Espionage is a practice almost as old as human history. The act of transnational spying dates at least to the fourth century BCE, when Aeneas Tactitus recorded his musings on reconnaissance and military intelligence. Ancient Rome reportedly developed its intelligence service a bit later, a delay which allowed the Gauls to take the city by surprise in 390 BCE. Hieroglyphs documenting the 1274 BCE Battle of Kadesh, in which Ramesses II fought the Hittites under Muwatalli II, include a description of the beating of captured spies before the pharaoh to gain information.
While its certain today’s spy operations are still concerned with security interests, espionage is now enmeshed not just with political and military affairs, but also economic strategies. As technologies—digital infrastructure in particular—develop, so too does the sheer amount of surface area susceptible to intercontinental intelligence operations.
Cyberspace is, for the most part, a lawless wasteland. As cyber scholar Jessica “Zhanna” Malekos Smith explains, most legislation revolves on bilateral and somewhat multilateral agreements, as well as codes of ethics passed by global organizations. The European Union is seeking to become a pioneer leader in this field, passing a comprehensive law to curb risks related to artificial intelligence. International governance and scholarship, though, generally struggles to establish robust frameworks to understand, address, and regulate the electronic highway.
This gap in policy offers a great deal of room for ambiguity. Though wartime espionage falls into a legal category of its own, peacetime espionage lacks tight international regulations. Its very nature as a “back-door” endeavor makes it an already-awkward terrain, and the lack of legislative clarity is a phenomenon that scholarship has repeatedly interpreted to the benefit of different actors. Peacetime espionage is best defined as not particularly illegal, and the lack of global governance is likely an intentional choice. Attribution—the link made between information and an entity—complicates things. When a state or non-state actor attributes cases of cyber-related activity to another state or actor, it can be a move of aggression, measured strategy, or political procedure, or just interpreted as such.
Given the inordinately difficult process of determining and assigning cause, Smith proposes a new way to systematize top-down policy in cyber-related espionage issues. The Cyber Espionage Predominant Purpose (CEPP) test considers three factors to determine how to respond to peacetime spying:
- what actual information is being collected;
- how is that information being collected; and
- why is that information being collected in the first place.
According to Smith, intention matters a great deal in current practices: it demarcates the otherwise indeterminate line between economic intelligence and economic espionage. Depending on the actors involved and their intentions, cases can look like “normal operations” or just plain theft. Attribution can also be a politically strategic move, forcing the target state to reveal its operative capacities. One of the richest examples of this is aviation-related espionage: a state’s aerospace technologies can be both commercial and military, and economic intelligence gathering can quickly slide into global criminality. Matters are even more complicated when the states involved already hold contentious relationships. A recent extradition arrest made by the United States sentenced Yanjun Xu, a Chinese intelligence officer, to twenty years in prison, a consequence of threatening the land of opportunity’s state security.
Arguably, the interpretation and application of international policy differs depending on the involved actors, their actions, and their motivations. The future of cyber espionage is unclear, though international cooperation would be an optimistic outcome—one that will need to jump many obstacles. As Smith points out, when Edward Snowden released a flow of information to the American public, he also sacrificed any hopes for the immediate development of espionage/intelligence diplomacy.
Perhaps a robust theoretical framework, like Smith’s CEPP, is the sort of bridge between espionage and intelligence that international governance needs. Cyber operations conducted between states are unlikely to go anywhere, but scholarship and policy must seal the fissures sooner than later.