A Conversation on Economic Espionage with Catherine Lotrionte
April 29, 2021 | 12:30 - 1:30 pm | Zoom Webinar
In her talk, Dr. Lotrionte discussed how international law may apply to acts of state-sponsored cyber economic espionage. Her remarks reflected and built off of her 2015 article on the same subject, “Countering State-Sponsored Cyber Economic Espionage Under International Law.” Lotrionte began the talk by discussing what prompted her research in 2015. In recent years, China’s theft of U.S. trade secrets has garnered a great deal of attention; in particular, there were two events that really heightened the profile of this issue. First, in May 2014, the DOJ indicted five People’s Liberation Army (PLA) hackers for economic espionage and computer hacking; this was the first time the U.S. indicted known state actors for hacking. Second, in September 2015, President Obama and President Xi reached a bilateral agreement on cyber activities and the cessation of state-sponsored theft of intellectual property. Like the indictments, this agreement was the first of its kind.
Lotrionte then stepped back to define economic espionage–“economic espionage is a state using its national intelligence resources and assets in order to steal information from the private sector of another country [in order to] provide a benefit to their own companies.” In U.S. government practice, Lotrionte explained, there is a distinction, definitionally and operationally, between economic espionage and economic intelligence. A state committing economic espionage hopes to use the stolen information to gain a competitive advantage–such as by helping its own industry bypass the costs and time of research and development. Economic espionage is considered distinct from a state’s traditional military or political espionage or “intelligence collection.” As Lotrionte explained, while the United States engages in traditional espionage, it does not engage in economic espionage for commercial gain. Economic intelligence about things like currency valuation or trade negotiations may be collected, but it’s collected to inform national security and foreign policy. It is not collected to benefit the U.S. private sector.
Not all countries draw a distinction between traditional espionage and economic espionage; for example, France and China, historically, do not draw that distinction. And this is true in both the cyber and the physical world. Today, economic espionage is very often cyber-enabled.
But even in the early 1990s, a number of intelligence community reports found that over a dozen countries, including US allies, were engaging in economic espionage against the U.S. private sector. This is now a longstanding, and increasingly concerning issue for the U.S. government. The cost of economic espionage to the U.S. economy, Lotrionte noted, is hard to estimate due to underreporting and other data issues. However, even conservative estimates place the cost of economic espionage to the U.S. economy in terms of hundreds of billions of dollars.
In July of 2013, the UN Group of Governmental Experts on Developments on the Field of Information and Telecommunications in the Context of International Security (UN GGE) stated, explicitly that international law, and in particular the Charter of the United Nations, is applicable in cyberspace. If the GGE’s assertion was true, what principles of international law may constrain states’ behavior or enable states’ responses when it comes to economic espionage? In particular, Lotrionte asked–what could the U.S. do in response, aside from diplomatic agreements like the Obama-Xi agreement, under international law as a target or victim of this activity?
Lotrionte suggested that customary international law, and particularly the rule on nonintervention, may provide some answers. The rule on nonintervention existed even prior to the UN Charter, and it is widely accepted as universal, normative law. The rule essentially says states are prohibited from interfering in those internal or external affairs of the state that are reserved for the state to decide on its own. This protects the “domaine résérve” of states–it reserves issues (such as political, economic, cultural, or social issues) not regulated by international law for the state’s discretion. The state is to be free from wrongful intervention in these issue areas. Wrongful intervention happens when a state intervenes by means of coercive acts or behavior. Today, the debate over the rule on nonintervention revolves around what constitutes coercion and wrongful intervention. It’s something more than mere interference. On the other end of the spectrum, uses of force, as prohibited by the UN Charter, are always considered wrongful interventions. But not all wrongful interventions are uses of force. Nonforcible interventions can be coercive and can amount to a violation of the rule on nonintervention.
Applying this rule to cyber-enabled economic espionage, Lotrionte concluded that acts of economic espionage could constitute a violation of the rule on nonintervention. Lotrionte explained that not everyone agrees with that conclusion; it all depends on whether you believe such activity is “coercive.” Lotrionte argued, “if [a state is] effectively blocking [another] state from being competitive in global markets, then massive IP-theft is a coercive act.”
If the rule on nonintervention has been violated, then the victim state may avail itself of the law of countermeasures under the law of state responsibility, as found in customary international law. There are strict procedural and substantive requirements that must be satisfied for an act to constitute a lawful countermeasure. For example, the act cannot be forcible; it’s preferred that a state give notice; and the state employing the countermeasure must provide sufficient justification. When a state suffers a breach of obligation due to the wrongful intervention of another state, it is the breaching state’s duty to stop what it’s doing and come back into compliance with the international law. The victim state may employ a countermeasure at least until the breaching state comes back into compliance (if not until reparations are made).
Lotrionte also briefly discussed whether the WTO’s dispute resolution mechanism, particularly on the authority of the TRIPS agreement, would be a good tool for dealing with economic espionage. But despite the TRIPS agreement containing relatively robust provisions for the protection of international property, there are a number of challenges and difficulties with seeking recourse for cyber-enabled economic espionage through the WTO.
Lotrionte concluded her remarks by discussing current efforts at the UN to try to reach an agreement to regulate state behavior in cyberspace. As noted prior, in 2013, the GGE concluded that international law does apply to cyberspace. But since then, there have been disagreements as to how international law applies and as to which principles of international law, beyond the UN Charter, apply to cyberspace. As of 2017, the GGE was not able to reach a consensus report, namely because there were three major issues on which states could not come to an agreement: (1) the right of self-defense; (2) the law of countermeasures; and (3) the international humanitarian law. Russia, China, and by 2017, Cuba, have consistently argued that none of these principles apply in cyberspace. There is currently a new, ongoing GGE; while there is some doubt as to whether any major agreements will be made, Lotrionte was hopeful that it would be able to produce some kind of consensus report.
Alongside the GGE, there has been a parallel process, originally proposed and promoted by Russia and not supported by the U.S., known as the Open-ended Working Group (OEWG), which issued its final report in March 2021. The OEWG, unlike the GGE, has been open to participation by an UN states; by comparison, as Russia and China have complained about, the GGE had only 15 and now 25 members. Lotrionte explained that the final report published by the OEWG does contain some good provisions for confidence and capacity building measures in cyberspace, but it makes virtually no progress on the applicability of international law.
Dr. Catherine Lotrionte is currently a Senior Researcher at Georgetown University, a Senior Associate in the Technology Policy Program at CSIS and a Senior Fellow at the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. Previously she served as the Brent Scowcroft scholar at the Atlantic Council. She is also the founder and former Director of the CyberProject at Georgetown University, where she has taught and written on international and national security law, international affairs and technology. At Georgetown she founded the CyberProject in 2008 and the Annual International Conference on Cyber Engagement which draws on the experience of government practitioners, industry representatives and academic scholars, providing technical, corporate, legal and policy perspectives from the international community. Lotrionte served as Counsel to the President’s Foreign Intelligence Advisory Board at the White House, on the Joint Inquiry Committee of the Senate Select Committee on Intelligence investigating the 9/11 terrorist attacks, as an Assistant General Counsel at the Central Intelligence Agency and in the U.S. Department of Justice.
She is an internationally recognized expert on international law and cyber conflict and has testified before Congress and NATO on cyber issues. She has authored numerous publications on a broad array of topics, including espionage, information technology, international law, and deterrence and is a frequent speaker at cyber conferences across the global.
Dr. Lotrionte holds a MA and Ph.D. from Georgetown University and a J.D. from New York University. She currently serves on the board of directors of the American Federation of Scientists and has previously served as a member of the Homeland Security Advisory Council, the World Economic Forum’s Global Agenda Council on Cybersecurity, the Center for Strategic and International Studies’ Cyber Policy Task Force, and the CFR-sponsored Independent Task Force on Defending an Open, Global, Secure, and Resilient Internet. She is a life member of the Council on Foreign Relations.