By Jessica “Zhanna” Malekos Smith
While ‘spying’ may strike some as indecorous state behaviour, it is essentially akin to a bodily function, like sneezing, that is necessary to sustaining the health of the body politic.
But can international law meaningfully distinguish between cyberespionage for national security purposes and economic espionage? According to former U.S. Treasury Secretary, Henry M. Paulson, Jr. in Dealing with China, “the distinction between cyberespionage and cybertheft from a company for commercial use can become fuzzy.” This article proposes a new approach – a Cyber Espionage Predominant Purpose (CEPP) Test – to resolve international disputes concerning cyberespionage operations that involve mixed elements of national security espionage and commercial espionage.
But first, what exactly is the value of the CEPP Test?
In 2013 the U.S. National Intelligence Estimate announced that “France, alongside Russia and Israel, to be in a distant but respectable second place behind China in using cyberespionage for economic gain.” In comparison, according to Dr. Catherine Lotrionte, the Director of the CyberProject at Georgetown University, the U.S. does not conduct commercially motivated cyber espionage. In fact, the Obama Administration averred that a distinction exists between economic intelligence – a subset of national security espionage – and commercially motivated economic espionage.
For Drake University Law Professor Peter Yu, however, this distinction is nebulous at best: “Not only do most countries—democratic or otherwise—fail to recognize it, this line is also not always drawn in situations involving U.S. intelligence and surveillance efforts.” Yu highlights that for countries like China, the U.S.’ definitional distinction imparts little clarity here, “given the perceived “overlap between security and economic concerns” among Chinese policymakers and the continued domination of state-owned enterprises in the local business environment.”
Thus, given the distinct cultural norms embedded in distinguishing between permissible and impermissible intelligence collection, a dispute resolution framework that accounts for these disparities, as well as the complexities of attribution, is needed. The value of this test is that rather than argue for one country’s particular definition here, it enables the The International Court of Justice to holistically evaluate both parties’ views in reaching a settlement. Moreover, a bright line rule that prohibits gathering intelligence on all state-industrial entities would not be viable in China according to Yu, because it “overlook[s] the historical fact that trade secrets originated in China as a form of state secret.”
What is a ‘predominant purpose’ test?
In disputes over the mixed subject matter of a contract, the approach taken by U.S. courts is to analyze the overall ‘predominant purpose’ of the contract (e.g., a contract for the sale of goods or services) and apply the most fitting legal regime. The CEPP Test operates under the same principle. Here, it would require the International Court of Justice (ICJ) to evaluate the overall ‘predominant purpose’ of the alleged act of cyberespionage.
Wait… when and how would the ICJ apply the CEPP Test?
Pursuant to U.N. Charter Article 33: “The parties to any dispute, the continuance of which is likely to endanger the maintenance of international peace and security, shall, first of all, seek a solution by negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.”
Drawing on this judicial settlement framework, the aggrieved state could petition the ICJ for redress and the court would examine the following three factors to determine the predominant purpose of the act of cyberespionage:
(1) The intrinsic nature of the economic information in dispute; (2) the means of acquisition and predominant application by the entity, and (3) the overall intent of the collecting entity.
If the ICJ found by a preponderance of the evidence that the act of cyberespionage was ultimately committed to confer a commercial advantage to the other state’s home industry, then an appropriate remedy would be granted to the aggrieved state.
Does this solve the attribution problem?
No. However, as a counter balance to the attribution problem, the test utilizes a lower evidentiary standard from civil law, a preponderance of the evidence (i.e., a showing of more than 50%), to allow the aggrieved state the opportunity to seek legal recourse from the ICJ.
The benefit of applying a lower standard of proof here, versus a heightened “beyond a reasonable doubt” standard typically applied in criminal proceedings, is that it operates as a stronger deterrent. The reason being, faced with the looming spectre of litigation and its associated costs, states that routinely engage in cyber economic espionage would face a greater cost disincentive.
But if a state believes they can remain anonymous in conducting cyber economic espionage and leverage non-attribution here, can international accords prohibiting the cyber theft of intellectual property hold any measurable deterrent effect? Indeed, a major critique of the Obama-Xi Cyber Pact of September 2015, as vocalized by the Wall Street Journal, was that it represented “a digital arms deal that is full of promises but no enforcement.”
As a result, should international law be completely jettisoned in cyberspace? To former U.S. Secretary of State, Madeleine K. Albright, who described herself as an “optimist who worries a lot” at Wellesley College’s Albright Institute Symposium in January 2016, the answer would most likely be a resounding no. In Secretary Albright’s book, The Mighty and The Almighty, she reasons that while countries often do take action outside of the charter’s guidelines, “[d]espite such violations, the standards in the charter remain relevant, just as laws against murder remain relevant even though murders are still committed.”
Will the Trump administration reaffirm the ‘no-hack-pact’ with China?
In October 2017 the Trump administration’s Department of Justice reaffirmed the 2015 ‘no-hack-pact’ with Chinese officials.
Building off of that momentum, a pledge to uphold the “The First U.S.-China Law Enforcement and Cybersecurity Dialogue” was publicly released by the US Department of Homeland Security. Following the announcement of this pledge, however, Politico reported that the “Trump administration has not made strong public statements either way regarding the U.S.-China cyber pact despite jointly pledging with China in October to continue implementing the deal.” That aside, the cyber pact is still in effect between the two countries and has been largely positively viewed by cyber security leaders as a milestone in cyber international relations. According Dmitri Alperovitch of CrowdStrike and Christopher Porter of FireEye, this pact has been effective in reducing the amount of cyber economic espionage incidents. For Porter, ‘[i]t shows that diplomacy can be used to reduce the cyber threat to Americans” and that norm-building in cyberspace is feasible.
Building and Rebuilding International Norms in Cyberspace
Admittedly, international norms do not blossom into fully-grown gardens overnight, but diplomatic initiatives like the 2015 U.S.-China cyber pact, can help foster growth here. Thus, what the CEPP Test offers the international community is a proverbial seed, which if properly cultivated could take root in the international legal system. Ultimately, because no state is an island in cyberspace, a model that is both attentive to the attribution problem and the mixed nature of espionage operations can help promote the economic security of all.
This article has been updated and republished on Strife Blog with the author’s permission. It was originally published on Small Wars Journal.
Jessica “Zhanna” Malekos Smith is a M.A. candidate with King’s College London, Department of War Studies. Previously, she was a Postdoctoral Fellow with the Belfer Center for Science and International Affairs at the Harvard Kennedy School. She holds a B.A. from Wellesley College, where she was a Fellow of the Madeleine Korbel Albright Institute for Global Affairs, and a J.D. from the University of California, Davis School of Law.
Image Source: https://upload.wikimedia.org/wikipedia/commons/9/9e/Party_game_with_cards.png (Wikimedia Commons)
J. Zhanna Malekos Smith
Jessica ‘Zhanna’ Malekos Smith, the Reuben Everett Cyber Scholar at Duke University Law School, served as a Captain in the U.S. Air Force Judge Advocate General’s Corps. Before that, she was a post-doctoral fellow at the Belfer Center’s Cyber Security Project at the Harvard Kennedy School. She holds a J.D. from the University of California, Davis; a B.A. from Wellesley College, where she was a Fellow of the Madeleine Korbel Albright Institute for Global Affairs; and is finishing her M.A. with the Department of War Studies at King’s College London.