In 2015, then US President Barack Obama referred to cyberspace as the “new Wild West” — vast, lawless, and without a sheriff in sight.Footnote 1 Given these qualities, it is unsurprising that actors leverage cyberspace to perpetrate crime, terrorism, foreign influence, and espionage with increasing effectiveness. Meanwhile, the international community has struggled to find common ground on the application, let alone enforcement, of international law in cyberspace. While there have been a number of high-level commitments made by allied states to work together to develop “norms of cyberspace,”Footnote 2 the prominent and decade-long effort of the United Nations Group of Governmental Experts to address state behaviour in cyberspace collapsed in 2017 due to a lack of consensus.Footnote 3 Two separate and open-ended working groups have since taken its place; one effort led by the United States,Footnote 4 the other by Russia.Footnote 5
In his text, Cyber Espionage and International Law, Russell Buchan not only takes on the notion that cyberspace is a lawless domain, but he also challenges the oft-repeated assertion that state-sponsored espionage is lawful under international law. Buchan, a senior lecturer in international law at the University of Sheffield, defines espionage as “the non-consensual collection of confidential information that is under the control of another actor.”Footnote 6 A common and accepted practice of modern states, realists have long justified political espionage as a necessary means of enhancing not only national, but also international, security.Footnote 7 Buchan explains, however, that the reach, frequency, and impact of espionage carried out by and against state and non-state actors has ballooned with the development of the Internet.Footnote 8 Correspondingly, the enormous volumes of valuable information resident on or available via cyberspace has fuelled the growth of economic espionage, aimed at stealing foreign trade secrets to boost a state’s domestic economy.Footnote 9
Despite, or perhaps more accurately, because of its prevalence, peacetime espionage is not the subject of any international treaty. Nor is it directly regulated by customary international law. As a result, many legal scholars suggest that espionage is neither legal nor illegal under international law.Footnote 10 Cyber Espionage and International Law is a strong and well-supported rebuttal of this interpretation. In his text, Buchan argues that those who advance the notion that international law is silent on the subject of espionage are consciously unwilling to identify the applicable international legal rules that regulate this behaviour.Footnote 11 He refreshingly refuses to ignore the growing “elephant in the room” and sets out to identify the international legal rules implicated by both political and economic cyber espionage.Footnote 12 His monograph seeks to dispose of the argument that cyber espionage occurs in a legal vacuum and establish that a “patchwork of norms” applicable to the underlying conduct already exists across international law. He also advocates for the development of a specialized legal framework (lex specialis) to delineate when and under what circumstances cyber spying is acceptable.Footnote 13
Buchan is certainly not the first author to question international law’s application to cyberspace. The most influential text on the subject is the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Footnote 14 In the second edition of the manual, published in 2017, nineteen legal experts from around the world expanded the original text, which focused on cyber warfare to include rules governing cyber operations in times of peace. Buchan’s text is the first to narrow in on this specific element of cyber operations — cyber espionage — and engage in both a deeper and broader analysis of the regulation of that conduct by international law.
The first two chapters of this concise work lay the foundation for Buchan’s central thesis. Chapter 1 begins by defining cyber espionage as the non-consensual “use of cyber operations to copy confidential data that is resident in or transiting through cyberspace, even if it is not read or analyzed.”Footnote 15 “Cyberspace” includes the entire information infrastructure, both hardware and software, that supports the Internet, computer networks and telecommunications systems, and the resident data.Footnote 16 Buchan is right to distinguish the “copying” of information from the alteration or destruction of data, hardware, and so forth, which he classifies as cyber attacks rather than espionage. That said, his definition fails to encapsulate the copying of information that is not intended to be resident in, or transiting through, cyberspace but may be captured remotely using a target’s cyber-connected hardware. Simple examples include surreptitiously taking photographs of a room using a computer’s webcam or capturing an in-person conversation by triggering the microphone on a participant’s wireless device. The author’s definition also fails to include online probing or the reconnaissance of a target’s cyber networks and defences.
In Chapter 2, Buchan situates his argument within international relations theory, taking on the realist position that justifies the use of political espionage as a tool for enhancing national security and international peace.Footnote 17 Buchan asserts that the realist approach does not accurately capture the “contemporary world order” that seeks to maintain peace by protecting the sovereign equality of states and human dignity; both threatened by political espionage.Footnote 18 Buchan also takes on Christopher Baker’s functional argument for espionage.Footnote 19 Using historical and modern examples like the international fall-out following the intelligence leaks perpetrated by Edward Snowden, he aims to convince the reader that political spying is detrimental and not conducive to building trust and confidence between states.Footnote 20 Next, Buchan establishes that economic espionage is a threat to the economic stability of states and has a destabilizing effect on the economic world order.Footnote 21 Buchan goes so far as to argue that there is a direct line from the prohibition of economic espionage to the preservation of international security.Footnote 22
In Chapters 3–6, Buchan identifies how existing rules of international law constrain state use of political and economic espionage. Sequentially, Buchan explores the relevant rules stemming from the principles of sovereignty, non-intervention, and the non-use of force; diplomatic and consular law; international human rights law; and whether trade agreements under the World Trade Organization apply to economic espionage. In each chapter, Buchan succinctly canvasses the applicable sources of law and relevant national and international jurisprudence before adapting the resulting principles to the cyber espionage context. Throughout, the author is clear to note when he is offering his own interpretation or opinion on an unsettled area of law, and he is careful to delineate between where the law is progressing (lex ferenda) and the current state of the law (lex lata).
Many of Buchan’s findings in these chapters stem from his conclusion that any penetration of a foreign state’s computer networks and the cyber infrastructure located within its territory is a violation of that state’s sovereignty.Footnote 23 On this fundamental question, Buchan explicitly breaks with the authors of the Tallinn Manual who were unwilling to conclude that cyber espionage that results in neither physical damage nor destructive effects violates a state’s territorial integrity.Footnote 24 Notably, Buchan finds support for his position in a 2008 judgment of the Federal Court of Canada that refused to issue a warrant authorizing the Canadian Security Intelligence Service (CSIS) to conduct espionage activities in a foreign jurisdiction. In that case, Justice Edmond Blanchard found that such activities would violate the target state’s territorial sovereignty.Footnote 25 That said, Buchan reasons that the mere copying of information is unlikely to violate the principle of non-intervention because the behaviour lacks coercive effect.Footnote 26
Having established that state-sponsored espionage is impermissible under several international legal regimes, Buchan then examines whether customary international law has carved out exceptions for its use or whether states can invoke the doctrines of self-defence and necessity as an authority or justification for engaging in otherwise unlawful activity. In Chapter 7, Buchan rejects the common assertion that customary law is permissive of espionage, citing a lack of state practice and opinio juris to support such a finding. Quite simply, for the author, the fact that states fail to acknowledge or take responsibility for their espionage activities publicly impedes the crystallization of customary international law on this issue.Footnote 27 With respect to self-defence and necessity, Buchan finds that both doctrines would justify the use of espionage, but only under strict circumstances to defend against an imminent attack or grave peril.Footnote 28
Throughout his work, Buchan does not limit his analysis or arguments to political and economic espionage conducted in or through cyberspace. In fact, in almost every instance, he proves that the relevant law or legal principle applies to cyber espionage by adapting a physical analogue that demonstrates the illegality of traditional spying. In doing so, Buchan succeeds in convincing the reader that a series of disparate rules already exist that regulate political and economic espionage. Examples throughout the book also support his claim that cyberspace exacerbates the threat posed by espionage to international peace and security.Footnote 29 Yet, for reasons never fully articulated, Buchan stops short of advocating for an outright prohibition on state-sponsored espionage and advocates instead for rules that “expressly and unequivocally prohibit” cyber espionage.Footnote 30 Early on, Buchan apparently undermines his own position by including the caveat that legal rules must give states authority to engage in political cyber espionage “where it is necessary to address grave and imminent threats to their essential interests.”Footnote 31 The use of the term “threats” rather than “attacks” is curious and also never fully explained.
Unfortunately, Buchan devotes little more than the concluding two paragraphs of his book to convincing the reader that states should develop a set of international rules to govern cyber espionage specifically.Footnote 32 Buchan’s sole argument to support the idea that the international community is prepared to adopt “an international law of espionage” is the fact that states are more prepared to discuss their intelligence collection activities and legislate rules governing foreign espionage.Footnote 33 However, Buchan previously concluded that this practice was limited to only a handful of liberal democracies and was not necessarily indicative of a widespread trend.Footnote 34
That said, Canadians should read Cyber Espionage for precisely this reason. Canada is one of the few liberal democracies that has legislated the conduct of foreign espionage by its intelligence services. In the near future, Bill C-59, An Act Respecting National Security Matters,Footnote 35 will give the Communications Security Establishment (CSE), Canada’s signals intelligence agency, the authority to engage in foreign cyber espionage and kinetic cyber operations abroad.Footnote 36 Under the resulting Communications Security Establishment Act, Canada’s Minister of National Defence may authorize these cyber activities despite “any other Act of Parliament or of any foreign state” but, as currently drafted, not in violation of international law.Footnote 37 Buchan’s book, therefore, is essential reading for anyone interested in understanding or tasked with interpreting the scope of the CSE’s new powers in light of existing international law.