The Cyber Espionage Predominant Purpose Test
Jessica “Zhanna” Malekos Smith
While ‘spying’ may strike some as indecorous state behavior, it is essentially akin to a bodily function, like sneezing, that is necessary to sustaining the health of the body politic.
But can international law meaningfully distinguish between cyberespionage for national security purposes and economic espionage? According to former U.S. Treasury Secretary, Henry M. Paulson, Jr. in Dealing with China, “the distinction between cyberespionage and cybertheft from a company for commercial use can become fuzzy.” This article proposes a new approach – a Cyber Espionage Predominant Purpose (CEPP) Test – to resolve international disputes concerning cyberespionage operations that involve mixed elements of national security espionage and commercial espionage.
But first, what exactly is the value of the CEPP Test?
In 2013 the U.S. National Intelligence Estimate announced that “France, alongside Russia and Israel, to be in a distant but respectable second place behind China in using cyberespionage for economic gain.” In comparison, according to Dr. Catherine Lotrionte, the Director of the CyberProject at Georgetown University, the U.S. does not conduct commercially motivated cyber espionage. In fact, the Obama Administration avers that a distinction exists between economic intelligence – a subset of national security espionage – and commercially motivated economic espionage.
For Drake University Law Professor Peter Yu, however, this distinction is nebulous at best: “Not only do most countries—democratic or otherwise—fail to recognize it, this line is also not always drawn in situations involving U.S. intelligence and surveillance efforts.” Yu highlights that for countries like China, the U.S.’ definitional distinction imparts little clarity here, “given the perceived “overlap between security and economic concerns” among Chinese policymakers and the continued domination of state-owned enterprises in the local business environment.”
Thus, given the distinct cultural norms embedded in distinguishing between permissible and impermissible intelligence collection, a dispute resolution framework that accounts for these disparities, as well as the complexities of attribution, is needed. The value of this test is that rather than argue for one country’s particular definition here, it enables the ICJ to holistically evaluate both parties’ views in reaching a settlement. Moreover, a bright line rule that prohibits gathering intelligence on all state-industrial entities would not be viable in China according to Yu, because it “overlook[s] the historical fact that trade secrets originated in China as a form of state secret.”
What is a ‘predominant purpose’ test?
In disputes over the mixed subject matter of a contract, the approach taken by U.S. courts is to analyze the overall ‘predominant purpose’ of the contract (e.g., a contract for the sale of goods or services) and apply the most fitting legal regime. The CEPP Test operates under the same principle. Here, it would require the International Court of Justice (ICJ) to evaluate the overall ‘predominant purpose’ of the alleged act of cyberespionage.
Wait… when and how would the ICJ apply the CEPP Test?
Pursuant to U.N. Charter Article 33: “The parties to any dispute, the continuance of which is likely to endanger the maintenance of international peace and security, shall, first of all, seek a solution by negotiation, enquiry, mediation, conciliation, arbitration, judicial settlement, resort to regional agencies or arrangements, or other peaceful means of their own choice.”
Drawing on this judicial settlement framework, the aggrieved state could petition the ICJ for redress and the court would examine the following three factors to determine the predominant purpose of the act of cyberespionage:
(1) The intrinsic nature of the economic information in dispute; (2) the means of acquisition and predominant application by the entity, and (3) the overall intent of the collecting entity.
If the ICJ found by a preponderance of the evidence that the act of cyberespionage was ultimately committed to confer a commercial advantage to the other state’s home industry, then an appropriate remedy would be granted to the aggrieved state.
Does this solve the attribution problem?
No. However, as a counter balance to the attribution problem, the test utilizes a lower evidentiary standard from civil law, a preponderance of the evidence (i.e., a showing of more than 50%), to allow the aggrieved state the opportunity to seek legal recourse from the ICJ.
The benefit of applying a lower standard of proof here, versus a heightened “beyond a reasonable doubt” standard typically applied in criminal proceedings, is that it operates as a stronger deterrent. The reason being, faced with the looming specter of litigation and its associated costs, states that routinely engage in cyber economic espionage would face a greater cost disincentive.
But if a state believes they can remain anonymous in conducting cyber economic espionage and leverage non-attribution here, can international accords prohibiting the cyber theft of intellectual property hold any measurable deterrent effect? Indeed, a major critique of the Obama-Xi Cyber Pact of September 2015, as vocalized by the Wall Street Journal, was that it represented “a digital arms deal that is full of promises but no enforcement.”
As a result, should international law be completely jettisoned in cyberspace? To former U.S. Secretary of State, Madeleine K. Albright, who described herself as an “optimist who worries a lot” at Wellesley College’s Albright Institute Symposium in January 2016, the answer would most likely be a resounding no. In Secretary Albright’s book, The Mighty and The Almighty, she reasons that while countries often do take action outside of the charter’s guidelines, “[d]espite such violations, the standards in the charter remain relevant, just as laws against murder remain relevant even though murders are still committed.”
Building and Rebuilding International Norms in Cyberspace
Admittedly, international norms do not blossom into fully-grown gardens overnight. What the CEPP Test does offer, however, is a proverbial seed, which if properly cultivated could take root in the international legal system. Ultimately, because no state is an island in cyberspace, a model that is both attentive to the attribution problem and the mixed nature of espionage operations can help promote the economic security of all.