Cybersecurity: Crime and Espionage

Agreements on Commercial Cyber Espionage: An Emerging Norm?

By Matthew Dahl
Friday, December 4, 2015, 11:16 AM

When the U.S. and China reached an agreement in late September not to engage in commercially motivated cyber espionage, it was viewed as a significant step forward in cybersecurity relations between the two countries. A few weeks later, China reached the same deal with the U.K., and soon after Germany announced that it would likely enter into a similar agreement. Suddenly, the progress initially made between the U.S. and China took on global significance, as governments representing four of the top five economies in the world addressed the issue of cyber espionage carried out for commercial gain. The rapid succession of these deals raises an interesting possibility: we may be moving towards the formation of international law norms against economically motivated cyber espionage.

[Note: As a primer, “The Nature of International Law Cyber Norms” is an excellent general background on the existence of norms in international law and how they are formed.]

There is currently little by way of international law norms pertaining to activities in cyberspace; in fact, there is little international law of any type applicable to the domain. Generally, norms arise from either treaties or customary international law. The agreements that the U.S. and U.K. have reached—and Germany hopes to reach—with China are not treaties because the agreements do not create any legally binding rights between the parties. In particular, the U.S.-China deal cannot constitute a treaty because it was made without the “advice and consent” of the Senate, as constitutionally required. It is possible, however, that these agreements lay the foundation for the formation of customary law against commercially motivated cyber espionage.

Customary international law comprises a set of general practices which are accepted as law by the international community. Customary laws form when states conduct themselves in a certain manner over an extended period of time and out of a sense of legal obligation. This standard for formation is, admittedly, non-specific. There are no bright-line rules governing how long a practice must occur before it becomes a norm. Although customary norms often take many years to emerge, examples of rapidly crystallizing norms do exist, such as those governing the law of space. This might indicate that norms can emerge more quickly in relatively new domains like cyberspace.

So, will these agreements prohibiting commercially motivated cyber espionage form the foundation for a new norm recognized under international law? That depends on whether states decide to abide by them. The agreements themselves are not necessary for the ultimate formation of a norm prohibiting commercial espionage; what is necessary is for states not to engage in commercially motivated cyber espionage for a sufficient period of time. But to the extent the agreements indicate the actual intention of states not to engage in this type of espionage, they represent the first steps towards the formation of a norm under customary international law.

Just this week, U.S. and Chinese officials met in Washington to discuss cybersecurity issues as part of the deal reached in September. Media reports indicate the meetings might be seen as a step towards the establishment of a norm in this area. And perceptions that norms are developing can be self-reinforcing: the perception acts as the impetus for more states to enter into similar agreements against commercial cyber espionage, or simply to refrain from the behavior, and thus the norm is more likely to ultimately develop.

Whatever the ultimate normative value, these agreements will be difficult to enforce. In cyberspace, attribution presents a significant challenge, as the domain allows for obfuscation and deception with respect to the origin of malicious operations. Because it is rare to catch an operator with his “hands on the keyboard,” conclusive—or even sufficient—attribution often requires a substantial investment of time and expertise. Such resources are commonly available only to government intelligence agencies, and those agencies may be unwilling to provide concrete evidence for attribution, in order to protect sources and methods critical to their ability to collect similar intelligence in the future.

A distinct—but related—enforcement challenge lies in developing sufficient evidence of intent. These agreements pertain only to commercially motivated cyber espionage; states are not agreeing to refrain from carrying out cyber espionage for national security purposes. In a previous post, I’ve discussed the hypothetical scenario in which the U.S. detects an espionage operation against a member of the defense industrial base and believes the threat originates from China. While the U.S. may view the theft of this type of private company data as commercially motivated, China may view it as a national security tactic. In order to prove a genuine commercial motivation in this scenario, the U.S. would likely need to demonstrate that the stolen data flowed to China and that, ultimately, a Chinese company used it to gain a competitive advantage. Such a showing would be exceedingly difficult to make, even with intelligence community resources.

Only time will tell if these agreements actually lay the groundwork for a new cybersecurity norm, and even if a norm develops, significant enforcement challenges remain. Nevertheless, it is encouraging that highly influential global actors have taken preliminary steps towards rules governing the actions of states in cyberspace.