Authored by Abhyudaya Singh, III Year Student at the National Law School of India University, Bangalore

Introduction

Accessing information held by another state that is deemed strategic or sensitive in the military, security, or economic domains on behalf of a state is known as international espionage. While espionage mostly occurred in physical space for a long time, it now mostly occurs in cyberspace in the twenty-first century.

Many international lawyers hold the opinion that there is no prohibition on espionage outside of IHL and  that a wide measure of discretion is vested with the states under international law, which is only limited in certain cases by prohibitive rules. Others contend that there is an affirmative right to spy under international law and that forbidding espionage would curtail the right to self-defence.[i] The rest contend that because certain espionage techniques fundamentally undermine a State’s sovereignty and disregard the fundamental right of nations to control their own territory and make independent decisions without outside interference.

The Tallinn Manual has attempted to define sovereignty as including the cyberspace. The Tallinn Manual discusses how existing international law frameworks might be applied to emerging questions of cyber operations. This project, however, is completely non-binding and purely academic.

Certain forms of intelligence gathering are officially condoned such as the capture and use of satellite imagery of other States. While some forms of espionage in diplomatic relations can be seen as permitted under international law, individual states such as India frequently enact more stringent domestic laws to safeguard their own interests. India punishes certain espionage such as disclosing of trade secrets[ii] or information gathered through digital intrusion such as hacking. India has also criminalized the leaking of classified government information in the Official Secrets Act, 1923 as well as authorized the government to collect information and restrict certain rights using intelligence agencies by utilising acts such as the Intelligence Organisations Act, 1985.

Cyber Espionage in International Law

Cyberspace exploitation to obtain and gather sensitive information is referred to as cyber espionage. Cyber espionage definitions typically consist of four key elements:

• Non-consensual
• Copying or “gathering, analysis, verification and dissemination”
• Confidential and/or Relevant information
• Information is resident in and/or transiting in cyber-space

The advent of digital technologies has significantly expanded the capabilities of nations to conduct both political and economic intelligence operations. As a result, the risks these activities pose to worldwide peace and security are heightened in the cyber domain.

1. Cyber Espionage violates International Law

Unauthorized digital intrusions into another nation’s computer systems and networks can be viewed as violations of territorial sovereignty. This principle of territorial sovereignty thus serves as one key legal basis for countries to defend against cyber espionage attempts by foreign actors.

But what happens if the cyber activities of one state infringe the human rights of individuals situated in another state? State parties are subject to duties under the International Covenant on Civil and Political Rights (“ICCPR”) “in respect of acts done by a State in the exercise of its jurisdiction outside of its own territory,” according to rulings from international tribunals and human rights organisations. The relationship between the individual and the State determines how the ICCPR is applied, and the place where the violation occurred is irrelevant. Hence, the cyberspace remains protected.

Cyber espionage collides with the right to privacy, which shields an individual’s conversations and information from outside intrusion, in terms of substantive human rights. Article 8 of the European Convention on Human Rights safeguards “the right to respect for private and family life, his home, and his correspondence,” and Article 17 of the ICCPR states that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence.” However, as privacy is not an complete and absolute right, there can be situations where restrictions may be permissible.

B. Exception through Customary International Law

Despite it appearing that cyber-espionage violates certain international laws, an argument can be made that the developments in customary international law have crafted permissible exceptions. Nevertheless, the absence of state practice or opinio juris, which are fundamental components of customary international law, has prevented the creation of these kinds of customary exceptions.[iii] In terms of state policy, espionage is typically carried out covertly. However, for the purposes of the creation of customary international law, covert state behaviour does not meet the criteria of state practice.[iv]

Furthermore, although espionage incidents are frequently and reliably reported, states nearly never take ownership or responsibility of their espionage activities, and unreported state behaviour is seldom taken into account when developing customary international law.[v] The policy of silence that states have adopted towards their covert intelligence activities impedes the formation of widespread legal consensus. This silence obstructs the development of accepted customs that could potentially legitimize certain espionage practices within the international legal framework.

C. The Self-Defence and Necessity argument

Cyberespionage can only be justified by nations as an act of self-defence when they are confronted with an immediate danger of armed aggression. However, such cyber-based intelligence gathering, even when used for protective purposes, must remain within reasonable bounds. It should not exceed what is essential and appropriate given the circumstances to fend off an armed assault, prevent its recurrence, or thwart similar attacks that are reasonably expected to occur.

The defence of necessity may exempt a nation from responsibility for illegal cyber espionage activities under specific circumstances. These include: protecting a crucial national interest from an urgent and severe threat and ensuring the action does not significantly damage essential interests of the targeted state or the international community. However, in the realm of modern cyber espionage, particularly economic espionage, it is rare for such operations to meet the stringent requirements of imminent threat, proportionality, or necessity that would justify invoking this defence.

While cyber espionage is indeed governed by existing international legal principles there remains a need for more specific regulation. India would be well-advised to advocate for a lex specialis framework that explicitly addresses and governs cyber intelligence gathering activities in the international community. This tailored approach could provide clearer guidelines and norms for state behaviour in cyberspace, filling gaps in current international law.

Why India Benefits from a Les Specialis Framework for Cyber Espionage

India has been at the receiving end of several cyber-attacks in the past few years. American cybersecurity company Recorded Future disclosed in April 2022 that state-sponsored Chinese hackers had targeted Ladakh power grids. The suspected reason is to collect information about India’s critical infrastructure and prepare for future sabotages. China has been systematically pursuing offensive cyber operations against India for more than ten years, and the targeting of the power grids and cyber-espionage campaign falls into this larger pattern. Further, in recent times, China has increasingly targeted adversaries like India through cyber espionage and cyber-attacks.

Numerous attacks have also been connected to Pakistan. In May 2023, Meta revealed that Pakistani hackers with ties to the state had been spying on Indian military personnel and that the Pakistan Air Force had been utilising websites and apps to compromise their personal devices. Other recent attacks from this year include one in September 2023, in which an Indian cybersecurity company discovered plans to disrupt the G20 summit in India by hacking groups from Indonesia and Pakistan, and another in June 2023, in which a hacker group based in Pakistan infiltrated the Indian army and education sector as part of their most recent wave of attacks against Indian government institutions.

According to digital privacy provider Kaspersky, India is among the top five targets for cyberattacks in the Asia-Pacific region. India also is ranked fifth on the list of nations where National Security Agency programmes have spied. Further, there have also been national security concerns as displayed above.

With regards to India’s own ability, according to Morgan Wright, India offensive capability is presently immature compared to other countries such as the US, UK, North Korea, China, Israel and Russia. According to a study by the International Institute for Strategic Studies, countries such as China, Russia, United Kingdom and Israel form the second tier of cyber superpowers, while the US is considered a “top-tier” player. In terms of cyber capability, India is placed in the third tier. India lags behind some of its adversaries such as China and this gap could result in damage, in the form of economic or political espionage, to India’s critical infrastructure which India should seek to avoid.

Except for a few conventions[vi] international law does not have specific rules for regulating the cyber-sphere. India, perhaps, would have the most to gain from a “Digital Geneva Convention” to regulate the activities of states in the cyber-sphere, with protection from economic espionage and cyberspace protection from Pakistan and China, at least to some degree.

An open, secure, stable, accessible and peaceful information and communications technologies environment requires “effective cooperation.” States have begun to recognise that international law principles flow and apply to the conduct of States in the cyberspace, however certain states such as the US and UK maintain their position that espionage remains an unregulated activity with “no anti-espionage treaty”.[vii]

Conclusion

Governments have publicly admitted the existence of their intelligence services and systematic espionage operations[viii] and so they can no longer hide behind the veil of ‘silence’. In actuality, several states have passed legislation specifically governing their international espionage practices.

Establishing that cyber espionage breaches in international law has the advantage over domestic law in that it gives governments countermeasures to deploy in order to coerce states into adhering to their legal obligations. The use of human sources to collect information, referred to as human intelligence (“HUMINT”)[ix], represented the ‘primary source of intelligence’ for many centuries.[x] After the technological revolution gained traction, a new method for collecting intelligence emerged- signals intelligence (“SIGINT”).[xi] The limited applicability of domestic legislations which could govern violations through HUMINT, are not fully available under SIGINT as the operation can take place through a remote location that goes beyond the jurisdiction of the state that has been wronged. This calls for newer methods to be devised to counter cyber-espionage.

In conclusion, the evolving landscape of espionage, especially in the cyber-sphere, underscores the critical need for a comprehensive international legal framework. Cyber espionage, a growing concern, demands explicit regulation. India, grappling with increasing cyber threats, stands to benefit from advocating a lex specialis framework. Such a framework would address the unique challenges posed by cyber espionage, providing clarity, protection, and fostering international cooperation. As the digital realm expands, a concerted effort to regulate espionage becomes imperative for global stability and the protection of sovereign interests.

---

[i] Russell Buchan, Cyber Espionage and International Law, Hart Publishing, 2021.

[ii] Indian Contract Act, 1872; Article 39(2) Agreement on Trade Related Aspects of Intellectual Property Rights; Tata Motors Limited & Anr v State of Bengal (GA No. 3876 of 2008 in WP No. 1773 of 2008).

[iii] Russell Buchan, Cyber Espionage and International Law, Hart Publishing, 2021.

[iv] ibid.

[v] ibid.

[vi] See Budapest Convention on Cybercrime, 2001; African Union Convention on Cyber Security and Personal Data Protection, 2014.

[vii] Excerpts from State Positions on Issues of Cyber Operations, Cyber Espionage and Sovereignty, Prof. Asaf Lubin and Prof. Matthew Waxman, Course pack on S. Intelligence and International Law, LAW L8855, Colombia Law School, Fall 2023.

[viii] J Kish and D Turns, International Law and Espionage, (The Hague, Martinus Nijhoff, 1995).

[ix] Prof. Asaf Lubin and Prof. Matthew Waxman, Course pack on S. Intelligence and International Law, LAW L8855, Colombia Law School, Fall 2023.

[x] Russell Buchan, Cyber Espionage and International Law, Hart Publishing, 2021.

[xi] Prof. Asaf Lubin (n 9).