRIPS Agreement (n 161) Article 39(2); Tuzovic (n 156) 2.
22 39(1) and 39(2) can be interpreted to encompass economic cyber espionage. Since Article 39(1) makes explicit reference to Article 10bis of the Paris Convention (1967), ‘the interpretation of the latter, including its negotiating history, are of crucial importance to interpret Article 39 in accordance with the Vienna Convention on the Law of Treaties’.168 While a narrow
interpretation of ‘unfair competition’ is endorsed by some authors,169 the preferred view of this
thesis is that economic cyber espionage can constitute ‘unfair competition’ because a ‘broad reading’ of the term covers ‘any act of competition’, including the ‘misappropriation of trade secrets’.170
In relation to the interpretation of ‘a manner contrary to honest commercial practices’, the footnote to Article 39(2) sets out a ‘non-exhaustive’ list of such practices.171 No other definition
of ‘honest commercial practices’ is provided by the provision, therefore it is reasonable to accept that ‘[w]hat is ‘honest’ depends on the values of a particular society at a given point in time’.172 It is also noted that the negotiators of the TRIPS Agreement refused the insertion of
the words ‘theft’ and ‘electronic and other forms of commercial espionage’ as examples of conduct ‘contrary to honest commercial practices’ because the ‘consensus [was] that these practices inherently constituted a manner contrary to honest commercial practices’.173
Following this reasoning, economic cyber espionage is an act that is ‘contrary to honest commercial practices’.
The TRIPS Agreement therefore, provides a potential mechanism for addressing economic cyber espionage.174 In order to adequately ensure the protection of trade secrets, WTO members
are required to make enforcement procedures available under their national law ‘so as to permit effective action against any act of infringement of intellectual property rights covered by the Agreement’.175 This includes the protection of undisclosed information as an intellectual
property right.176 On the international level, WTO members have access to the dispute
168 Carlos M Correa, Trade Related Aspects of Intellectual Property Rights: A Commentary on the TRIPS
Agreement (Oxford University Press, 2007) 369.
169 Jamie Strawbridge, ‘The Big Bluff: Obama, Cyber Economic Espionage, and the Threat of WTO Litigation’
(2016) 47 Georgetown Journal of International Law 833, 848-849.
170 Ibid 849; 855-856. 171 Correa (n 168) 372. 172 Ibid 371.
173 Strawbridge (n 169) 857, footnote 92; Peter-Tobias Stoll, Jan Busche and Karin Arend (eds) WTO:
Trade-Related Aspects of Intellectual Property Rights (Martinus Nijhoff Publishers, 2009) 643-644.
174 Fidler (n 79) 3; Ziolkowski (n 1) 435-436; Sepura (n 154) 144; Parajon Skinner (n 159) 1171. 175 TRIPS Agreement (n 161) Article 41(1); Tuzovic (n 156) 3.
