Cyber Espionage


In 800 words, answer the following questions:

1. Differentiate acts of cyber-espionage from simple criminal acts. Provide detailed examples.

2. Differentiate acts of cyber-espionage from acts of hacktivism. Provide detailed examples.

3. Use the sources attached and provide 3 additional sources.

BANKS GALLEYSPROOFS2 2/22/2017 1:01 PM

CYBER ESPIONAGE AND ELECTRONIC SURVEILLANCE:
BEYOND THE MEDIA COVERAGE

William C. Banks∗

INTRODUCTION

In the twenty-first century it seems that everyone is eavesdropping on
everyone else—governments and companies, militaries, law enforcement and
intelligence agencies, hackers, criminals, and terrorists. State-sponsored and
private cyber espionage and criminal and foreign-intelligence surveillance
have ramped up in part because the national security threat environment is ever
more complicated and multifaceted, and the ability to meet it is increasingly
dependent on good intelligence, in real time. However, surveillance and
espionage have also increased because the Internet and cyber technology so
readily enable exploitation of intellectual property and other commercially
valuable information. Among its many attributes, the Internet has introduced
new dynamics to the age-old tensions between security and liberty. The
Internet expands our freedom to communicate at the same time it makes us less
secure. It expands our online vulnerabilities while it lowers the visibility of
intrusions. The Internet provides new means for enabling privacy intrusions
and causing national security and economic harm even as it provides
governments with ever more sophisticated tools to keep tabs on bad actors. Yet
in the cat and mouse game between the government agents and suspected
terrorists and criminals, ever newer devices and encryption programs ratchet
up privacy protections in ways that may prevent government access to those
devices and their contents. These devices and programs, in turn, may enable
cyber theft or even destructive terrorist attacks.

Espionage and intelligence collection are part of the national security
apparatus of every state. Cyber espionage involves deliberate activities to
penetrate computer systems or networks used by an adversary for obtaining
information resident on or transiting through these systems or networks. A
pertinent subset is economic espionage, where a state attempts to acquire
secrets held by foreign companies. Of course, states conducted economic

∗ Board of Advisers Distinguished Professor, Syracuse University College of Law; Director, Institute for
National Security and Counterterrorism.

514 EMORY LAW JOURNAL [Vol. 66:513

espionage before the Internet, but the availability of cyber exploitation rapidly
and significantly expanded the activity.1

Electronic surveillance intercepts communications between two or more
parties. The intercepts can give insight into what is said, planned, and
anticipated by adversaries. Because such vast quantities of communications
now travel through the Internet, more than humans can comprehend in their
raw form, surveillance often leads to processing and exploitation through
algorithms or other search methods that can query large amounts of collected
data in pursuit of more specific intelligence objectives.2

Traditional state-sponsored surveillance and espionage have been
transformed into high-tech and high-stakes enterprises. Some of the cyber
activity is electronic surveillance for foreign intelligence purposes, mimics
traditional spying, and services a range of what most of us would concede are
legitimate national security objectives—anticipating terrorist attacks, learning
about the foreign policy plans of adversaries, and gaining advantage in foreign
relations negotiations.3 However, a good deal of the cyber sleuthing involves
economic matters, sometimes extending to include intellectual property theft,
and is undertaken by states or their proxies to secure comparative economic
advantage in trade negotiations, other deals, or for particular companies.4

I. ECONOMIC CYBER ESPIONAGE

Governments and their agents have been exploiting Internet connectivity by
penetrating the electronic networks of foreign companies for nearly a quarter-
century.5 Until 2010, companies chose to ignore the problem, more or less.6
Then Google publicly claimed that China had stolen source code and used it to

1 Gerald O’Hara, Cyber-Espionage: A Growing Threat to the American Economy, 19 COMMLAW
CONSPECTUS: J. COMM. L. & POL’Y 241, 241–42 (2010).
2 See Joe Pappalardo, NSA Data Mining: How It Works, POPULAR MECHANICS (Sept. 11, 2013), http://
www.popularmechanics.com/military/a9465/nsa-data-mining-how-it-works-15910146/.
3 Heather Kelly, NSA Chief: Snooping Is Crucial to Fighting Terrorism, CNN (Aug. 1, 2013, 10:35
AM), http://www.cnn.com/2013/07/31/tech/web/nsa-alexander-black-hat/; David E. Sanger, U.S. Cyberattacks
Target ISIS in a New Line of Combat, N.Y. TIMES (Apr. 24, 2016), http://www.nytimes.com/2016/04/25/us/
politics/us-directs-cyberweapons-at-isis-for-first-time.html.
4 See infra notes 5–9 and accompanying text.
5 Joel Brenner, The New Industrial Espionage, 10 AM. INT., Winter 2015, at 28, 28–29, http://www.the-
american-interest.com/2014/12/10/the-new-industrial-espionage/.
6 Id. at 29.

2017] CYBER ESPIONAGE AND ELECTRONIC SURVEILLANCE 515

spy and to penetrate other companies’ networks.7 At about the same time,
major economic espionage was carried out against large western oil companies
and traced to a site in China, and another theft lifted security key tokens, which
in turn led to the penetration of other firms, including defense contractors in
the United States.8

In May of 2014, the FBI issued “Most Wanted” posters for five Chinese
nationals, members of the People’s Liberation Army.9 In United States v.
Wang, the five were indicted by a federal grand jury for breaking into
computer systems of American companies and stealing trade secrets for the
benefit of Chinese companies.10 Although there was no chance that the United
States would obtain jurisdiction over the accused so that they could be tried,
the indictments may have been intended to incentivize negotiations with the
Chinese on corporate spying. At first, the Chinese responded by complaining
about U.S. hypocrisy and double standards.11 The Chinese asserted that
American authorities have conducted large-scale, organized cyber-espionage
activities against government officials, companies, and individuals, in China
and many other states.12 The distinction that our government draws between
spying for national security purposes and not spying on companies to give a
competitive edge to one’s own businesses is not recognized as valid by China,
and they point out that our definition of national security includes obtaining
advantages in trade negotiations and for other international economic purposes,
including enforcing sanctions regimes and detecting bribery.13

Then, in 2015, some seemingly remarkable things happened. Following the
indictment of the Chinese hackers and an executive order promulgated by
President Barack Obama that authorized sanctions against malicious hackers,14

7 Andrew Jacobs & Miguel Helft, Google, Citing Attack, Threatens to Exit China, N.Y. TIMES (Jan. 12,
2010), http://www.nytimes.com/2010/01/13/world/asia/13beijing.html.
8 Nathan Hodge & Adam Entous, Oil Firms Hit by Hackers from China, Report Says, WALL ST. J. (Feb.
10, 2011, 12:01 AM), http://www.wsj.com/articles/SB10001424052748703716904576134661111518864;
Elinor Mills, China Linked to New Breaches Tied to RSA, CNET (June 6, 2011, 4:00 AM), https://www.cnet.
com/news/china-linked-to-new-breaches-tied-to-rsa/.
9 Cyber’s Most Wanted, FBI, https://www.fbi.gov/wanted/cyber (last visited Apr. 25, 2016).
10 Indictment, United States v. Wang, Criminal No. 14-118 (W.D. Pa. May 1, 2014), https://www.justice.
gov/iso/opa/resources/5122014519132358461949.pdf.
11 Jonathan Kaiman, China Reacts Furiously to US Cyber-Espionage Charges, GUARDIAN (May 20,
2014, 8:31 AM), https://www.theguardian.com/world/2014/may/20/china-reacts-furiously-us-cyber-espionage-
charges.
12 David E. Sanger, With Spy Charges, U.S. Draws a Line that Few Others Recognize, N.Y. TIMES (May
19, 2014), http://www.nytimes.com/2014/05/20/us/us-treads-fine-line-in-fighting-chinese-espionage.html.
13 Id.
14 Exec. Order No. 13,694, 80 Fed. Reg. 18,077 (Apr. 2, 2015).

the United States and China reached an agreement on a range of cybersecurity
matters.15 In addition to cooperation on law enforcement matters in
cyberspace, China reversed its prominent policy position and committed not to
engage in commercially-motivated cyber espionage.16 The agreement also
includes implementation and compliance provisions, the violation of which
could lead to sanctions under the Obama administration executive order.17

Although the 2014 indictments had been dismissed as meaningless by
many, the Chinese appear not to have understood their lack of practical
significance and instead viewed them more like sanctions.18 The PLA unit also
may have felt exposed and diminished in its prestige after the indictments.19
Meanwhile, news reports indicate that China began to dismantle its economic
espionage network and started to crack down on PLA hackers who were
moonlighting on the side and selling information to Chinese companies that
was not central to the PLA national security mission.20 A few weeks after the
U.S.–China agreement was reached, similar agreements were reached between
China and the United Kingdom and China and Germany.21

II. SURVEILLANCE

Meanwhile, governments are not the only participants in the cyber-
sleuthing. The Islamic State (ISIS) has broadened its recruitment and appeal,
focusing in part on young, tech-savvy persons living far from the battlefields of
Syria and Iraq.22 In October 2015, the United States arrested Kosovar Ardit
Ferizi while he was living in Malaysia and charged him with providing

15 JOHN W. ROLLINS, CONG. RESEARCH SERV., IN10376, U.S.-CHINA CYBER AGREEMENT (2015),
https://www.fas.org/sgp/crs/row/IN10376.pdf.
16 Id.
17 Id.
18 Ellen Nakashima, Following U.S. Indictments, China Shifts Commercial Hacking Away from Military
to Civilian Agency, WASH. POST (Nov. 30, 2015), https://www.washingtonpost.com/world/national-
security/following-us-indictments-chinese-military-scaled-back-hacks-on-american-industry/2015/11/30/fcdb
097a-9450-11e5-b5e4-279b4501e8a6_story.html.
19 Id.
20 Id.
21 Rowena Mason, Xi Jinping State Visit: UK and China Sign Cybersecurity Pact, GUARDIAN (Oct. 21,
2015, 12:13 PM), http://www.theguardian.com/politics/2015/oct/21/uk-china-cybersecurity-pact-xi-jinping-
david-cameron; Stefan Nicola, China Working to Halt Commercial Cyberwar in Deal with Germany,
BLOOMBERG TECH. (Oct. 29, 2015, 8:31 AM), http://www.bloomberg.com/news/articles/2015-10-29/china-
working-to-halt-commercial-cyberwar-in-deal-with-germany.
22 Maeghin Alarid, Recruitment and Radicalization: The Role of Social Media and New Technology, in
IMPUNITY: COUNTERING ILLICIT POWER IN WAR AND TRANSITION 313, 322 (Michelle Hughes & Michael
Miklaucic eds., 2016).

material support to terrorism by hacking a U.S. government database and
stealing personal information on more than 1350 military and civilian
government personnel.23 Ferizi allegedly passed the information to an
operative of ISIS.24

The ISIS Cyber Caliphate hacking unit seized control of U.S. Central
Command Twitter and YouTube feeds early in 2015, using them to post
propaganda videos and personal information on top military officials.25 The
hackers seized more than 54,000 Twitter accounts for the same objectives
again late in 2015.26 Even terrorists who seek visible, kinetic effects from their
attacks—and are thus less likely to engage in malware insertion and other
disruptive, but not destructive, cyber attacks—increasingly rely on digital
protections (encryption) to assure the secrecy of their communications.27 Most
notably, ISIS has demonstrated a sophisticated understanding of methods for
shielding its communications from electronic surveillance by intelligence
agencies. Security companies have described a manual released by an ISIS
operative urging its followers to use fake phone numbers to set up an encrypted
chat system that will shield ISIS communications from intelligence
surveillance and avoid revealing personal information.28

For the most part, international law has been a bystander to this entire
fabric of stealth, deception, and greed. The individual strands of this story are
bound together by a unique set of oppositional forces and compelling needs for
action.

• The costs of economic cyber espionage are staggeringly high and
will continue to rise unless something is done.29

23 Joe Davidson, ISIS Threatens Feds, Military After Theft of Personal Data, WASH. POST (Jan. 31,
2016), https://www.washingtonpost.com/news/federal-eye/wp/2016/01/31/isis-threatens-feds-military-after-
theft-of-personal-data/.
24 Id.
25 CNN Staff, CENTCOM Twitter Account Hacked, Suspended, CNN POLITICS (Jan. 12, 2015, 5:43 PM),
http://www.cnn.com/2015/01/12/politics/centcom-twitter-hacked-suspended/.
26 Jigmey Bhutia, Isis ‘Cyber Caliphate’ Hacks More than 54,000 Twitter Accounts, INT’L BUS. TIMES
(Nov. 9, 2015, 9:10 AM), http://www.ibtimes.co.uk/isis-cyber-caliphate-hacks-more-54000-twitter-accounts-
1527821.
27 Kate O’Keeffe, American ISIS Recruits Down, but Encryption Is Helping Terrorists’ Online Efforts,
Says FBI Director, WALL ST. J. (May 11, 2016, 8:54 PM), http://www.wsj.com/articles/american-isis-recruits-
down-but-encryption-is-helping-terrorists-online-efforts-says-fbi-director-1463007527?mg=id-wsj.
28 Kim Zetter, Security Manual Reveals the OPSEC Advice ISIS Gives Recruits, WIRED (Nov. 19, 2015,
4:45 PM), http://www.wired.com/2015/11/isis-opsec-encryption-manuals-reveal-terrorist-group-security-protocols/.
29 See infra note 53 and accompanying text.

• The Snowden leaks have sown distrust among citizens and
between allied governments, each doubting the veracity of the
United States and other nations’ intelligence collection
practices.30

• Intelligence collection incidentally but persistently invades
citizens’ liberties in collecting beyond the reasonable needs of
government.31

• Yet continuing terrorist attacks in a wide range of locations
reinforce the need for the most effective means of electronic
surveillance of potential terrorist activities.32

• Traditional espionage is now scapegoated in ways that harm
allied relationships and impose costs on intelligence collection.

If we do not act to put a stopper in these escalating crises of costs and
confidence soon, the security and integrity of the Internet may be up for grabs,
not to mention the efficacy of intelligence collection by electronic means.

III. THE LIMITED ROLE OF INTERNATIONAL LAW

Cyberspace remains a netherworld for intelligence activities—whatever
surveillance or cyber spying a government does outside its own national
borders is, in most circumstances, an international law free-for-all. Decades of
state practice tell us that surveillance or espionage may be conducted across
borders without violating sovereignty.33 Examples of presumably permissible
behavior include collecting the contents of electronic communications or
metadata about them; watching government computer systems, including
SCADA systems, through cyber penetration; exfiltration of government data,
including military or other national security secrets; and denial of service
penetrations that decrease the bandwidth for government web sites. Disruptive
cyber activities that are not destructive or coercive in some way apparently do
not violate international law. The line between permitted espionage and
unlawful cyber intrusions is far from clear.

30 Alan Travis, Snowden Leak: Governments’ Hostile Reaction Fuelled Public’s Distrust of Spies,
GUARDIAN (June 15, 2015, 11:19 AM), https://www.theguardian.com/world/2015/jun/15/snowden-files-us-uk-
government-hostile-reaction-distrust-spies.
31 See infra notes 45–49 and accompanying text.
32 See Kelly, supra note 3; Sanger, supra note 3.
33 Glenn Sulmasy & John Yoo, Counterintuitive: Intelligence Operations and International Law, 28
MICH. J. INT’L L. 625, 626, 628 (2007).

One response to the increasing concerns about online theft of intellectual
property and complaints of invasions of privacy has been for more
governments around the world to enact or at least talk about data-localization
laws. Such laws, already in place in authoritarian states such as Russia, China,
and Iran, typically enforce limitations for all citizen data and the infrastructure
that supports it.34 China strictly vets companies selling Internet technology and
services in China.35 Now-democratic states such as Brazil, India, and Germany
are contemplating data-localization. Brazil plans to stop using Microsoft
Outlook for e-mail, and Germany has unhooked from Verizon and signed on
with Deutsche Telekom.36 There is talk among our European allies about
creating a European Internet.37

To what extent does the uniqueness of the cyber domain make cyber
espionage and foreign intelligence surveillance legally distinct? On the one
hand, the fact that no person has to cross a border to accomplish the espionage
or surveillance probably does not matter, legally. Remoteness is just a means
of collection. On the other hand, attribution, knowing who stole your secrets, is
a serious technical problem and makes controlling cyber exploitation more
difficult than keeping tabs on traditional spying. In addition, in the cyber world
distinguishing exploitation from a cyber attack (an intrusion designed to
disrupt or destroy systems or data) can be difficult. The malware that exploits a
computer to retrieve its data may be indistinguishable at first from malware
that will destroy the computer hard drive. Thus, the exploited state may be
hard-pressed deciding how to prepare and respond.

States have historically tolerated traditional espionage because they all do it
and gain from it.38 Domestic laws proscribe spying for those that are caught.
Most espionage disputes are resolved through diplomacy, and in extreme
cases, states send the spies home. In cyber espionage, the status quo favors

34 Anupam Chander & Uyên P. Lê, Data Nationalism, 64 EMORY L.J. 677, 686–88, 701–02, 735–36
(2015).
35 Paul Mozur, New Rules in China Upset Western Tech Companies, N.Y. TIMES (Jan. 28, 2015),
http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-rules-perturb-western-tech-
companies.html?_r=0.
36 Anton Troianovski & Danny Yadron, German Government Ends Verizon Contract, WALL ST. J. (June
26, 2014, 2:54 PM), http://www.wsj.com/articles/german-government-ends-verizon-contract-1403802226; see
also Brazil to Create Its Own Email System After Protesting U.S. Spying, UPI.COM (Oct. 14, 2013, 5:12 PM),
http://www.upi.com/Science_News/Technology/2013/10/14/Brazil-to-create-its-own-email-system-after-
protesting-US-spying/69911381785172/.
37 Sam Ball, Plans to Stop US Spying with European Internet, FRANCE 24, http://www.france24.com/en/
20140217-european-internet-plans-nsa-spying (last updated Feb. 18, 2014).
38 See Sulmasy & Yoo, supra note 33, at 626–29.

sophisticated countries with the finances and technological capabilities to
extract the intelligence. But the status quo is changing rapidly. Cyberspace
reduces the power differentials among actors. Powerful states have more cyber
resources but also more government and private-sector vulnerabilities. The
advantage increasingly lies with state-sponsored and non-state hackers—the
offense, not the defense—and the costs of cyber exploitation of security and
proprietary data are forcing states to look for ways to curb the espionage.

To date, efforts to anchor the law of cyber espionage or foreign-intelligence
surveillance in international law have developed in three mostly nascent
directions. One potential pathway is the conventional and customary norm of
nonintervention, a corollary to state sovereignty. The principle of
nonintervention is reflected in Article 2(4) of the U.N. Charter and its
prohibition of “the threat or use of force against the territorial integrity or
political independence of any state.”39 In theory at least, nonintervention is
broader than use of force and the Charter. As the International Court of Justice
stated in Nicaragua v. United States,40 wrongful intervention involves
“methods of coercion,”41 and the United States engaged in wrongful
intervention even though it did not use force in Nicaragua. Should
nonintervention take on new meaning in the twenty-first century based on the
expanding cornucopia of technical means for crossing sovereign borders
without human intervention? Apart from the technical means, does the
contemporary use of state-supported espionage to steal trade secrets and
intellectual property constitute intervention? Is a breach of the norm measured
by the impact of the intervention, whether virtual or physical? Certainly cyber
surveillance or espionage targeting government activities interferes with the
internal affairs of the victim state.

However, the legislative history of the Charter and later commentary
confirm that “force” in Article 2(4) does not include economic or political
pressure.42 Thus, under the Charter, espionage does not constitute an
internationally wrongful act triggering state responsibility under international
law. (If a state is responsible for an unlawful act, the victim state is entitled to
reparation, and a state may take any responsive actions that neither amount to a

39 U.N. Charter art. 2, ¶ 4.
40 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986 I.C.J.
Rep. 14 (June 27).
41 Id. at ¶ 205.
42 Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36
YALE J. INT’L L. 421, 422 (2011).

use of force nor breach a treaty or customary law obligation. Or it may take
countermeasures.)43 Cyber exploitation directed at financial targets, for
example, could cause economic loss, panic in the streets, and a loss of public
confidence in the state. Yet if there is no physical damage or loss of life, the
Charter suggests that the norm of nonintervention has not been violated.

Some scholars have argued in the alternative that cyber espionage is a
lawful precursor to a state’s exercise of its U.N. Charter Article 51 self-defense
rights.44 Preparing for and anticipating an armed attack is critically important
in the modern world, the argument goes. If not affirmatively allowed as an
adjunct to Article 51, others maintain that espionage has been recognized by
widespread state practice and thus is supported by a norm of customary
international law.

From the human rights perspective, electronic surveillance could be seen to
violate the International Covenant on Civil and Political Rights (ICCPR),
Article 17(1), which protects against “arbitrary or unlawful interference
with . . . privacy.”45 The reach and application of the ICCPR and a similar
provision in the European Convention on Human Rights46 (ECHR) outside any
state’s territory are unsettled, although there is support for the view that the
protection extends to foreign nationals outside the territory of the state party in
the context of electronic surveillance or cyber intrusions. The U.N. Special
Rapporteur wrote that Article 17 protects against “mass surveillance of the
Internet,” and that bulk surveillance must be justified following a
proportionality analysis that accounts for “systematic interference with the
Internet privacy rights of a potentially unlimited number of innocent people
located in any part of the world.”47 The Rapporteur finds bulk collection
“indiscriminately corrosive of online privacy” and threatening to the core of
Article 17 privacy.48 (Jurisdictional issues cloud whether any court or treaty
body would apply human rights law to surveillance or cyber spying.) Cases are

43 Michael N. Schmitt, “Below the Threshold” Cyber Operations: The Countermeasures Response
Option and International Law, 54 VA. J. INT’L L. 697, 703 (2014).
44 Ashley Deeks, An International Legal Framework for Surveillance, 55 VA. J. INT’L L. 291, 302
(2015); see also U.N. Charter art. 51 (“Nothing in the present Charter shall impair the inherent right of
individual or collective self-defense . . . .”).
45 International Covenant on Civil and Political Rights art. 17, ¶ 1, Dec. 19, 1966, 999 U.N.T.S. 171.
46 Convention for the Protection of Human Rights and Fundamental Freedoms art. 8, Nov. 4,
1950, 213 U.N.T.S. 221.
47 U.N. Secretary-General, Report of the Special Rapporteur on the Promotion and Protection of Human
Rights and Fundamental Freedoms While Countering Terrorism, ¶ 59, U.N. Doc. A/69/397 (Sept. 23, 2014).
48 Id.

pending now in the European Court of Human Rights alleging privacy
violations due to the U.K. Government Communications Headquarters’s
cooperation with the National Security Agency in collecting upstream contents
and bulk data.49

An unusual alignment of interests between some powerful governments
(victims of cyber exploitation and overbroad surveillance), ordinary citizens,
and major corporations and their clients presents what may be a propitious time
for forging new international law in these areas. Governments, citizens, and
influential opinion makers learned a great deal about foreign intelligence
surveillance from the Snowden leaks. And the governments most affected by
the Snowden leaks are some of the same ones most victimized by cyber
espionage of one sort or another.

The United States has already begun to limit its surveillance activities in
response to political pressure, not least from the heads of state whose
conversations were recorded.50 Meanwhile, litigation in European and U.S.
courts and a resolution by the U.N. General Assembly addressing the right of
privacy in the digital era51 sow the seeds of a rights-based reorientation of
international law. Perhaps most important, the economic impacts of cyber
espionage and foreign surveillance are considerable. On the surveillance side
of things, Internet service providers and social media companies in the United
States are losing contracts and clients in many places, and the data-localization
laws and other steps taken by some states to insulate “their” piece of the
Internet threaten to further constrain the global economy.52 As for cyber

49 See, e.g., Applicant’s Reply, 10 Human Rights Orgs. v. United Kingdom, App. No. 24960/15 (2016),
https://www.documentcloud.org/documents/3115985-APPLICANTS-REPLY-to-GOVT-OBSERVATIONS-
PDF.html; Ryan Gallagher, Europe’s Top Human Rights Court Will Consider Legality of Surveillance
Exposed by Edward Snowden, INTERCEPT (Oct. 3, 2016), https://theintercept.com/2016/09/30/echr-nsa-gchq-
snowden-surveillance-privacy/.
50 Presidential Policy Directive PPD-28: Directive on Signals Intelligence Activities, 2014 DAILY COMP.
PRES. DOC. 31 (Jan. 17, 2014); REVIEW GROUP ON INTELLIGENCE AND COMMC’NS TECHS., LIBERTY AND
SECURITY IN A CHANGING WORLD: REPORT AND RECOMMENDATIONS OF THE PRESIDENT’S REVIEW GROUP ON
INTELLIGENCE AND COMMUNICATIONS TECHNOLOGIES 20 (2013), https://www.whitehouse.gov/sites/default/
files/docs/2013-12-12_rg_final_report.pdf (suggesting steps to place certain allied leaders’ private
communications off-limits for the NSA).
51 Human Rights Council, Rep. of the Office of the U.N. High Comm’r for Human Rights, The Right to
Privacy in the Digital Age, U.N. Doc. A/HRC/27/37 (June 30, 2014).
52 Claire Cain Miller, Revelations of N.S.A. Spying Cost U.S. Tech Companies, N.Y. TIMES, (Mar. 21,
2014), http://www.nytimes.com/2014/03/22/business/fallout-from-snowden-hurting-bottom-line-of-tech-
companies.html.

espionage, the estimated $300–600 billion annual price tag53 is illustrative of
the costs imposed by theft of IP and trade secrets, along with other valuable
government and private sector information.

States could agree to distinguish national-security espionage from all other
forms, and tolerate only the former. After all, keeping a nation safe is a high
and noble objective, and intelligence can directly serve that end. The trick is to
thoughtfully limit that power to collect intelligence only where it is necessary
to safeguard national-security interests, and then to be sure that the intelligence
function is subject to effective oversight. All other forms of espionage could be
treated as theft, and rules forbidding that activity could be enforced in the
private, commercial realm. It remains difficult in some instances to distinguish
national-security espionage from other spying. Developing customary
international law is a slow, lengthy process, but it could begin in just this way.
If a sufficient number of other states sign on, new international norms may be
made. A similar process could lead to developing international law on
surveillance, perhaps starting with agreements among the Five Eyes—the
English speaking democracies.

Similarly, states could agree that international law forbids spying by a state
for the direct benefit of a private company. Governments can and have at times
established rules of the road for limiting espionage and created incentives for
cooperation. The 2015 U.S.–China agreement is exemplary.54 The new
approaches are necessary because the model response to conventional
espionage—arrest their spies, expel diplomats, and the like—does not work
when the cyber theft is accomplished remotely by unnamed agents. Trade
sanctions, tariffs, and diplomatic pressures are often effective tools.

Another method of influencing international law could be to adapt domestic
laws to international law. Domestic regulation of cyber espionage in the United
States has been provided by the Economic Espionage Act (EEA), which
proscribes the possession, collection, duplication, transfer, or sale of trade
secrets for the benefit of a foreign nation or any of its agents.55 The Justice
Department is expressly given extraterritorial enforcement authority.56

53 Ellen Nakashima & Andrea Peterson, Report: Cybercrime and Espionage Costs $445 Billion Annually,
WASH. POST (June 9, 2014), https://www.washingtonpost.com/world/national-security/report-cybercrime-and-
espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html (CSIS
places the figure at $375–$575 billion).
54 See supra notes 15–21 and accompanying text.
55 18 U.S.C. § 1831 (2012).
56 18 U.S.C. § 1836 (2012).

Amendments to the EEA in 2012 and 2013 increased the criminal penalties
and the breadth of coverage for stealing trade secrets to benefit a foreign
government.57 New amendments have been recommended that would provide
a private right of action for those who hold trade secrets that have been subject
to theft.58 In addition, the Computer Fraud and Abuse Act (CFAA) prohibits
intentionally causing damage through a computer code or program to any
computer connected to the Internet.59 Although not written with espionage in
mind, the CFAA could be used to counter cyber exploitation. These domestic
laws could provide foundational concepts for developing international
agreements and, eventually, international law.

The benefits of augmenting international law with domestically grown
mechanisms are numerous, but ultimately, customary international law needs
an international platform. For example, in the intellectual property realm,
customary international law could incorporate intellectual property theft
proscriptions from the World Trade Organization (WTO) and the related Trade
Related Aspects of Intellectual Property Rights agreement.60 An advantage is
the use of a respected international forum, where nations such as China could
also seek relief from cyber exploitation (by the United States). A drawback is
that WTO agreements presently require meeting obligations only within the
member’s territory.61 The structure of the agreements could be changed, if the member states
could work out how to prove a state’s responsibility for actions taken outside its own
territory.

In an effort to distinguish espionage while applying domestic legal
structures, states could determine that disruptive cyber actions should be
treated differently than espionage. Such agreements could be grafted onto the
Cybercrime Convention.62 The Cybercrime Convention commits states to enact
domestic laws criminalizing cyber theft.63 Of course, the Cybercrime
Convention could be amended to make unlawful espionage that steals trade
secrets or other proprietary information for the benefit of domestic firms. The
domestic laws required by the Convention are largely ineffective against state-sponsored
theft because of the difficulties of obtaining jurisdiction of accused
cyber criminals and because of diplomatic immunities. The domestic laws are
difficult to enforce anyway because of attribution problems. There are no
enforceable international law violations recognized by the treaty. As it now
stands, the Cybercrime Convention includes no universal definition of
cybercrime, for example.64 Does cybercrime include theft for espionage
purposes? The Convention has demonstrated that problems of cyber espionage
cannot be addressed as a traditional crime problem because a large portion of
what is criminal is state-tolerated or state-supported. Nor are Mutual Legal
Assistance Treaties useful where the crimes are politically motivated and state
sponsored.

57 Id.
58 Dennis Crouch, Defend Trade Secret Act Moving Forward, PATENTLY-O (Apr. 5, 2016),
http://patentlyo.com/patent/2016/04/secret-moving-forward.html.
59 18 U.S.C. § 1030 (2012).
60 Agreement on Trade-Related Aspects of Intellectual Property Rights, Apr. 15, 1994, 1869 U.N.T.S.
299.
61 See, e.g., id. art. 1, ¶ 1.
62 Convention on Cybercrime, Nov. 23, 2001, 2296 U.N.T.S. 167.
63 Id. art. 2.

Furthermore, distinguishing between cyber espionage and disruptive cyber
activity could encourage states to come to agreements upon some off-limits
parts of cyber. For example, agreements not to disrupt nuclear installations or
other critical infrastructure would be beneficial to all sides. Abolishing spying
on these systems goes hand in hand with limiting disruption. Once the
infrastructure is off-limits for attack, there is no legitimate reason to illicitly
obtain information about that system.

CONCLUSIONS

The confluence of interests between victims of overbroad surveillance and
cyber espionage presents an opportunity to begin developing new norms and
eventual international law that could bring more rationality, predictability, and
privacy protections to the cyber domain. The costs of cyber espionage are real,
and the threats and vulnerabilities will increase with the progression of
technology. Companies and governments are underprepared for the level of
cyber espionage they are facing. Solutions vary, but they all share the common
foundation of increased international cooperation and the development of a
customary international legal framework that everyone understands.

Meanwhile, blowback from the Snowden leaks has generated sufficient
political pressure to cause some changes to surveillance authorities. As those
reforms develop and privacy claims are litigated in international fora and
European courts, it is likely that new international law will emerge, too,
perhaps in tandem with reforms to the limits on cyber espionage.

64 Id. art. 1.


Cyber Espionage: The Silent Crime of Cyberspace

Virginia Greiman
Boston University, Boston, USA

Abstract: In recent years, the disclosure of secrets through cyber infiltration of America’s largest intelligence organization,
the National Security Agency (NSA), has raised the fears of veteran intelligence officials and close allies around the globe that
no institution or government is secure from those who roam the discrete halls of cyberspace. Although espionage has existed
since before the days of the Greek mythological Trojan horse, no one could have envisioned the sophisticated use of
espionage in today’s networked world. Espionage has been used for political and military intelligence and economic and
industrial pursuits with a lack of understanding of all of the impacts on our daily lives. In the context of foreign or international
law, espionage is sometimes characterized as lawless, without controls or regulation, and it rarely distinguishes between
economic and security based cyber espionage. Through empirical analysis this paper explores the treatment of espionage
under various legal systems including those countries and regions considered the most advanced at cyber espionage, the
United States, the United Kingdom, Russia and China. To provide greater insight into the different perspectives of cyber
espionage from a legal standpoint, this paper distinguishes the law of national intelligence collection from the criminal laws
of economic/industrial espionage on the domestic front. The purpose of this research is to analyze the development of cyber
espionage as a preferred means of contemporary warfare, as well as a tool for economic and political intelligence. The paper
concludes by responding to the challenges faced by nation-states in the development of an effective legal system governing
espionage at the domestic and international level.

Keywords: cyber espionage, cybercrime, foreign surveillance, national intelligence, economic espionage, cyber warfare

1. Introduction
Although many countries all over the world are committing cyber espionage, the United States, Russia, and China
represent the most sophisticated cyber spying capabilities (Senate, 2014). A 2011 Report by the Office of the
National Counterintelligence Executive (ONCIX) suggested that the rise of cyberspace as a platform for
innovation and storage of trade secrets was greatly enhancing the risks faced by American firms. The report also
found that the United States remains the prime target for foreign economic collection and industrial espionage
by virtue of its global technological leadership and innovation (ONCIX, 2011).

Cyber espionage has also become an accepted and even preferred means of warfare. That is not to say that
cyber espionage will replace traditional means of warfare, but it is already affecting the nature of nation-state
conflict. Dunn Cavelty (2012) suggests that this shift began with the Cold War, when the United States and Russia
focused their efforts on covert information gathering over outright warfare. Because all-out war between major
world powers has become less acceptable in the modern world, more cautious strategies have continued into
the 21st century. In the last few decades especially, as technology has become more advanced, cyber espionage
tools have become indispensable to modern military operations (DoD, 2015). The Defense Department
continues to support the Justice Department and other agencies in exploring new tools and capabilities to help
deter such activity in cyberspace (DoD, 2015, p. 12). For example, the United States used verifiable and
attributable data to engage China about the risks posed by its economic espionage. The attribution of this data
allowed the United States to express concerns regarding the impact of Chinese intellectual property theft on
U.S. economic competitiveness, and the potential risks posed to strategic stability by Chinese activity. To deter
China from conducting future cyber espionage, the Justice Department indicted five members of the People’s
Liberation Army for stealing U.S. intellectual property to directly benefit Chinese companies. The Chinese
hackers were indicted on 31 counts, 23 of which were under the Computer Fraud and Abuse Act. While Justice
Officials say the indictment was a breakthrough, others characterize the punishment as only symbolic as the
likelihood of prosecution is slim (DOJ, 2014).

The 2014 Office of Personnel Management (“OPM”) data breach has been described as the greatest theft of
sensitive personnel data in history. However, neither the scope nor scale of the breach, nor its significance, has
been fully investigated and shared with victims and the public. The 22 million victims—and their families—of
this espionage attack share concerns with the deficiency of this counterintelligence campaign that have not been
answered or addressed (Nakashima, 2015).

Based on empirical research this paper explores the unique characteristics of cyber espionage under the laws of
four major powers and the existing legal concepts and doctrines for national intelligence and cybersecurity and
organizes a conceptual legal structure that frames the convergence and divergence in espionage laws and legal
practice, and the areas for harmonization and agreement among nations.

2. Espionage under international law
Espionage, commonly known as spying, is the practice of secretly gathering information about a foreign
government or a competing industry, with the purpose of placing one’s own government or corporation at some
strategic or financial advantage. In the United States, federal law prohibits espionage when it jeopardizes the
national defense or benefits a foreign nation (18 U.S.C.A. § 793). Criminal espionage involves betraying U.S.
government secrets to other nations. Importantly, espionage does not reach the level of use of force under the
U.N. Charter. According to the International Group of Experts that authored the Tallinn Manual 2.0 on the
international law applicable to cyberspace, cyber espionage is distinct from the underlying acts that enable the
espionage (NATO, 2017).

The definition of a cyber-attack varies widely. For example, the United States definition of a cyber-attack does
not include espionage as the U.S. has a separate Espionage Act (Espionage Act of 1917), while Germany makes
no distinction between cyber-attack and probe or espionage (Germany CSS, 2011, pp. 14-15). However,
espionage’s permissibility under international law remains largely unsettled; no global regulation exists for this
important state activity (Pun, 2017). The contradiction of espionage is evident as states deem their own
espionage activities legitimate and essential for national security, while aggressively pursuing criminal actions
against foreign espionage activity. “The law of espionage is, therefore, unique in that it consists of a norm
(territorial integrity), the violation of which may be punished by offended states, however, states have
persistently violated the norm” … (Scott, 1999).

Although it is unclear under international law whether states in general have a lawful right to spy on other states,
the disallowance of certain activities within espionage is clearer (Pun, 2017). The treatment of those involved in
spying activities as well as the use of torture to extract information has been held unlawful by Courts in many
nations (Forcese, 2011). In 2013, fifteen countries, including the United States and China, agreed that
international law, in particular, the United Nations Charter applies in cyberspace and explicitly highlighted the
need to elaborate confidence-building measures and norms, rules, or principles of responsible behavior of States
(UN Report, 2013).

3. The United States Espionage Act, Foreign Intelligence Surveillance Act, and Economic
Espionage Act

More than one hundred years ago, President Woodrow Wilson signed the Espionage Act. Enacted soon after the
United States entered World War I in 1917, the Espionage Act prohibited individuals from expressing or
publishing opinions that would interfere with the U.S. military’s efforts to defeat Germany and its allies.
Specifically, the Espionage Act made it a crime willfully to interfere with U.S. war efforts by conveying false
information about the war, obstructing U.S. recruitment or enlistment efforts, or inciting insubordination,
disloyalty, or mutiny. Ironically, this tension between national security and free speech rights still exists today.

Conviction under the 1917 Act requires proof of intent that the information be used to injure the
United States or to advantage any foreign nation, or reason to believe that the information will be used for either
of these purposes. Section 794(b) applies “in time of war” and prohibits the communication of this information
to the enemy or attempts to elicit any information relating to the public defense. The offenses contained in
sections 794(a) and (b) are punishable by death or imprisonment for any term of years or for life. Courts have
held that the statute requires the government to prove four elements under § 793: (1) the defendant lawfully
or unlawfully had possession of, access to, or control over, or was entrusted with (2) information relating to the
national defense that (3) the defendant reasonably believed could be used to the injury of the United States or
the advantage of a foreign nation and (4) that the defendant willfully communicated, delivered, or transmitted
such information to a person not entitled to receive it (§793). The U.S. Department of Defense tracks the 1917
Espionage Act and defines “espionage” in its Joint Publication 2-01.2 as “[t]he act of obtaining, delivering,
transmitting, communicating, or receiving information about the national defense with an intent, or reason to
believe that the information may be used to the injury of the United States or to the advantage of any foreign
nation” (JP 2-01.2). Espionage is a violation of 18 United States Code 792-798 and Article 106, Uniform Code of
Military Justice.

The Espionage Act is far from a paradigm of clarity. Scholars have described it as “incomprehensible if read
according to the conventions of legal textualism, while paying fair attention to legislative history” (Edgar and
Schmidt, 1986). A major problem that arises from the lack of clarity is to whom exactly the Espionage Act applies.
The plain meaning of the Espionage Act appears to apply to everyone including government employees, leakers,
whistleblowers, and members of the press alike. For example, Section 793(e) prohibits the willful communication
of confidential information by someone who is not authorized to possess it.

To address with more clarity the role of national intelligence and foreign data collection, the United States
passed the Foreign Intelligence Surveillance Act (FISA) in 1978, with major amendments in 2007 and 2008 to
ease restrictions on surveillance of terrorist suspects where one party (or both parties) to the communication
are located overseas (FISA, 1978). Despite the ample evidence that FISA has led federal investigators to
significant victories in the apprehension of terrorists and the conviction of conspirators passing U.S. secrets on
to foreign nations, it has been criticized for not maintaining the proper balance between national security and
the protection of individual privacy (Breglio, 2003; Correia, 2014).

Following the end of the Cold War, in the West there was a noticeable shift of concern about espionage from
that which is political and military in nature to economic espionage, especially when carried out by cyber means
(U.S. Strategy, 2011). In 1996, Congress passed the Economic Espionage Act (EEA), to help reduce the theft by
foreign entities of proprietary information and trade secrets of U.S. businesses. Economic espionage occurs
when a foreign government seeks information to advance its own technological or financial interest against
another government, foreign company or an individual.

The weaknesses of the Economic Espionage Act have been a subject of scholarly research, with some finding that
violations of the Act are difficult to prove and that sentences under § 1831 are minimal, while others argue that the
government has taken a hands-off approach in helping private industry and that other nations offer little support
in international investigations (Reid, 2016). Notably, since the inception of the EEA in 1996 there have
been fewer than 10 convictions to date under the law. Walter Liew was the first person to be convicted of
economic espionage by a U.S. jury in March 2014 and was sentenced to 15 years in prison.

4. China’s National Intelligence and Trade Secrets Law
China passed its new National Intelligence Law on June 27, 2017 by the 28th meeting of the Standing Committee
of the 20th National People’s Congress. Article 1 of the Law states its broad purpose under the Constitution …
“to strengthen and safeguard national intelligence work and to preserve state security and interests” (China,
2017b). The Law further specifies its purpose by providing that “National Intelligence work adheres to the overall
national security perspective, provides intelligence as a reference in major national decision-making, provides
intelligence support for the prevention and mitigation of threats endangering national security, and preserves
the national political power, sovereignty, unity, and territorial integrity, the welfare of the people, sustainable
social and economic development and other major national interests” (Art. 2). Consistent with China’s
governance of national security, the Law stipulates that “The Central Military Commission uniformly leads and
organizes military intelligence efforts” (Art. 3). To address respect for the law and human rights, the Law states
“that the National intelligence efforts shall be conducted in accordance with law, shall respect and protect
human rights, and shall preserve the lawful rights and interests of individuals and organizations” (Art. 8).

The United States Intelligence Community in their 2017 Threat Assessment Report ranked China as the number
one threat against U.S. interests in cyberspace noting that Beijing will continue actively targeting the US
Government, its allies, and US companies for cyber espionage (Coates, 2017). As noted in the Report, the
Chinese government continues to conduct pervasive industrial espionage against U.S. companies, universities,
and the government and direct efforts to circumvent U.S. export controls to gain access to cutting-edge
technologies and intellectual property in strategic sectors (U.S.-China, 2017). According to the Intellectual
Property Commission Report by the National Bureau of Asian Research (NBAR) the scale of international theft
of American intellectual property (IP) is in the hundreds of billions of dollars per year, on the order of the size of
U.S. Exports to Asia (NBAR, 2013, p. 1).

China’s espionage laws, like those of the United States, encompass both trade secret protections and national security.
China first enacted trade secret “protections” in 1993 with the passage of Article 10 of the Unfair Competition
Law, which prohibits businesses from the following: a) obtaining the trade secret of the rightful party by theft,
inducement, duress or other illegal means; b) disclosing, using or allowing others to use the trade secrets of the
rightful party obtained by illegal means; or c) disclosing, using or allowing others to use trade secrets in breach
of an agreement or the confidentiality requirement imposed by the rightful party (China, 1993).

5. The United Kingdom’s Espionage and Trade Secrets Law
From the earliest days of the British intelligence community, which was established in the early twentieth
century, there was a close connection between intelligence-gathering and empire (Walton, 2013). Intelligence
played an essential role in the administration of the empire, which by the 1920s had grown to encompass one-
quarter of the world’s territory and population. The formation of the two services that would later become
known as MI5 and SIS (commonly called MI6) represented a fundamental break with all British intelligence-
gathering efforts up to that point. For the first time, the government had professional, dedicated peacetime
intelligence services at its disposal (Walton, 2013, p. 5).

Historically, the United Kingdom embraced a stronger culture of secrecy than the United States (Donahue, 2005).
The Official Secrets Act of 1989 is the key statute that prohibits the unauthorized disclosure of government
information. The law criminalizes “secondary disclosures,” that is, the publication by journalists or members of
the public of protected information received from government employees in contravention of the law (OSA,
1989).

The Official Secrets Act 1889 (52 & 53 Vict. c. 52) was an Act of the Parliament of the United Kingdom. It created
offences of disclosure of information (section 1) and breach of official trust (section 2). It was replaced in the UK
by the Official Secrets Act 1911. The Official Secrets Act 1989 (c. 6) replaced section 2 of the Official Secrets Act
1911, thereby removing the public interest defense created by that section. The Official Secrets Bill was enacted
to give increased powers against offences of disclosing confidential matters by officials, and to prevent the
disclosure of such documents and information by spies, and/or to prevent breaches of official trust, in order to
punish such offences of obtaining information and communicating it, against the interests of the British State.

Unlike the U.S., Russia and China, the United Kingdom (UK), has not criminalized the misappropriation of trade
secrets, and has limited its remedies to civil actions including injunctive relief, search and seizure orders and
damages (UK, 2017). Based on an extensive consultation paper on the protection of official data, the UK Law
Commission recently recommended that the UK criminalize the theft of trade secrets, however, the
recommendations have not been acted upon (UK, 2017). The UK also proposed changes to the Serious Crime Bill
in order to deter hackers by increasing the penalty under the Computer Misuse Act to a life sentence.

6. Russia’s Espionage and Trade Secrets Law
Russia’s External Intelligence Service (SVR) is the current incarnation of one of the world’s oldest and most
extensive espionage agencies, known for decades as the KGB (BBC, 2010). While China uses various methods to
steal foreign trade secrets for both political and economic interests, Russia has recently focused its efforts on
cyber espionage to promote its national economic interests, while also employing intelligence officers under
diplomatic cover.

The Criminal Code of the Russian Federation, Law No. FZ-190 as amended in 2012, sets out what is termed “High
Treason,” which is defined as “espionage, disclosure of state secrets, or any other assistance rendered to a
foreign State, a foreign organization, or their representatives in hostile activities to the detriment of the external
security of the Russian Federation committed by a citizen of Russia” (RF, 1996, 2012). Under Article 275 of Law
No. FZ-190 high treason shall be punishable by 12 to 20 years imprisonment with or without a fine in an amount
of up to 500 thousand roubles or in the amount of the wage or salary, or other income of the convicted person
for a period of up to three years.

According to the Russian Federal Security Service (FSS), which proposed the bill, the amendments are aimed at
emphasizing that state treason is a broad concept and that espionage and disclosure of state secrets are forms
of it (RF, 2012). The FSS also stated, in its explanatory memo to the amendment law, that previous practice in
enforcing the law in cases related to state treason and espionage identified the necessity of prosecuting acts of
cooperation with representatives of international organizations engaged in hostile activities as state treason and
of extending the liability of persons to whom state secrets are entrusted (Russia Code, Art. 51). The new Law
has caused concern among human rights activists, who argue that its parameters of state treason are too broad
and that there are no firm criteria to define when cooperation with an international organization assumes a
criminal character, thereby leaving that assessment to the discretion of investigative and judicial authorities
(Ozerova, 2012).

Trade Secrets in Russia are protected under the Federal Law on Commercial Secrecy, Law No. 98-FZ effective 29
July, 2004 as amended in 2006 and 2007. Such secrets are protected from insiders to whom secrets have been
entrusted, outsiders who obtain the secrets by improper means, and government agencies that might obtain
and release the secrets (U.S. Library of Congress, 2012). Violating the trade secret law can entail disciplinary,
civil, administrative, or criminal liability as provided by the legislation.

7. Challenges to harmonization of the international perspectives on cyber espionage
As shown by each country’s approach to espionage, domestic laws are not sufficient to negotiate the challenges
arising from trans-border issues such as those relating to national security and human rights, the public’s right
of access to information, the individual’s right to privacy, the corporation’s right to remain competitive, the right
to criminal process, and extraterritorial jurisdiction. International cooperation and international laws are also
needed—both to allocate authority among political entities, and to define and protect core substantive values
in the physical and virtual worlds (Bederman and Keitner, 2016). Powerful actors such as the United States,
Russia, the United Kingdom and the United States have not gone far enough in addressing global inequality and
the digital divide. International laws can address these injustices in ways that domestic laws cannot because of
each nation’s own self-interest in national security and economic advancement.

The United Nations Charter requires that any use of force, cyber or otherwise, must meet the requirements of
military necessity, distinction between civilians and military targets, proportionality, and avoidance of
unnecessary suffering (UN Charter, 1945). To the extent that cyber espionage amounts to an act of war, the
international community must recognize and monitor these behaviors to maintain a peaceful existence.

Scholars contend that a treaty which bans the use of cyber-attacks or limits their use is not realistic because
there is currently no way to ensure compliance. More effective may be the establishment of norms as proposed
by NATO, the OECD and other transnational organizations to prevent the possibility of a cyber war conducted
through the use of cyber espionage. Developing state practice and norms that build on current international law,
rather than prohibiting espionage outright, might be a more realistic approach. As noted by one
expert, “[i]f states want these voluntary, non-binding norms of responsible state behavior in cyberspace to be
truly meaningful words that can achieve their desired goals, then their actions and practice must demonstrate
those tenets. States must demonstrate that they are willing to take the necessary steps to protect the security
and prevent the misuse of the Internet in their respective countries” (Hathaway, 2017). This requires a calling
out of wrongful acts conducted by other states, something that victimized states have been reluctant to do
(Hathaway, 2017, p. 5). We cannot afford to be silent anymore.

Vice Admiral Arthur K. Cebrowski, former Director, Office of Force Transformation at the Pentagon introduced
the concept of institutionalizing transformation by innovating faster than our opponents and advocating more
open access to information. If we are to be effective in the digital age, new approaches must be considered for
national security that may require “less in trying to restrict information and more in knowing what is occurring”
(Blaker, 2006).

More cooperation among states at the international level is also clearly needed concerning economic espionage.
Legal scholars have also noted the need for accountability at the international level when one country is
wrongfully attacked by another (Kuntz, 2013). For example, the United States’ Cyber Economic Espionage
Accountability Act expresses the sense of Congress that cyber economic espionage should be a priority issue in
all economic and diplomatic discussions with the People’s Republic of China, with the Russian Federation and
other countries determined to encourage, tolerate, or conduct such cyber economic espionage (U.S., 2014).

A review of the espionage laws shows the need for the United States to take a lead in developing better
international collaboration and clearer laws. On the national security side, this requires stronger sanctions and
cooperation from the international community, and stronger penalties for economic espionage. Since the
enactment of the EEA in 1996 the statute has been amended to increase the fines that can be imposed from
$500,000 to $5 million in the case of an individual and from $10 million to not more than the greater of $10
million or three times the value of the stolen trade secret (Economic Penalty Act, 2013). Though these fines are
severe they clearly do not go far enough in changing the behaviors of the perpetrators.

The United States Espionage Act needs revision to remove confusion and create a more consistent application
of the law. In order to effectively prosecute legitimate cases of espionage, courts and prosecutors must clearly
understand what constitutes espionage. Technology and the classification system for espionage should comport
with modern reality. International cooperation on the conduct of espionage may take decades, but in the
interim, application of the statute to leakers, whistleblowers and others requires amendment of this antiquated
law to better protect our nation’s interests and our competitive advantage in the world.

8. Conclusion
Although States may take different positions on the application, interpretation and development of international
law, they have reached a consensus on the applicability of international law to cyberspace. Though the prospects
of a comprehensive binding treaty on cyber espionage remain a challenge, the existence of a multiplicity of
diverse non-binding norm initiatives, as well as several recent bilateral agreements reached between the main
cyber powers, demonstrate that cyber norms development is possible.

Future research must explore possible solutions for enhancing not only the laws of espionage, but the policies
that inform these laws to meet modern realities. This requires multilateral cooperation and an international
agreement on the rules and norms that govern cyber espionage both at the national security and economic level
to better meet the needs of our evolving digital society.

References
Bederman, D. and Keitner, C. (2016) International Law Frameworks, (4th ed) Foundation Press, New York.
Blaker, J. (2006) “Arthur K. Cebrowski: A Retrospective,” Naval War College Review, spring 2006, Vol. 59, No. 2.
Breglio, N. K. (2003) “Leaving FISA Behind: The Need To Return To Warrantless Foreign Intelligence Surveillance,” 113 Yale L.J. 179.
British Broadcasting Company (BBC) (29 June 2010) News Profile: Russia’s SVR intelligence agency.
China’s National Intelligence Law of the PRC (Promulgated on June 27, 2017 by 28th meeting of the Standing Committee of the 20th National People’s Congress) effective June 28, 2017.
China’s Unfair Competition Law of the PRC (September 2, 1993) promulgated by People’s Republic of China Presidential Order No. 10.
Coates, D. R. (11 May 2017) Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community, Director of National Intelligence Testimony, Senate Select Committee on Intelligence.
Correia, E. R. C. (2014) “Pulling Back The Veil Of Secrecy: Standing To Challenge The Government’s Electronic Surveillance Activities,” 24 Temp. Pol. & Civ. Rts. L. Rev. 185.
Donohue, L.K. (2005) “Terrorist Speech and the Future of Free Expression,” 27 Cardozo L. Rev. 233, 325-26.
Dunn Cavelty. (2012) “The Militarization of Cyberspace: Why Less May Be Better”, IEEE Explore, 2012 4th International Conference on Cyber Conflict (CYCON), Tallinn, Estonia, p 113.
Economic Espionage Act (EEA) (October 11, 1996) 18 U.S.C. Sections 1831 and 1832.
Edgar, H. and Schmidt, B.C. (1986) “Curtiss-Wright Comes Home: Executive Power and National Security Secrecy,” 21 Harvard Civil Rights-Civil Liberties Law Review, 349, 393.
Forcese, C. (2011) “Spies Without Borders: International Law and Intelligence Collection” 5 J. Nat’l Security Law and Policy 179, 186-93.
Foreign and Economic Espionage Penalty Enhancement Act (FEEPEA) of 2012, Pub. L. No. 112-269, 126 Stat. 2442. (2013).
Germany. (2011) “Cyber Security Strategy for Germany.” Federal Ministry of the Interior, February.
Hathaway, M. (2017) “Getting Beyond Norms,” CIGI Papers No. 127, Centre for International Governance Innovation, Ontario, Canada.
Joint Publication (JP-201). (05 January 2012) Joint and National Intelligence Support to Military Operation, Chairman of the Joint Chiefs of Staff, U.S. Department of Defense, Washington, D.C.
Kuntz, R. L. (2013) “How Not To Catch A Thief: Why The Economic Espionage Act Fails To Protect American Trade Secrets,” 28 Berkeley Tech. L.J. 901.
Nakashima, E. (2015) “Hacks of OPM databases compromised 22.1 million people, federal authorities say.” The Washington Post, Washington, D.C., July 9.
National Bureau of Asian Research (2013) “Intellectual Property Commission Report of the Commission on the Theft of American Intellectual Property,” The National Bureau of Asian Research (NBR), Seattle Washington.
NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) (2017) “The Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations,” (Michael Schmitt and Liis Vihul (eds.)) Cambridge University Press, Cambridge, England.
Ozerova, M. (2012) “He Did Not Betray Himself: Putin Signed the Law on State Treason” [in Russian], Moskovskii Komsomolets, 15 November.
Pun, D. (2013) “Rethinking Espionage in the Modern Era” 18 Chicago Journal of International Law 353.
Reid, M. (2016) “A Comparative Approach to Economic Espionage: Is Any Nation Effectively Dealing With This Global Threat?” 70 U. Miami L. Rev. 757.
Russian Federation (RF) (2012) Explanatory Memo to the Draft Federal Law on Amending the Criminal Code of the Russian Federation and Article 151 of the Criminal Procedure Code of the Russian Federation [in Russian], State Duma of the Russian Federation.
Russian Federation (RF) Criminal Code No. 63-FZ of June 13, 1996 (as amended up to Federal Law No. 120-FZ of June 7, 2017).
Russia Law Nr. 190-FZ [in Russian], Rossiiskaia Gazeta, No. 5935 (Nov. 14, 2012) (official publication).
Russian Federation Article 151 of the Criminal Procedure Code [in Russian], State Duma of the Russian Federation (June 29, 2015) Amendments to Article 183 of the Russian Criminal Code.
Scott, D. (1999) “Territorially Intrusive Intelligence Collection and International Law,” 46 A.F. L. REV. 217, 218.
Senate Select Committee on Intelligence (January 29, 2014) Open Hearing on Current and Projected National Security Threats to the U.S., 113th Cong.
The Charter of the United Nations signed on 26 June 1945.
The Foreign Intelligence Surveillance Act of 1978 (FISA) Pub.L. 95–511, 92 Stat. 1783, 50 U.S.C. ch. 36.
The United Kingdom, Official Secrets Act 1989, c. 6 and Official Secrets Act 1911, c. 28.
The United Kingdom Law Commission (2017) “Protection Of Official Data,” Consultation Paper No 230, Crown Copyright, London, England.
United Nations (2013) United Nations General Assembly Group of Governmental Experts on Developments in the field of information and telecommunications in the context of international security, United Nations General Assembly, Sixty-eighth session, 24 June.
United States Department of Defense (US DoD) (2015) “Department of Defense Strategy for Operating in Cyberspace.” Pentagon, Washington, D.C.
United States Cyber Economic Espionage Accountability Act Summary: H.R.2281 — 113th Congress (2013-2014).
United States Department of Justice (2014) “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporation and a Labor Organization for Commercial Advantages,” U.S. Department of Justice, Office of Public Affairs, Washington, D.C.
United States Library of Congress (2012) Russia: Espionage and State Treason Concepts Revised, Law Library of Congress, Washington, D.C., November 28.
United States Office of the National Counterintelligence Executive (ONCIX) (2011) “Foreign Spies Stealing US Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage 2009-2011,” October 2011. Director of the National Counterintelligence and Security Center under the Office of the Director of National Intelligence (ODNI), Washington, D.C.
U.S.-China Economic And Security Review Commission (2017) “Report to Congress. Executive Summary and Recommendations.” One Hundred Fifteenth Congress, First Session, November 2017.
Walton, C. (2013) Empire of Secrets: British Intelligence, The Cold War and the Twilight of Empire, The Overlook Press, New York, NY.


Virginia Greiman is Professor of Global Cyber Law and Governance and Megaprojects and Planning at Boston University
and she teaches at Harvard University Law School. She served as a diplomatic official to the U.S. Department of State in
Eastern and Central Europe, Asia and Africa and has held several high level appointments with the U.S. Department of
Justice.

Jeffrey Guion is a Captain in the U.S. Air Force and a graduate student at the Air Force Institute of Technology. He has a
Computer Science B.S. from Northeastern University and previously managed the Wing Cybersecurity Office at Edwards
AFB. He is currently working on mission relevant cyber terrain mapping for his thesis.

Rudy Agus Gemilang Gultom is a senior researcher at the Indonesian Defense University (IDU), Indonesia. He finished his
M.Sc. in Computer Science from the University of Sheffield, United Kingdom (funded by the British Chevening Scholarship).
He finished his Doctoral Degree in Electrical Engineering from University of Indonesia, Indonesia (funded by the Indonesian
Government).

Ginger Guzman is currently an international research fellow at The Institute of World Politics and is a PhD candidate in the
School of Governance, Law, and Society at Tallinn University. Her research and interests are on cyberpower, security
studies, and international relations. More specifically her work examines the role of ideational cyberpower for states.

Sharif Hassan has over 15 years of experience in Cyber security, specifically adversarial Cyber testing, and is the manager of
the Lockheed Martin corporate Red Team. Sharif is currently pursuing his PhD in Computer Science at the University of
Central Florida.

Dr. Moniphia O. Hewling is a Cyber Security Consultant who currently heads the Jamaica Cyber Incident Response Team, a
division in the Ministry of Science Energy and Technology. Often described as a cyber-warrior, Dr. Hewling’s main aim at
this juncture is to drive the creation of a robust cyber security framework for Jamaica.

Vahid Heydari received the M.S. degree in Cybersecurity and the Ph.D. degree in Electrical and Computer Engineering from
the University of Alabama in Huntsville. He is currently an Assistant Professor of Computer Science at Rowan University,
Glassboro, NJ, USA. His research interests include moving target defenses, mobile ad-hoc, sensor, and vehicular networks
security.

Dr Corey Hirsch is Chief Information Security Officer of Teledyne Technologies. He also serves as visiting fellow at both
Warwick Business School, Coventry, and Henley Business School at University of Reading, U.K. Dr. Hirsch teaches
information security at Stevens Institute of Technology. His practice and teaching centers around enterprise systems,
leading the ICT function, information security, operations, and competitor intelligence. His 24-year career with Tektronix,
Inc. included overseas assignments totaling nine years, and culminated as vice president, Europe. Both LeCroy and
Tektronix participate in the test and measurement industry. Dr. Hirsch has research interests in information security and
enterprise risk management. He earned his doctorate in business administration from Brunel University, London.

Michael Bennett Hotchkiss has research interests in the study of Information Warfare, Propaganda, Disinformation, and
the History of Espionage. Michael possesses a Master of Organization Development degree (M.O.D.) from Bowling Green
State University (USA), and a Bachelor of Arts in Industrial Psychology (minor Criminal Justice, Phi Beta Kappa honors) from
University of Connecticut (USA).

Gazmend Huskaj is a PhD candidate in Cyber Operations at the Swedish Defence University. He received his MSc in
Information Security from Stockholm University in 2015 as a distinguished graduate. Previously, he was Director
Intelligence in the Swedish Armed Forces focusing on cyber-related issues. He is also an ISACA Certified Information Security Manager (CISM).

Steve Hutchinson is a cyber security researcher with ICF contracted to the US Army Research Laboratory. He has research
interests in the cognitive aspects of cyber security decision-making and human-machine interface techniques to augment
analyst capabilities. He has a MS in Instruction Science, graduate studies in Computer Science, and BS in Electrical
Engineering.

Ehinome Ikhalia holds a PhD in Information Systems and Computing and possesses exceptional insight in the application of cyber security. He keeps his finger on the pulse of cyber security and has presented at international


© 2018 Carnegie Endowment for International Peace. All rights reserved.

Carnegie does not take institutional positions on public policy issues; the views represented herein
are the authors’ own and do not necessarily reflect the views of Carnegie, its staff, or its trustees.


CONTENTS

ABOUT THE AUTHORS

ACKNOWLEDGMENTS

TIMELINE

SUMMARY

INTRODUCTION

CHAPTER ONE: IRAN: TARGET AND PERPETRATOR

CHAPTER TWO: IRAN’S CYBER ECOSYSTEM: WHO ARE THE THREAT ACTORS?

CHAPTER THREE: IRAN’S EXTERNAL TARGETS

CHAPTER FOUR: IRAN’S INTERNAL TARGETS

CONCLUSIONS AND PRESCRIPTIONS

GLOSSARY

NOTES

CARNEGIE ENDOWMENT FOR INTERNATIONAL PEACE

ABOUT THE AUTHORS

COLLIN ANDERSON is a Washington, DC–based researcher focused on cybersecurity and internet regulation, with an emphasis on countries that restrict the free flow of information. Beginning in January 2018, he will be a fellow in the TechCongress Congressional Innovation Fellowship program. Prior to this fellowship, Anderson’s involvements have included working as a researcher at Measurement Lab, producing numerous publications on privacy and security, and advising several organizations focused on human rights and Iran.

KARIM SADJADPOUR is a senior fellow at the Carnegie Endowment for International Peace, where he focuses on Iran and U.S. foreign policy toward the Middle East. He is also an adjunct professor at Georgetown University’s School of Foreign Service, teaching a class on U.S. foreign policy and the Middle East.

ACKNOWLEDGMENTS

The authors would like to primarily thank Claudio Guarnieri, who was responsible for a significant amount of the technical analysis that informs this report.

Parts of this research were made possible based on the generous access to data provided by DomainTools. Similarly, this work was supported by dozens of organizations and individuals in the Iranian human rights community who provided cases and context, including but not limited to Amir Rashidi, Nariman Gharib, Nima Fatemi, Simin Kargar, and Farnoosh Hashemian.

In addition, Tim Maurer, Michele Dunne, Eli Levite, George Perkovich, Jen Psaki, and Mayss al-Alami at the Carnegie Endowment for International Peace, as well as former intern E. Scott Goldstein, provided very helpful feedback on drafts of the report.

Lastly, over the course of this research, we have had the fortune of meeting members of the cybersecurity and information technology communities that have acted as advisers and provided their expertise. It is immensely gratifying to know that behind the scenes of important communications platforms and security companies, there are people who hold such concern for the well-being of others in distant countries. These experiences have lent reassurance that the internet might continue to provide opportunities to at-risk populations against threats to their safety and liberty.

TIMELINE

JANUARY 1992
Iran first connects to the internet.

2000
Internet access becomes increasingly common, with hundreds of thousands of Iranians
going online on a regular basis.

2001
The Supreme Council of the Cultural Revolution issues rules on internet access, including
mandatory filtering and surveillance of sites considered politically, culturally, and
religiously subversive.

FEBRUARY 2002
The hacking forum Ashiyane is created, serving as a catalyst for Iran’s hacking community
and later implicated in facilitating the Iranian government’s repression of dissidents.

APRIL 2003
Sina Motalebi is arrested, one of the first bloggers in the world arrested for their online
writings, commencing a crackdown on internet expression.


JUNE 2005
Hardliner Mahmoud Ahmadinejad is elected president of Iran, marking a new era of
domestic repression and international hostility.

2007
Iranian threat actors begin to develop tools and conduct campaigns.

JUNE 2009
The contested reelection of Mahmoud Ahmadinejad provokes Iran’s largest popular
uprising since 1979, known as the Green Movement.

DECEMBER 2009
The Iranian Cyber Army defaces Twitter—taking it offline for several hours—in response
to the Green Movement.

SEPTEMBER 2011
An Iranian hacker breaches Dutch security firm DigiNotar, allowing the Iranian
government to spy on Gmail users in Iran. This remains one of the largest security
breaches in the history of the internet.

APRIL 2012
Iranian oil infrastructure is targeted by sabotage malware agents Flame and Wiper.

JUNE 2012
New York Times reporter David Sanger makes public the details of Operation Olympic
Games. One of the most sophisticated cyber attacks in history, the operation was begun by
the United States and Israel in 2007 to covertly sabotage Iran’s nuclear infrastructure.

JULY 2012
The Madi malware agent, the first Iranian-attributed espionage cyber campaign,
is disclosed.

AUGUST 2012
Saudi Aramco, the world’s largest oil company, has data destroyed by the malware
agent Shamoon.


SEPTEMBER 2012
The first denial-of-service attacks against U.S. banks in what is known as
Operation Ababil.

JUNE 2013
Pragmatic cleric Hassan Rouhani is elected president of Iran, with the promise of
improving Iran’s economy by resolving the nuclear standoff.

NOVEMBER 2013
Announcement of nuclear negotiations between the United States, China, Russia, UK,
France, and Germany and Iran, resulting in an interim agreement.

JULY 2015
The nuclear deal is finalized, known as the Joint Comprehensive Plan of Action.

NOVEMBER 2016–JANUARY 2017
Cyber attacks against Saudi Arabia are renewed in Shamoon 2.

SUMMARY

Incidents involving Iran have been among the most sophisticated, costly, and consequential attacks in the history of the internet. The four-decade-long U.S.-Iran cold war has increasingly moved into cyberspace, and Tehran has been among the leading targets of uniquely invasive and destructive cyber operations by the United States and its allies. At the same time, Tehran has become increasingly adept at conducting cyber espionage and disruptive attacks against opponents at home and abroad, ranging from Iranian civil society organizations to governmental and commercial institutions in Israel, Saudi Arabia, and the United States.

IRAN’S CYBER THREAT ENVIRONMENT

• Offensive cyber operations have become a core tool of Iranian statecraft, providing Tehran less risky opportunities to gather information and retaliate against perceived enemies at home and abroad.

• Just as Iran uses proxies to project its regional power, Tehran often masks its cyber operations using proxies to maintain plausible deniability. Yet there are clear indications that such operations are conducted by Iranians and frequently can be linked to the country’s security apparatus, namely the Ministry of Intelligence and Islamic Revolutionary Guard Corps.

• Iran’s cyber capabilities appear to be indigenously developed, arising from local universities and hacking communities. This ecosystem is unique, involving diverse state-aligned operators with differing capabilities and affiliations. Over the decade that Iranians have been engaged in cyber operations, threat actors seemingly arise from nowhere and operate in a dedicated manner until their campaigns dissipate, often due to their discovery by researchers.

• Though Iran is generally perceived as a third-tier cyber power—lacking the capabilities of China, Russia, and the United States—it has effectively exploited the lack of preparedness of targets inside and outside Iran. Just as Russia’s compromise of Democratic Party institutions during the 2016 U.S. presidential election demonstrated that information warfare can be conducted through basic tactics, Iran’s simple means have exacted sometimes enormous political and financial costs on unsuspecting adversaries.

• The same Iranian actors responsible for espionage against the private sector also conduct surveillance of human rights defenders. These attacks on Iranian civil society often foreshadow the tactics and tools that will be employed against other targets and better describe the risks posed by Iranian cyberwarfare.

• Through technical forensics of cyber attacks, researchers documenting these campaigns can provide a unique window into the worldview and capabilities of Iran’s security services and how it responds to a rapidly changing technological and geopolitical environment.

U. S. RESPONSES GOING FORWARD

• While Iran does not have a public strategic policy with respect to cyberspace, its history demonstrates a rationale for when and why it will engage in attacks. Iran uses its capabilities in response to domestic and international events. As conflict between Tehran and Washington subsided after the 2015 nuclear deal, so too did the cycle of disruptive attacks. However, Iran’s decisionmaking process is obscured and its cyber capabilities are not controlled by the presidency, as evident in cases of intragovernmental hacking.

• The United States is reliant on an inadequately guarded cyberspace and should anticipate that future conflicts, online or offline, could trigger cyber attacks on U.S. infrastructure. The first priority should be to extend efforts to protect infrastructure and the public, including increased collaboration with regional partners and nongovernmental organizations targeted by Iran.

• Narrowly targeted sanctions could be used to deter foreign countries or other actors from providing assistance to Iranian offensive cyber operations. Such restrictions should still prioritize allowing Iranian society wide access to the internet and information technologies, to mitigate the regime’s ability to control information and communications.

• The United States has pursued a name and shame strategy against Iranian threat actors, and should continue to do so. The Justice Department has issued indictments against Iranians implicated in disruptive campaigns and has successfully obtained the extradition from a third country of a hacker involved in the theft of military secrets. Because of the small operational footprint of the groups, targeted sanctions or legal proceedings are more symbolic than disruptive. These indictments may at least chill participation by talented individuals who wish to travel or emigrate.

• Iran continues to pursue its interests through cyber operations, engaging in attacks
against its regional opponents and espionage against other foreign governments. A
better understanding of the history and strategic rationale of Iran’s cyber activities is
critical to assessing Washington’s broader cyberwarfare posture against adversaries,
and prudent U.S. responses to future cyber threats from Iran and elsewhere.

INTRODUCTION

Cyberspace has become the newest frontier in the four-decade-long U.S.-Iran cold war. Perhaps more than any government in the world, the Islamic Republic of Iran has been the target of uniquely destructive cyber attacks by the United States and its allies. At the same time, groups associated with Iran’s security forces—namely the Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence—have become increasingly adept at conducting their own offensive cyber operations. The targets of such operations include Iranian government critics at home and abroad, corporations, and nongovernmental organizations, as well as the economic, defense, and diplomatic institutions of countries including Germany, Israel, Saudi Arabia, and the United States.

The Iranian government has provided conflicting public accounts of its offensive cyber operations, touting its capabilities while denying responsibility for attacks attributed to it. Consistent with its use of proxy groups to assert its regional power, Tehran frequently masks its involvement in such operations using cutouts (intermediaries) to avoid attribution and provide it plausible deniability. Despite these denials, it is clear Iran has invested in indigenous cyber capabilities for both defensive and offensive purposes, and is willing to use them in the event of conflict.

Tehran’s offensive cyber capabilities are relatively unsophisticated compared to states like China, Russia, and the United States. While the Iranian hacking scene emerged in the early 2000s, there is little evidence of state-aligned cyber activities before 2007. This comparatively late start and underinvestment in part accounts for its lower capacity. Yet Moscow’s compromise of Democratic Party institutions and political operatives during the 2016 U.S. election demonstrated that information warfare can be conducted through basic tactics. Iran has similarly preyed upon the lack of sophistication or preparedness of vulnerable targets both inside and outside Iran, including Saudi oil companies, Middle Eastern governments, and U.S. banks. Though these operations have often caused great financial damage, the methods used to destroy data or disrupt access were relatively simple.

Iran has demonstrated how militarily weaker countries can use offensive cyber operations to contend with more advanced adversaries. Tehran’s operations against foreign interests have been mostly espionage and sabotage campaigns against soft targets in rival countries, rather than economic theft. Disruptive and destructive attacks have repeatedly been used by Tehran to signal its ability to impose retaliatory costs on its adversaries. Overall, these disruptive incidents appear to have been restrained based on strategic calculations, and limited to tit-for-tat exchanges within the same domain during times of conflict.

That said, most victims of Iranian cyber operations are in Iran or the large Iranian diaspora—the so-called internal enemies that Tehran’s leadership fears. The early and effective adoption of the internet and social media by regime opponents and critics has fed the perception of Tehran’s hardliners that foreign powers are conspiring to subvert the Islamic Republic through new technologies. But the targets of Tehran’s digital surveillance include not only human rights defenders and perceived enemies of the state but also apolitical cultural institutions and even Iranian government agencies. Digital espionage and disruptive attacks against government critics have demonstrated to the Iranian public that its online activities are not outside the reach of the state.

This report provides a historical analysis of the activities and observed capabilities of Iranian threat actors who perform offensive cyber operations, most likely on behalf of the Islamic Republic. For purposes of maintaining a consistent terminology, the cyber activities covered in this report are framed in terms of “offensive cyber operations,” which in the U.S. Department of Defense’s words are actions “intended to project power by the application of force in or through cyberspace,”1 or through distinguishing the intended effects (such as disruption, exfiltration, or destruction). This narrows the scope of research to intelligence and other offensive actions, rather than the full realm of Iranian government attempts to build influence online or control information.

Hackers working in coordination on cyber operations are described as “threat actors,” although groups can have a single member and their composition can change over time. The terms “state-sponsored” or “state-aligned” are used throughout this report to reflect the direct relationship between the attackers and the Iranian government that is accounted for throughout the operations.2

Forensic artifacts and other records collected from cybersecurity research provide unprecedented insight into the security and intelligence priorities of the Iranian regime. The true intent of an attacker is not always evident in an intrusion. The compromise of a system for espionage or reconnaissance can later provide an electronic foothold used for sabotage. While Tehran has conducted highly visible attacks against rivals during times of conflict, the decade-long history of Iranian cyber operations reveals that the primary reason for such campaigns appears to be espionage.

Iran has been the target of espionage and destructive coercive measures launched by foreign states, including not only the United States and Israel but also Canada, France, Russia, and the UK. These attacks further motivated Tehran to develop indigenous defensive and offensive cyber capabilities as well as a credible retaliatory threat. These exchanges are directly correlated to Iran’s domestic and geopolitical climate, which has been reflected in the reduction of disruptive attacks since the signing of the 2015 nuclear deal, formally known as the Joint Comprehensive Plan of Action (JCPOA).

The primary source of data used in this report is documentation collected from attacks against a variety of nongovernmental organizations (NGOs) and other targets, both inside Iran and abroad. Forensic investigation techniques provide a broader perspective on the range of activities of threat actors, helping to identify specific participants and their potential connections to Iranian governmental entities. For example, the “sinkholing” of malware—the interception of communications through the redirection of domain names—provides insight into both the perpetrators and the victims of such campaigns. In other cases, the lack of professionalism by Iranian groups has led to the disclosure of names, aliases, and email addresses of their members in malware code and domain registration records.

This first-hand research complements numerous reports—based also on primary source material—published by cybersecurity companies on specific Iran-related incidents or threat actors. These publications provide alternative insights into Iran’s targeting of other sectors outside the authors’ immediate perspective, such as defense companies and governments. An index of these reports will be made available online.3 Interviews with targets of Iranian campaigns—including activists and scholars based in Iran and abroad—help elucidate Tehran’s motivations and place the attacks in a broader context. Interviews with cybersecurity professionals similarly provide background on larger industry trends.

The intent of this report is to strengthen policy discussions of Iran’s cyber operations by increasing public knowledge about the nature of such activities. Since cybersecurity research is typically limited to disclosures of specific threat actors or incidents, such publications do not provide insight into larger motivations and observable trends. This report differs in that it considers the historical patterns and the broader context of Iranian cyber operations, particularly their relationship to changing political conditions. It also emphasizes the overlap between Iranian campaigns conducted against foreign government institutions and/or corporate entities and those directed against human rights and civil society organizations, commonly neglected stakeholders in cybersecurity policy debates.

A better understanding of the history and strategic rationale of Iran’s offensive cyber operations must inform U.S. strategy toward Iran and future U.S. responses to Iran’s actions. This is especially true given the United States is reliant on an inadequately guarded cyberspace and should anticipate that future U.S. cyber attacks against Iranian targets could trigger retaliatory attacks on U.S. infrastructure. Iran’s recent history suggests such an outcome.

IRAN: TARGET AND PERPETRATOR

CHAPTER ONE

Since the first publications on Iranian cyber activities in the summer of 2012—disclosing
a malware agent named Madi—cybersecurity companies and Western government agen-
cies have routinely documented intrusions, disruptions, and other malicious activities
originating from Iran.4 Yet aside from attacks that sought to subvert foreign infrastruc-
ture, these reports have rarely provided context about Tehran’s offensive cyber operations
and the motivations for attacks.

Tehran’s perspective is shaped by the many attacks that have targeted its own infrastruc-
ture. Since Iran’s covert nuclear facilities were exposed by an opposition group in 2002,
numerous foreign actors have staged intrusion operations that sought to gain access to
Iran’s nuclear facilities, economic infrastructure, military apparatus, and governmental
institutions, for both espionage and sabotage.5

Indeed, the most prominent example of modern cyberwarfare was the sustained cam-
paign of sabotage—unprecedented in its sophistication and preparation—carried out by
the United States and Israel against Iran’s nuclear facilities. In what was known as Opera-
tion Olympic Games, the malware agent Stuxnet was used to sabotage components of
the Natanz uranium enrichment facility, resulting in the destruction of over 1,000 cen-
trifuges and setting back Iran’s nuclear progress by more than a year. This marked one of
the first known uses of offensive cyber operations as a coercive measure between states.6

While Stuxnet was solely intended to degrade Iran’s nuclear program, other campaigns
sought to sabotage the country’s financial and oil infrastructure. In May 2012, a
consortium of researchers disclosed another destructive operation against Iran.7 Malware
agents
known as Wiper and Flame, successors to Stuxnet, had been discovered when Iran’s Min-
istry of Petroleum and the National Iranian Oil Company computers were disabled, their
hard drives overwritten in a unilateral operation reportedly conducted by Israel.8

Coercive cyber operations targeting Iran continued following Operation Olympic
Games. In June 2012, amid stalled nuclear negotiations between Iran and international
powers, Tehran’s minister of intelligence claimed the country’s nuclear facilities were
subject to another “massive cyber attack.”9 Later that year, Iran alleged additional disrup-
tive operations targeting its Central Bank, Ministry of Culture, and drilling platforms
operated by the Iranian Offshore Oil Company.10

In addition to sabotage, foreign intelligence agencies have continually targeted Iranian
infrastructure for purposes of espionage, a fact made public to Iran through the intel-
ligence disclosures of Edward Snowden. A former U.S. National Security Agency (NSA)
worker, Snowden leaked a presentation on a tool known as Boundless Informant show-
ing Iran to be one of the most highly surveilled countries in the world: billions of Iranian
internet and telephone records have been collected by the intelligence agencies of the
United States and its partners. In fact, Iran is so frequently surveilled that a Canadian
espionage operation targeting Iran once stumbled across a French-run intelligence opera-
tion that had compromised the very same network.11

HOW IRAN EMBRACED CYBER REPRESSION

Iran’s Supreme Leader Ayatollah Ali Khamenei has long believed Washington aspires to
overthrow the Islamic Republic by instigating mass mobilization along the lines of the
1989 Velvet Revolution that toppled the Communist regime in Czechoslovakia.12 Fol-
lowing similar logic, Iran’s first cyber operations were motivated by fears that the internet
facilitated external threats to regime stability. Tehran often labels the online dissent of its
citizenry as cyberwarfare orchestrated by its enemies, namely the United States, to subvert
the Islamic Republic. Western government support for unrestricted internet access and
Persian-language satellite television stations—such as BBC Persian TV—are perceived as
key elements of this strategy. The advent of social media sites, such as Facebook and
Twitter, and messaging apps, such as Telegram, is especially threatening given that they
challenge the Iranian government’s long-standing monopoly over media and communications.

Khamenei’s greatest concerns were realized when the June 2009 contested reelection of
hardline president Mahmoud Ahmadinejad—amid widespread allegations of fraud—provoked
Iran’s largest popular uprisings since the country’s 1979 revolution. It was also a
pivotal moment in the Iranian government’s embrace of offensive cyber capabilities, as
this mass mobilization—known as the Green Movement—became one of the first known
targets of the regime’s operations. The online contest between the opposition, using the
internet to coordinate political resistance, and the government, attempting to repress mobi-
lization, set the stage for future conflicts, including those with foreign powers.

Soon after an estimated 2 million Iranians protested in Tehran on June 15, 2009, sup-
porters of the Green Movement began to battle the government over control of infor-
mation.13 When the authorities expelled foreign media, interfered with mobile phone
networks, and arrested prominent critics, the internet became a primary channel for
coordination amid the chaos. In response, the
U.S. Congress, then U.S. president Barack
Obama’s administration, and American tech-
nology companies sought to maintain Iranian
users’ access.14

During the Green Movement, pro-regime
hackers engaged in a multipronged strategy
of intrusions, disruption of websites, and
network surveillance. Between December
2009 and June 2013, a group calling itself the
Iranian Cyber Army defaced websites associ-
ated with Iran’s political opposition, Israeli
businesses, independent Persian-language me-
dia, and social media platforms, posting pro-government messages. When human rights
activists and opposition leaders called for street protests, critical websites were subject to
a deluge of malicious internet traffic to disrupt access, known as distributed denial-of-
service (DDoS) attacks.15 Government critics were spied on with malware posing as in-
formation on upcoming protest plans and public scandals.16 An Iranian hacker breached
the Dutch security company DigiNotar to fraudulently issue encryption certificates that
allowed Tehran to spy on all domestic Gmail users, one of the largest security breaches in
the history of the internet.17
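The DigiNotar breach described above worked because a browser's root store trusts every listed CA to sign a certificate for any host name, so a certificate minted by a compromised CA passes ordinary chain validation. What exposed the fraudulent Google certificate in 2011 was Chrome pinning the public keys it expected for Google domains. The following is an added illustration of that difference, not code from the report or from any browser; the CA names other than DigiNotar, the host name, the key bytes and the use of HMAC secrets as stand-ins for CA signing keys are all constructed for the example.

```python
"""Trust-store validation versus public-key pinning, modelled on the DigiNotar case.

Added illustration only: certificates, keys and most CA names are constructed
stand-ins (HMAC secrets play the role of CA signing keys), not real X.509 data.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # host name the certificate claims
    issuer: str        # name of the issuing CA
    public_key: bytes  # stand-in for the SubjectPublicKeyInfo (SPKI) bytes
    signature: bytes   # stand-in for the CA's signature over subject + key


# Constructed CA signing secrets. A compromised CA means an attacker can produce
# signatures the trust store considers genuine, for any host name at all.
CA_SECRETS = {
    "Example Legit CA": b"constructed-legit-ca-secret",
    "DigiNotar Root CA": b"constructed-diginotar-secret",
}

# A client's root store trusts every CA listed here to sign for ANY host name.
TRUST_STORE = frozenset(CA_SECRETS)

# Constructed key material for the real mail server and for an interceptor.
SITE_KEY = b"constructed-spki-bytes-of-the-real-mail-server"
ATTACKER_KEY = b"constructed-spki-bytes-of-the-interceptor"


def _sign(issuer: str, subject: str, public_key: bytes) -> bytes:
    return hmac.new(CA_SECRETS[issuer], subject.encode() + public_key,
                    hashlib.sha256).digest()


def issue(issuer: str, subject: str, public_key: bytes) -> Cert:
    """Issue a certificate; any CA in CA_SECRETS can do this for any subject."""
    return Cert(subject, issuer, public_key, _sign(issuer, subject, public_key))


def chain_valid(cert: Cert, hostname: str) -> bool:
    """Ordinary validation: the name matches and a trusted CA signed the cert."""
    if cert.subject != hostname or cert.issuer not in TRUST_STORE:
        return False
    expected = _sign(cert.issuer, cert.subject, cert.public_key)
    return hmac.compare_digest(expected, cert.signature)


def spki_fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


# Pins shipped with the client: the SPKI hash(es) it will accept for a host,
# regardless of which CA signed the certificate presented.
PINS = {"mail.example.com": frozenset({spki_fingerprint(SITE_KEY)})}


def pin_valid(cert: Cert, hostname: str) -> bool:
    """Pinning check: the presented key must be one the client already expects."""
    return spki_fingerprint(cert.public_key) in PINS.get(hostname, frozenset())


def evaluate(cert: Cert, hostname: str) -> dict:
    """Both checks side by side; a pinned client accepts only when both pass."""
    chain = chain_valid(cert, hostname)
    pinned = pin_valid(cert, hostname)
    return {"chain_valid": chain, "pin_valid": pinned, "accept": chain and pinned}


# The genuine certificate, and a fraudulent one minted by the compromised CA
# for the same host name but carrying the interceptor's key.
GENUINE = issue("Example Legit CA", "mail.example.com", SITE_KEY)
FRAUDULENT = issue("DigiNotar Root CA", "mail.example.com", ATTACKER_KEY)

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("fraudulent", FRAUDULENT)):
        print(label, evaluate(cert, "mail.example.com"))
```

Running it shows the fraudulent certificate passing `chain_valid` exactly as the genuine one does, and failing only `pin_valid`; the pin is what ties the host name to a specific key rather than to the whole population of trusted CAs.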

Ultimately, the brutality, surveillance, and censorship exercised by the security forces
debilitated the Green Movement, and by 2011 public protests had subsided. Security
agencies had adapted to the modern digital environment, with interrogations by the
IRGC including an intimate review of an arrestee’s personal life based on printed cop-
ies of his or her online communications and social media. An IRGC chief later said that
suppressing the demonstrations required widespread arrests, massive repression, and
cutting off means of mass communication, such as cellphones and the internet.18 The Green
Movement demonstrated to the Islamic Republic that the internet could be used as an
instrument of mass mobilization and posed an effective challenge to the regime’s long-
held information monopoly.

The tactics, tools, and threat actors that arose during this domestic challenge to regime
stability would foreshadow the cyber posture of Iran toward a wider set of internal and
foreign threats. A recurrent theme since the outset of Iran’s cyber operations is that Ira-
nian campaigns do not maintain clear boundaries between operations directed against its
internal opposition and those directed against foreign adversaries.19 The same infrastruc-
ture and tools used by Iranian threat actors for campaigns against the American defense
industry are also used to target Persian-language women’s development programs; the
same malware used in destructive attacks against Saudi government institutions had been
previously used for surveillance against members of the Green Movement opposition.

IRAN’S OFFENSIVE CYBER CAPABILITIES

Cyber operations have provided Tehran less risky opportunities to gather information
and retaliate against perceived enemies at home and abroad. Before information com-
munication technologies were widely available, the Iranian government’s foreign intel-
ligence operations centered chiefly on recruiting agents to spy on and assassinate political
dissidents or the diplomats of rivals. These operations usually resulted in international
embarrassment when the attackers were caught and condemnation when they succeeded.

Compared to clandestine in-country operations,
offensive cyber capabilities provide stronger de-
niability and have thus far been less likely to lead
to retaliation upon discovery.

Over the past decade, offensive cyber opera-
tions have become a core tool of Iranian state-
craft, for the purposes of espionage, signaling,
and coercion. Accounts of Iran’s offensive cyber
operations follow a consistent pattern across
campaigns and among different threat actors. Operations focus on well-defined sets of
targets and are less sophisticated than the campaigns of state-sponsored threat actors
in other countries—to credibly signal threats and create deterrence requires assured
repeatability, a capability that Tehran generally still lacks.

Moreover, the level of professionalization, preparation, and investment necessary to
conduct an operation like Operation Olympic Games remains far outside the capacity of
Iranian threat actors. Unlike the cyber operations of the United States and Israel, which
are conducted by professional intelligence services supported by billion dollar budgets,
Iran’s offensive and defensive capabilities are disorganized and modestly funded.20 Thus,
while Iran frequently turns to disruptive attacks to apply pressure, it faces a ceiling of
capability and opportunity in its ability to threaten opponents. Tehran’s clandestine hu-
man intelligence gathering in foreign countries, particularly outside the Middle East, is
of similarly low sophistication.

Tehran rarely claims responsibility for offensive cyber operations attributed to it, in-
cluding those espousing support for the Islamic Republic, and has made contradictory
statements on its cyber posture. Iranian authorities have a history of embellishing the
country’s military capacity, including for cyber operations. In responding to a series
of disruptions of its own infrastructure in October 2012, then minister of intelligence
Heidar Moslehi asserted that “the Islamic Republic is so powerful in the cyber space that
[even] leaders of the arrogant powers admit and acknowledge our country’s successes.”21
However, IRGC commander Mohsen Kazemeini also claimed that the IRGC’s cyber-
warfare division was not tasked with conducting offensive operations.22 Official rhetoric
also appears to conflate the state’s effort to push online propaganda with offensive cyber
capabilities, leading to claims of tens of thousands of cyber warriors.

Iran has used reports of destructive incidents to portray itself as a victim of foreign ag-
gression, deflect attention away from its own actions, and boast of its ability to neutralize
potential attacks. When accused by the United States of having conducted a disruptive
attack against American banks, Iran’s Deputy Foreign Minister Hossein Jaberi Ansar re-
sponded that “the U.S. government, which put millions of innocent people at the risk of
an environmental disaster through cyber attacks against Iran’s peaceful nuclear facilities,
is not in a position to level accusations against the citizens of other countries, including
those of Iran, without substantiated evidence.”23 Iranian officials appealed to internation-
al institutions for relief after the country had been affected by the malware agents Flame
and Wiper, a move that aligned with its calls for greater United Nations (UN) control
over the internet.24

In public statements, Iran has often emphasized its defensive capabilities, announcing in
2015 that its Cyber Attacks Emergency Center had successfully managed to thwart U.S.
cyber attacks against the country’s industrial infrastructure.25 Iranian military officials
regularly announce new defense products developed by domestic contractors, the most
prominent example being the antivirus software Padvish.26 Despite these claims, Iran has
shown little success in fostering a mature cybersecurity industry and lags behind both
developed economies and key regional rivals in terms of investing in defense or formulat-
ing national policies to secure critical infrastructure.

While the Iranian government has committed tens of millions of dollars to cybersecurity
in recent years, the scale of these investments pales in comparison to the billions spent
annually by the U.S. government or the hundreds of millions spent individually by American
banks.27 Were Iran to focus on improving its de-
fensive capabilities, it would still face significant
constraints related to sanctions, bureaucratic
inefficiency, and a deficit of specialized expertise.
Given the sophistication shown by its adversar-
ies, assertions about the quick detection and
remediation of foreign intrusions into Iranian
networks should be viewed skeptically, a defen-
sive posture that is unlikely to change.

Despite its confident claims, Iran is generally
perceived as a third-tier cyber power, lacking an advanced indigenous cybersecurity
apparatus capable of carrying out sophisticated operations like China, Israel, Russia,
and the United States.28 While technical sophistication does not impede Iranians from
conducting successful cyber operations, those actions reflect a disorganization and lack of
professionalism that runs contrary to what would be expected of a state actor and limits
their capabilities. Tehran’s political and economic isolation has further constrained it
from acquiring technology and expertise from foreign governments or companies, and
little evidence exists that would indicate substantial cooperation with other nations in the
development of its offensive cyber capabilities.

THE DIFFERENCE BETWEEN ESPIONAGE AND SABOTAGE

Media accounts of cyber operations often paint incidents with a broad brush, labeling all
intrusions as attacks regardless of whether the outcome was destructive.29 Offensive cyber
operations, however, can be more accurately labeled according to their intent and impact,
distinguishing espionage and sabotage. Iranian actors have both engaged in intrusions
to extract information from foreign networks (espionage, information gathering) and
performed destructive actions to punish or coerce adversaries (sabotage), with a gray area
in the middle related to signaling and other motivations. Understanding this difference is
important in assessing Tehran’s strategy and the legality of its operations.

International law differentiates activities that are legal, though not desirable, from those
that are illegal and could prompt dangerous escalation.30 Just as international law
differentiates traditional espionage from coercion or violence, these same principles also apply
to cyber espionage. Legal scholars have asserted that “mere intrusion into another State’s
systems does not violate the non-intervention principle.”31

Indeed, given the growing number of nations with offensive cyber capabilities, espionage
and information gathering through cyber operations has increasingly become accepted
as an international norm.32 While the United States naturally denounces Tehran’s target-
ing of State Department employees, for example, such incidents mirror similar espionage
operations against Iranian diplomats by U.S. and other Western intelligence agencies.33

International law experts have provided frameworks for determining what constitutes an
“armed attack” in cyberspace, based on severity, invasiveness, directness, and other fac-
tors. Such frameworks also reinforce the importance of terminology, differentiating, for
example, espionage against the Navy Marine Corps Intranet from a destructive incident
such as Iran’s attack on Saudi Arabia’s and the world’s largest oil company, Saudi Aram-
co.34 Relatedly, scholars have noted that Iran’s use of proxies in offensive cyber operations
does not absolve the government of legal obligations or repercussions for their outcome,
based in part on international case law from the 1979 Iranian hostage crisis.35

Consistent evaluation of the legality of Iranian cyber operations provides clearer public
benchmarks for assessing when Iran violates internationally respected principles and en-
gages in illegitimate behavior. As Tehran continues to conduct offensive cyber operations,
it is important for policymakers to assess the intent, scope, and legality of Iran’s actions
before considering counter responses.

IRAN’S CYBER ECOSYSTEM:
WHO ARE THE THREAT ACTORS?

CHAPTER TWO

The Islamic Republic of Iran is unique in that its most powerful officials—namely Su-
preme Leader Khamenei and the Islamic Revolutionary Guard Corps—are inaccessible,
while its most accessible officials—including Foreign Minister Javad Zarif—are far less
powerful. Iran’s offensive cyber activities are almost exclusively overseen by the IRGC—
likely without the oversight of the country’s publicly “elected” officials—and composed
of a scattered set of independent contractors who mix security work, criminal fraud, and
more banal software development. While the relationships between proxies and govern-
ments can range from passive support to complete control, Iran’s indigenous threat actors
maintain an arm’s-length relationship to the state, with certain operations orchestrated to
meet the needs of the government.36

After successfully suppressing the 2009 Green Movement and first detecting the Stuxnet
attack in 2010, Iranian threat actors conducted sustained campaigns against domestic
and foreign adversaries. These indigenous operations appear to be performed by small
groups of individuals that have varying levels of technology experience with no more
than ten people per team. These campaigns and the resources produced by the groups
range from rudimentary to relatively professional, but most actors still face a low capac-
ity ceiling.37

Though U.S. officials and some cybersecurity companies have speculated that Tehran has
received technical assistance from countries like Russia and North Korea, the level of
sophistication is commensurate with the established practices of amateur hacking
communities inside Iran.38 While Iranians have demonstrated talents in social engineering and
embedding themselves in compromised networks, this alone is not indicative of external
training or technological transfers.

On several occasions, Iranian threat actors have used off-the-shelf or pirated versions of
professional penetration testing tools to conduct campaigns, but there is little indication
of Tehran acquiring exploits or malware from foreign governments. Iran has acquired
hardware for internet surveillance from Chinese telecommunication firms and maintains
cooperative agreements with Russia on cybersecurity; however, these relationships differ
from providing Tehran with offensive cyber capabilities.39 No publicly documented or
privately observed attack has demonstrated the use of tools or resources that are beyond
the capacity of Iranian threat actors.

In principle, the tools and tactics used in cyber operations are subject to an exposure risk.
Unlike conventional weapons, malware attacks or other cyber activities lose their effec-
tiveness when discovered and when their functionality and infrastructure is documented.
Describing a missile does not provide effective countermeasures, but describing malware
can provide antivirus companies and system administrators the ability to protect systems.
State-aligned threat actors will likely not employ the most sophisticated tools and strate-
gies available to them unless the target is well protected and worth potentially exposing
tradecraft to compromise. However, unlike in other countries, there are not observed
examples from Iranian threat actors of escalation into more sophisticated attacks against
hardened targets.40
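The exposure risk described above is concrete on the defender's side: once a report has published a sample's hash and the domains it talks to, matching those indicators against host and DNS telemetry is cheap, and every later reuse of the same tooling is caught. The block below is an added example of that matching step, not code from the report or from any vendor. Every indicator and telemetry record in it is constructed; the only real-world detail it models is that published indicators are usually "defanged" (for example `[.]` for `.`) and arrive in mixed case, so they must be normalised before comparison.

```python
"""Matching indicators from a published threat report against host telemetry.

Added illustration only: all indicators and telemetry below are constructed.
"""
import hashlib

# Indicators as a report would print them: file hashes plus defanged domains.
# Values are constructed for this example, not taken from any real report.
REPORT_INDICATORS = {
    "sha256": {
        hashlib.sha256(b"constructed malware sample A").hexdigest(),
        hashlib.sha256(b"constructed malware sample B").hexdigest(),
    },
    "domains": {"update-check[.]example", "CDN-Mirror[.]example"},
}

# Constructed telemetry: (event_type, host, value), as a simple EDR or DNS feed
# might emit. Note the mixed case and the resolver's trailing dot.
TELEMETRY = [
    ("file_hash", "ws-12", hashlib.sha256(b"constructed malware sample A").hexdigest()),
    ("file_hash", "ws-12", hashlib.sha256(b"benign installer").hexdigest()),
    ("dns_query", "ws-12", "UPDATE-CHECK.example"),
    ("dns_query", "ws-07", "www.example"),
    ("dns_query", "ws-07", "cdn-mirror.example."),
    ("file_hash", "ws-31", hashlib.sha256(b"constructed malware sample B").hexdigest().upper()),
]


def refang(indicator: str) -> str:
    """Undo report defanging ('[.]' or '(.)' -> '.', 'hxxp' -> 'http'), lower-case,
    and drop a trailing dot so resolver logs compare equal to report entries."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s.rstrip(".")


def normalise_indicators(report: dict) -> dict:
    return {
        "sha256": {h.lower() for h in report["sha256"]},
        "domains": {refang(d) for d in report["domains"]},
    }


def match_telemetry(events, report: dict) -> list:
    """Return (host, indicator_type, value) for each event that hits an indicator."""
    iocs = normalise_indicators(report)
    hits = []
    for kind, host, value in events:
        if kind == "file_hash" and value.lower() in iocs["sha256"]:
            hits.append((host, "sha256", value.lower()))
        elif kind == "dns_query" and refang(value) in iocs["domains"]:
            hits.append((host, "domain", refang(value)))
    return hits


def hosts_to_triage(events, report: dict) -> list:
    """Unique hosts with at least one hit, sorted so the output is stable."""
    return sorted({host for host, _, _ in match_telemetry(events, report)})


if __name__ == "__main__":
    for hit in match_telemetry(TELEMETRY, REPORT_INDICATORS):
        print(hit)
    print("triage:", hosts_to_triage(TELEMETRY, REPORT_INDICATORS))
```

The benign installer and the unrelated `www.example` query produce no hits; the three hosts that touched a published hash or domain are the ones to triage. This is also why groups abandon exposed tooling: the same comparison runs against every future sample and query.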

Iranian threat actors conduct campaigns with established toolkits that sometimes last for
years and ensnare hundreds of targets. However, the fluid nature and decentralization
of these groups make them relatively difficult to track. Malware that is publicly attrib-
uted to Tehran is often abandoned immediately on exposure, and identifiable members
appear to change groups over time. Some groups seem to split up, have members move
elsewhere, or even collaborate, further blurring lines.41 For example, while an IRGC-
affiliated group labeled Rocket Kitten was the most active operator for a two-year period
(2014–2016), attracting press attention as Iran’s premier threat, it has since faded into
quiescence, eclipsed by the actor Oilrig.42

Despite their substantial financial impact, Tehran’s disruptive operations against foreign
targets have been technically simple. The compromise of a small number of IT personnel
enabled the destruction of data on computers maintained by Saudi Aramco, eventually
resulting in hundreds of millions of dollars in damage.43 In only a few campaigns have
Iranian threat actors shown the professionalism and sophistication approaching that
expected of a nation-state actor; in one such case, the operation could be tied directly to
the Ministry of Intelligence (Magic Kitten, discussed later).44

Success can often be attributed to security failures and to poor protection of infrastruc-
ture on the part of the victim, alongside opportunistic targeting and patience by the at-
tacker. The defacement of Voice of America’s websites by the Iranian Cyber Army, one of
the first disruptive attacks by Iran against the United States, was accomplished through
social engineering the news agency’s domain name service provider.45 Other basic security
failures gave Iranians a toehold in the networks of Las Vegas Sands Corp. after its owner,
Sheldon Adelson, advocated military force against Iran.46 Symantec, an American cyber-
security company, noted that the perpetrators of a recent Saudi-focused campaign had
invested a “significant amount of preparatory work for the operation,” but the custom
malware was described by Russian cybersecurity firm Kaspersky as “generally of low qual-
ity” partially derived from open-source toolkits.47

Similarly, a major attack on the American financial sector—known as Operation
Ababil—which caused hundreds of millions of dollars in damage, was described as one of
the largest DDoS attacks known at the time. Yet it took only a few young Iranian com-
puter experts, breaching thousands of websites that were running vulnerable software, to
pool enough bandwidth to overwhelm the infrastructure of banks and cause unpredicted
software failures.48 Thus, while Iranian threat actors have limited capacity, through basic
tradecraft and persistence they can still be effective at espionage and sabotage.
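The Operation Ababil pattern above, bandwidth pooled from thousands of compromised web servers, has a distinctive shape in a victim's own access logs: total requests jump sharply while no single source stands out, which is the opposite of one misbehaving client that per-IP rate limiting would already stop. The block below is an added example of telling those two situations apart, not code from the report or from any bank's defenses; the log lines, addresses, timestamps and thresholds are all constructed.

```python
"""Spotting a many-source flood in web server access logs.

Added illustration only; every log line below is constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common/combined log format; only the client address and timestamp matter here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def window_stats(lines, window_seconds: int = 1) -> dict:
    """Per-window Counter of requests by source address."""
    stats = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_seconds * window_seconds
        stats[bucket][ip] += 1
    return stats


def classify_windows(stats: dict, rate_threshold: int = 100, min_sources: int = 50) -> dict:
    """Label each window 'normal', 'single_source_abuse' or 'distributed_flood'.

    A flood is a window over the rate threshold where many sources contribute and
    the busiest one accounts for no more than a tenth of the traffic.
    """
    labels = {}
    for bucket, per_ip in sorted(stats.items()):
        total = sum(per_ip.values())
        if total < rate_threshold:
            labels[bucket] = "normal"
        elif len(per_ip) >= min_sources and per_ip.most_common(1)[0][1] <= total * 0.1:
            labels[bucket] = "distributed_flood"
        else:
            labels[bucket] = "single_source_abuse"
    return labels


def build_sample_log() -> list:
    """Constructed access log: baseline traffic, one aggressive scanner, then a flood."""
    base = datetime(2012, 9, 18, 14, 0, 0, tzinfo=timezone.utc)  # constructed date
    lines = []

    def emit(ip, t, path="/"):
        lines.append(f'{ip} - - [{t.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512')

    for s in range(0, 10):            # seconds 0-9: five ordinary clients, 5 req/s
        t = base + timedelta(seconds=s)
        for i in range(5):
            emit(f"192.0.2.{i + 1}", t)
    for s in range(10, 12):           # seconds 10-11: one scanner at 150 req/s
        t = base + timedelta(seconds=s)
        for n in range(150):
            emit("198.51.100.7", t, f"/page{n}")
    for s in range(12, 15):           # seconds 12-14: 300 compromised hosts, 1 req/s each
        t = base + timedelta(seconds=s)
        for n in range(300):
            emit(f"10.{n // 256}.{n % 256}.1", t)
    return lines


def summarise(lines) -> Counter:
    """How many windows fell into each class."""
    return Counter(classify_windows(window_stats(lines)).values())


if __name__ == "__main__":
    print(summarise(build_sample_log()))
```

On the constructed log the scanner seconds are flagged as single-source abuse (a per-IP limit handles them) while the flood seconds show 300 sources at one request each, which no per-IP rule would catch and which calls for upstream filtering or capacity instead.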

The overall sophistication and dedication observed in such campaigns has not significant-
ly changed in the decade that Iran has engaged in offensive cyber operations—the attacks
documented against Las Vegas Sands Corp. in 2014 are comparable to those used against
Saudi Arabia in renewed hostilities over the course of 2016-2017. Indeed, many research
disclosures cover groups that have been active for several years, using the same malware
with only incremental changes over the course of time.

While sophistication alone can be a superficial metric of posed threat, Iranian opera-
tions do not demonstrate the common technical precautions taken by other nation-state
actors (such as obfuscating malware), and, even with strong social engineering capabili-
ties, attacks are often betrayed by a lack of investment in nontechnical resources (such
as fluency in English or personal tailoring of messages).49 These resource constraints also
account for why Iranians are more effective at compromising dissidents—Iranian threat
actors understand their target’s context and language, as opposed to when they are tasked
with European languages or other cultures. Iran shows little indication of becoming a
first-tier cyber power in the foreseeable future unless it begins to further organize its
operations and invest in professionalism.

MAGIC KITTEN

In January 2015, the German news outlet Der Spiegel released previously un-
published documents on cyber espionage conducted by American intelligence
agencies.50 One of them revealed an NSA tactic labeled “fourth party collection,”
which is the practice of breaking into the command and control infrastructure
of foreign-state-sponsored hackers to look over their shoulders. The presentation
describes a real-life example of acquiring intelligence and stealing victims from a
group code-named VOYEUR by the NSA, otherwise known as Magic Kitten.

Magic Kitten appears to be among the oldest and most elaborate threat actors
originating in Iran. It is also distinct from other groups because of its apparent
relationship with the Iranian Ministry of Intelligence rather than the IRGC.
However, Magic Kitten’s activities mirror those of other groups, with the pri-
mary targets being Iranians inside Iran and Tehran’s regional rivals. The earliest
observed samples of Magic Kitten’s custom malware agent date to 2007, well
before other known malware apparently originated, and the threat actor contin-
ues to be active.

Magic Kitten appears to exercise the most mature tradecraft of Iran-based threat
actors. It has opportunistically compromised dozens of websites at random
(including those of an Indian hospital, an Italian architect, and a well-known
Canadian comedian) to create a relay network to hide its operations. Such atten-
tion to tradecraft appears elsewhere in Magic Kitten’s operations, including in
the design of malware, which is modular in nature.

Magic Kitten has not been observed using sophisticated exploits and instead ap-
pears to rely on social engineering and other common tactics to deceive users. In
the case of the journalist Vahid Pour Ostad, the malware was sent by his former
Ministry of Intelligence interrogator with a threat attached and relied on private
records that would have been available only to government actors. This coordi-
nation represents both independent confirmation of the NSA’s attribution and
an extreme example of the strategies employed by Magic Kitten. Other samples
of the malware agent appear to have been delivered posing as Turkish asylum
forums for Syrian refugees.

The NSA presentation also provides a window on Magic Kitten’s targets up to
May 2011, portraying an operation focused on North America, Europe, and the
Middle East. These campaigns continued through the June 2013 presidential
election of Hassan Rouhani, provoking a blogpost from Google about related
attacks.51 As the election approached, exposed logs showed the daily capture
of dozens of accounts connected to Iranian cultural and media figures, gradu-
ate students, and social activists (including individuals that would later join the
Rouhani administration). Magic Kitten continued to target Iranians after the
election, attempting to unmask pseudonymous internet users by baiting them
with content on women’s rights and the security establishment.

Like other Iranian operations, Magic Kitten maintains a strong secondary inter-
est in conducting espionage against regional targets and international foreign
policy institutions. CrowdStrike, another American cybersecurity company,
accounts for part of this focus on “international corporations, mainly in the
technology sector” and other political targets.52 An NSA slide with a victim map
portrays a broad-reaching operation targeting nearly every country in the Middle
East. Sinkhole data collected from expired domains previously used as relays and
other fallback infrastructure suggest that Magic Kitten, or the malware agent
used, continues to actively compromise individuals in Germany, Indonesia, Iraq,
Lebanon, the Netherlands, Palestine, Pakistan, Qatar, Sweden, Switzerland,
Thailand, and the United Arab Emirates. Notably, compromised individuals in
Iraq were also typically in Iraqi Kurdistan, mirroring a common pattern with
other threat actors.

A diagram within the NSA presentation suggests that the malware agent em-
ployed by Magic Kitten was also used at the time by Iran’s Shia Lebanese proxy
Hezbollah, under independent infrastructure. While Hezbollah has been known
to maintain its own offensive cyber operations and engage in intelligence sharing
with Iran, there has been little prior evidence of direct sharing of tools.53

UNDERSTANDING IRANIAN GOVERNMENT
INVOLVEMENT AND ATTRIBUTION

It is often difficult to determine the origins and perpetrators of Iranian offensive cyber
operations, as these campaigns may disappear as quickly as they appear. Public expo-
sure often leads them to change tactics and abandon tools, making tracking even more
difficult. The history of cyber operations targeting Iranians and originating from Iran is
populated by groups that arise out of nowhere and conduct campaigns for ambiguous
reasons over a finite time span, then disappear. This unusually frenetic character
conspicuously differentiates the Iranian hacking ecosystem from that found elsewhere, particularly those
tied to state actors in advanced countries.

The amateur hackers connected to the Iranian
defacement community have long been politi-
cally engaged and have often vandalized foreign
sites for ostensibly nationalistic reasons.54 In one
of the first international incidents attributed
to Iran, domestic hacking groups in mid-2008
exchanged tit-for-tat defacements with competi-
tors in neighboring Arab countries after the of-
ficial sites of Grand Ayatollah Ali al-Sistani were
vandalized with anti-Shia content by an Emirati
hacker. Such defacement activities can often evolve into state-affiliated activities: one of
the participants in the anti-Sunni website-defacement campaign in 2008 was later linked
to the Iranian Cyber Army. This transition from patriotic hackers to state-aligned threat
actors, and the ambiguity between civic nationalism and state involvement, mirrors the
apparent development of cyber communities in China and elsewhere.55

In only two incidents have Iranian government entities taken direct credit for the defacement of political opposition sites, both attributed to branches of the Revolutionary Guard. The first case was the March 2010 takedown of sites connected to the organization Human Rights Activists in Iran, which was alleged to be training cadres to mobilize against the regime like the Velvet Revolution. The attack relied on the arrest of a website administrator inside the country rather than on complicated tactics. The arrests and destruction of data had a lasting impact on the organization by instilling fear in members and giving rise to rumors about collaboration with the government.

The second government-initiated campaign, carried out during a Shia holiday in December 2013, led to the defacement of nine human rights and independent media websites with a Quranic verse in Arabic and Persian. The IRGC’s Public Relations Department announced that the operation had been conducted by the Revolutionary Guard’s Kerman Branch and claimed that the defaced websites had been established by the country’s enemies and supported by internal seditionists.

CARNEGIE ENDOWMENT FOR INTERNATIONAL PEACE 23

In most cases, Iran uses cutout or proxy organizations, allowing it to keep some distance from the disruptive incidents and propagandistic defacements. These cutouts represent themselves as patriotic Iranians or pan-Islamic movements acting independently in defense of the supreme leader, national sovereignty, and religious ideals. Conducting offensive cyber operations through covert organizations provides Tehran plausible deniability for any attacks, thereby protecting its claim to victimhood while also allowing the state to signal its intentions to its opponents. These tactics are effective: there is still no definitive public agreement on who was behind the Yemen Cyber Army’s attacks that led to stolen Saudi Arabian Ministry of Foreign Affairs documents being published by WikiLeaks, with the consensus split between Iran and Russia.56 The cutouts tend to develop their own mythology and continue to be treated as active threats past their expiration date, bolstering perceptions of Iran’s capability.

Nevertheless, a comprehensive study of Iran-linked
cyber operations often reveals Tehran’s hand in
such proxies. When the U.S. Justice Department
unsealed its Operation Ababil indictment in March
2016, it named two Iranian corporate entities that employed at least seven individuals
who had been contracted by the Iranian government.57 The indictment implicated three
of the participants as being part of the Sun Army, an Iranian cutout defacement group.
The Sun Army followed the typical pattern found with the Iranian Cyber Army and
other state-aligned defacements, arising out of nowhere to perform targeted political acts
over a short life span. Its first documented defacements, in February 2010, were of sites
connected to now-detained opposition leader Mehdi Karroubi. The vandalism accused
him of being a traitor and was timed to blunt planned antigovernment street protests.58

As Iran’s cybersecurity landscape has professionalized, some defacement groups have sought to convert their infamy into corporate success. Based on the disclosure of personal information about threat actors, there are indications that those engaged in Iranian offensive cyber operations work within corporate entities (such as IT consultancies) or contractors of Iranian security forces.59 For example, aspects of the Madi espionage campaign implicated the Mortal Kombat Underground Security Team, a small Iranian group that has attempted to sell spyware and other hacking tools since at least 2008.60 The frequent overlap of legitimate digital commerce sites and servers used for intrusion campaigns is demonstrative of these blurred lines—a company might simultaneously provide web design services for businesses and hack for the government.61

The transition of amateur hackers into contractors for state security agencies is reflected in basic qualities and patterns of life found across most threat actors. There are clear indications that the threat actors documented are solely Iranians operating inside Iran, not diaspora Iranians or non-Iranians. At the most basic level, they tend to follow the normal patterns of life of office workers, being active during the Iranian workweek (Saturday through Wednesday) and dormant during Iranian holidays, particularly the long holiday of Nowruz, the Persian New Year.

Disclosures of aliases and real names, which may be discoverable because of a disregard for operational security due to insulation from repercussions or a lack of professionalism, help reveal both the lives and the motivations of Iranian threat actors. While those behind the groups may be nationalists or ideologically aligned with the regime, they do not appear to be enrolled members of the military or security apparatus. These individuals and groups also differ in social and religious predilections; some participants promote the use of narcotics and trade pornography on personal social media, while others are devoutly religious and embed Islamic references in malware code. Iranian threat actors have often used pornography as bait in their spearphishing campaigns and display an irreverent sense of humor.
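The workweek pattern described above can be tested against timestamped observations of an activity cluster. The following is an added example written for this page, not code from the report or its authors; it assumes a fixed UTC+3:30 offset (no daylight saving) and uses a constructed, hypothetical log of UTC event times.

```python
# Pattern-of-life check: do observed event times fit a Saturday-to-Wednesday
# workweek in Tehran local time better than the Monday-to-Friday week followed
# in most other regions? Added example; the sample events below are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Iran Standard Time is UTC+3:30. Iran applied daylight saving (UTC+4:30) in the
# years the report covers; the constructed sample is in January, so the fixed
# offset is correct for it. A real analysis must resolve the offset per date.
TEHRAN = timezone(timedelta(hours=3, minutes=30))

# Python weekday(): Monday=0 ... Saturday=5, Sunday=6.
SAT_TO_WED = {5, 6, 0, 1, 2}
MON_TO_FRI = {0, 1, 2, 3, 4}

# Constructed sample: UTC timestamps of observed activity during one week of
# January 2014 (2014-01-04 was a Saturday).
SAMPLE_EVENTS_UTC = [
    "2014-01-04T05:30:00Z", "2014-01-04T09:00:00Z", "2014-01-04T12:15:00Z",  # Saturday
    "2014-01-05T06:00:00Z", "2014-01-05T10:45:00Z",                          # Sunday
    "2014-01-06T05:15:00Z", "2014-01-06T08:30:00Z", "2014-01-06T13:00:00Z",  # Monday
    "2014-01-07T07:00:00Z", "2014-01-07T11:20:00Z",                          # Tuesday
    "2014-01-08T06:40:00Z", "2014-01-08T09:50:00Z",                          # Wednesday
    "2014-01-08T21:00:00Z",  # Wednesday in UTC, but 00:30 Thursday in Tehran
    "2014-01-10T10:00:00Z",  # Friday: an off-day outlier
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(events_utc: Iterable[str], tz: timezone = TEHRAN) -> list:
    """Convert UTC stamps to local time. The weekday is read from the local
    clock, which matters for evening events that cross midnight locally."""
    return [parse_utc(s).astimezone(tz) for s in events_utc]


def weekday_profile(local_events) -> Counter:
    """Count events per local weekday (0=Monday ... 6=Sunday)."""
    return Counter(ev.weekday() for ev in local_events)


def share_on_days(profile: Counter, workdays: set) -> float:
    """Fraction of all events that fall on the given set of weekdays."""
    total = sum(profile.values())
    if total == 0:
        return 0.0
    return sum(n for day, n in profile.items() if day in workdays) / total


def business_hours_share(local_events, start_hour: int = 8, end_hour: int = 18) -> float:
    """Fraction of events whose local hour lies within [start_hour, end_hour)."""
    if not local_events:
        return 0.0
    in_hours = sum(1 for ev in local_events if start_hour <= ev.hour < end_hour)
    return in_hours / len(local_events)


def classify_workweek(events_utc: Iterable[str], tz: timezone = TEHRAN,
                      margin: float = 0.15, min_events: int = 10) -> str:
    """Return 'sat-wed', 'mon-fri' or 'inconclusive'.

    The comparison is relative: because the two workweeks share Monday through
    Wednesday, a Saturday-to-Wednesday pattern is reported only when it fits
    clearly better than Monday-to-Friday. Small samples are always inconclusive.
    Timestamps may also reflect the clock of rented infrastructure rather than
    the operator, so this is one indicator among several, never proof of
    origin, and (as the report stresses) never proof of state sponsorship.
    """
    local = to_local(events_utc, tz)
    if len(local) < min_events:
        return "inconclusive"
    profile = weekday_profile(local)
    sat_wed = share_on_days(profile, SAT_TO_WED)
    mon_fri = share_on_days(profile, MON_TO_FRI)
    if sat_wed - mon_fri >= margin:
        return "sat-wed"
    if mon_fri - sat_wed >= margin:
        return "mon-fri"
    return "inconclusive"


if __name__ == "__main__":
    local = to_local(SAMPLE_EVENTS_UTC)
    profile = weekday_profile(local)
    print("weekday profile (0=Mon):", dict(sorted(profile.items())))
    print("Sat-Wed share:", round(share_on_days(profile, SAT_TO_WED), 3))
    print("Mon-Fri share:", round(share_on_days(profile, MON_TO_FRI), 3))
    print("business-hours share:", round(business_hours_share(local), 3))
    print("classification:", classify_workweek(SAMPLE_EVENTS_UTC))
```

The same profile can be extended with a holiday calendar (for instance a Nowruz window) to check for the dormancy the report describes.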

CRITERIA FOR INDEPENDENT ASSESSMENT
OF STATE INVOLVEMENT

Campaigns conducted against dissidents and others inside Iran provide the most direct evidence of government involvement. Whereas it can be difficult to trace the consequences of foreign espionage, for those on the ground the implications are more direct and tangible.62 As a pattern builds between cyber operations and the offline actions of security forces, the relationship between both becomes clearer.63 While these cases of collaboration are discernible in only a few threat actors, the patterns support a broader narrative around the intrusion ecosystem.64 Indications that Iranians undertaking offensive cyber operations are associated with the government include the following:


• The campaigns have been conducted based on information that appears to have been
provided by security agencies. In certain cases, the campaigns have been carried out in
coordination with government employees and in advance of the arrest of the target.

• The targets of such operations align with the sensitivities of the Islamic Republic,
and certain individuals are targeted repeatedly by multiple threat actors over time.

• Persistent and costly campaigns have been sustained against thousands of targets
without an apparent financial motive and without clear indication of the end use of
the data obtained by intrusion.

In rare cases, potential ties to the government are even disclosed by the participants themselves. A malware developer associated with the Rocket Kitten group, Yaser Balaghi, was identified by name based on a pseudonym found in the malware’s code. In a résumé from 2013, Balaghi listed past information security projects and a history of conducting hacking projects under contract to an otherwise unnamed “cyber-organization.”65 Balaghi is not alone in listing his hacking activities on his résumé; still other pseudonyms embedded in malware code used against Saudi Arabia and internal dissidents can be associated with LinkedIn profiles describing their experience as an “Information Security Researcher” with a “Secret” group.

To add a complication common in cybersecurity research, it is often difficult to distinguish commonplace electronic fraud from politically motivated disruptions and state-sponsored surveillance efforts, especially where the attacks are not sophisticated. In at least one case, Iranians who had staged persistent attempts against U.S. foreign policy organizations and two European foreign ministries had also maintained infrastructure linked with commercial banking fraud.66 In another example, the same social engineering skills used by an individual behind the Iranian Cyber Army defacements also proved successful in a career in the commercial theft of domains and PayPal fraud. More recently, in an indictment against an Iranian accused of attempting to extort HBO with stolen copies of unreleased television episodes in the summer of 2017, the U.S. Department of Justice claimed that the same individual had worked on behalf of the Iranian government to target military systems and Israeli infrastructure.67

Analyses of Iranian offensive cyber operations often rest on the country’s strict domestic controls as an indication of endorsement—that the government would not allow something to happen that it didn’t want to occur. However, Tehran’s controls are not so absolute, and many of the operations could occur surreptitiously given their simplicity. Cyber activity emanating from Iran could theoretically be conducted without the state’s sanction, consent, or even knowledge. Daily, millions of Iranians circumvent censorship using antifiltering tools that allow them to bypass network restrictions and encrypt their communications against surveillance. These tools provide space for Iranians to engage in actions against the government without persecution, and similarly can conceal cyber activities. Therefore, an Iranian origin does not alone indicate state sponsorship.

Nor does the financial damage resulting from an operation, the political implications of the campaign, or the number of targets necessarily directly correlate with the probability of government involvement. The destructive operations conducted against Saudi Aramco resulted in millions of dollars in damages, yet the malware was unsophisticated and the attack did not require significant resources, putting the incident plausibly within reach of a sole individual acting without sponsorship. Such straightforward metrics of harm, then, are poorly informative of the degree of governmental involvement in cyber activities originating from Iran.

GOVERNMENT ENTITIES AND THREAT ACTORS

The coordinated timing of cyber operations with politically motivated arrests is a strong indication of the Iranian government’s direct involvement. Since at least July 2014 a pattern has emerged: individuals in the custody of the IRGC are forced to provide access to their online accounts and devices, which are then immediately used to conduct spearphishing attacks associated with known threat actors.

A vivid example of this coordination is the case of Iranian-American Siamak Namazi, a forty-six-year-old Dubai-based energy consultant and previously a scholar at the Woodrow Wilson International Center for Scholars in Washington, DC. In October 2015, he was arrested by Iranian security forces months after having had his passport confiscated while visiting the country. Within hours of his arrest, Namazi’s Google and Facebook accounts initiated conversations with his wide array of foreign policy and media contacts. The intruder, pretending to be Namazi, sent contacts an article about the recent nuclear deal and in poor English solicited edits on the document. This message was accompanied by an email directing the target to a fake Google site requiring visitors to sign in to their account to view the document, a credential theft attempt connected to Rocket Kitten. Numerous individuals were compromised in this campaign, including scholars, U.S. State Department employees, and one prominent journalist whose Gmail account—which included communications with former U.S. secretaries of state, CIA directors, and other foreign ministers—was overtaken by the Iranian hackers for nearly two days.68 This pattern has been repeated in numerous cases involving other Iranians, dual nationals, and foreign nationals detained in Iran.


Cyber operations have also been documented in preparation for arrests.69 A prominent example of target selection prior to arrest is the case of Babak Zanjani, an Iranian-Danish businessman who had been personally sanctioned by the United States and European Union for involvement in Iranian sanctions evasion. After months of claims regarding his role in the embezzlement of oil revenue, a process that included a parliamentary investigation, at the end of December 2013 Zanjani was arrested and subsequently charged with “corruption on earth.”70 After an opaque judicial process, in March 2016 he was condemned to death, a sentence the Ministry of Justice indicated could be commuted if Zanjani cooperated in recovering Iran’s foreign assets.

A persistent effort targeted Zanjani’s personal accounts and business infrastructure in the weeks immediately preceding his arrest. Iranian threat actors sought access to Zanjani’s iCloud services and successfully compromised employees associated with his holding company, the Sorinet Group.71 These activities indicate that in advance of the arrest of Zanjani, the group (Flying Kitten) had acquired access to the confidential information of Sorinet subsidiaries and personnel; however, it is not clear whether any material accessed during this time was used in the investigation or prosecution of Zanjani. The case of Zanjani reflects a broader trend witnessed with other cases; Iranian threat actors frequently pursue online the types of individuals commonly persecuted by the Islamic Republic offline.

The association between Iranian-origin cyber activities and Iran’s intelligence agencies
is further supported by the fact that the data acquired during such operations is rarely
disclosed. The Navy Marine Corps Intranet breach, the Las Vegas Sands Corp. incident,
and the compromise of State Department employees have all led to the exfiltration of
substantial amounts of highly sensitive information. There is no indication of ulterior
motives, such as fraud, extortion, humiliation, or disclosure to the hardline press.72
The operations required costly infrastructure, including dedicated servers and dozens
of domain names, in addition to personnel time. The activities must have provided
some degree of income to their members, with the primary value being espionage. This
overarching trend points to probable relationships between certain threat actors and the
intelligence agencies, a business relationship that has been revealed when Iranians have
been indicted by the United States for hacking.


CHAPTER THREE

IRAN’S EXTERNAL TARGETS

Given Iran’s inability to effectively challenge or deter better-prepared opponents, it has employed opportunistic destructive attacks to demonstrate its ability to retaliate. Particularly in the Middle East, Tehran can implicitly threaten cyber operations against the poorly defended economic and infrastructure resources of its opponents in the event of hostilities. Indeed, the disclosed targets and victims of Iran’s regional cyber operations often include industries that appear to serve no other purpose than creating beachheads in rival countries, such as banks and airports.

The intended effects of disruptive operations can vary, ranging from intimidation to destruction for foreign targets, and from embarrassment to existential harm for domestic opponents. The targeting or compromise of systems can alone be sufficient to communicate Tehran’s willingness and capability to inflict damage on opponents. This echoes Iran’s occasional threat to close the Strait of Hormuz—through which nearly 60 percent of the world’s oil supply passes on any given day—during times of crisis. Given the opacity of the Iranian government, however, the intended messages and expectations being signaled from Tehran can be easily misinterpreted, risking unintended conflict or escalation.

Such destructive attacks are rare, however, compared to Iran’s espionage campaigns against foreign governmental and economic institutions. Increasingly these campaigns form not only the basis of retaliation during conflict but also an essential crisis response mechanism for handling emerging threats. For example, days after a September 2015 stampede killed over 450 Iranians attending the Hajj pilgrimage, domain names impersonating the Saudi government and Hajj Ministry were registered by known Iranian threat actors.73 As relations and communications rapidly deteriorated between the two countries, particularly over the fate of a missing diplomat, cyber espionage became an information gathering tool for Tehran.

Saudi Arabia aside, Denmark, Germany, Israel, and the United States are among the countries that have publicly disclosed espionage attempts by Iranian groups against their government, military, or scientific institutions.74 Tehran also targets neighboring countries throughout the Middle East. Despite the various threat actors that operate on behalf of the Iranian government, their behavior patterns—including whom they target—are generally consistent over time.

THE UNITED STATES AND EUROPE

In September 2012, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters announced it had begun a campaign of DDoS attacks against the U.S. financial sector. Prior to the campaign, the culprits had exploited vulnerabilities in the software of thousands of websites in order to create an attack platform under their control. With this army of servers located within well-connected hosting companies, the attackers could deluge their targets with high volumes of malicious traffic. In the first phases of Operation Ababil, the group targeted the U.S. banking infrastructure. Unprepared for such a volume of traffic (the U.S. Federal Bureau of Investigation stated the highest rate observed approached 140 gigabits per second, three times the capacity of the banks at the time), the victims’ databases and systems crashed from the dramatic increase in requests.

Subsequent phases of the campaign were less effective as the financial sector steadily improved its defenses. By the fourth attempted attack, in July 2013, little visible impact resulted. Still, by the FBI’s account, Operation Ababil locked hundreds of thousands of banking customers out of accounts for long periods of time and resulted in tens of millions of dollars in costs to remediate. An NSA briefing document also made clear the motivation for Operation Ababil: “[Signals intelligence] indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”75


Operation Ababil remains the most destructive Iranian attack on the United States. While the International Atomic Energy Agency (IAEA) alleged that Tehran had electronically surveilled and tampered with the devices of visiting nuclear inspectors in 2011, little had been known about Iranian cyber espionage prior to 2012.76 That summer provided the first public indication that Iranian threat actors had staged campaigns to spy on rivals.77 The Madi malware campaign was reported to have compromised up to 800 victims over the course of a year. The countries and entities targeted were a harbinger of future Iranian cyber operations, including oil companies, U.S. think tanks, government agencies, engineering firms, financial institutions, and academia.

Several Western countries have provided evidence of
Iranian cyber operations in indictments and security
reports. In addition to Operation Ababil, Iranians
were alleged to have gained access to the unclassified
Navy Marine Corps Intranet, a system used to store
unclassified information and communications, for several months starting in August
2013.78 In the 2016 edition of an annual Ministry of Interior security assessment, the
German government cited Iran as a new source of cyber espionage against the country,
a disclosure that aligned with reports that the Bundestag had been affected by a malware
operation that targeted visitors of the Israeli newspaper Jerusalem Post.79

Overall, however, cases of successful Iranian intrusions into American and European governmental infrastructure are rare, particularly highly secured, classified networks. Government agencies are typically hardened beyond the capability of Iranian threat actors to penetrate them. Consequently, Iranians have sought softer U.S. targets, launching spearphishing attempts on the personal email and social media accounts of U.S. government employees. While personal accounts are less likely to contain classified government information, they are also less likely to be properly secured, and often contain useful information such as private material and traces of professional communications.

For example, Iranians attempted to compromise the personal email accounts of members of the American team during the nuclear negotiations.80 Similarly, after the 2016 U.S. presidential election, Iranian threat actors focused on former Obama staff, Republican members of Congress, supporters of Donald Trump’s campaign, conservative media organizations, and nominees for political appointments in an apparent attempt to acquire intelligence on the new administration.81 More recently these spearphishing campaigns have targeted critics of Iran in the U.S. Congress while new sanctions have been under consideration.


Tehran tends to target the foreign government personnel and agencies that focus on Iran, namely those in the United States or Europe who work on Iran policy or within Persian-language media, including Voice of America television and Radio Farda. Iranian threat actors have used the compromised accounts of prominent Iranian-Americans, international businessmen, and other dual nationals arrested by the IRGC to impersonate them and target the private email accounts of U.S. State Department personnel connected to Iran policy.

In contrast to the release of private emails by WikiLeaks during the 2016 U.S. election, which leveraged stolen emails for information warfare, Tehran’s compromise of State Department employees’ emails did not lead to visible sabotage or the disclosure of embarrassing material. While there have been dozens of attempts to target a wide array of American politicians and government employees, these intrusions were mostly opportunistic attempts that did not appear to escalate into more sophisticated operations.

Following the 2015 nuclear agreement, the incidence of covert action and retaliatory attacks between Washington and Tehran decreased. Reports of disruptive cyber operations against U.S. and Iranian infrastructure diminished, as Tehran focused more on domestic political opponents and regional adversaries, such as Israel and Saudi Arabia. Just as Operation Olympic Games provided Washington the ability to coerce Iran without direct military intervention, Tehran now engages in offensive cyber operations to project its regional power.

SAUDI ARABIA

No other country appears to have been the subject of as many offensive cyber operations from Iranian state-sponsored threat actors as Saudi Arabia. The two countries are ethnic (Arab vs. Persian), sectarian (Sunni vs. Shia), and above all geopolitical rivals, on opposing ends of bloody proxy wars in Iraq, Syria, and Yemen and fierce political battles in Bahrain and Lebanon. Relations between Tehran and Riyadh have often been tense since the 1979 Islamic Revolution, and formal diplomatic ties have been suspended intermittently due to political disputes. Most recently, in January 2016, Saudi Arabia closed its Tehran embassy after it was ransacked by an Iranian-government-sanctioned mob.

Since the start of Iran’s cyber operations, Saudi political and economic institutions have been compromised by Tehran for purposes of both espionage and disruption. In various reports on Iranian malware and credential theft campaigns—attempts to acquire passwords or account recovery information—Saudi Arabia has been one of the most common sources of victims and targets. This pattern reflects the two countries’ profound geopolitical and ideological disputes (intent), and Saudi Arabia’s continued vulnerabilities in cyberspace (opportunity).

Iran’s August 15, 2012, attack on Saudi Aramco during the Muslim Eid holiday (and a similar attack against Qatar’s RasGas Company two weeks later) is a prime example of how Iran uses offensive cyber operations to retaliate against foreign adversaries. As covert actions by foreign actors targeted Iran’s nuclear and oil infrastructure, previously unknown groups began staging disruptive attacks against economic infrastructure in Saudi Arabia and the United States, portraying themselves as independent hacktivists motivated by nationalism and Islamic values.

To avoid attribution, retaliatory acts were conducted using cutouts that provided them plausible deniability. In the Shamoon attack, known by the name given to the malware, tens of thousands of Saudi Aramco computers were compromised, causing tens to hundreds of millions of dollars in damage. One group, self-identified as the Cutting Sword of Justice, claimed responsibility for the attack, which overwrote the hard drives of Aramco computers with the image of a burning American flag, causing embarrassment to the company. Unlike the cyber operations conducted against Iran by foreign entities, the retaliatory attacks carried out by Tehran sought maximum visibility.

Initial analysis of the incident found that Shamoon was likely inspired by the Wiper malware that had targeted Iran in April 2012, given both destroyed stored data as a method of sabotage. Tehran was potentially motivated by retaliation for cyber operations against its oil production infrastructure. Shamoon’s message appeared clear: Iran may not always be able to defend itself against more advanced cyber capabilities, but it can impose substantial retaliatory costs against U.S. allies.

The tit-for-tat cycle of covert destructive attacks and symbolic retaliation seen with Shamoon and Ababil reflects Iranian security tactics witnessed in offline hostilities. Between 2010 and 2012, for example, several Iranian nuclear scientists were assassinated under mysterious circumstances, allegedly by the United States or Israel.82 In apparent retaliation, Tehran attempted, unsuccessfully, to assassinate Israeli officials in unexpected places like Georgia, India, and Thailand. This cycle, a recurrent theme in Iran’s covert actions, showed Tehran’s ability to learn from attacks and retaliate in a similar fashion, providing a potential framework for understanding its signaling and motivations in conducting disruptive cyber operations.83

Compared to Iran’s other adversaries (namely the United States and Israel), Saudi governmental and economic institutions have yet to sufficiently implement systems and protocols to increase national cybersecurity. Iranian actors have targeted a broad range of economic, military, and political institutions in Saudi Arabia—including Saudi Aramco and its foreign partners, the King Faisal Foundation, the Ministries of Commerce and Foreign Affairs, the Saudi Stock Exchange, and even Saudi Arabian human rights advocates. Researchers have documented multiple cases in which Saudi companies and organizations were compromised, in one event leading to the exfiltration of vast sums of archival proprietary data spanning multiple years from one industrial development corporation.84

Weak Saudi cyber defenses have not only made the country vulnerable to Iranian coercion but also made Riyadh a soft target for Tehran’s retaliation against destructive cyber operations performed by third countries. If Iran cannot cause significant damage to the United States during times of conflict, then damaging the economic institutions of American allies will suffice.

The campaign of coercive pressure continues as well: the Saudi Ministry of Defense and
other networks sustained DDoS attacks at the same time as the attack on the embassy.85
When the Shamoon malware agent used in the Aramco incident reappeared in an
updated form (labeled as Shamoon 2 by researchers) from November 2016 to January
2017, it destroyed databases and files belonging to both the government and private
sector, including the General Authority of Civil Aviation, the Ministry of Labor, the
Saudi Central Bank, and natural resource extraction companies.86 Shamoon 2 contained
references to Yemen and overwrote the victims’ hard drives with an image of the drowned
Syrian refugee child Alan Kurdi, once again signaling the attacks were retaliation for
Saudi policies in Syria and Yemen.87

ISRAEL

One of the consistent pillars in Iran’s foreign policy has been opposition to Israel’s existence and support for anti-Israeli militant groups, such as Hezbollah, Hamas, and Palestinian Islamic Jihad. Despite this, however, Tehran has been far less successful in cyber operations targeting Israeli institutions for disruption and espionage. The documents used as bait in the Madi operation were commonly written in Hebrew or referenced Israeli security policies, and researchers have documented fifty-four compromised entities in Israel during that campaign.88 During the conflict between Israel and Gaza in the summer of 2014, known as Operation Protective Edge, authorities claimed that the Israel Defense Forces’ infrastructure was targeted by DDoS attacks launched by a wide range of belligerents, including Tehran.89 These DDoS attacks would align with the known capabilities of Iranian threat actors, including the tactics used against the United States and dissidents.

Despite a history of DDoS attacks and defacements of Israeli websites, Tehran’s ability to inflict major costs on Israel through cyber operations has thus far been limited and perhaps diminishing.90 Given the sophistication of Israel’s cyber defense, Tehran has been forced to focus mainly on soft targets, for narrow espionage opportunities and the potential disruption of civilian resources in the event of conflict.

Iranian targeting of Israelis, like U.S. nationals, emphasizes individuals focused on Iran and regional policies. Tehran has engaged in spearphishing attempts against academic institutions, national security officials, diplomats, members of the Knesset, and Israeli aerospace companies. Similarly, Iranian actors have commonly created malicious domains that have emulated those owned by the American Israel Public Affairs Committee (AIPAC) and have targeted employees of both liberal and conservative Jewish organizations in the United States and elsewhere.

While Iran has had some success in compromising smaller civilian institutions, it has not
visibly attempted to use these breaches coercively. The lack of immediate weaponization
of breaches is demonstrative of how strategic calculations shape outcomes. The destruc-
tion of banking information or medical data over nonexistential challenges to the Islamic
Republic is perhaps not worth inviting retaliation from Israel (a threat that Saudi Arabia
lacks). Tehran’s desire for signaling a credible retaliatory threat against Israel through of-
fensive cyber operations may also be sufficiently served by the mere compromise of such
institutions. Cyber capabilities have certainly not altered the power dynamics between
Iran and Israel, and the difference in technical capacities likely shapes Iran’s posture
toward its adversary.

REGIONAL ALLIES AND ADVERSARIES

While Tehran’s disruptive cyber operations in the region have primarily targeted Saudi
Arabia, multiple Iranian threat actors have been observed targeting nearly every Middle
Eastern, North African, and bordering country. For example, Magic Kitten successfully
compromised victims across the Middle East and South Asia.91 This pattern has been
repeated during Madi and subsequent operations up to the present.

Cyber espionage has provided Tehran further insights about its often politically unstable
neighbors. Iranian threat actors have shown a recurrent interest in the infrastructure
of neighboring countries, including Afghanistan’s National Radio, Ministry of Educa-
tion, and government network.92 Other indicators also suggest an interest in Pakistan’s
and Afghanistan’s security and defense organizations.93 Fictitious social media profiles
and spearphishing campaigns have commonly targeted Iraqis, notably engineers within
telecommunications networks and political elites. Iranian groups have also maintained an
extremely active interest in the political institutions of Iraqi Kurdistan.94

In addition, multiple Iranian threat actors have engaged in spearphishing attempts
against dozens of individuals affiliated with human rights organizations, political move-
ments, and independent media outlets in Yemen, where Tehran is engaged in a proxy war
with Saudi Arabia.95 The Israeli cybersecurity company ClearSky found that 11 percent
of the targets of one Iranian credential theft campaign (Rocket Kitten) in 2015 were
connected to Yemen. These operations specifically support Iran’s position in the Yemeni
conflict, with recent attempts targeting prominent critics of the Houthis, the Shia Mus-
lim group that Iran has been supporting in the country’s civil war.

Iranian actors have also reportedly targeted Syrian opponents of President Bashar al-Assad’s
regime in limited cases, including exiled Syrian dissidents.96 There has been speculation
that Iran has also supported the offensive cyber operations of its traditional allies Syria
and Hezbollah, notably after Syrian dissidents became the target of sustained malware
campaigns starting in 2012. Yet there is only limited evidence of technical cooperation,
and little reason why either would be dependent on Iran for capabilities.

While there are credible indications that Tehran has provided Syria traditional electronic
warfare equipment, the Assad regime apparently didn’t require extensive help with developing
offensive cyber capabilities. An indigenous ecosystem of hackers organized by Assad’s
relatives has proven effective at targeting the regime’s opponents from early into the civil
war. Small groups of hackers in Syria have typically used spyware that is popular among Arab
hacking communities against opponents of Assad. Conversely, while little is known about
Hezbollah’s offensive cyber capabilities, in one 2015 report that described their malware
and operations, the Lebanese group had seemingly outpaced its Iranian patron.97

The lack of external evidence of cooperation does not preclude other coordinated efforts
or intelligence sharing, but basic cyber operations are easier than electronic warfare—such
as signal jamming, radar collection, and signal location—or other military domains that
require a defense industrial base.98 None of the known capabilities or incidents involved
specialized knowledge that required external support, and all have independent profiles on
how their operations are conducted. Iranians have not used the same commodity spyware
as Syrian groups, suggesting that pro-Assad groups owe more to local hacking scenes than
other states. Moreover, Iran’s lack of cooperation with allies or friendly foreign powers may
reflect other factors influencing decisions to share resources. Allies still spy on allies: Iran
could also want to withhold its toolkit to provide some oversight in contentious situations,
such as monitoring the stability and loyalty of the Assad regime.

COMMERCIAL TARGETS

Unlike China, Iran has limited use for commercial espionage given its lack of an indus-
trial production sector that could utilize stolen intellectual property. Iran’s industrial
espionage activities serve to boost its commodities industries and military technological
prowess rather than its domestic manufacturing sector. Nor has Iran attempted to offset
the impact of economic sanctions through large-scale financial crime, as North Korea ap-
pears to do.99 Based on public reports and directly observed campaigns, the commercial
entities targeted by Iranian threat actors typically fall into four categories:

• Aerospace and civil aviation

• Defense industrial base and security sector

• Natural resources and extractive industries

• Telecommunications firms

Evidence of Iran’s interest in the theft of defense secrets comes from several cybersecurity
reports, observed incidents, and U.S. indictments. Nima Golestaneh, an Iranian national
extradited to the United States from Turkey, pleaded guilty to supporting the October
2012 hack of Vermont-based defense company Arrow Tech Associates in an operation to
acquire copies of their weapon system simulations to sell the software to Iranian govern-
ment and military entities.100 This would prove to be a harbinger of later efforts.

In early 2014, in parallel to targeting Iranian women’s development programs and others,
one threat actor (Flying Kitten) impersonated a website for an aerospace systems conference
to spread malware to defense contractors, a tactic still used against the industry today.
Another Iranian threat actor over the course of 2015 to 2016 repeatedly created phony
corporate websites for Oshkosh Corporation, an American defense company, to capture
credentials from its private internal business network, and continued to target aviation
companies, including jet engine manufacturers and satellite companies. Reports of attempts
of military espionage by Iranian threat actors are extremely common and include a broad set
of industries, most notably aerospace technologies.
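The brand-impersonation tactic described here and in the AIPAC passage above (lookalike domains and phony corporate sites used to harvest credentials) is something a defender can watch for in newly registered domain and certificate-transparency feeds. The following Python is an added illustration, not the report’s or any vendor’s code: it folds common homoglyph substitutions and decoy tokens such as mail- or -portal out of a candidate label before comparing it with a protected brand list; the brand list, decoy tokens, edit-distance thresholds and sample domains are all constructed assumptions.

```python
"""Score domain names against protected brand labels to flag lookalikes.

Added defensive illustration for the brand-impersonation tactic the report
describes (domains emulating AIPAC, phony Oshkosh Corporation sites). The
protected-brand list, decoy tokens, thresholds and sample domains below are
constructed assumptions, not indicators taken from the report.
"""
from __future__ import annotations

# Characters commonly swapped for look-alikes; both the candidate label and
# the brand label are folded through this table before comparison.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "i", "l": "i", "3": "e", "5": "s",
    "7": "t", "8": "b", "@": "a", "$": "s",
})
# Two-letter sequences that read as a single letter at a glance.
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Registrable brand label -> legitimate apex domain (constructed sample list).
PROTECTED = {"aipac": "aipac.org", "oshkoshcorp": "oshkoshcorp.com"}

# Tokens glued onto a brand label to make a host look like a corporate portal.
DECOY_TOKENS = ("webmail", "mail", "login", "secure", "portal", "sso", "account", "careers")


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix, e.g. 'x.aipac-org.com' -> 'aipac-org'.

    Simplification: assumes a one-part suffix, so it is wrong for co.uk-style TLDs.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold homoglyphs and drop separators so visual twins compare equal."""
    s = label.lower().translate(HOMOGLYPHS)
    for seq, rep in MULTI_GLYPHS:
        s = s.replace(seq, rep)
    return s.replace("-", "").replace("_", "")


def strip_decoys(folded: str) -> str:
    """Peel (folded) decoy tokens off either end of an already-folded label."""
    tokens = [normalize(t) for t in DECOY_TOKENS]
    changed = True
    while changed:
        changed = False
        for tok in tokens:
            if folded.startswith(tok) and len(folded) > len(tok):
                folded, changed = folded[len(tok):], True
            if folded.endswith(tok) and len(folded) > len(tok):
                folded, changed = folded[: -len(tok)], True
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, protected: dict[str, str] = PROTECTED):
    """Return (brand, reason) if `domain` impersonates a protected brand, else None.

    The legitimate apex and its own subdomains are never flagged.
    """
    d = domain.lower().rstrip(".")
    for legit in protected.values():
        if d == legit or d.endswith("." + legit):
            return None
    folded = strip_decoys(normalize(registrable_label(d)))
    for brand in protected:
        canon = normalize(brand)
        if folded == canon:
            return brand, "homoglyph_or_decoy_token"
        if canon in folded:
            return brand, "brand_embedded"
        # One edit for short brands, two for long ones; tune against your false-positive rate.
        if levenshtein(folded, canon) <= (1 if len(canon) <= 6 else 2):
            return brand, "edit_distance"
    return None


def scan(domains: list[str]) -> list[tuple[str, str, str]]:
    """Return (domain, brand, reason) for every candidate that is flagged."""
    hits = []
    for dom in domains:
        verdict = assess(dom)
        if verdict:
            hits.append((dom, *verdict))
    return hits


# Constructed candidates, as they might arrive from a new-domain or CT-log feed.
SAMPLE_DOMAINS = [
    "aipac.org", "webmail.aipac.org", "a1pac-mail.com", "aipacs.org",
    "aipec.org", "oshk0sh-corp-portal.net", "example.com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_DOMAINS):
        print("%-28s -> impersonates %-12s (%s)" % hit)
```

A flagged domain is a lead for a takedown request or a blocklist entry, not proof of malice; legitimate resellers and fan sites trip the same heuristics.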

Yet these operations appear to have had limited success. Given their involvement in the
defense industry, coupled with related concerns about Chinese industrial espionage,
companies like Oshkosh prioritized information security in ways that NGOs have not.
Consequently, while there is indication that employees are commonly targeted, even
compromised, reports of the theft of highly sensitive defense secrets by Iran are rare.

The targeting of defense companies is also motivated by regional politics rather than
solely theft of military technologies. Several defense industry companies targeted by Ira-
nian threat actors, including Oshkosh Corporation, are substantially involved in provid-
ing security and military assistance to Saudi Arabia and other Gulf states. Many of the
American companies—including Oshkosh Corporation—that were designated by the
Iranian Ministry of Foreign Affairs in March 2017 under retaliatory human rights sanc-
tions for their involvement with the Israeli military have also been targeted by Iranian
cyber operations.101

As in other areas, it is difficult to derive intent purely from who was targeted or im-
personated. In certain cases, it appears Iranian threat actors have compromised Middle
East–based information technology consultants in pursuit of the governments or busi-
nesses who are their clients. These operations often target company employees based in
the Middle East, potentially to acquire information on the military capabilities of rivals
or access to other targets (such as supply-chain attacks). One more recent campaign
masquerading as Boeing and Northrop Grumman appeared focused on Saudi Arabia’s
military and commercial aviation sectors.102

Similarly, Iran’s targeting of telecommunications firms, banks, and civil aviation compa-
nies could provide them a foothold in critical infrastructure, one that could potentially
cause substantial economic harm and even endanger lives. Thus far, however, Tehran ap-
pears to have used such targeting for reconnaissance purposes, mirroring other countries’
cyber activities.103 However, there are legitimate reasons to be concerned that Tehran’s
intention in targeting critical infrastructure is to hold social and economic assets in ad-
versarial countries at risk in the event it needs to escalate or retaliate during conflict.

CHAPTER FOUR

IRAN’S INTERNAL TARGETS

The history of Iranian offensive cyber operations has demonstrated that the same threat
actors responsible for espionage against the private sector engage in surveillance of hu-
man rights defenders, and with considerably more success, given the latter’s resource
constraints. Through the lens of such attacks, the relationship between Iran-originated
cyber activities and the government as well as the motivations for such operations are
made clearer. These communities foreshadow the tactics and tools that will be employed
against other targets, and increased information will enable more effective education and
mitigation strategies.

While the internet has afforded Tehran’s security agencies new possibilities for surveilling
and intercepting the communications of its citizens, concurrent information technolo-
gies also limit the reach of the state. Iran was one of the first countries in the Middle East
to connect to the internet, and as a result over half of the population was frequently us-
ing the internet as of March 2017.104 Iranian internet users have been quick to embrace
social media and chat applications in large numbers as forums where there are more
social freedoms.

As Iranian citizens have moved their communications to internet platforms hosted out-
side Iran and protected their communications from eavesdropping by using encryption,
they have also evaded the more traditional means by which Iranian law enforcement and
intelligence agencies perform surveillance.105 Whereas local hosting providers and social
media could be compelled to remove content and disclose account ownership informa-
tion, platforms hosted outside Iran are beyond the direct reach of the state.

The Iranian government has sought to compel foreign firms to comply with requests for
user data, without great success.106 Domestic alternatives to foreign services, supported
by the state under its national internet plan, have failed to attract significant adoption
(Iranian officials themselves tend to use communication tools and social media applica-
tions developed in the United States).107 Moreover, millions in the Iranian diaspora—
many of whom left Iran because of state repression—live in countries with no security
cooperation agreement with Tehran and are less inclined to communicate over insecure
Iranian platforms. As a result, in contrast to the first two decades after the revolution,
Iranians’ communications and personal activities are increasingly out of the state’s reach.
This dynamic has fundamentally altered the nature of state controls.

The Iranian government has struggled to respond to the challenges posed by the internet
to the state’s information and communication monopoly. Among their first responses
was mandatory content filtering, which entailed blocking access to any sites considered
pornographic, antireligious, or politically subversive. With the increased availability of
circumvention tools, however, filtering became less effective. Subsequently, basic offen-
sive cyber operations, such as disrupting adversarial sites during the Green Movement,
gave the regime the ability to reassert some control over information flows and project
the illusion of the Islamic Republic’s dominance over the internet.

Iranian cyber operations are highly adaptable as the online platforms and tools used by
the public change. For example, after Iranians shifted to Telegram because of its unfil-
tered public chat feature and security claims, so too did the attention of Iranian threat
actors. Alongside credential theft operations targeting Telegram users, one threat actor
appears to have gone as far as mapping all the Telegram accounts connected with Iranian
telephone numbers. This information-gathering operation had deeper ties to efforts to
target the chat application’s users and aligned with recurrent arrests of administrators
from critical Telegram groups. This learning process is repeated elsewhere, including for
mobile phones and Macintosh computers.108

Across discrete sets of threat actors and different periods of time, state-aligned offen-
sive cyber operations routinely focus on similar classes of targets, primarily:

1. Government officials

2. Reformist politicians

3. Media professionals

4. Religious minorities

5. Cultural figures

6. Opposition groups, terrorist organizations, and ethnic separatist movements

GOVERNMENT OFFICIALS

Numerous Iranian threat actors have sought to compromise members of Hassan Rou-
hani’s government, the administration of former president Mahmoud Ahmadinejad, and
the state’s bureaucratic institutions. The operations target not only government officials
but also their relatives, including a sustained campaign directed against Rouhani’s imme-
diate and extended family (particularly his brother and adviser, Hossein Fereydoun).109
Magic Kitten, the earliest known threat actor, from the outset engaged in intrusions of
the Islamic Republic of Iran Broadcasting state television network and the Center for
Strategic Research, the think tank research arm within the Iranian government’s Expedi-
ency Council that was headed by Rouhani at the time.

Campaigns targeting the Iranian government are ongoing. The targeting of members of
government—individuals that have already been vetted by the regime—reflects the im-
portance of cyber surveillance as a tool of the hardline security establishment to monitor
potential rivals for power and accrue sensitive information about people’s lives that could
potentially be used for blackmail or humiliation.

The Iranian Ministry of Foreign Affairs provides the most prominent and visible example
of intergovernmental spying. Iranian diplomats have been frequent targets of spearphish-
ing attempts conducted by IRGC-affiliated threat actors since the beginning of the
Rouhani administration. These activities align with accusations in the hardline press that
the nuclear deal betrayed Iranian interests.110 The hacking attempts also mirror a history
of arrests and pressure brought to bear on members of the diplomatic service accused of
spying, including the August 2016 detention of Abdolrasoul Dorri-Esfahani, who served
on Iran’s nuclear negotiating team for the JCPOA.111 Whereas diplomacy requires inter-
acting with officials from foreign governments and external experts, these contacts can
quickly be portrayed as engaging in espionage for foreign powers.

While Foreign Minister Javad Zarif and other figures have been the targets of social
media defacements and threats, the campaigns conducted by the indigenous threat actors
outlined in this report differ in their intent from simple hacktivism or vandalism. The
objective is the collection of personal information from private accounts on interna-
tional platforms and the monitoring of intimate political and professional networks of
government officials.112 These tactics include the typical credential theft attempts against
personal email accounts seen elsewhere; however, special effort has been made to com-
promise government officials and their family members through elaborate deception
and by using privileged resources.113 Once compromised, those accounts have been then
turned on their diplomatic contacts and peers. Zarif, and other senior diplomats, have
been repeatedly impersonated and targeted by different IRGC-affiliated threat actors, as
early as 2013 and as recently as February 2017.114

The diplomatic core is not the only target of intragovernmental spying: several cabinet
officials of the Rouhani administration have had their personal email accounts targeted
and compromised.115 The cyber operations conducted by Iranian threat actors have
extended beyond immediate members of government to target members of the Shia
religious establishment, which undergirds the state’s ideology and political affairs. Cam-
paigns have compromised multiple individuals located in Qom, the center of Iranian
religious matters, including hosts within the Center for Services of Islamic Seminaries
and Islamic Propagation Office of Qom.

REFORMIST POLITICIANS

The accounts of Iranian reformers are a primary target for Iranian threat actors. Though
reformers profess loyalty to the revolution and the Islamic Republic, they favor less state
intervention in society and a less confrontational foreign policy, prioritizing the country’s
national interests before revolutionary ideology. Consequently, they have been increasingly
purged from Iranian politics and there is a media and travel ban against their most promi-
nent leader, former president Mohammad Khatami (who served from 1997 to 2005).116

After the Green Movement, associates of the former reformist presidential candidates
Mehdi Karroubi and Mir-Hossein Mousavi were aggressively targeted by the regime
to try and stifle their activities, even those who had fled under threat of prosecution.
Unwilling to allow a repeat of the Green Movement, the regime tightened information
controls in the run-up to the 2013 presidential election of Hassan Rouhani. Access to
popular anticensorship tools was cut off, and internet speeds were throttled until after
the election results were announced.117 During this time, several Iranian actors began to
concurrently target the accounts of Iranian political dissidents.118 Offline, the families of
international Persian-language media employees were harassed, and reporters inside Iran
were subject to censorship or arrest.119

One of the first known cases of politically motivated hacking in Iran was when the blog
of Mohammad-Ali Abtahi, the former vice minister of the Ministry of Culture and
Islamic Guidance under Khatami, was defaced after he wrote about the arrest of bloggers
in 2005.120 Since then, Abtahi has been repeatedly targeted and impersonated by differ-
ent Iranian threat actors in credential theft and social engineering operations.121 Abtahi’s
experience is emblematic of such group’s priority on reformists. Public figures in the re-
formist movement from all different segments of society and politics have been targeted.
Not only the overtly repressed activists connected to Khatami, Karroubi, and Mousavi
but former government officials, religious scholars, politicians, and professors.

The cyber operations against reformists have been broad, successful, and frequent. One
threat actor maintained access to a computer used by a reformist cleric and a deputy at a
prominent Iranian university for months, watching him conduct political operations and
media interviews.122 Similarly, in December 2015 the Facebook account of Gholam Ali
Rajaee, a political activist close to former president Akbar Hashemi Rafsanjani, was used
to spearphish the accounts of journalists and others.123 The previous year, that same
threat actor, Rocket Kitten, had also successfully compromised a number of former
parliament members and other reformists in the diaspora, some of whom were later arrested.

Young activists mobilizing for reformists were targeted
with malware and credential theft operations in the
lead up to the February 2016 parliamentary election,
particularly those connected to female candidates. The targeting often aligns with offline
pressure from the IRGC and Intelligence Ministry: when the office of one reformist close
to Rouhani was raided in May 2017, he was targeted in repeated spearphishing attempts.
Despite the ascent of moderates to more positions of power, reformists remain a primary
target of the government’s cyber capabilities.

MEDIA PROFESSIONALS

Iranian cyber operations have repeatedly focused on journalists working with reformist
media outlets and international satellite broadcasters that fall immediately outside the
strict state-sanctioned narratives. Multiple Iranian threat actors conducted numerous
credential theft attempts, using fake service notifications, against Iran-based foreign cor-
respondents and Iranian journalists working for prominent publications such as Shargh
and the Iranian Labor News Agency. Similarly, freelance reporters inside Iran are fre-
quently compromised through fictitious personas that send them malware purporting to
be news content. These campaigns have often targeted publications that would later be
closed and journalists who would be detained by Iranian security forces. These incidents
are also often timed with elections, normally periods when the government has more ag-
gressively prosecuted journalists.

The case of Jason Rezaian, the Washington Post’s former correspondent in Iran, is
illustrative of state-aligned threat actors’ focus on foreign press working in Iran. Before
his arrest on July 22, 2014, and eighteen-month imprisonment by the IRGC, Rezaian had been
the target of concerted intrusion efforts by Flying Kitten. The threat actor attempted to
compromise Rezaian’s Hotmail and Gmail accounts on multiple occasions through credential
theft attempts launched from fictitious security addresses; these attempts warned of spam
being sent from the account and of other hacking threats. The emails were not themselves
technically sophisticated, as the English used in the messages was poor and the approach
was amateurish. However, the behavior in these incidents was unique in that Rezaian’s
accounts were singled out from a small set of targets several months prior to his arrest.

RELIGIOUS MINORITIES

Iranian religious minorities are obvious targets of the Iranian security forces, most
notably adherents of the highly persecuted Baha’i faith, who have long been accused of
promoting conspiracies against the Islamic government.124 With the widespread adoption
of the internet, the Baha’i leadership, based mostly in the United States and Haifa, Israel,
enjoyed new organizational and communication opportunities otherwise denied to them
offline. Those same technologies, however, also gave the Iranian state new capabilities for
intelligence gathering and propaganda dissemination against the Baha’i.

In April 2014, the Gmail account of a former director of external affairs for the U.S. Baha’i
organization was accessed from inside Iran. The director had a history of international
advocacy on behalf of the Baha’i Assembly that included testifying before Congress on the
status of religious minorities in Iran. This made her a natural target for Iran. Fictitious
LinkedIn and social media profiles previously employed against the U.S. defense industry,
including one claiming to be former UN ambassador John Bolton, were used to target the
Baha’i director with credential theft attempts posing as reports on religious persecution.

Prominent members of the faith, including the diaspora relatives of imprisoned Baha’i
leaders in Iran, continue to be subjected to sustained cyber operations. Similarly, cutout
groups as recently as February 2017 defaced Baha’i sites with pro-regime propaganda
coinciding with events such as the anniversary of the Islamic Revolution. The ongoing
targeting of the Baha’i and the defacement of their sites underscores the Iranian regime’s
concern with organizations it perceives as subversive and its use of disruptive attacks to
buttress the ideological agenda of the state.

The religious targets of Iranian cyber operations have not been limited to aggressively
marginalized groups such as the Baha’is but also include recognized religious commu-
nities such as Christians, Jews, Zoroastrians, and Sunni Muslims. In one example, a
mainstream Jewish community leader in Tehran was compromised through malware and
surveilled as he went about coordinating events and managing a local religious publica-
tion. Still other spearphishing campaigns have routinely targeted evangelical Christian
converts, atheists, or new age religious sects. More broadly, a malware campaign posing
as information on the persecution of Christian converts was sent to human rights orga-
nizations, and fictitious profiles have posed as religious minorities to infiltrate evangelical
Persian-language networks.125

CULTURAL FIGURES

Iran-originating spearphishing campaigns have also targeted Iranian cultural figures—in-
cluding artists, musicians, comedians, cartoonists, and satirists—regardless of whether
they reside in Iran or abroad.

These campaigns have included the targeting and compromise of social media and email
accounts for the Germany-based musician Shahin Najafi, multiple pop stars that left Iran
after the Islamic Revolution, a Persian-Israeli singer, and an Iranian-born female metal
musician based in the United States, among others. There have also been intrusions into
devices and accounts associated with less prominent underground artists inside Iran and
networks of fictitious social network profiles connected with Iranian death metal rock
bands and hip-hop groups. These themes of targeting famous pop musicians and their
staff—both inside Iran and abroad—are recurrent and do not focus solely on individuals
critical of the establishment.

Iranian security forces have publicly acknowledged their operations to identify individuals
involved in “immoral behavior” online. In January 2016, several Iranian fashion models
popular on social media were arrested for their activities online and forced to delete their
accounts, an effort labeled by the IRGC as Operation Spider. At the same time, the arrests
of employees of the foreign-based AAA Music television channel led to their social media
accounts being defaced with a message, purportedly from the Ministry of Intelligence,
about the illegality of the network. In interviews with and public statements by those
rounded up in Operation Spider, these individuals were commonly operating openly, and
the defacements were conducted after they were forced to hand over passwords.

Operation Spider was not the first of its kind: the activities of Flying Kitten suggest an
earlier interest in surveillance of the Iranian fashion industry.126 In early 2014, the
threat actor compromised the computer of a social media model that was popular for
portraying a fashionable lifestyle without wearing the state-mandated hijab.127 After the
intrusion she retreated offline, stopped logging on to modeling sites, and deleted her
Facebook account. Her image was also appropriated for further operations against other
communities. The opaque nature of campaigns such as Operation Spider obscures how Iranian
authorities track down people like online models. However, incidents such as the Flying
Kitten compromise and the infiltration of LGBT-support networks and sex worker social
media communities by others suggest a relationship between both efforts.

OPPOSITION GROUPS, TERRORIST ORGANIZATIONS, AND ETHNIC SEPARATIST MOVEMENTS

Despite its labeling of civil dissent as a threat to national security, Iran does face real
threats of terrorism and organized crime from nonstate actors, evidenced by the self-pro-
claimed Islamic State’s June 2017 attacks on its parliament and the mausoleum of former
Iranian supreme leader Ayatollah Ruhollah Khomeini. While documentation of Iranian
cyber operations by international researchers has typically assumed that all domestic
targets of intrusion campaigns are political dissidents, a small portion of these campaigns
focus on areas in which law enforcement hacking has become internationally normalized,
chiefly in the collection of evidence and intelligence on violent terrorist activities and
financial crime.

For instance, Iranian threat actors have actively sought to compromise the digital opera-
tions of Sunni jihadi movements through credential theft, malware, and other intru-
sions.128 To compromise Islamist organizations, Iranian actors have leveraged bait docu-
ments and messages in Persian and Arabic and posed as media organizations such as Al
Jazeera and Al Arabiya. Flying Kitten attempted to spread malware by posting comments
on Al Arabiya’s Facebook page purporting to promote jihadism. These intelligence efforts
have targeted jihadi groups across the Middle East and North Africa, Pakistan, and Af-
ghanistan, including the Islamic State and al-Qaeda, while focusing on Iraqi and Persian-
language groups.129

Security-related cyber operations extend as well to fringe political organizations that have
previously engaged in hostilities against the Islamic Republic.130 Iranian threat actors
have successfully compromised individuals affiliated with front groups for the Mojahedin-e
Khalq (MeK) opposition group, including the Iranian American Society of Texas and the Simay
Azadi television station. These intrusions provided access to private Facebook discussion
groups and intra-organizational planning for MeK rallies, Telegram channels, and MeK
television programming. Given the MeK’s past disclosures on Iran’s nuclear program, which
the organization has claimed were conducted through an in-country network of collaborators,
these activities also constitute a counterespionage program.

Iranian threat actors also maintain a significant focus on disenfranchised ethnic minorities advocating for greater autonomy. One recurrent target has been Baluchi groups, a Sunni Muslim population located in both Iran and Pakistan. The news outlets and social media accounts of Baluchi militant organizations, such as Jundallah, have repeatedly been targeted by Tehran. These operations include breaching multiple Jundallah-affiliated sites as early as July 2010 to push malware to their visitors, a “watering hole attack” designed to surveil violent separatists that would be of interest to Iranian security agencies.131 In other cases, from a different threat actor, Jundallah was targeted using malware hosted on domains purporting to be related to the Free Syrian Army and sent in emails claiming to provide documentation of attacks against the IRGC.

Tehran has also devoted considerable resources to cyber operations targeting Kurdish organizations inside Iran and abroad. Malware samples from April 2015 targeted the Free Life Party of Kurdistan (PJAK), a militant Iranian faction of the Marxist-Leninist Kurdistan Workers’ Party (PKK).132 The same threat actor appears to have successfully compromised a Kurdish satellite television station, Newroz TV, aligned with the PKK. Newroz TV was also compromised by the Flying Kitten malware in 2014, indicating an overlap not only in the threat actors’ mandates but also in their exact targets. Still other groups have used fictitious LinkedIn profiles to connect to representatives of the Kurdistan Regional Government in Iraq. Judging from computer names and other indicators, many more of those compromised by Iranian malware were in Iran’s Kurdistan province, while others were found in Iraqi Kurdistan, or among the Kurdish population in Europe.

CIVIL SOCIETY

The internet has facilitated communication and organization between Iranians and foreign and diaspora organizations, but it has also increased the Iranian government’s opportunities for surveillance and repression against foreign-based operations.

Though many foreign civil society organizations have been the subject of sustained attempts at infiltration and disruption by Iran, few appear to have incurred attacks of such persistence and aggression as those against the Eurasia Foundation, an NGO in Washington, DC, that conducts development programs in former Soviet countries, the Middle East, and China. As part of its Iran-focused social development programs, the Eurasia Foundation in October 2009 launched the Khorshid School of Entrepreneurship, which promoted women’s entrepreneurship through distance learning courses and the creation of professional networking opportunities.

Eurasia Foundation’s programs and organizational history connect closely with Khamenei’s fears of a Velvet Revolution. The foundation would later launch several more online Persian-language programs covering a range of issues, from social entrepreneurship to family law. The first intrusion attempt occurred shortly after an article was published in the hardline Iranian newspaper Kayhan in February 2014. It accused the Eurasia Foundation of engaging in social engineering by establishing networks of women and teachers to foment grassroots economic, political, and social pressure on the regime—all under the direction of the U.S. Agency for International Development and the U.S. State Department. Ten days after the article appeared, Flying Kitten began its spearphishing campaign against the Eurasia Foundation. For the next two years, the Eurasia Foundation would continue to be the target of malware, credential theft, and social engineering by diverse threat actors with diverse strategies.133

The campaign against the Eurasia Foundation is emblematic of Iran’s long and ongoing history of cyber operations against U.S.-based NGOs. U.S. think tanks have been a focus of interest, with targets such as the American Enterprise Institute and the Council on Foreign Relations singled out by multiple Iranian threat actors. The same Iranians that targeted the Eurasia Foundation in December 2015 also impersonated the network administrators at multiple Washington, DC, foreign policy institutions critical of the Iranian government to compromise employees.

Nor are these efforts directed only at Iran’s detractors. Organizations advocating improved relations with Iran or nonpolitical researchers have been routinely targeted—the common denominator appears to be simply a policy interest in Iranian affairs.

CONCLUSIONS AND PRESCRIPTIONS

While Iran’s offensive cyber operations have required modest resources to develop, they have allowed Tehran to project itself as an emerging cyber power able to cause significant harm to its adversaries. The country’s security establishment has used these resources to signal to domestic and international audiences its ability to confront political subversion and retaliate against attacks on its infrastructure. These actions have brought international attention to Iran as a considerable force, perhaps beyond its actual capabilities, but have been ambiguous enough to allow Tehran to portray itself as a victim of the coercive measures of foreign states.

As judged from evidence of coordination between security agency actions and observed cyber operations, the campaigns of Iranian threat actors almost certainly have a direct relationship with government entities, specifically the Islamic Revolutionary Guard Corps and the Ministry of Intelligence. Given this alignment and collaboration, Iranian threat actors are described here as state-sponsored. However, since the threat actors are commonly private contractors in small security companies, these relationships are sometimes nebulous and the operators are not integrated into the state’s forces.134

Iranian cyber operations often reflect law enforcement behavior normalized by other countries in response to advancing information technologies, such as the hacking of devices to wiretap encrypted internet communications. International standards forums and telecommunication equipment vendors have legitimized the expectation of lawful interception of communications, and the Iranian government faces similar challenges of providing domestic security against terrorist organizations and crime that other countries encounter. These interests are expressed frequently in campaigns, which include the documentation of persistent targeting of militant organizations—both domestic and regional—that are hostile to the Iranian government, including Baluchi separatists and the Islamic State.

With the exception of Saudi Arabia, Iran appears to have had little success in compromising hardened government institutions or well protected organizations. After two decades of cyber crime, governments and private corporations have developed security policies and maintain collaborative relationships with external security organizations (for example, computer emergency readiness teams, or CERTs) that allow them to defend against attacks. In the office environment, companies can provide dedicated technical resources, exercise centralized control over devices, offer user education, and install protective network equipment that reduces risk. Such resources enable the private sector and governments to respond to threats and improve awareness collectively as a community.

Private threat intelligence companies and governmental agencies, such as the FBI’s Cyber Watch (CyWatch), provide corporations with regular reports on common security risks, including information on the attacker’s documented tools and infrastructure. The FBI has produced industry notifications on Iranian intrusion activities based on reports sourced from the private sector, and U.S. government entities have identified Iranian malware through information supplied from threat intelligence companies. When multiple computers in the Voice of America’s Persian service were infected by Iranian malware named Infy, the agent’s origin was identified by network administrators through a private report generated by a threat intelligence company that was made available to the agency.135

Such resources are not readily available to individuals—especially those residing in Iran—who find themselves alone and unprepared when targeted by even the most unsophisticated threat actors. While American banks quickly invested in countermeasures that limited the effectiveness of subsequent DDoS attempts in Operation Ababil, Persian-language social media platforms and media organizations subject to the same attacks commonly turned off services rather than pay thousands of dollars in bandwidth costs.136 One FBI notice sent to the private sector even documented fictitious profiles that were also used to target the Baha’i community.137 However, the FBI and cybersecurity companies do not commonly notify at-risk communities of threats to their safety and privacy. This divergence and exclusion represent the differences in opportunities afforded to nongovernmental and noncorporate targets of state-aligned threat actors.

The increased attention to user security by information technology companies in recent years has directly benefited the targets of Iran. Persian-language digital literacy and information security education programs have been developed through foreign assistance to cater to at-risk audiences, teaching concepts such as password management and how to recognize social engineering. Widely available account features such as two-factor authentication, which requires a user to provide a code sent through text message or an application to log into accounts, have demonstrably made it more difficult for Iranian threat actors to conduct credential theft. Private companies, such as Google and Cloudflare, as well as government funders, have supported DDoS-mitigation services that provide civil society organizations with enterprise-level defense resources to protect against such attacks at no cost, leading to a marked decrease in their frequency.
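The application-generated second factor mentioned above is, in the common case, a time-based one-time password (TOTP, RFC 6238). The following is an added example, not part of the Carnegie report or any product it names, showing why a phished password alone is no longer enough: the server derives the expected code from a shared secret and the current time, compares it in constant time, tolerates one step of clock drift, and refuses to accept a code that has already been used. The secret is the RFC 6238 test-vector key and the timestamps are constructed for the demonstration; a real enrollment would generate the key with os.urandom.

```python
"""TOTP second factor (RFC 6238) with a drift window and replay protection.

Added example, not from the Carnegie report. Secret, timestamps, and the
enrollment flow below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

TIME_STEP = 30    # seconds per TOTP window (RFC 6238 default)
DIGITS = 6        # code length shown to the user
DRIFT_WINDOW = 1  # accept one step either side of "now" to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = TIME_STEP) -> str:
    """Time-based code: HOTP over the number of steps elapsed since the Unix epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step)


class TotpVerifier:
    """Server-side check: constant-time compare, small drift window, and
    rejection of any code whose counter is at or below the last one accepted,
    so a code captured from the user cannot be replayed."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, window: int = DRIFT_WINDOW):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter accepted so far (replay guard)

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        base = t // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used or older than a used code: reject
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def provisioning_secret() -> Tuple[bytes, str]:
    """Constructed enrollment secret (the RFC 6238 test-vector key); a real
    deployment would use os.urandom(20). Returns the raw key and the base32
    form that is shown to the authenticator app as a QR code or text."""
    raw = b"12345678901234567890"
    return raw, base64.b32encode(raw).decode()


if __name__ == "__main__":
    secret, b32 = provisioning_secret()
    print("share with authenticator app:", b32)
    now = int(time.time())
    code = totp(secret, now)
    v = TotpVerifier(secret)
    print("first use accepted:", v.verify(code, now))   # True
    print("replay accepted:", v.verify(code, now))      # False
```

The drift window is what lets a code typed a few seconds late still work; the `last_counter` guard is what stops a code that was phished in real time from being reused a second time within the same window.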

As a result, a well-educated user with two-factor authentication and an iOS device is a more difficult target for Iranian threat actors to compromise. However, while technological options for protecting accounts and devices have improved in recent years, in the end the biggest vulnerability remains the user.

Attempts to forecast the future of Iranian cyber operations are constrained by the secrecy on the part of the Iranian state about its activities and an uncertain geopolitical climate. Like most countries, Tehran does not appear to have a clear doctrine as to when it will engage in disruptive operations and retaliate in cyberspace. Nor is it likely to. In line with its asymmetric strategies in traditional warfare, Tehran has often benefited from ambiguity. This may explain why it denies operations attributed to it, as well as why it did not immediately incorporate threat actors into the military apparatus.

Having been the target of sustained cyber espionage and destructive attacks, Iran is bound to seek the same capabilities used against it. These capabilities provide Tehran opportunities to impose costs during potential hostilities. While Iran may not appear able to perform synchronized multistage attacks wherever it would like, it can repeatedly hammer away at soft targets in campaigns of attrition. Renewed hostilities between Iran and the United States could be expected to involve the targeting of vulnerable economic, civilian, and governmental services with data destruction, DDoS, and other disruptive attacks. Under current perceptions of Iranian offensive cyber capabilities, it is unclear that it would be prepared and able to launch attacks against the power grid or industrial control systems, such as those conducted against Ukraine.138 Instead, attacks would follow the path of least resistance—targeting state and local governments rather than federal infrastructure, or unprepared sectors that have not been previously targeted such as transportation and logistics rather than the financial services. Attempts by one Iranian to meddle with a local New York dam and other reports about the compromise of state agencies are demonstrative of the abundance of opportunities for Iran to retaliate against the United States.139

Moreover, although Iran has been described as a rational actor, it is not unitary, as the overlapping operations and intragovernmental surveillance conducted by the Ministry of Intelligence and IRGC demonstrate.140 The motivations, coordination, and authorization of Iranian state-aligned campaigns may differ from the policy position of other branches of government, and the use of offensive cyber capabilities is less visible to observers than the mobilization of troops. Iran’s security apparatus can easily conduct hostilities in cyberspace without the consent or awareness of the rest of the government.

Disruptive activities conducted by Iranian threat actors have decreased overall since the interim nuclear deal signed in November 2013—known as the Joint Plan of Action framework. The rhetoric of government and military officials has also evolved over time. In recent years, particularly under the Rouhani administration, fewer blusterous statements have been made regarding Iran’s cyber operations.141 While Tehran is less likely to engage in disruption of American or European infrastructure amid current circumstances, it has engaged in cyber espionage and will continue to do so. The perceived success of previous campaigns has solidified the principle of offensive cyber operations as an effective means for Iran to continue to conduct espionage and surveillance against regional adversaries and political opponents.

Yet Iran will continue to be limited by resource constraints for the foreseeable future. Tehran has rarely appeared able to conduct large-scale exfiltration of classified business and government data, differing, for example, from Chinese efforts to steal Boeing’s industrial secrets or extensive databases from the U.S. Office of Personnel Management.142 What’s more, the threshold of difficulty for compromising such targets will increase over time, and it is unclear whether Iranian capabilities will improve proportionally.

Iran’s massive brain drain, with many of its brightest engineers leaving for political and economic reasons, imposes further constraints on the development of its cyber capabilities. Iran’s minister of science, research and technology estimated that 150,000 highly talented people emigrate from Iran every year, a $150 billion annual economic loss.143 When Iranian engineers leave for Silicon Valley and Europe, the country’s capacity for effective offensive and defensive cyber operations goes with them.

In the absence of a historical comparison of Iranian cyber operations, new incidents or the rise of new groups is often incorrectly perceived as a dramatic improvement to capacity. Despite systemic challenges stemming from bureaucratic dysfunction and underinvestment in cybersecurity, Iran has the potential to foster more effective operations. Attempts by the government, universities, and the private sector to create a professional cybersecurity community, such as hosting Capture the Flag tournaments, will inevitably result in a deeper talent pool. Observing other nation-state actors provides a set of benchmarks that can be a reliable indicator of improvement or change in posture, including:

• coordination of threat actors, more consistent improvement to domestically produced malware, and the development of purpose-built tools that could suggest the consolidation of capability, specialization of personnel, and even incorporation into the state;

• investments in operational security, ranging from reducing the exposure of information on operators to increased investment in concealment (such as Magic Kitten’s relay network);

• improvements in background research and foreign language abilities within operations, such as more personalization of social engineering attempts, that would reflect the inclusion of nontechnical support staff; and

• execution of operations that include zero-day exploits or target core infrastructure (for example, compromising network devices, routing protocol hijacks, and telecommunications signaling manipulation), suggesting more investment in resources for systemic cyber operations.

Despite Iran’s current lack of technical sophistication, simple means can still be effective at imposing political and economic costs, as evidenced by Russia’s successful compromise and subsequent leaking of the internal communications of Democratic Party institutions and operatives before the 2016 U.S. election. Some of the most damaging materials used in the operation came via a simple breach of a Gmail account, an opportunity available to anyone. This also reinforces the challenge of discerning intent—what initially appears as espionage can later turn into an attack.144

Given Iran’s dispersed ecosystem of threat actors, deterring Tehran from engaging in offensive cyber operations is as challenging as other efforts to address security issues involving the country. Cyber activities are less likely to lead to regional destabilization than are offline Iranian threats, and historically, Tehran’s disruptive attacks against non-Iranian targets have been retaliation during hostilities rather than instigation toward new conflicts. To maintain credibility at a time when Western surveillance activities are publicly exposed through leaked confidential documents, effective policy responses need to differentiate espionage or signaling from sabotage or the infringement of human rights, actions that violate international norms. It is also important to recognize that Iranian offensive cyber operations do not require technology transfers or the support of other states. Members of Iranian threat actors—primarily low-level software developers working within a small number of companies—will continue to be tough to identify, prosecute, and punish.

Naming and shaming may chill participation in state-aligned operations, especially among talented individuals looking to travel outside the country or study abroad. However, it is unclear whether those publicly identified with Operation Ababil or other campaigns have changed their involvement after being outed. Moreover, the loosely connected and small groups are not cost-effective targets for retaliatory cyber operations. In the end, Iran maintains a large enough pool of sufficiently capable programmers to conduct basic campaigns. Therefore, while exposing Iranian cyber operations and operators may degrade and delay the development of better cyber capabilities, it will not fully deter Iran.

POLICY APPROACHES TO IRAN’S CYBER THREAT

This leaves a select number of policy options, primarily (1) utilizing existing frameworks for targeted sanctions or indictments, (2) improving information sharing on threats across communities, and (3) supporting initiatives to improve information security.

The comprehensive sanctions regime against Iran is unlikely to substantially interfere with its development of offensive cyber capabilities. Iranians commonly use servers outside the country, typically hosted on networks in Europe and Russia that provide service to other cyber crime networks (bulletproof hosting) or registered using false information.145 Since the resources necessary to improve capacity are organizational and professional development rather than computers or infrastructure, there are few technological items or services that could potentially be deterred. Furthermore, overly broad sanctions regimes that attempt to constrain malicious cyber activities would be more likely to have substantial collateral damage on the free flow of information to Iran, as Iranian civil society has widely argued.

Where sanctions are appropriate, the U.S. Treasury Department’s Office of Foreign Assets Control maintains targeted programs that can be brought to bear against international entities that augment Iran’s capacity for surveillance against its population (Executive Order 13606)146 and those responsible for cyber operations against American infrastructure (Executive Order 13694).147 Sanctions and other financial mechanisms could be used to deter foreign countries or other actors from providing support to Iranian offensive cyber operations. Executive Order 13606 offers an example in its authority to designate any entity, whether in Iran or elsewhere, that has facilitated the Iranian government in its “computer and network disruption, monitoring, and tracking.” While the order focuses on human rights, similar language could focus on Tehran’s attacks against critical infrastructure and espionage. The narrowly tailored extension of these authorities could help ensure that Iran’s cyber operations do not benefit from technology transfers or foreign assistance as Tehran expands its security and commercial ties, especially to countries such as Russia and China.

Additionally, the Justice Department has issued indictments against Iranians implicated in disruptive campaigns (the same individuals allegedly responsible for Operation Ababil were also designated under Executive Order 13694) and has successfully obtained the extradition from a third country of a hacker involved in the theft of military secrets.148 Because of the small operational footprint of the groups, targeted sanctions or legal proceedings are more symbolic than disruptive, but few other opportunities exist to impose consequences on individuals who participate in operations.

Given the rudimentary nature of its cyber operations, a purely political or legal response that is focused solely on deterring Iran would be ineffective toward addressing national cybersecurity risks. Any system that can be breached by Iranian groups is equally susceptible to others with similar sets of motivations, notably North Korea and Hamas. An effective policy response to the threats posed by Iran must focus on securing critical infrastructure overall.

Information sharing has been one of the most common strategies pursued by the United States, Europe, and the private sector to reduce the effectiveness of Iranian cyber operations. After the Aramco attack, the United States used its superiority in monitoring and attributing Iranian activities to strengthen intelligence relationships with its Arab allies in the Persian Gulf.149 This is an immensely valuable resource that should be extended where possible, and further support can be provided to regional allies. Similarly, the FBI has provided notifications to and facilitated information sharing with the private sector on specific Iranian campaigns. These efforts can be expanded to include more partners and to provide data to civil society organizations.

Unlike traditional security issues, private individuals are more exposed to cyber operations owing to the transnational and virtual nature of threats. This brings in more stakeholders, and increases the burden on individuals to protect themselves from crime and espionage. Responsibility to protect those users rests equally on the private sector and governments. Fortunately, internet platforms and communications services, like Facebook and Google, have played a positive role in providing the tools to help individuals defend against attacks—even going so far as notifying users when they have been targeted by state-aligned campaigns, including those from Iran. These initiatives raise the bar for attackers and should be seen within tech companies as a core obligation of keeping at-risk users safe.

Discussions about securing dissidents would be incomplete without highlighting the pioneering role of the United States government and European development agencies in providing secure communications tools to activists—often referred to as the Internet Freedom agenda. Government funding has provided early stage investment for researchers and developers to produce prototypes and deployable products to protect activists and civil society that would not be the focus of the private sector. A significant proportion, if not majority, of Iranians that bypass the censorship regime do so using safe and reliable tools funded by the State Department and Broadcasting Board of Governors. Both have also supported the development of encryption tools such as Signal that have even been adopted by tech companies within their own messaging applications, demonstrating the importance of Internet Freedom as a public-private cooperation.

The United States and European Union should continue to promote programs and norms on internet access and cybersecurity that prioritize the free and secure flow of information against challenges from countries such as Iran, China, and Russia. Aside from funding for civil society, this includes promotion of democratic values within internet governance frameworks, such as the Internet Corporation for Assigned Names and Numbers (ICANN) and the International Telecommunications Union (ITU). This also highlights the importance of domestic policy on Internet Freedom efforts: proposals to weaken information security products such as encrypted messaging applications would harm individuals in countries where rule of law is weak and backdoor access in communications networks is commonly repurposed for repression.

As the history of Iranian offensive cyber operations demonstrates, the same actors responsible for espionage against the private sector engage in surveillance of human rights defenders, and with considerably more success, owing to the targets’ resource constraints. These at-risk communities provide a canary for the tactics and tools that will be employed against other targets, and increased information exchange will enable more effective education and mitigation strategies for all. Policymakers have long understood that the changes that will lead Iran to be a productive member of the international community will come from within. The safety and security of the Iranian civil society organizations and democratic voices targeted by government cyber operations should be recognized and protected as the critical stakeholders within cybersecurity and foreign policy discussions that they are.

GLOSSARY

Campaign: A set of activities carried out by threat actors for some particular purpose.

Credential theft: The process of stealing credentials associated with online platforms, such as passwords or account recovery information.

Distributed denial-of-service (DDoS): An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

Offensive cyber operations: Cyberspace operations intended to project power by the application of force in or through cyberspace.

Sinkhole: Redirection of malicious internet traffic so that it can be captured and analyzed by security researchers.

Spearphishing: A targeted attack that uses a deceptive email to trick the recipient into performing some kind of dangerous action for the adversary.

Supply chain attack: The strategic compromise of a particular entity, such as a vendor, with the intent to indirectly compromise another, primary target, such as the vendor’s clients.

Threat actor: An individual or group involved in malicious cyber activity.

Watering hole attack: The compromise of a selected website in order to stage intrusion attempts through malware to the visitors of the site.

NOTES

1 “Department of Defense Dictionary of Military and Associated Terms,” Federation of American
Scientists, amended February 15, 2016, https://fas.org/irp/doddir/dod/jp1_02.pdf.

2 The authors cannot identify under what level of authority the attacks are authorized and whether Iran
will professionalize such operations under state security forces. However, they can say with high
confidence that such activities are coordinated with the Iranian government. See Jason Healey, “Beyond
Attribution: Seeking National Responsibility for Cyber Attacks,” Atlantic Council, February 22, 2012,
http://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-
responsibility-in-cyberspace.

3 This material will posted on “Iran Threats,” Github, https://iranthreats.github.io.
4 GReAT, “The Madi Campaign – Part I,” SecureList, July 17, 2012, https://securelist.com/blog/

incidents/33693/the-madi-campaign-part-i-5.
5 David E. Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” New York Times, June 1,

2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-
against-iran.html.

6 The preparation for Operation Olympic Games was substantial. Intelligence agencies in the United
States and Israel obtained confidential information about the specific configuration of the centrifuge
controllers in Natanz, built a test environment based on comparable hardware seized from Libya, and
then deployed the malware agent through human assets inside Iran to reach computers disconnected
from the internet. These operations were sustained over years. Later versions of Stuxnet exploited several
previously unknown vulnerabilities and sought to strategically infect other computers in Iran in the
event that they were connected to the Natanz systems.

7 Iran’s National Computer Emergency Response Team, Kaspersky Lab, and CrySyS Lab.
8 Ellen Nakashima, Greg Miller, and Julie Tate, “U.S., Israel Developed Flame Computer Virus to Slow

Iranian Nuclear Efforts, Officials Say,” Washington Post, June 19, 2012, https://www.washingtonpost
.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-
officials-say/2012/06/19/gJQA6xBPoV_story.html.

60 IRAN’S CYBER THREAT

9 “Iran Says Detected ‘Massive Cyber Attack:’ State TV,” Reuters, June 21, 2012, https://www.reuters.com/article/us-iran-cyber-nuclear/iran-says-detected-massive-cyber-attack-state-tv-idUSBRE85K1EA20120621.

10 “Iran ‘Fends Off New Stuxnet Cyber Attack,’” BBC News, December 25, 2012, http://www.bbc.com/news/world-middle-east-20842113.

11 Communications Security Establishment Canada, “SNOWGLOBE: From Discovery to Attribution,” accessed December 4, 2017, a presentation discussing the French malware otherwise known as Babar, available at http://www.spiegel.de/media/media-35683.pdf.

12 Karim Sadjadpour, “Reading Khamenei: The World View of Iran’s Most Powerful Leader,” Carnegie Endowment for International Peace, March 10, 2008, http://carnegieendowment.org/files/sadjadpour_iran_final2.pdf.

13 “15 June 2009 – Tehran – Iran – Protest continued – Protesters Are Going to Freedom (Azadi Sq),” YouTube video, 1:02, posted by “saeidkermanshah,” June 15, 2009, https://www.youtube.com/watch?v=9_hr7G4At84.

14 A common example of this collaboration is when Twitter had planned to conduct maintenance after the June 2009 election. The State Department requested that the company delay the downtime in consideration of the protests. See Sue Pleming, “U.S. State Department Speaks to Twitter Over Iran,” Reuters, June 16, 2009, http://www.reuters.com/article/us-iran-election-twitter-usa-idUSWBT01137420090616. More aggressively, in an opinion piece in the Wall Street Journal, a former under secretary of state and an assistant secretary of defense advocated for increased funding for communications tools and foreign broadcasting efforts with the express intent to “undermine the regime in Tehran.” See James K. Glassman and Michael Doran, “The Soft Power Solution in Iran,” Wall Street Journal, January 21, 2010, http://www.wsj.com/articles/SB10001424052748704541004575011394258630242.

15 The day before the March 2012 Iranian parliamentary elections, employees of the BBC were unable to access their email owing to a DDoS attack attributed to Iran. The Mujahedin-e Khalq has also claimed that when its former encampment in Iraq, Camp Liberty, was attacked in February 2013, its websites were subjected to a sustained DDoS attack designed to interfere with reporting. “Cyber-attack on BBC Leads to Suspicion of Iran’s Involvement,” BBC News, March 14, 2012, www.bbc.com/news/technology-17365416.

16 One document used as bait in the malware campaign appears to be a secret letter from the Ministry of Intelligence to members of the religious establishment in Qom concerning the protests over subsidies. Another displayed maps in Tehran describing protest routes toward Azadi Square, mirroring the activities on the ground. The malware agent would arise again over time in attempts to compromise the American defense industrial base in May 2014, and again in the Shamoon 2 attacks.

17 Black Tulip: Report of the Investigation Into the DigiNotar Certificate Authority Breach (Delft: Fox-IT BV, 2012), https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2012/08/13/black-tulip-update/black-tulip-update.pdf. In a confidential document on its own ability to monitor secure traffic, the UK Government Communications Headquarters (GCHQ) provides an account of the DigiNotar event, discovered in the course of its own espionage on Iran. GCHQ asserts that an Iranian intelligence agency added a specific rule in an internet router that forced Google’s traffic through an alternative route inside the country. “Profiling SSL and Attributing Private Networks,” GCHQ, December 28, 2014, https://edwardsnowden.com/2015/01/07/profiling-ssl-and-attributing-private-networks/.

18 Akbar Ganji, “Iran’s Green Movement Five Years Later – ‘Defeated’ But Ultimately Victorious,” Huffington Post, accessed December 4, 2017, https://www.huffingtonpost.com/akbar-ganji/iran-green-movement-five-years_b_5470078.html.

CARNEGIE ENDOWMENT FOR INTERNATIONAL PEACE 61

19 The most conspicuous and potentially only counterexample could be Oilrig, which across a multiple-year history appears primarily focused on foreign targets and has not been publicly linked to attacks against Iranians.

20 Figures for both the United States and Iran are kept secret; however, a leaked intelligence budget for 2013 provides some insight into how cyber operations are funded. Barton Gellman and Ellen Nakashima, “U.S. Spy Agencies Mounted 231 Offensive Cyber-Operations in 2011, Documents Show,” Washington Post, August 30, 2013, https://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html.

21 “Minister: Iran Faces 500 Daily Cyber Attacks,” Khabar Online, November 10, 2012, http://english.khabaronline.ir/detail/183007.

22 “We just want to monitor (enemies’) cultural and social moves in cyber,” quoted in “IRGC to Set Up Division to Defend Iran Against Cyber Threats,” Sahar TV, October 16, 2012, http://english.sahartv.ir/news/irgc-to-set-up-division-to-defend-iran-against-cyber-threats-1638.

23 “Statement by Foreign Ministry Spokesman for Indictment of US Justice Department Against Seven Iranian Citizens,” Iranian Ministry of Foreign Affairs, March 26, 2016, http://mfa.gov.ir/index.aspx?fkeyid=&siteid=1&pageid=2122&newsview=385735.

24 Alexander Gostev, “What Is Flame Malware?,” Kaspersky Lab, accessed December 5, 2017, https://www.kaspersky.com/flame.

25 “US Cyber Attack on Iranian Oil Ministry Foiled,” FARS News Agency, May 26, 2015, http://en.farsnews.com/print.aspx?nn=13940305001092.

26 “Iran Unveils 12 Cyber Products,” FARS News Agency, December 14, 2013, http://en.farsnews.com/newstext.aspx?nn=13920923001322.

27 “Iranian Internet Infrastructure and Policy Report: Special Edition – The Rouhani Review (2013–15),” Small Media, 2015, https://smallmedia.org.uk/sites/default/files/u8/IIIP_Feb15.pdf; Office of the Press Secretary, “Fact Sheet: Cybersecurity National Action Plan,” White House, press release, February 9, 2016, https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan; and Steve Morgan, “Bank of America’s Unlimited Cybersecurity Budget Sums Up Spending Plans in a War Against Hackers,” Forbes, January 27, 2016, https://www.forbes.com/sites/stevemorgan/2016/01/27/bank-of-americas-unlimited-cybersecurity-budget-sums-up-spending-plans-in-a-war-against-hackers/#694de941264c.

28 Barbara Slavin and Jason Healey, “Iran: How a Third Tier Cyber Power Can Still Threaten the United States,” Atlantic Council, July 29, 2013, http://www.atlanticcouncil.org/publications/issue-briefs/iran-how-a-third-tier-cyber-power-can-still-threaten-the-united-states.

29 Recent espionage incidents targeting U.S. State Department employees have been described in the press as “attacks” that sought to “jab at the United States and its neighbors without provoking a military response.” Despite the implication of aggression, the incident appeared to be motivated by espionage. David E. Sanger and Nicole Perlroth, “Iranian Hackers Attack State Dept. via Social Media Accounts,” New York Times, November 24, 2015, http://www.nytimes.com/2015/11/25/world/middleeast/iran-hackers-cyberespionage-state-department-social-media.html.

30 Michael N. Schmitt, “Cyber Operations and the Jus Ad Bellum Revisited,” Villanova Law Review (December 2011): 569–605.

31 Michael N. Schmitt, Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge: Cambridge University Press, 2013). U.S. officials have acknowledged that international law applies to actions in cyberspace as well. Patrick Tucker, “NSA Chief: Rules of War Apply to Cyberwar, Too,” Defense One, April 20, 2015, http://www.defenseone.com/technology/2015/04/nsa-chief-rules-war-apply-cyberwar-too/110572/.


32 Carmen-Cristina Cîrlig, “Cyber Defence in the EU: Preparing for Cyber Warfare?,” briefing, European Parliament, October 2014, http://www.europarl.europa.eu/EPRS/EPRS-Briefing-542143-Cyber-defence-in-the-EU-FINAL.pdf.

33 As has been documented in intelligence material leaked by Edward Snowden: “Iran – Current Topics, Interaction With GCHQ,” Intercept, February 10, 2015, https://theintercept.com/document/2015/02/10/iran-current-topics-interaction-gchq/.

34 International law also differentiates interference, nonviolent operations such as propaganda, and psychological operations, so long as they are not sufficiently coercive. Schmitt, “Cyber Operations and the Jus Ad Bellum Revisited.”

35 Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Cambridge: Cambridge University Press, 2018).

36 Ibid.

37 The tools and resources developed by Tehran have been almost uniformly described by outside investigators as unsophisticated, particularly in comparison with malware produced by other state and nonstate actors. The information security company Mandiant affirmed this observation in a 2014 report: “Mandiant’s observations of suspected Iranian actors have not provided any indication that they possess the range of tools or capabilities that are hallmarks of a capable, full-scope cyber actor. They rely on publicly available tools and capitalize solely on Web-based vulnerabilities—constraints that suggest these cyber actors have relatively limited capabilities.” See Mandiant, “M-Trends 2014 Annual Threat Report: Beyond the Breach by Mandiant, a FireEye Company,” accessed December 5, 2017, https://www2.fireeye.com/fireeye-mandiant-m-trends-report.

38 For example, former representative Peter Hoekstra speculated at a U.S. House hearing that Iran’s advances in cyberwarfare came from the “cooperation they have with Russia.” Other former and current officials have commented, often on background, that Russia was a potential partner in warfare. For the subcommittee hearing on Iran’s support for terrorism worldwide, see “Iran’s Support for Terrorism Worldwide,” Foreign Affairs Committee, March 4, 2014, https://foreignaffairs.house.gov/hearing/joint-subcommittee-hearing-irans-support-for-terrorism-worldwide/. Elsewhere, claims have been made by lesser-known cybersecurity companies, but these analyses have been flawed and not well accepted. For more on these flawed analyses, see Collin Anderson, “Bears and Kittens, and Startup Cybersecurity Companies,” Medium, May 18, 2017, https://medium.com/@collina/bears-and-kittens-and-startup-cybersecurity-companies-5c8e037ea75c.

39 Steve Stecklow, “Exclusive: Huawei Partner Offered U.S. Tech to Iran,” Reuters, October 25, 2012, http://www.reuters.com/article/us-huawei-iran/exclusive-huawei-partner-offered-u-s-tech-to-iran-idUSBRE89O0E520121025; and “Iran and Russia Announce Plans for Cyber Security Cooperation,” YouTube video, 2:03, posted by “PressTV News Videos,” March 15, 2017, https://www.youtube.com/watch?v=NaCukjiECWM.

40 This could be either indicative of the ceiling of Iran’s capabilities or reflective of Iran not facing the sort of existential threat that would provoke it to use any latent resources in its arsenal. The former appears more likely.

41 Rocket Kitten and Flying Kitten are examples of how the line demarcating intrusion groups is not always clear. The structural similarities of certain intrusion tools and the reuse of lesser-known infrastructure indicate that parts of Flying Kitten and Rocket Kitten may have had a common heritage, including common members and shared tools; see Collin Anderson, “Flying Kitten to Rocket Kitten, A Case of Ambiguity and Shared Code,” Iran Threats, December 5, 2017, https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/. In the Shamoon 2 campaign, McAfee attributed unusual errors to the “involvement of different groups/individuals with different skills, whereas in 2012 we believe one group was responsible for the attack.” See Christiaan Beek and Raj Samani, “The State of Shamoon: Same Actor, Different Lines,” McAfee, April 25, 2017, https://securingtomorrow.mcafee.com/executive-perspectives/state-shamoon-actor-different-lines/.

42 The authors associate Rocket Kitten with the IRGC due to its involvement in post-arrest hacking. For more on Rocket Kitten, see “Rocket Kitten 2 – Follow-Up on Iran Originated Cyber-Attacks,” ClearSky Cybersecurity (blog), September 1, 2015, http://www.clearskysec.com/rocket-kitten-2. For more on Oilrig, see Robert Falcone and Bryan Lee, “The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor,” Palo Alto Networks, March 26, 2016, https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/.

43 Reportedly, the attacker found sensitive passwords saved in a file named “Administrator Passwords.” See Sam Jones, “Cyber Warfare: Iran Opens a New Front,” Financial Times, April 26, 2016, http://app.ft.com/cms/s/15e1acf0-0a47-11e6-b0f1-61f222853ff3.html?sectionid=companies. No official numbers have been provided on the economic loss, and in its annual review report for the year, Aramco downplayed the impact of the attack. “Shaping Tomorrow: 2012 Annual Review,” Saudi Aramco, April 10, 2013, http://www.saudiaramco.com/en/home/news-media/publications/corporate-reports/annual-review-2012.html.

44 The caveat attending this statement is that it is possible more incidents and actors have yet to be disclosed.

45 Based on a Freedom of Information Act request by the authors to the Broadcasting Board of Governors on cybersecurity incidents related to Iran, which returned details of the attack, involving compromising the VOA’s account through impersonation with falsified documents sent through a fax.

46 The intruders were able to find a weakness in a web development server for the Bethlehem, Pennsylvania, location, and doing so then gave them access to the internal corporate network. Benjamin Elgin and Michael Riley, “Nuke Remark Stirred Hack on Sands Casinos That Foreshadowed Sony,” Bloomberg, December 10, 2014, http://www.bloomberg.com/news/articles/2014-12-11/nuke-remark-stirred-hack-on-sands-casinos-that-foreshadowed-sony.

47 Symantec Security Response, “Shamoon: Back From the Dead and Destructive as Ever,” Symantec Connect (blog), November 30, 2016, https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever; “From Shamoon to StoneDrill: Wipers Attacking Saudi Organizations and Beyond,” Kaspersky Lab, July 3, 2017, https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf.

48 ITSec Team, one of the companies cited in the indictment, has a known track record as the developer of a web penetration testing product (Havij Pro), and is attributed in a number of vulnerability disclosures and tools for controlling remote systems that have been made available to security researchers. The infrastructure used in the attacks even remains publicly exposed to the internet years after its use.

49 Seth Hardy et al., “Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware,” 23rd USENIX Security Symposium (2014): 527–41, https://www.usenix.org/node/184440.

50 Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, et al., “NSA Preps America for Future Battle,” Der Spiegel, January 17, 2015, http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html.

51 Curiously, when Google disclosed the spearphishing campaigns that Magic Kitten was involved in, it noted to the New York Times that there was a relationship between the operation and the DigiNotar incident. Nicole Perlroth, “Google Says It Has Uncovered Iranian Spy Campaign,” Bits (blog), New York Times, June 12, 2013, https://bits.blogs.nytimes.com/2013/06/12/google-says-it-has-uncovered-iranian-spy-campaign/.


52 “CrowdStrike Global Threat Report: 2013 Year in Review,” CrowdStrike, January 2014, https://scadahacker.com/library/Documents/Threat_Intelligence/CrowdStrike%20-%20Global%20Threat%20Report%202013.pdf.

53 The lack of clarity in the slides is also compounded by the age of the document and could reflect an arrangement that is no longer in effect. However, within observations of activity, there does appear to be a clustering of victims, with some samples of the malware agent specifically used to compromise Lebanese and Qatari victims, but not Iranians or other targets of exclusive interest to Iran.

54 Members of the infamous Ashiyane hacking community and others commonly broke into Arabic media and U.S. government sites with political messages, such as protesting alternative names for the Persian Gulf, Western perceptions of Islam, nuclear rights, the administration of George W. Bush, and the crimes of other countries—often in broken English and always bearing attribution. In a few cases these campaigns were sustained over longer periods of time and were intended to make a point, especially when it came to Israeli and Saudi targets. “Al Khaleej Newspaper Website Hacked,” Gulf News, March 7, 2017, http://gulfnews.com/news/uae/general/al-khaleej-newspaper-website-hacked-1.106195; Zone-H mirror page, “fdfhome.gsfc.nasa.gov hacked. Notified by Mafia Hacking Team,” archived on May 26, 2005, http://www.zone-h.org/mirror/id/7494752; Zone-H mirror page, “lvis.gsfc.nasa.gov hacked. Notified by Ashiyane Digital Security Team,” archived on August 11, 2005, http://www.zone-h.org/mirror/id/2757516; Zone-H mirror page, “technology.jpl.nasa.gov hacked. Notified by hamid,” archived on December 28, 2005, http://www.zone-h.org/mirror/id/3183620.

55 Aspects of this can be found in the individuals documented in Dan McWhorter, “APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant, 2013, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.

56 Sheera Frenkel, “Meet the Mysterious New Hacker Army Freaking Out the Middle East,” BuzzFeed News, June 24, 2015, https://www.buzzfeed.com/sheerafrenkel/who-is-the-yemen-cyber-army; and Brian Bartholomew and Juan Andres Guerrero-Saade, “Wave Your False Flags! Deception Tactics Muddying Attribution in Targeted Attacks,” Virus Bulletin Conference (October 2016): 1–11, https://cdn.securelist.com/files/2016/10/Bartholomew-GuerreroSaade-VB2016.pdf.

57 In its indictment, it even went as far as claiming that one individual had received relief from mandatory military service in return for participation. United States of America v. Ahmad Fathi et al., unsealed March 24, 2016, https://www.justice.gov/opa/file/834996/download. The attribution for the campaigns and indication of the American intelligence community’s early attribution of the participants are evident in screenshots from a presentation on the NSA’s CyberCOP program from April 2013, which describes the scale of the DDoS attacks and the infrastructure behind the botnet in its later phases of operation. See “CyberCOP,” presentation, CyberCOP Product Manager, April 11, 2013, http://www.ndr.de/ratgeber/verbraucher/cybercop100.pdf.

58 Zone-H mirror page, “www.karroubi.ir hacked. Notified by Sun Army,” archived on February 17, 2010, http://www.zone-h.org/mirror/id/10269967.

59 Florian Egloff, “Cybersecurity and the Age of Privateering: A Historical Analogy,” Cyber Studies Program Working Paper no. 1 (Oxford: University of Oxford, March 2015), http://www.politics.ox.ac.uk/materials/centres/cyber-studies/Working_Paper_No.1_Egloff.pdf.

60 Richard Barger, “There’s Something About Mahdi,” Threat Connect, July 23, 2012, https://www.threatconnect.com/blog/there-is-something-about-mahdi/; and “Summary of Mortalkombat.com,” Wayback Machine Internet Archive, accessed September 17, 2017, https://web-beta.archive.org/web/20080415000000*/m0rtalkombat.com.

61 Flying Kitten has also established Pars Security (Pars Pardazesh Hafez Shiraz). The FBI had made similar allegations not only for the culprits of Operation Ababil, companies named Mersad and ITSecTeam, but also in the Arrow Tech Associates theft. The FBI’s indictment claims that two other individuals formed a company, Andisheh Vesal Middle East Company, to steal software on behalf of the Iranian government. United States of America v. Mohammed Saeed Ajily and Mohammed Reza Rezakhah, unsealed July 17, 2017, https://www.justice.gov/opa/press-release/file/982106/download.

62 For those on the ground the threats posed are more complex and multifaceted. For example, Iranian telecommunications firms appear to have cooperated with the government in order to provide access to the recovery and two-factor authentication codes sent by text. These then allowed access to Google, Telegram, and other accounts on foreign platforms.

63 The most significant counterevidence of state-alignment is that when the Infy group was disclosed by Palo Alto in May 2016, the domains used in the communications of the malware were filtered by the censorship apparatus, blocking access to those victims. There are explanations for this action that would not conflict with the theory that Infy was acting on behalf of the government, including that the censorship was intended to hide evidence of the operation from the Iranian public.

64 Specifically, we observed direct interactions between the Iranian state and the groups Charming Kitten, Flying Kitten, Magic Kitten, and Rocket Kitten. More tenuous links exist for Infy based on these criteria.

65 “Rocket Kitten: A Campaign With 9 Lives,” Check Point Software Technologies Ltd., November 9, 2015, https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf.

66 The incident was orchestrated by a threat actor who had registered domains under cmprus1394[@]mail[.]ru and teymurov1984[@]gmail[.]com, which impacts a vast network of espionage and criminal activity.

67 United States of America v. Behzad Mesri, a/k/a “Skote Vahshat,” unsealed November 21, 2017, https://www.justice.gov/usao-sdny/press-release/file/1013001/download.

68 Robin Wright, “An American Hostage in Iran – Again,” New Yorker, October 30, 2015, http://www.newyorker.com/news/news-desk/an-american-hostage-in-iran-again.

69 A dual national who had previously worked with a foreign broadcaster was arrested two weeks after his email was also compromised after a phishing attempt. According to one account, the attacker attempted to extract a ransom to keep the victim’s private information, which was ignored. Then, after the arrest, the accounts were again used to target others.

70 “Iranian Billionaire Babak Zanjani Sentenced to Death,” BBC News, March 6, 2016, http://www.bbc.com/news/world-middle-east-35739377.

71 These intrusions reflected a studied understanding of Sorinet’s operations and included names such as “Baharak Zanjani” that appear on the corporate registrations of the company’s subsidiaries but are believed to be false identities. See article in Farsi, Young Journalists Club, February 2, 2013, http://www.yjc.ir/fa/news/4744029/%D9%85%D8%A7%D8%AC%D8%B1%D8%A7%DB%8C-%D8%AE%D9%88%D8%A7%D9%87%D8%B1%D8%A7%D9%86-%D8%AC%D8%B9%D9%84%DB%8C-%D8%A8%D8%A7%D8%A8%DA%A9-%D8%B2%D9%86%D8%AC%D8%A7%D9%86%DB%8C.

72 Iranian security and intelligence agencies have, however, frequently used blackmail and humiliation to intimidate or coerce individuals, including BBC Persian journalists. It is possible that material compromised through intrusions has been used for political manipulation, as this would be difficult to observe without acknowledgement from the victim. For examples of blackmail threats, see Elise Knutsen, “Iranian Agents Blackmailed BBC Reporter With ‘Naked Photos’ Threats,” Arab News, November 19, 2017, http://www.arabnews.com/node/1195681/media.

73 Based on monitoring of known registration information used by Charming Kitten, suspicious domains include saudi-government[.]com and saudi-haj[.]com.

74 “Verfassungsschutzbericht 2015” (in German), German Ministry of the Interior, June 2016, https://www.verfassungsschutz.de/de/download-manager/_vsbericht-2015.pdf; “Phishing uden fangst: Udenrigsministeriet under angreb” (in Danish), Center for Cybersikkerhed, Ministry of Defense, January 2016, https://fe-ddis.dk/cfcs/CFCSDocuments/Phishing%20uden%20fangst.pdf; and “Security Warning-Shamoon 2,” CERT.sa, accessed December 5, 2017, http://www.cert.gov.sa/index.php?option=com_content&task=view&id=714&Itemid=0.

75 U.S. National Security Agency, “Iran – Current Topics, Interaction With GCHQ,” Intercept, written January 8, 2007, published February 10, 2015, https://theintercept.com/document/2015/02/10/iran-current-topics-interaction-gchq/.

76 David Crawford, “U.N. Probes Iran Hacking of Inspectors,” Wall Street Journal, May 19, 2011, http://www.wsj.com/articles/SB10001424052748704281504576331450055868830. The IAEA would later be targeted by an Iranian hacktivist group, calling itself Parastoo, in November 2012, when a web server was compromised, and the information on its employees was posted online, with the implied threat of another Aramco attack. For Parastoo’s statement, see http://cryptome.org/2012/11/parastoo-hacks-iaea.htm.

77 First disclosed by Kaspersky Lab and Seculert in July 2012; see “The Madi Campaign – Part I,” SecureList. While researchers noted the religious implications of the inclusion of the word “mahdi.txt” in the malware’s operations, other versions appeared to include other Persian names and words such as “otahare.” It seems more likely that the inclusion was not meant as a religious declaration.

78 Later attributed by Cylance as Operation Cleaver. Unnamed U.S. government officials had characterized the breach as “carried out by hackers working directly for Iran’s government or by a group acting with the approval of Iranian leaders”; see “U.S. Says Iran Hacked Navy Computers,” Wall Street Journal, September 27, 2013, https://www.wsj.com/articles/us-says-iran-hacked-navy-computers-1380314771.

79 ClearSky, “Jerusalem Post and Other Israeli Websites Compromised by Iranian Threat Agent CopyKitten,” ClearSky Cybersecurity (blog), March 30, 2017, http://www.clearskysec.com/copykitten-jpost/; and “Brief Summary, 2016 Report on the Protection of the Constitution: Facts and Trends,” German Ministry of the Interior, 2016, https://www.verfassungsschutz.de/embed/annual-report-2016-summary.pdf.

80 Hillary R. Clinton investigation records, https://vault.fbi.gov/hillary-r.-clinton. See in particular Document 3, an FBI interview from February 3, 2016.

81 Direct observation of the targets of the Charming Kitten group. The email addresses and names of those targeted in these campaigns appear to have been sourced from the Podesta emails released by WikiLeaks.

82 Alan Cowell, “Blast Kills Physics Professor in Tehran,” New York Times, January 12, 2010, http://www.nytimes.com/2010/01/13/world/middleeast/13iran.html; and Dan Raviv and Yossi Melman, Spies Against Armageddon: Inside Israel’s Secret Wars (BookBaby, 2014).

83 The attempted bombings occurred February 13, 2012, one month after the assassination of Mostafa Ahmadi Roshan (on January 11, 2012) and four years after the death of Imad Mughniyah (on February 12, 2008).

84 First-hand observation of the activities of the Charming Kitten group, similar to the successful operation described in the Operation Cleaver report by Cylance.

85 “Top Daily DDoS Attacks Worldwide: Saudi Arabia,” Digital Attack Map, January 2, 2016, http://www.digitalattackmap.com/#anim=1&color=0&country=SA&list=1&time=16802.6&view=map.

86 “From Shamoon to StoneDrill,” Kaspersky Lab.

87 “‘Sophisticated’ and ‘Genius’ Shamoon 2.0 Malware Analysis,” Coding and Security, December 3, 2016, https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis.

88 Symantec Security Response, “The Madi Attacks: Series of Social Engineering Campaigns,” Symantec Connect (blog), July 17, 2012, https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns.


89 Kirk Soluk, “DDoS and Geopolitics – Attack Analysis in the Context of the Israeli-Hamas Conflict,” Arbor Networks, August 5, 2014, https://www.arbornetworks.com/blog/asert/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/.

90 Although one Israeli intelligence official has stated that “they are not the state of the art, they are not the strongest superpower in the cyber dimension, but they are getting better and better,” disclosing that Iran continues to attempt to compromise Israeli systems. Ari Rabinovitch, Tova Cohen, and Dan Pleck, “Iran’s Hacking Ability Improving: Israeli General,” Reuters, October 31, 2017, https://www.reuters.com/article/us-cyber-summit-padan/irans-hacking-ability-improving-israeli-general-idUSKBN1D02O0.

91 U.S. National Security Agency, “(U) Fourth Party Opportunities: I Drink Your Milkshake,” Der Spiegel, published January 17, 2015, http://www.spiegel.de/media/media-35684.pdf.

92 Directly collected indicators from a sinkhole of malware associated with the Infy group.

93 For example, in Check Point’s Rocket Kitten report, included in the group’s infrastructure were domains mirroring the Afghan Ministry of Defense. Similar domains and targets can be found later that are connected to the same group.

94 Directly collected indicators from the Infy group; discussed further in relation to Iran’s targeting of ethnic minority groups.

95 Directly collected indicators from the Flying Kitten group. The recipients of these spearphishing campaigns included a wide range of journalists and political groups, such as the Coordination Council of Yemen Revolution Youth, Yemen Center for Human Rights, Social and Democracy Forum of Yemen, and Yemen Parliamentarians Against Corruption. The leaked NSA slide indicates that Magic Kitten also breached Yemeni computers, but the nature of the targets is unclear, and the document predates the onset of the civil war in Yemen.

96 “Group5: Syria and the Iranian Connection,” Citizen Lab, August 2, 2016, https://citizenlab.org/2016/08/group5-syria/.

97 “Volatile Cedar: Threat Intelligence and Research,” Check Point Software Technologies Ltd., March 30, 2015, https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf.

98 One striking and related claim made in November 2017 was that the Iranian threat actor Oilrig had compromised Lebanese politicians in order to run an information operation in support of Hezbollah in the 2018 general election. See Patrick Saint-Paul, “Téhéran sponsor d’un piratage massif contre le gouvernement d’Hariri” (in French), Le Figaro, November 26, 2017, http://www.lefigaro.fr/international/2017/11/26/01003-20171126ARTFIG00124-teheran-sponsor-d-un-piratage-massif-contre-le-gouvernement-d-hariri.php.

99 Michael Corkery and Matthew Goldstein, “North Korea Said to Be Target of Inquiry Over $81 Million Cyberheist,” New York Times, March 22, 2017, https://www.nytimes.com/2017/03/22/business/dealbook/north-korea-said-to-be-target-of-inquiry-over-81-million-cyberheist.html?mcubz=0; “Lazarus Under the Hood,” Kaspersky Lab, April 3, 2017, https://securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf.

100 United States of America v. Mohammed Saeed Ajily and Mohammed Reza Rezakhah.

101 “Iran Sanctions 15 U.S. Firms, Citing Human Rights Abuses and Israel Ties,” Reuters, March 26, 2017, http://www.reuters.com/article/us-iran-usa-sanctions-idUSKBN16X0DL.

102 Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, and Nalani Fraser, “Insights Into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and Has Ties to Destructive Malware,” FireEye, September 20, 2017, https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html.

103 Ryan Gallagher, “The Inside Story of How British Spies Hacked Belgium’s Largest Telco,” Intercept, December 13, 2014, https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/.


104 “Iran Telecoms, Internet Report 2016-2017,” Financial Tribune, April 26, 2017, https://
financialtribune.com/articles/economy-sci-tech/63062/iran-telecoms-internet-report-2016-17.

105 For example, the mobile chat applications and voice over internet protocol (VOIP) services, such as
Viber, Skype, and Telegram, that became popular replacements for standard telephony and text
messaging bypass the lawful interception capacities traditionally embedded in phone systems.

106 One significant example is Telegram, which has reached over 40 million users in Iran as of 2017. As a
result of its use of encryption, it is not susceptible to the filtering of specific content or keywords. While
both Iranian authorities and Telegram have never been fully forthcoming about their relationship, it is
clear that the former has attempted to incentivize and threaten Telegram into complying with requests
for the removal of content—including briefly blocking the service in October 2015. While it appears
that Telegram does take down pro–Islamic State content, it has not thus far complied with other
requests.

107 Collin Anderson, “How Iran Is Building Its Censorship-Friendly Domestic Internet,” Backchannel
(blog), Wired, September 23, 2016, backchannel.com/how-iran-is-building-its-censorship-friendly-
domestic-internet-11db69aae96d.

108 Joseph Menn and Yeganeh Torbati, “Exclusive: Hackers Accessed Telegram Messaging Accounts in
Iran—Researchers,” Reuters, August 2, 2016, http://www.reuters.com/article/us-iran-cyber-telegram-
exclusive-idUSKCN10D1AM.

109 Fereydoun has been the target of a corruption investigation, which has been perceived as an attempt to
undermine Rouhani. Regardless of the legitimacy of these claims, the attempts against Fereydoun began
early in Rouhani’s first term and targeted his family. This extended into impersonating Zarif to target
Fereydoun and vice versa. The long-term focus suggests the targeting was related to politics rather than
the criminal investigation.

110 Aresu Eqbali, “Back Home, Iran’s Leader Tries to Sell Nuclear Deal,” Wall Street Journal, July 16, 2015,
http://www.wsj.com/articles/back-home-irans-leader-tries-to-sell-nuclear-deal-1437081590.

111 Aresu Eqbali and Asa Fitch, “Iran Accuses Man Involved in Nuclear Deal Negotiations of Spying,” Wall
Street Journal, August 28, 2016, https://www.wsj.com/articles/iran-accuses-man-involved-in-nuclear-
deal-negotiations-of-spying-1472416462.

112 Hanif Kashani, “Zarif, Attacked But Unscathed,” Iran Wire, September 17, 2013,
https://en.iranwire.com/features/2665/.

113 Such as the use of mobile phone interception to capture login credentials for Telegram and Google
accounts. In other cases, elaborate ruses appeared to be set up based on private political information in
order to convince the target to run malware.
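The interception described in this note works because a login that relies on a code texted to the phone number is only as strong as the phone network that carries the text. The following simulation is an added example, not part of the Carnegie report: it models a constructed messaging service with a Telegram-style phone-number login, an interceptor who receives a copy of every SMS sent to the victim's number, and the one defence that survives that interception, namely a second secret (what Telegram calls a two-step verification password) that is never transmitted over the phone network. Every phone number, device name, code and password here is made up; the `SmsNetwork`, `MessagingService`, `run_takeover`, `run_owner_login` and `unsolicited_codes` names are the example's own.

```python
# Added example (not from the Carnegie report): constructed simulation of an
# SMS-code account takeover by someone who can read a target's text messages,
# and of the defence that survives it: a second secret that never crosses the
# phone network. All numbers, device names, codes and passwords are made up.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SmsNetwork:
    """Carrier delivery path. An entry in `taps` models interception of one
    subscriber's SMS (a cooperating operator, a cloned SIM, SS7 redirection):
    every message to that number is also copied to the interceptor's inbox."""
    inboxes: dict = field(default_factory=dict)
    taps: dict = field(default_factory=dict)   # victim number -> interceptor id

    def send(self, number: str, text: str) -> None:
        self.inboxes.setdefault(number, []).append(text)
        if number in self.taps:
            self.inboxes.setdefault(self.taps[number], []).append(text)

    def read(self, who: str) -> list:
        return self.inboxes.get(who, [])


class MessagingService:
    """Server side of a phone-number login: a one-time code is texted to the
    number; if the owner has set a cloud password it is required as well.
    Passwords are stored as salted PBKDF2 hashes, never sent by SMS."""
    ITER = 50_000

    def __init__(self, sms: SmsNetwork):
        self.sms = sms
        self.pending = {}     # number -> outstanding one-time code
        self.passwords = {}   # number -> (salt, pbkdf2 hash)
        self.sessions = []    # (number, device) pairs that are logged in

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITER)

    def enable_cloud_password(self, number: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.passwords[number] = (salt, self._hash(password, salt))

    def request_code(self, number: str) -> None:
        # Whoever asks (owner or attacker), the code goes to the phone number.
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[number] = code
        self.sms.send(number, f"Login code: {code}")

    def login(self, number: str, device: str, code: str,
              password: Optional[str] = None) -> bool:
        expected = self.pending.get(number)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        if number in self.passwords:
            salt, stored = self.passwords[number]
            if password is None or not hmac.compare_digest(self._hash(password, salt), stored):
                return False
        del self.pending[number]          # the code is single-use
        self.sessions.append((number, device))
        return True


VICTIM = "+98-900-000-0001"               # constructed number


def extract_code(sms_text: str) -> str:
    """What the interceptor does with the copied message."""
    return sms_text.rsplit(":", 1)[1].strip()


def run_takeover(cloud_password: Optional[str] = None,
                 guess: Optional[str] = None) -> bool:
    """Attacker with an SMS tap on the victim's number logs in from their own
    handset. Returns True if the takeover succeeds."""
    sms = SmsNetwork()
    svc = MessagingService(sms)
    if cloud_password is not None:
        svc.enable_cloud_password(VICTIM, cloud_password)
    sms.taps[VICTIM] = "interceptor"
    svc.request_code(VICTIM)                        # attacker triggers the SMS
    code = extract_code(sms.read("interceptor")[-1])
    return svc.login(VICTIM, "attacker-handset", code, guess)


def run_owner_login(cloud_password: str) -> bool:
    """The legitimate owner, who knows the password, still gets in."""
    sms = SmsNetwork()
    svc = MessagingService(sms)
    svc.enable_cloud_password(VICTIM, cloud_password)
    svc.request_code(VICTIM)
    return svc.login(VICTIM, "owner-handset", extract_code(sms.read(VICTIM)[-1]), cloud_password)


def unsolicited_codes() -> int:
    """Signal the owner can act on: the tap does not stop the owner's handset
    from also receiving a login code they never asked for."""
    sms = SmsNetwork()
    svc = MessagingService(sms)
    sms.taps[VICTIM] = "interceptor"
    svc.request_code(VICTIM)
    return len(sms.read(VICTIM))


if __name__ == "__main__":
    print("SMS code only, tapped line:", run_takeover())
    print("plus cloud password, no guess:", run_takeover("s3cret-phrase"))
    print("plus cloud password, wrong guess:", run_takeover("s3cret-phrase", "password1"))
    print("owner with password:", run_owner_login("s3cret-phrase"))
    print("unsolicited codes seen by owner:", unsolicited_codes())
```

The point the simulation makes is that the one-time code is not a second factor when the channel carrying it is the thing the adversary controls; the attacker never needs the victim's handset, only the carrier's copy of the text. The unsolicited-code count is the user-visible trace of such an attempt and is the kind of signal the Reuters reporting cited in note 108 describes users noticing after the fact.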

114 Based on data acquired through forensic investigations of Flying Kitten and Charming Kitten’s
credential theft campaigns.

115 On April 19, 2016, the Google and Facebook accounts of Shahindokht Molaverdi, at that time Iran’s
vice president for Women and Family Affairs, were compromised by Rocket Kitten in order to conduct
a spearphishing campaign against women’s rights activists.

116 The ban was imposed in February 2015. “Rouhani and Judiciary Clash Over Ban on Publishing Images
of Former President Khatami,” Center for Human Rights in Iran, December 21, 2015,
https://www.iranhumanrights.org/2015/12/khatami-media-ban-and-etelaat-newspaper/.

117 Collin Anderson, “Dimming the Internet: Detecting Throttling as a Mechanism of Censorship in Iran,”
arXiv.org, June 18, 2013, http://arxiv.org/abs/1306.4361.

118 Specifically, Flying Kitten, Infy, and Magic Kitten.
119 “Iran Accelerates Crackdown on Media and Dissidents Prior to Election,” International Campaign for
Human Rights in Iran, June 10, 2013, https://www.iranhumanrights.org/2013/06/iran_election/.


120 Parthisan, “Abtahi’s Blog Was Hacked for Revealing Torture Details,” Persian Students in the United-
Kingdom, January 2, 2005, hosted by Internet Archive, https://web.archive.org/web/20050123083526/
http://www.persianstudents.org/archives/001269.html.

121 Based on observation of the Rocket Kitten’s social engineering attempts against foreign human rights
activists that appeared to use a breached account belonging to Abtahi.

122 Based on data acquired from a malware command and control server found through forensic investiga-
tion of Flying Kitten activity.

123 Gholam Ali Rajaee, “Warning!” (in Farsi), December 27, 2015, http://www.gholamalirajaee.blogfa.
com/post/1152/%D9%87%D8%B4%D8%AF%D8%A7%D8%B1.

124 “Iran: Baha’is Educating Their Youth Is a ‘Conspiracy’ Against the State,” Baha’i World News Service,
July 27, 2011, http://news.bahai.org/story/843. In response to this persecution, the Baha’i community
has become particularly adept at using the internet for international advocacy and countering exclusion,
including offering online distance learning classes from the Baha’i Institute for Higher Education.

125 The Infy malware agent, as directly observed in January 2016.
126 Shima Shahrabi, “Iran’s New Criminals: Fashion Models,” Iran Wire, February 2, 2016,
https://en.iranwire.com/features/7058.

127 Based on data acquired from a malware command and control server found through forensic investiga-
tion of Flying Kitten activity.

128 FireEye (through its iSIGHT Partners) has also noted that threat actors focused on the Islamic State as
the militant group was expanding its territory across Iraq, an interest expressed by the threat actors well
before 2015. David E. Sanger and Nicole Perlroth, “Iranian Hackers Attack State Dept. via Social
Media Accounts,” New York Times, November 24, 2015, http://www.nytimes.com/2015/11/25/world/
middleeast/iran-hackers-cyberespionage-state-department-social-media.html.

129 In one case a shared computer in Erbil, Iraq, used by a Kurdish supporter of a Jordanian jihadi figure
was compromised through the malware, which was delivered as personal pictures sent by a fictitious
female social network profile. The same group maintained phishing sites with hard-coded references to
Facebook pages associated with the Islamic State’s “Ministry of Information,” Tunisian Islamic Awaken-
ing, Lashkar-e-Khorasan (Pakistan), and al-Qaeda affiliates, among other Islamist movements. This
targeting was broad, but more effort was spent on Persian-language or Iran-oriented actors, targeting
Facebook pages as small as one with five members and one public post, a “Salafe Kurdistan” page.

130 The operations reflect old rivalries from the Islamic Revolution being played out, as Flying Kitten
sought access to accounts and sites associated with Marxist-Leninist Fedaian and other Communist
parties as well.

131 Some of the first observed operations of the Infy group targeted Taftaan News Agency and the Jonbesh e
Moqavemat e Mardomi e Iran separatist group, and compromised computers in the province of Sistan
and Balochistan over the course of several years. Shortly after the suspected time of intrusion, at least
one of the affected blogs warned its visitors that an old email address connected to the site had been
compromised by Iranian intelligence agencies. The following day the administrators closed the site,
claiming technical issues.

132 Several Infy malware samples had names such as “pjak.pps” and other references to Marxist ideologies
(such as “kargar.pps,” or “worker”).

133 For example, current and former employees of the organization, both with the Iran Program and
general operations staff, have been engaged by several fictitious personas on LinkedIn and Facebook,
including the persona “Victoria Roberts,” the LinkedIn profile name described earlier as connecting
predominantly with defense companies. The existing networks of these profiles reflect a specific interest
in the American foreign policy establishment, international development programs, and the defense
industrial base.


134 Healey defines “state-integrated” as the “national government integrates third-party attackers and
government cyber forces, with common command and control.” This still allows for informal coordina-
tion with external parties so long as the government remains in control. While Iranian threat actors
receive tasking from the government, there is little indication that any of them are formal members of
the security forces.

135 Based on a Freedom of Information Act request by the authors to the Broadcasting Board of Governors
on cybersecurity incidents related to Iran.

136 David M. Faris and Babak Rahimi, eds., Social Media in Iran: Politics and Society After 2009 (Albany,
NY: SUNY Press, 2015).

137 An FBI notice sent to private industry on May 29, 2014, described a similar set of personas that
expanded on the iSIGHT Partners’ (now FireEye) Operation Newscaster report that was released a few
days prior. While iSIGHT Partners identified fourteen accounts of American or European background,
the FBI provided a list of fifty-six unique personas, of which fifteen had family names that appeared to
be Persian and had not been identified in the previous report. The accounts identified by the FBI have
been since deleted, but appeared to have been Iran-focused. Federal Bureau of Investigation, “FBI
Notification: Malicious Cyber Actors Targeting U.S. Government Networks and Employees,” Public
Intelligence, June 23, 2014, https://publicintelligence.net/fbi-cyber-targeting-gov-networks/.

138 John Hultquist, “Sandworm Team and the Ukrainian Power Authority Attacks,” Threat Research (blog),
FireEye, January 7, 2016, https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sand-
worm-team.html.

139 “A Dam, Small and Unsung, Is Caught Up in an Iranian Hacking Case,” New York Times, March 25,
2016, https://www.nytimes.com/2016/03/26/nyregion/rye-brook-dam-caught-in-computer-hacking-
case.html. FireEye (which owns Mandiant) has described multiple cases of “Iran-based network
reconnaissance activity,” including unauthorized intrusions into several U.S. state government agencies.
“FireEye Releases Annual Mandiant Threat Report on Advanced Targeted Attacks,” FireEye, April 10,
2014, http://investors.fireeye.com/releasedetail.cfm?ReleaseID=839454.

140 Alex Vatanka, “The Iranian Industrial Complex: How the Revolutionary Guards Foil Peace,” Foreign
Affairs, October 17, 2016, https://www.foreignaffairs.com/articles/iran/2016-10-17/iranian-industrial-
complex.

141 For example, when Iranian state–aligned media have covered such issues in recent years, it has typically
been through republishing English-language reports without substantial further comment or by
reporting on denials by the government, such as when Mashregh News covered Citizen Lab’s August
2015 “London Calling” report and took issue with claims about attribution.

142 Adam Segal, “Why China Hacks the World,” Christian Science Monitor, January 31, 2016,
http://www.csmonitor.com/World/Asia-Pacific/2016/0131/Why-China-hacks-the-world.

143 “Iran Loses $150 Billion a Year Due to Brain Drain,” MEHR News Agency, January 8, 2014, http://
en.mehrnews.com/news/101558/Iran-loses-150-billion-a-year-due-to-brain-drain.

144 Secure Works Counter Threat Unit, “ThreatGroup-4127 Targets Hillary Clinton Presidential Cam-
paign,” Secureworks.com, June 16, 2016, https://www.secureworks.com/research/threat-group-
4127-targets-hillary-clinton-presidential-campaign.

145 The compromises of several certificate authorities by “ComodoHacker,” the individual responsible for
the DigiNotar breach, appear to have used a stolen Israeli credit card for registering domains used in the
attack.

146 Office of the Press Secretary, “Executive Order: Blocking the Property and Suspending Entry Into the
United States of Certain Persons With Respect to Grave Human Rights Abuses by the Governments of
Iran and Syria via Information Technology,” White House, news release, April 23, 2012,
https://www.treasury.gov/resource-center/sanctions/Programs/Documents/2012iran_syria_eo.pdf.


147 “Sanctions Related to Significant Cyber-Enabled Malicious Activities,” U.S. Department of the
Treasury, last modified August 9, 2017, https://www.treasury.gov/resource-center/sanctions/Programs/
pages/cyber.aspx.

148 Members of Iranian threat groups do travel to countries from which the United States has successfully
obtained extraditions.

149 Cory Bennett, “White House Pledges Cyber Cooperation With Gulf Leaders,” Hill, May 14, 2015,
http://thehill.com/policy/cybersecurity/242162-white-house-pledges-cyber-cooperation-with-gulf-
states; and Ellen Nakashima, “As Cyberwarfare Heats Up, Allies Turn to U.S. Companies for Expertise,”
Washington Post, November 22, 2012, https://www.washingtonpost.com/world/national-security/
as-cyberwarfare-heats-up-allies-turn-to-us-companies-for-expertise/2012/11/22/a14f764c-192c-11e2-
bd10-5ff056538b7c_story.html?utm_term=.63ff1d99cfba.


From the Cuckoo’s Egg to Global Surveillance:
Cyber Espionage that Becomes Prohibited

Intervention

Nicolas Jupillat†

I. Introduction ............ 934
II. Misconceptions about the Regulation of State Conduct in Cyberspace ............ 937
  A. From “Code is Law” to “Law is Law” ............ 937
  B. International Law is the Law of Nations ............ 938
  C. International Law is Law ............ 939
  D. Cyberspace and Normative Opportunism ............ 940
III. Sovereignty ............ 940
  A. Generally ............ 940
  B. Sovereignty in Cyberspace ............ 942
  C. Non-Intervention ............ 945
    1. The Origin of the Coercion Concept ............ 948
    2. The Meaning of Coercion ............ 949
IV. Espionage Generally ............ 951
  A. Wartime ............ 951
  B. Peacetime ............ 953
    1. Definition ............ 953
    2. Unsettled Law ............ 954
    3. Exceptions to the Case Law Gap ............ 959
  C. International Domains and Organizations ............ 961
    1. Domains ............ 962
    2. Organizations ............ 966
IV. Cyber Espionage ............ 967
  A. What Cyber Espionage is and how it Differs from Traditional Espionage ............ 967
    1. Computer Network Exploitation ............ 968
    2. Communications Intelligence (“COMINT”) ............ 970
    3. Secret Information-Sharing ............ 972
  B. Why Should Cyber Espionage Be Deterred? ............ 974

† Visiting Professor, University of Detroit Mercy School of Law and Center for Cyber
Security and Intelligence Studies, Google Policy Fellow at the Canadian Internet Policy
and Public Interest Clinic, IEEE Global Initiative for Ethical Considerations in Artificial
Intelligence and Autonomous Systems Law Committee.

934 N.C. J. INT’L L. [Vol. XLII

  C. How And When Cyber Espionage Becomes Illegal ............ 978
    1. How ............ 978
    2. When: Scale and Coercion ............ 979
    3. When: Context and Threat of Disclosure (Information Warfare) ............ 981
V. Functionalism and other Moot Preclusions of State Responsibility ............ 984
VI. Conclusion ............ 987

I. Introduction
The Cuckoo’s Egg is the nickname of a persistent computer
intrusion that occurred at the Lawrence Berkeley National
Laboratory in 1986.1 It is the very first documented case of cyber
espionage.2 As a matter of fact, cyber espionage marked the
beginning of what is now commonly referred to as cyber warfare,
and continues to be its most common manifestation today,
consistently ahead of cyber sabotage among state-sponsored
operations.3 Recent examples confirm the extent of the
phenomenon and its consequences, from the multiple high-profile
Chinese operations observed since 2003,4 to the 2013 Snowden
disclosures of the U.S. National Security Agency’s mass-scale
foreign surveillance programs,5 and the recent Democratic

1 See generally CLIFFORD STOLL, THE CUCKOO’S EGG (1989) (detailing a first-
person account of how the author tracked the person who hacked the Lawrence Berkeley
National Laboratory computer).
2 See generally A FIERCE DOMAIN: CONFLICT IN CYBERSPACE, 1986 TO 2012
(Jason Healey et al. eds., 2013) (providing a history of disruptions and other cyber
attacks).
3 Cyber sabotage is referred to as cyber warfare to the exclusion of espionage. See
Paolo Passeri, 2016 Cyber Attacks Statistics, HACKMAGEDDON (Jan. 19, 2017),
http://www.hackmageddon.com/ [https://perma.cc/UW8D-MKS9].
4 Starting in the early 2000s with Titan Rain and Byzantine Hades and more
recently with the 2015 U.S. Office of Personnel Management data breach which lost 21.5
million personnel files, including sensitive information such as health and financial
history, arrest records, and fingerprint data. See Symantec, 2016 Internet Security Threat
Report, 21 INTERNET SEC. THREAT REPORT 1, 37 (Apr. 2016); see also INFO. WARFARE
MONITOR, TRACKING GHOSTNET: INVESTIGATING A CYBER ESPIONAGE NETWORK (2009)
(alleging global surveillance program akin to NSA programs known as GhostNet
discovered in 2009).
5 See Bruce Schneier, There’s No Real Difference Between Online Espionage and
Online Attack, ATLANTIC (Mar. 6, 2014),
http://www.theatlantic.com/technology/archive/2014/03/theres-no-real-difference-
between-online-espionage-and-online-attack/284233/ [https://perma.cc/V8PW-BCGM]
(discussing other sophisticated surveillance networks, such as Red October and The
Mask, which are attributed to Russia and Spain, respectively).

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 935

National Committee hack attributed to Russia in the context of the
2016 United States Presidential election campaign.6 As early as
2013, United States Director of National Intelligence James
Clapper had already warned the Senate Intelligence Committee
“that cyber-attacks and cyber espionage [had] supplanted terrorism
as the top security threat facing” the United States.7

However, the international community has been conspicuously
slow to tackle the issue. The 2015 Report of the United Nations
Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of
International Security only reasserts the right to privacy in the
digital age, relegating cyber espionage and extraterritorial
surveillance to the status of mere human rights concerns.8 Merely noting the
“need to preserve global connectivity and the free and secure flow
of information,”9 the Report, though intended as a code of
responsible state conduct in cyberspace, fails to deal with the most
pressing of current cyber threats, and instead focuses on longer
term, if not conceptual, computer security threats such as cyber use
of force.10 And yet, the material and political implications of cyber
espionage are such that it can no longer be ignored. Cyber
espionage contributes to tension escalation across the world, and
may cause significant incidental damage to computer network
infrastructure. It may also constitute a threat to the unified domain
name system upon which the global internet relies, especially as
more states could seek to withdraw from a global internet that in

6 See Spencer Ackerman & Sam Thielman, US Officially Accuses Russia of
Hacking DNC and Interfering with Election, GUARDIAN (Oct. 8, 2016, 9:09 AM),
https://www.theguardian.com/technology/2016/oct/07/us-russia-dnc-hack-interfering-
presidential-election [https://perma.cc/UE5A-ETGS].
7 Mark Hosenball & Patricia Zengerle, Cyber Attacks Leading Threats Against
U.S.: Spy Agencies, REUTERS (Mar. 12, 2013, 3:07 PM),
http://www.reuters.com/article/us-usa-threats-idUSBRE92B0LS20130312
[https://perma.cc/A4GV-Z7AB].
8 See Group of Governmental Experts on Developments in the Field of Information
and Telecommunications in the Context of International Security, Report of the Group of
Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security, U.N. DOC. A/70/174 (July
22, 2015) [hereinafter U.N. DOC. A/70/174].
9 Id. ¶ 30.
10 See id.


large part enables mass-scale and remote data collection.11 The
intensity of the threat can only increase with our growing reliance
on telecommunications infrastructure, the development of the
internet of things, and machine learning.

Under international law, this lack of direction is aggravated by
the persistent uncertainty surrounding the legality of espionage,12
as well as the definition of non-intervention.13 There is a need to
specify the interpretation of existing rules of international law,
especially if we are to maintain international peace and security
and friendly relations among states. Foreign surveillance has
recently prompted a fair amount of literature, mainly focused on
its deleterious human rights consequences, and the need to
reaffirm the extraterritorial applicability of treaty law.14
Nevertheless, little has been said about the rights of states to object
to what can also appear to be a serious violation of their
sovereignty. This paper aims to lay the foundations for a
productive conversation on the evolving definition of espionage,
intervention, and sovereignty in the digital age. It also highlights
the need for further cross-disciplinary research in the fields of law,
cyber warfare, and intelligence-gathering technology.

11 See Sascha Meinrath, The Future of the Internet: Balkanization and Borders,
TIME (Oct. 11, 2013), http://ideas.time.com/2013/10/11/the-future-of-the-internet-
balkanization-and-borders/ [https://perma.cc/XYA2-XAT5].
12 A. John Radsan, The Unresolved Equation of Espionage and International Law,
28 MICH. J. INT’L L. 595, 596–97 (2007).
13 See SIR MICHAEL WOOD, THE PRINCIPLE OF NON-INTERVENTION IN
CONTEMPORARY INTERNATIONAL LAW: NON-INTERFERENCE IN A STATE’S INTERNAL
AFFAIRS USED TO BE A RULE OF INTERNATIONAL LAW: IS IT STILL? 2 (Feb. 27, 2007),
https://studylib.net/download/8433936 (Summary of the Chatham House International
Law Discussion Group meeting held on Feb. 27, 2007).
14 See Francesca Bignami, Towards a Right to Privacy in Transnational
Intelligence Networks, 28 MICH. J. INT’L L. 663, 665 (2007); see also Ilina Georgieva, The
Right to Privacy under Fire – Foreign Surveillance under the NSA and the GCHQ and
Its Compatibility with Art. 17 ICCPR and Art. 8 ECHR, 31 UTRECHT J. INT’L & EUR. L.
104, 104–30 (2015); Marko Milanovic, Human Rights Treaties and Foreign
Surveillance: Privacy in the Digital Age, 56 HARV. INT’L L.J. 81, 81 (2015); Beth Van
Schaack, The United States’ Position on the Extraterritorial Application of Human
Rights Obligations: Now is the Time for Change, 90 INT’L. L. STUD. 20, 20 (2014).


II. Misconceptions about the Regulation of State Conduct in
Cyberspace

A. From “Code is Law” to “Law is Law”
There is a common misconception about the relationship
between code and the law. Lawrence Lessig, among other
intellectuals, has posited that code was the law of cyberspace.15
Notwithstanding certain nuances to this idea, his theory boils
down to arguing that code is what regulates and governs
cyberspace.16 Thankfully, this intellectual trend is waning, as
other intellectuals are now recognizing that not only does law have
its place, but also that code and law operate on two different
planes of reality.17 Urs Gasser, the executive director for
Harvard’s Berkman Klein Center for Internet & Society confirms
that “gradually, that approach is starting to change.”18 “Post-
Snowden, there’s a renewed emphasis on ‘law as law,’ to regulate
code.”19 In fact, it stands to reason that code is to cyberspace what
the natural laws of physics are to the real world. Code determines
what is possible in cyberspace the same way that the laws of
physics determine what is possible in reality. But it certainly does
not tell us what is allowed or not. In real life, one can use a chair
to hurt someone by breaking it on their back, if that is the
intention. The material is light enough to be lifted, yet rigid
enough to cause harm. The laws of physics make that possible,
but that quite obviously does not make it legal. The same goes for
cyberspace. Code may make it possible to steal information, but it
does not make it lawful.

15 See LAWRENCE LESSIG, CODE: AND OTHER LAWS OF CYBERSPACE 7–8 (2000)
[hereinafter CODE AND OTHER LAWS]; see also Lawrence Lessig, Code is Law: On
Liberty in Cyberspace, HARV. MAG. (Jan. 1, 2000),
http://harvardmagazine.com/2000/01/code-is-law-html [https://perma.cc/URH4-XET5].
16 See CODE: AND OTHER LAWS, supra note 15.
17 See David Pogue, Don’t Just Chat, Do Something, N.Y. TIMES: BOOKS (Jan. 30,
2000), http://www.nytimes.com/books/00/01/30/reviews/000130.30poguet.html
[https://perma.cc/6Q66-8L43].
18 See Robert Levine, The ‘Right to be Forgotten’ and Other Cyberlaw Cases Go to
Court, BLOOMBERG (June 23, 2016, 2:48 PM),
https://www.bloomberg.com/news/articles/2016-06-23/the-right-to-be-forgotten-and-
other-cyberlaw-cases-go-to-court [https://perma.cc/A37L-TUQJ].
19 Id.


B. International Law is the Law of Nations
The classical foundations of international law, which are
commonly attributed to the Dutch jurist Hugo Grotius,20 date back
to the seventeenth century, with premises in the sixteenth century
contributions of French jurist Jean Bodin to the concept of
sovereignty.21 Also known as the “Westphalian system,” named
after the Treaty of Westphalia of 1648, which concluded the Thirty
Years War in Europe, the international legal order is comprised of
nation-states who exercise exclusive political authority over their
own territories,22 and form international norms through mutual
consent,23 either by contracting with one another through treaties
or through uniform state practice, which may concur to the
formation of international customary law when performed in
conjunction with opinio juris, which refers to a state acting with a
sense of legal obligation.24

States remain the primary subjects of international law. The
fact that a myriad of non-state actors are involved in shaping
cyberspace does not mean that they “govern” or “regulate”
cyberspace. States retain this consubstantial prerogative. Let us
consider human societies as a metaphor for the world community.
Emergent qualities inevitably derive from the sum of all individual
behavior, but that does not make each individual a member of the
governing body. Likewise, as much as non-state actors also
concur to shaping the world community, they still do not form part
of the governing body. The governing body is the community of
states. Non-state actors cannot enter into international
conventions, and their behavior is not norm-creating. They are
bound by the domestic and international legal systems, where only
states legislate and enforce the law. Non-state actors are objects of
international law, with certain rights and obligations that are only
granted or imposed by virtue of state will.

20 See EMER DE VATTEL, THE LAW OF NATIONS OR PRINCIPLES OF THE LAW OF
NATURE APPLIED TO THE CONDUCT AND AFFAIRS OF NATIONS AND SOVEREIGNS § 7
(Joseph Chitty ed., trans., T. & J. W. Johnson, Law Booksellers 6th ed., 1844) (1797)
[hereinafter THE LAW OF NATIONS].
21 See WM. A. DUNNING, Jean Bodin on Sovereignty, 11 POL. SCI. Q. 82, 84 (1896).
22 See THE LAW OF NATIONS, supra note 20, § 205.
23 See id. at v.
24 Opinio Juris Sive Necessitatis, BLACK’S LAW DICTIONARY (10th ed., 2014).


C. International Law is Law
International law is sometimes discarded as ineffective due to
unrealistic expectations. The fact that the law does not always
influence individual or state behavior the way that was intended
does not make it irrelevant. U.S. domestic criminal law being
broken on a regular basis does not make us question the relevance
of the U.S. legal system as a whole. As Quincy Wright says the
“[l]aw . . . formulates the values, not the behavior, of the
community.”25 This more generally illustrates a traditional
tension, among international legal scholars, between the realists,
who believe that force alone can change state behavior, and the
idealists, who contend that ideas and values also shape state
behavior.

States want to be seen acting in compliance with international
law, and will go to great lengths to have their positions drafted
using language borrowed from international law to give more
authority to their arguments. International law is a language. In
the first presidential debate of the 2016 U.S. election, Secretary
Hillary Clinton made clear references to international law when
asked about cyber warfare, even correcting herself to use more
specific international law terminology.26 She and other higher
officials often use international legal terminology to signify that
international law applies, and that current and future actions and
declarations are potentially norm-creating.27 States may only be
bound by International Court of Justice decisions when they agree
to the jurisdiction of the Court in advance (through a
compromissory clause or optional clause declaration) or on a case-
by-case basis (through special agreement or forum prorogatum),
but the international legal order is first and foremost founded on
the premise of reciprocity.28 This principle can be summed up as

25 Quincy Wright, Espionage and the Doctrine of Non-Intervention in Internal
Affairs, in ESSAYS ON ESPIONAGE AND INTERNATIONAL LAW 8 (Roland Stanger ed., 1962).
26 See Aaron Blake, The First Trump-Clinton Presidential Debate Transcript,
Annotated, WASH. POST: FIX (Sept. 26, 2016),
https://www.washingtonpost.com/news/the-fix/wp/2016/09/26/the-first-trump-clinton-
presidential-debate-transcript-annotated/?utm_term=.b341fd1057c0
[https://perma.cc/6H53-KJ3U] (“[W]e are seeing cyber attacks coming from states,
organs of states.”).
27 See id.
28 See Francesco Parisi & Nita Ghei, The Role of Reciprocity in International Law,
36 CORNELL INT’L. L.J. 93, 93–94 (2003) (explaining why reciprocity is important in
international law).

“don’t do unto others what you don’t want others to do unto you.”
This is what holds the international community together.

D. Cyberspace and Normative Opportunism
On the other side of unrealistic expectations, there are claims
that existing norms and principles do not apply to new technology.
There is a tendency, sometimes motivated by political
opportunism, to claim the need for new rules and radically new
interpretations of existing norms and principles. The novel and
different character of cyberspace prompts certain observers to
think that “old” concepts of borders and sovereignty ought to be
radically reinvented.29 I do not share this view. The White House
took a far more reasonable approach in 2011: though there might
be a need for minor adjustments, international law is not
obsolete.30 International law is well drafted and broad enough to
encompass new technological developments.31 It would appear
hazardous to throw away long-established concepts and principles,
as this would only create more uncertainty, which could have far-
reaching consequences, including outside of cyberspace.

III. Sovereignty

A. Generally
Sovereignty has an internal and an external component.
Internally, sovereignty refers to a state’s exclusive jurisdiction
over its own territory. In addition to land, territory includes
territorial waters and airspace. As arbitrator Max Huber explained
in the Island of Palmas Arbitration Award: “sovereignty in the

29 Sean P. Kanuck, Information Warfare: New Challenges for Public International
Law, 37 HARV. INT’L L.J. 243, 288 (1996) (“Cyberspace and information alike transcend
physical boundaries, thereby requiring a legal paradigm that looks beyond merely the
locus of events.”).
30 THE WHITE HOUSE, INTERNATIONAL STRATEGY FOR CYBERSPACE 9–10 (2011).
31 See Hague Convention (II) with Respect to the Laws and Customs of War on
Land, July 29, 1899, 32 Stat. 1803, Martens Nouveau Recueil [hereinafter Hague II]
(Martens Clause: “Until a more complete code of the laws of war is issued, the High
Contracting Parties think it right to declare that in cases not included in the Regulations
adopted by them, populations and belligerents remain under the protection and empire of
the principles of international law, as they result from the usages established between
civilized nations, from the laws of humanity and the requirements of the public
conscience.”).


relations between states signifies independence. Independence in
regards to a portion of the globe is the right to exercise therein, to
the exclusion of any other State, the functions of a State.”32
Externally, sovereignty translates as state equality before the law.
States have the same rights and obligations in their relations with
one another.

Sovereignty is a principle of freedom and political
independence. Though often confused with power, sovereignty
implies only freedom: the freedom of a state to choose its own
policy orientations, including alliances and economic
dependencies whenever self-sufficiency is not attainable, and it
rarely is.

Sovereignty and extraterritorial jurisdiction. It is generally
recognized that a state’s jurisdiction may extend beyond its
borders in certain specific cases. Those include flag vessels, and
registered aircraft or spacecraft in international domains. On rarer
occasions, extraterritorial jurisdiction will be recognized over a
criminal offense that unfolded on another state’s territory. The
protective principle claim of extraterritorial jurisdiction can be
made when a state’s national security is at stake. The active and
passive personality principles apply based on the nationality of the
perpetrator on the one hand, and that of the victim on the other.
Finally, universal jurisdiction is the idea according to which a
court may have jurisdiction over any case where international
criminal law, as well as certain peremptory norms of international
law, are violated, regardless of where the crime took place and
nationality of the individuals involved. This form of jurisdiction is
controversial and only concerned with the most heinous crimes.
At any rate, extraterritorial jurisdiction does not in any way imply
that a state has extraterritorial authority over any given matter. A
state may not intervene in the internal affairs of other states on a
claim of extraterritorial jurisdiction. If no extradition treaty exists
between the state seeking jurisdiction over a case and the state
where the perpetrator or victim is located, then there is very little
recourse for the state seeking jurisdiction to have the individual in
question tried by their own domestic court system. At best, states
may seek to exercise their right to grant diplomatic protection to
their own nationals not residing or otherwise not located on their
territory.

32 Island of Palmas (Netherlands v. United States), 2 R.I.A.A. 829, 838 (Perm. Ct.
Arb. 1928).

B. Sovereignty in Cyberspace
The “cyber” prefix derives from the word cybernetics, which
refers to the science of communication and automatic control
systems in both machines and living things.33 William Gibson
coined the term cyberspace in 1982 in his novel “Burning
Chrome,”34 after the creation of the ARPAnet in 1969, and soon
after the creation of the web in 1980. There are multiple
definitions of cyberspace, but I will retain that of the NATO CCD
COE. In 2013, the North Atlantic Treaty Organization’s
Cooperative Cyber Defence Centre of Excellence convened a
group of international experts to discuss the applicability of
international law to cyber warfare.35 Their work, known as the
Tallinn Manual, defines cyberspace as the “environment formed
by physical and non-physical components, characterized by the
use of computers and the electro-magnetic spectrum, to store,
modify, and exchange data using computer networks.”36 It
therefore includes devices that are not constantly connected to it,
such as memory sticks. Some states, such as Russia, will more
commonly employ the phrase “information space” to include the
cognitive realm, whereby anything that influences the human
psyche is part of cyberspace.37 Cyberspace is a widely-used term
despite some debate over its relevance, especially as a “space.”38
Quite obviously, cyberspace is unlike sea, land, air, and outer
space. One cannot inhabit cyberspace, or make any territorial
claims over cyberspace proper or any portion thereof. It is
therefore not so much a “space,” as it is rather a network of
networks. Air Law would probably give a more relevant basis for
further comparative work, as it is a legal framework conceived to
be applied to networks (airports being nodes connected by
international travel routes), and is also an earlier compromise
between global private and public interests.39

33 Cybernetics, OXFORD ONLINE DICTIONARY,
https://en.oxforddictionaries.com/definition/cybernetics [https://perma.cc/Q4NV-LVUD].
34 See Scott Thill, March 17, 1948: William Gibson, Father of Cyberspace, WIRED,
Mar. 17, 2009,
https://archive.wired.com/science/discoveries/news/2009/03/dayintech_0317
[https://perma.cc/PN42-PE34].
35 See U.N. Doc. A/70/174, supra note 8.
36 TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER
WARFARE 258 (Michael N. Schmitt, ed., Cambridge University Press 2013) [hereinafter
TALLINN MANUAL].
37 See KEIR GILES & WILLIAM HAGESTAD II, DIVIDED BY A COMMON LANGUAGE:
CYBER DEFINITIONS IN CHINESE, RUSSIAN, AND ENGLISH §§ 5(B)–(C) (2013).
38 Martin C. Libicki, Cyberspace Is Not a Warfighting Domain, 340 AM. J.L. &
POL’Y INFO. SOC’Y 325–340 (2012).

The fact that there was no central government and no central
planning in the development of the internet has prompted many
libertarian, not to say anarchist, thinkers to deny the applicability of
the concept of sovereignty in cyberspace.40 Yet, though the
internet certainly poses a number of new challenges, it is far from
being ungoverned or irrelevant to state action.

By denying state sovereignty, such ideologies are negating
fundamental and legitimate public order functions traditionally
performed by states under the social contract. A borderless world,
either on or off line is a myth, as other forms of regulation and
decision-making processes would inevitably emerge and fill the
void. Nothing guarantees that such decisional structures would not
tend towards some sort of centralization, or would necessarily be
more likely to serve the collective good. Such a world would not
necessarily be more democratic by nature. The rule of law within
a state with a democratically elected government is the sole system
that retains a semblance of legitimacy, despite the normative
opportunism engendered by the novelty of the internet.

The Tallinn Manual provides a series of draft rules that
constitute a strong indication of how international law will apply
to cyber warfare.41 Even though these rules are non-binding as
such, the International Court of Justice, whose function is to settle
disputes in accordance with international law, recognizes academic
work as a subsidiary source of the law.42 The Tallinn Manual
asserts that “although no State may claim sovereignty over
cyberspace per se, States may exercise sovereign prerogatives over
any cyber infrastructure located on their territory, as well as
activities associated with that cyber infrastructure,” whether public
or privately owned.43 The physicality of cyberspace is therefore
the first entry point of cyberspace into sovereign territory. This
physical layer is fundamental, as cyberspace relies on physical
infrastructure (cables, computers, satellites, etc.) to exist. This
idea is confirmed by two UN Group of Governmental Experts
Reports on Developments in the field of information and
communication technology in the context of international security
with the following language: “State sovereignty and international
norms and principles that flow from sovereignty apply to State
conduct of ICT-related activities, and to their jurisdiction over ICT
infrastructure within their territory.”44

39 LUCIEN RAPP, HAGUE ACADEMY OF INTERNATIONAL LAW, LEGAL IMPLICATIONS
OF GLOBAL TELECOMMUNICATIONS § 65, at 44 (1998) (translated from the French: “Is it
surprising that air transport should thus provide a framework for the necessary effort to
rebuild an institutional and legal regime for telecommunications activities? . . . since the
beginning of the century, the theses of State sovereignty and of freedom of the air have
clashed at the various meetings of international associations of jurists.”).
40 In discussing his 1996 Declaration of Independence of Cyberspace, John Perry
Barlow stated the following: “[the Internet] is inherently extra-national, inherently
anti-sovereign and your [states’] sovereignty cannot apply to us. We’ve got to figure things
out ourselves.” See TIM JORDAN, CYBERPOWER: THE CULTURE AND POLITICS OF
CYBERSPACE AND THE INTERNET 182–183 (2002).
41 See TALLINN MANUAL, supra note 36, at 5–6.

The need to reaffirm sovereignty in cyberspace may seem
paradoxical both in practice and in theory. But I believe it is
important for at least two reasons. First, preserving sovereignty is
important to prevent internet fragmentation (a.k.a. balkanization of
the internet). If state sovereignty is preserved, there will be less
temptation for states to withdraw into national intranets or join
alternate domain name systems where they feel their interests will
be better preserved. Secondly, in the context of global
surveillance, as with other globalized threats to fundamental rights,
sovereignty may unexpectedly act as an additional rampart against
the erosion of privacy. The United Nations Human Rights
Committee and other human rights treaty bodies are only quasi-judicial
bodies that cannot enforce compliance.45 Furthermore,
despite the existence of inter-state complaint mechanisms, no state
has yet resorted to them,46 and the extraterritorial application of
human rights treaty bodies remains at issue. From the concept of
sovereignty derives a responsibility for states to invoke their
territorial integrity and political independence to protect their own
nationals against human rights violations committed on their soil
by foreign states.47 This can be argued to be somewhat akin to a
“reverse” responsibility to protect.48

42 U.N. Charter Statute of the International Court of Justice art. 38(1)(d), 59 Stat.
1031, U.N.T.S. 993 (“The teachings of the most highly qualified publicists of the various
nations, as subsidiary means for the determination of rules of law.”).
43 See TALLINN MANUAL, supra note 36, at 15–18 (Rule 1).
44 See U.N. Doc. A/70/174, supra note 8.
45 See UN Human Rights Treaty Bodies, INT’L JUST. RESOURCE CTR.,
http://www.ijrcenter.org/un-treaty-bodies/ [https://perma.cc/Y5ZD-L38Q] (detailing each
treaty body monitors compliance in their respective issue area rather than specifically
having the power to enforce any specific laws or regulations).

C. Non-Intervention
The principle of non-intervention in the internal and external
affairs of other states is the corollary of state sovereignty.49 It
includes the prohibition of use of force, as set forth in Article 2.4
of the Charter of the United Nations and other forms of prohibited
interventions.50 Prohibited intervention is intervention in a state’s
sovereign affairs, a matter where the said state should decide
freely, and is coercive in nature.51 Non-intervention is broader
than the principle of territorial integrity, as it includes both a
state’s internal and external affairs.52 It is also referred to as
“non-interference.”53 The principle was first formulated by de Vattel in
the eighteenth century.54

46 See Human Rights Bodies—Complaints Procedures, U.N. HUM. RTS. OFF. HIGH
COMMISSIONER,
http://www.ohchr.org/EN/HRBodies/TBPetitions/Pages/HRTBPetitions.aspx#interstate
[https://perma.cc/G5XU-XK4F].
47 See Oren Gross, Cyber Responsibility to Protect: Legal Obligations of States
Directly Affected by Cyber-Incidents, 48 Cornell Int’l L.J. 481, 492 (2015)
(“Justifications for sovereignty no longer rest exclusively on sovereignty’s own
presumptive legitimacy, but rather expand to incorporate justifications that derive from
the individuals whose rights are to be protected, and from their right to a safe framework
in which they can enforce their autonomy and pursue their interests.”).
48 R2P is short for “Responsibility to Protect,” a doctrine that posits the
responsibility (and right) of states to intervene in the internal affairs of other states, and
potentially use force, for the purpose of putting an end to the worst human rights
violations. Background Information on the Responsibility to Protect, OUTREACH
PROGRAMME ON RWANDA GENOCIDE & U.N.,
http://www.un.org/en/preventgenocide/rwanda/about/bgresponsibility.shtml
[https://perma.cc/Z5MA-LJZN].
49 LASSA OPPENHEIM, OPPENHEIM’S INTERNATIONAL LAW: PEACE 428 (9th ed.,
1992).
50 U.N. Charter art. 2, ¶ 4.
51 See OPPENHEIM, supra note 49, at 432.
52 See Non-Intervention (Non-interference in Domestic Affairs), ENCYCLOPEDIA
PRINCETONIENSIS, https://pesd.princeton.edu/?q=node/258 [https://perma.cc/Z3PY-2AGV]
[hereinafter Non-Intervention]; see also U.N. Charter.

The treaty law of non-intervention stems from the 1933
Montevideo Convention and its 1936 additional protocol on
non-intervention, wherein the United States reservations read,
“interference with the freedom, the sovereignty, or other internal
affairs, or the processes of the Governments of other nations.”55

In 1926, the premise of the prohibition of intervention in case
law appeared in the Lotus case judgment, in which the Permanent
Court of International Justice indicated that a “state . . . may not
exercise its power in any form in the territory of another state.”56

In the 1949 Corfu Channel case, the International Court of
Justice also regarded “the alleged right of intervention as the
manifestation of a policy of force, such as has, in the past, given
right to the most serious abuses and as such cannot, whatever be
the present defects in international organization, find a place in
international law.”57

The principle was then reaffirmed in Article 2.7 of the 1945
Charter of the United Nations, which extends it to international
organization action by providing that “[n]othing contained in the
present Charter shall authorize the United Nations to intervene in
matters which are essentially within the domestic jurisdiction of
any state or shall require the Members to submit such matters to
settlement under the present Charter; but this principle shall not
prejudice the application of enforcement measures under Chapter
VII.”58 Under Article 41 of the 1961 Vienna Convention on
Diplomatic Relations, the parties specified that diplomats should
not “interfere in the internal affairs” of the host state.59

Two major United Nations General Assembly (“UNGA”)
Resolutions also reaffirmed this principle, one of which being
entirely dedicated to it.60 UNGA Resolution 2625 of 1970 states
that “armed intervention and all other forms of interference or
attempted threats against the personality of the state or against its
political, economic and cultural elements, are in violation of
international law.”61 UNGA Resolution 2131 reads, “[D]irect
intervention, subversion and all forms of indirect intervention . . .
constitute a violation of the Charter of the United Nations.”62
These UNGA resolutions affirm, “the practice of any form of
intervention not only violates the spirit and letter of the Charter of
the United Nations but also leads to the creation of situations
which threaten international peace and security.”63 They also go
on to say, using remarkably broad language, that no state has “the
right to intervene, directly or indirectly, for any reason whatsoever,
in the sovereignty of any other state.”64 Though United Nations
General Assembly Resolutions are generally not regarded as
legally binding,65 these two can be argued to be codifications of
international customary law. In the 1986 case concerning the
Military and Paramilitary Activities in and Against Nicaragua, the
International Court of Justice confirmed the customary nature of
the principle by stating that the “principle of non-intervention
involves the right of every sovereign State to conduct its affairs
without outside interference; though examples of trespass against
this principle are not infrequent, the Court considers that it is part
and parcel of customary international law . . . . [I]nternational law
requires political integrity . . . to be respected.”66

53 Non-Intervention, supra note 52.
54 M. DE VATTELL, DROIT DES GENS OU PRINCIPES DE LA LOI NATURELLE ¶ 37 (1758).
55 Montevideo Convention on the Rights and Duties of States, COUNCIL FOREIGN
REL., http://www.cfr.org/sovcorfereignty/montevideo-convention-rights-duties-states/p15897
[https://perma.cc/7WM4-6CDA] (referring to the United States’ reservations).
56 S.S. Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at ¶ 39 (Sept.
7).
57 Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. Rep. 4, ¶ 121 (Apr. 9).
58 U.N. Charter art. 2, ¶ 7.
59 Vienna Convention on Diplomatic Relations art. 41, ¶ 1, Apr. 18, 1961, 23
U.S.T. 3374, 500 U.N.T.S. 95 [hereinafter Vienna Convention].

Prohibited intervention is not limited to use of force. In the
2005 case concerning Armed Activities on the Territory of the
Congo, the International Court of Justice made it clear that the
principle of non-intervention prohibits a state from “interven[ing],
directly or indirectly, with or without armed force, in support of an
internal opposition in another State.”67 Below the use of force
threshold, intervention appears to be characterized by either
intrusion or coercion.

60 See G.A. Res. 2625 (XXV) (Oct. 24, 1970); see also G.A. Res. 2131 (XX) (Dec.
21, 1965).
61 See G.A. Res 2625, supra note 60.
62 See G.A. Res 2131, supra note 60.
63 See G.A. Res. 2625, supra note 60; see also G.A. Res. 2131, supra note 60.
64 See G.A. Res. 2625, supra note 60; see also G.A. Res. 2131, supra note 60.
65 Are UN Resolutions Binding?, DAG HAMMARSKJOLD LIBRARY (Jan. 9, 2017),
http://ask.un.org/faq/15010 [https://perma.cc/DFB8-E2VW].
66 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.),
Judgment, 1986 I.C.J. Rep. 14, ¶ 202 (June 27).

It follows that unauthorized intrusion into the territory of
another state, minor border incidents excluded, is prohibited.
This is a corollary of the territorial integrity principle,
which itself is derived from the sovereign right of states to freely
decide who and what enters their borders. Quincy Wright goes as
far as to say that “any penetration of the territory of a state by
agents of another state in violation of the local law is also a
violation of the rule of international law imposing a duty upon states to
respect the territorial integrity and political independence of other
states.”68 There is therefore no damage necessary for unauthorized
penetration to be constituted.69 Does intrusion have to be
physical? If state sovereignty extends to cyber infrastructure
located on a state’s territory, then there is a presumption of
sovereignty over data located therein. But whether cyber intrusion
equals physical intrusion remains to be seen. Presumably, the
coercion criterion offers a more reliably applicable concept in
cyberspace, as it does not imply or require intrusion to be
manifested.

1. The Origin of the Coercion Concept
UNGA Resolution 2625, and UNGA Resolution 2131 first
introduced the idea of coercion by putting forth that no state may
use “any . . . type of measures to coerce another State in order to
obtain from it the subordination of the exercise of its sovereign
rights and to secure from it advantages of any kind.”70

In the Nicaragua case, the International Court of Justice
enshrined the concept, and referred to it as “[t]he element of
coercion, which defines, and indeed forms the very essence of,
prohibited intervention.”71 The Court added that “the principle
forbids all States or groups of States to intervene directly or
indirectly in the internal or external affairs of other States” and
that “a prohibited intervention must [accordingly] be one bearing
on matters in which each State is permitted, by the principle of
State sovereignty, to decide freely. . . .”72 One of these is the
choice of a political, economic, social and cultural system and the
formulation of foreign policy. “Intervention is wrongful when it
uses . . . methods of coercion” in regard to such choices, which
must remain free ones.73

67 Armed Activities on the Territory of The Congo (Dem. Rep. Congo v. Uganda),
Judgment, 2005 I.C.J. Rep. 168, ¶ 164 (Dec. 19).
68 Wright, supra note 25, at 12.
69 David Weissbrodt, Cyber-Conflict, Cyber-Crime, and Cyber-Espionage, 22
MINN. J. INT’L L. 347, 363 (2013).
70 G.A. Res. 2625, supra note 60; see also G.A. Res. 2131, supra note 60.
71 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.),

2. The Meaning of Coercion
Still in the Nicaragua case, the Court adds that “[t]he element
of coercion . . . is particularly obvious in the case of an
intervention which uses force.”74 The term “obvious” employed
here suggests that not only is prohibited intervention not limited to
cases of use of force, but that the element of coercion itself also
encompasses situations that fall below the use of force threshold.

The 1969 Vienna Convention on Law of Treaties provides that
“a treaty shall be interpreted in good faith in accordance with the
ordinary meaning to be given to the terms of the treaty in their
context and in the light of its object and purpose.”75 Coercion
implies constraint, of at least two kinds. You may be coerced into
doing something (“Do this . . . or else”). Here, force or
intimidation is used to induce compliance against the victim’s will.
This has little application in the context of espionage, as espionage
is not used to compel a state to do or abstain from doing
something, or act in any particular way. Espionage is neither force
nor the threat thereof. Nevertheless, coercion is also constituted
when you have to undergo something being done to you against
your will. Here, the coercive power uses its position of superiority
to do whatever they please despite the victim’s lack of consent.
This second definition of coercion is especially relevant to certain
cases of cyber espionage and mass surveillance operations, which
continue to exist despite strong opposition from target states.

Oppenheim wrote that “the interference must be forcible or
dictatorial, or otherwise coercive, in effect depriving the state
intervened against of control over the matter in question,”76 which
scholars, such as Ziolkowski, have interpreted to mean that
intervention necessarily implies forcing a state to change its
policy, thus preferring the first definition of coercion set out
above.77 According to this view, no form of espionage would
indeed be coercive. Though it does affect state behavior, as states
acquire encryption capabilities and lay new submarine cables to
bypass certain access points,78 this is not the behavior the spying
state intends to elicit. Arguably, spying is not meant to elicit any
particular behavior, much less any behavior that would make
further spying more challenging. However, the words of
Oppenheim could also be interpreted to validate the second
definition of coercion. What control over foreign or domestic
policy does one state retain in the face of mass-scale data
collection? Edwin de Witt Dickinson writes, “coercion is present
if intervention cannot be terminated at the pleasure of the state that
is subject to the intervention,” therefore, including any acts
performed against a state’s will.79 This is a strong validation of the
second definition of coercion, which I would argue applies in full
force in the context of cyber espionage.

Judgment, 1986 I.C.J. Rep. 14, ¶ 205 (June 27).
72 See id. ¶ 206.
73 Id. ¶ 205.
74 Id.
75 Vienna Convention, supra note 59, art. 31.

McDougall and Feliciano go even further by asserting that
coercion is “doing something against the value of sovereignty,” in
other words, against the spirit of sovereign independence.80
Privacy policy is an area in which states must be able to decide
freely, including what level of human rights protection is
appropriate depending on cultural norms and political context.

76 See OPPENHEIM, supra note 49, at 432.
77 Katharina Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public
International Law, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE:
INTERNATIONAL LAW, INTERNATIONAL RELATIONS AND DIPLOMACY 425, 433 (Katharina
Ziolkowski ed., 2013) [hereinafter PEACETIME REGIME FOR STATE ACTIVITIES IN
CYBERSPACE] (“Scholars assert that illegal coercion implies massive influence, inducing
the affected state to adopt a decision with regard to its policy or practice which it would
not entertain as a free and sovereign state.”).
78 Nancy Scola, Brazil Begins Laying Its Own Internet Cables to Avoid U.S.
Surveillance, WASH. POST (Nov. 3, 2014),
https://www.washingtonpost.com/news/the-switch/wp/2014/11/03/brazil-begins-laying-its-own-internet-cables-to-avoid-u-s-surveillance/?utm_term=.4ec79e4e3fea
[https://perma.cc/93TE-HMG2].
79 EDWIN DE WITT DICKINSON, THE EQUALITY OF STATES IN INTERNATIONAL LAW
260 (1920).
80 Myres S. McDougal & Florentino P. Feliciano, International Coercion and
World Public Order: The General Principles of the Law of War, 67 YALE L.J. 771, 782
(1958).

The UN Group of Governmental Experts consensus report of
June 2015 on principles of responsible state behavior in
cyberspace reasserted that international law applied to the use of
information and communications technologies, including
sovereignty and non-intervention:

In their use of ICTs, States must observe, among other principles
of international law, State sovereignty, the settlement of disputes
by peaceful means, and non-intervention in the internal affairs of
other States.81

IV. Espionage Generally

A. Wartime
While not providing a definition of espionage, the law of
armed conflict does, however, define the agent of espionage. A
spy is an individual acting clandestinely or under false pretense to
obtain information “in the zone of operations of a belligerent, with
intention of communicating it to a hostile third party.”82 The terms
“spy” and “espionage,” are used in the Hague Regulations, Geneva
Convention IV and Additional Protocol I.83

Legal scholars have further defined a wartime spy as someone
who “penetrates secretly, or in disguise, or under false pretenses
within the lines of an enemy”84 to “[obtain] military information”85
or “discover the state of his [sic] affairs, to pry into its designs”86
for the benefit of the opposing army.87 The nature of the
information collected seems to have been the object of some
debate, with the Tallinn Manual regarding the military nature of
the information unnecessary for the characterization of espionage
while the Harvard Air and Missile Warfare Manual considers that
the information must be of some military character.88 Arguably,
this debate does not apply in peacetime, where the collection of
information not related to military activity equally qualifies as
espionage.

81 See U.N. DOC. A/70/174, supra note 8, ¶ 28(b).
82 Hague Convention Respecting the Laws and Customs of War on Land (Hague
IV) art. 29, Oct. 18, 1907, 36 Stat. 2277, 1 Bevans 631.
83 Practice Relating to Rule 107 Spies, INT’L COMMITTEE RED CROSS,
https://ihl-databases.icrc.org/customary-ihl/eng/docs/v2_rul_rule107_sectionb
[https://perma.cc/GA6M-2X37] [hereinafter Spies] (outlining how Article 30 of the 1899
Hague Regulations, Article 30 of the 1907 Hague Regulations, Article 5 of the 1949
Geneva Convention IV, Article 46(1), and Article 45(3) of the 1977 Additional Protocol
I address spies).
84 See WILLIAM EDWARD HALL, A TREATISE ON INTERNATIONAL LAW 537 (1895);
see also OPPENHEIM, supra note 49.
85 See HALL, supra note 84, at 537.
86 H.W. HALLECK, INTERNATIONAL LAW, OR, RULES REGULATING THE INTERCOURSE
OF STATES IN PEACE AND WAR 406 (1861).
87 See HALL, supra note 84 at 537; see also HALLECK, supra note 86.

The purpose of identifying espionage operations under the law
of armed conflict is also much more specific. Wartime espionage
is a clandestine, yet lawful practice.89 From a law of armed
conflict standpoint, espionage is akin to a ruse de guerre, and does
not constitute a wrongful act, and therefore does not give rise to
state responsibility.90 And if conducted during conflict by any
entity that is not a party to the conflict, it is left unregulated.91

Spying does, however, have consequences for the spy or agent
sent by either party to a conflict. A spy indeed does not benefit
from combatant immunity or prisoner of war status upon capture.92
This is notably severe, as it engages the individual agent’s
responsibility, not that of the sending state. By targeting spies
alone, state parties to The Hague and Geneva conventions may
have wanted to ensure espionage would remain part of the wartime
arsenal while still discouraging its recourse as much as possible.
The Tallinn Manual experts go as far as to say that (cyber)
espionage operations would make a civilian a direct participant in
hostilities, therefore making such civilian targetable by enemy
forces whose information was collected for the benefit of the
opposing side.93 However, a person in uniform who conducts
reconnaissance missions is not considered a spy and therefore
retains combatant status.94 Interestingly, the 1949 Geneva
Convention IV provides for humane treatment and fair trial of
spies to limit the effects of the loss of prisoner of war status.95 A
spy who successfully rejoins the armed forces to which the spy
belongs regains combatant immunity.96 In other words, past
spying activities do not make the individual lose combatant status
forever. This convoluted legal framework that sanctions spies in
some circumstances but not the sending state is a revealing prelude
to the ambivalent law of espionage in peacetime. Furthermore, the
legality of espionage in times of war derives from the lack of
obligation to respect the territory or government of an opponent
state party to a conflict. But that cannot hold true in peacetime,
where there is an obligation to respect territorial integrity and
political independence.97

88 TALLINN MANUAL, supra note 36, at 194 (Rule 66(b)(8)); see also Manual on
International Law Applicable to Air and Missile Warfare, HARV. PROGRAM ON
HUMANITARIAN POL’Y & CONFLICT RES. r. 118,
http://ihlresearch.org/amw/HPCR%20Manual.pdf [https://perma.cc/MEU6-GNU5].
89 See HALLECK, supra note 86, at 406–07.
90 United States of America Practice Relating to Rule 57 Ruses of War, INT’L
COMMITTEE RED CROSS (Feb. 28, 2017),
https://ihl-databases.icrc.org/customary-ihl/eng/docs/v2_cou_us_rule57
[https://perma.cc/3RJQ-C5GS].
91 TALLINN MANUAL, supra note 36, at 194 (Rule 66(b)(7)).
92 See Spies, supra note 83 (referencing the Oxford Manual, which prohibits
individuals captured as spies from demanding prisoner-of-war treatment).
93 TALLINN MANUAL, supra note 36, at 194 (Rule 66(b)(4)).

B. Peacetime

1. Definition
As there are no general treaty provisions regarding espionage
in peacetime, a definition of espionage can only be extrapolated
from the law of armed conflict with some necessary adjustments.

Oppenheim proposed a broader definition of a spy, which
begins to cover both wartime and peacetime operations.
According to him, spies are “secret agents of a State sent abroad
for the purpose of obtaining clandestinely information in regard to
military or political secrets.”98 From this definition of spy derives
the confirmation that espionage is data collection characterized by
its clandestine nature and the fact that it is state-sponsored. But it
is arguably no longer limited to gathering military or political
secrets. Espionage is a much broader phenomenon that targets
much more than just foreign governments. Espionage can be
economic and industrial, or take the form of extraterritorial
surveillance. The term “surveillance” is used in reference to
domestic surveillance, but its new extraterritorial component
makes it a subcategory of espionage.99 Indeed, very much like
traditional espionage, extraterritorial surveillance also includes
state-sponsored operations intended to be covert, aimed at targets
located abroad, and concerned with gathering knowledge—facts or
propositions to which a degree of probability can be assigned—
that inform national security decision makers.100

94 See HALL, supra note 84; see also HALLECK, supra note 86.
95 Geneva Convention Relative to the Treatment of Prisoners of War art. 5, Aug.
12, 1949, 6 U.S.T. 3316, 75 U.N.T.S. 137.
96 Hague II, supra note 31, art. 31.
97 U.N. Charter art. 4, ¶ 1.
98 HALL, supra note 84, at 770, 772.

I will therefore define peacetime espionage as a clandestine
state-sponsored intelligence-gathering operation, or series of
operations, conducted through physical penetration into foreign
territory (“HUMINT”) or remote data collection techniques
(CYBINT, SIGINT (including COMINT and ELINT), IMINT,
and others).

2. Unsettled Law

The international law of espionage is at best unsettled,101 if not
ambiguous.102 “There is no international jurisprudence on
peacetime espionage . . . .”103 It is also worth noting that, while
national laws universally condemn espionage,104 it is dubious that
an act that violates domestic law necessarily entails state
responsibility under international law.105 Therefore, one must look
to international customary law to attempt to settle this issue. As

99 Dinah PoKempner, Cyberspace and State Obligations in the Area of Human
Rights, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra note 77, at 239,
253 (“Surveillance or monitoring of communications by the authorities or agents of
another State is typically espionage.”).
100 Myres S. McDougal et al., The Intelligence Function and World Public Order,
46 TEMPLE L.Q. 365, 367 (1973).
101 James Kraska, Putting Your Head in the Tiger’s Mouth: Submarine Espionage in
the Territorial Sea, 54 COLUM. J. TRANSNAT’L L. 164, 172 (2015).
102 See PoKempner, Cyberspace and State Obligations in the Area of Human Rights,
in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra note 77, at 253 (“While
espionage is usually a criminal offence in municipal law, there is generally a legal
disconnect regarding peacetime espionage in international law, making an international
rule of prohibition or permission difficult to articulate.”).
103 Craig Forcese, Spies Without Borders: International Law and Intelligence
Collection, 5 J. NAT’L SEC. L. & POL’Y 195, 202 (2011); see also John Yoo & Glenn
Sulmasy, Counterintuitive: Intelligence Operations and International Law, 28 MICH. J.
INT’L L. 625, 628 (2007) (“Nowhere in international law is peaceful espionage
prohibited.”).
104 Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public
International Law, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra
note 77.
105 See Forcese, supra note 103, at 201–02.

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 955

previously stated, a legally binding custom is born out of state
practice and opinio juris.106

In relation to confidential state practices, the Second Report of
the International Law Commission’s Special Rapporteur on the
Formation and Evidence of Customary International Law explains,
“[i]t is difficult to see how practice can contribute to the formation
or identification of general customary international law unless and
until it has been disclosed publicly.”107 That espionage is
clandestine by nature, however, does not mean that we do not know
of it as an extensive practice. As a matter of fact, espionage is at
least as old as international relations.108 It long predates the
development of international law in its current form.109

In the 1969 North Sea Continental Shelf Cases,110 the
International Court of Justice stated that in order to find that a
customary rule has emerged there must be “extensive and virtually
uniform” state practice in favor of that rule.111 Several scholars
argue that such constant and widespread state practice is evidence
enough of the lawfulness of espionage.112 But state practice alone
is not necessarily sufficient to show a mandatory rule of
international customary law.113 Custom also requires the condition
of opinio juris to be fulfilled.114 In the North Sea Continental Shelf
Cases, the International Court of Justice (“ICJ”) judgment is
unequivocal:

[n]ot only must the acts concerned amount to a settled practice,
but they must also be such, or be carried out in such a way, as to
be evidence of a belief that this practice is rendered obligatory

106 See id.
107 Michael Wood (Special Rapporteur on the Formation and Evidence of
Customary International Law), Second Report on Identification of Customary
International Law, ¶ 47, U.N. Doc. A/CN.4/672 (May 22, 2014).
108 See Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public
International Law, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra
note 77 at 425 (“Espionage has existed since the dawn of human history.”).
109 See id.; see also Yoo & Sulmasy, supra note 103, at 626–28.
110 North Sea Continental Shelf (Ger. v. Den.; Ger. v. Neth.), Judgment, 1969 I.C.J.
Rep. 3 (Feb. 20).
111 Id. at 43, ¶ 74.
112 Ashley Deeks, An International Legal Framework for Surveillance, 55 VA. J.
INT’L L. 291, 302 (2015).
113 See North Sea Continental Shelf, at 44, ¶ 77.
114 See id.

by the existence of a rule of law requiring it. The need for such
a belief, i.e., the existence of a subjective element, is implicit in
the very notion of the opinio juris sive necessitatis. The States
concerned must therefore feel that they are conforming to what
amounts to a legal obligation. The frequency, or even habitual
character of the acts is not in itself enough.115

There is little chance that opinio juris is constituted in the
conduct of espionage.116 States are not spying on each other
thinking they are doing so in all legality.117 They are aware of the
questionable character of espionage.118 The very concealed nature
of such operations points to the fact that states do not “believe”
they are allowed to perform them.119 Here, the importance of
opinio juris takes on its full meaning. What’s more, sending states
have not historically objected to their spies being convicted,
deported, or declared persona non-grata by the spied upon state.120
Therefore, it appears that spying states do not consider their own
acts of espionage legal. Now, “not explicitly legal” does not
necessarily entail “illegal.” It may just be that the practice in
question is unregulated, that there is a gap in the law.121 When
Oppenheim says a government “cannot officially confess to having
commissioned a spy,”122 it may be that it fears future sanction, or
that it simply considers it unfriendly and therefore awkward to
reveal.123

In a related attempt to assert the legality of espionage, some
may also see the so-called Lotus principle as another possible
justification of constant state practice translating as lawful
practice. The Lotus case introduced the idea that international
obligations cannot be presumed,124 thereby affirming that state

115 See id.
116 See id.
117 See Radsan, supra note 12, at 596.
118 See id.
119 See id.
120 See Wright, supra note 25, at 3.
121 Deeks, supra note 112, at 300.
122 OPPENHEIM, supra note 49, at 770–72.
123 See Julius Stone, Legal Problems of Espionage in Conditions of Modern
Conflict, in ESSAYS ON ESPIONAGE AND INTERNATIONAL LAW 39 (Ohio State Univ. Press
ed., 1962).
124 S.S. Lotus (Fr. v. Turk.), Judgement, 1927 P.C.I.J. (ser. A) No. 10, at 18 (Sept.
7).

sovereignty would imply presumptive legality of state action,
therefore including the widespread recourse to espionage. But this
oft-cited Lotus principle has been highly contested.125 Such a
principle only holds if counter-balanced by the principles of
sovereignty and political independence. State action that harms
sovereign rights of other states cannot be presumed to be legal. It
follows that widespread state practice alone is not sufficient to
entail the legality of the practice of espionage, either on the ground
of an established custom or that of presumptive legality.

The behavior of spied upon states is also commonly
misinterpreted to imply lawfulness. The general reluctance of
spied upon states to seek reparation in court or through diplomatic
channels, in the form of satisfaction or otherwise, does not mean
that such abstention implies the consent of the said states to be
subjected to espionage or that they felt there was no obligation
owed to them. As the Court says concerning the non-objection of
states to the principle of equidistance for lateral territorial
delimitations at sea, “[t]here is no evidence that they so acted
because they felt legally compelled . . . they might have been
motivated by other obvious factors.”126 In the case of espionage,
those other factors might be the willingness of spied-upon states to
maintain the status quo and be allowed to spy as well. As much as
consent of the victim state might preclude responsibility of the
spying state, it certainly does not imply an absence of obligation.
Mere tolerance does not imply legality. As a matter of fact, states
have not always remained silent, even before the advent of cyber
espionage. In a public declaration to the United Nations, the
representative of the U.S.S.R. said: “The object to which illegal
surveillance is directed constitutes a secret guarded by a sovereign
state, and regardless of the means by which such an operation is
carried out, it is in all cases an intrusion into something guarded
by a sovereign state in conformity with its sovereign
prerogative.”127 Likewise, the state parties to the United Nations

125 Hugh Handeyside, The Lotus Principle in ICJ Jurisprudence: Was the Ship Ever
Afloat?, 29 MICH. J. INT’L L. 71, 72 (2007).
126 See North Sea Continental Shelf (Ger. v. Den.; Ger. v. Neth.), Judgment, 1969
I.C.J. Rep. 3 (Feb. 20).
127 Joseph Soraghan, Reconnaissance Satellites: Legal Characterization and
Possible Utilization for Peacekeeping, 13 MCGILL L.J. 458, 470–71 (1967) (emphasis
added).

Convention on the Law of the Sea have expressed the view that
“any act aimed at collecting information to the prejudice of the
defence [sic] or security of the coastal state . . .” was in violation
of the right of innocent passage through the territorial sea of the
coastal state. This may be the only general provision of treaty law
prohibiting information-collection on the territory of other states—
the territorial sea being an integral part of a state’s territory—
which, though only applicable to state parties, is a strong
indication that at least a substantial number of states may indeed
regard espionage as illegal per se under certain circumstances.
That being said, the lack of case law prevents the issue from being
more clearly settled.

Certain scholars go as far as to say that the only possible
ground of espionage illegality is collateral illegality:128 Julius
Stone takes the example of the U-2 incident that he claims was
illegal on grounds of territorial intrusion alone.129 Minor
territorial intrusions are common and not always sanctioned, yet
the illegality of this particular instance was not questioned.130
Was espionage, therefore, at least an aggravating factor? To
Stone, once the territorial intrusion element is removed, espionage
alone is to be considered legal because spying activities conducted
from outer space and international waters are allowed.131 Since
there is no possible territorial intrusion in such international
spaces, he interprets the legality of espionage in those spaces as
proof that espionage alone does not infringe on international
law.132 But here, he fails to appreciate the specificities of
international spaces, chief among them the absence of sovereign
claims, along with other difficulties exposed later (the lack of
distinction between espionage “in” and “from” international spaces,
narrowly tailored national technical measures of verification, and
technology allowing for far more precise remote data collection
than ever before).133 In fact, the existence of collateral illegality in
traditional espionage is a convenient way to avoid having to
legally characterize acts of espionage themselves. The obvious

128 See Stone, supra note 123, at 32.
129 Id.
130 See id.
131 Id. at 34.
132 Id.
133 See id.

unlawfulness of the coincidental intrusion was enough to postpone
the need to address espionage in itself.

Hence the conclusion that espionage has mostly been left
unregulated, and has remained in this grey area of being neither
legal nor illegal,134 spying states and target states seemingly
preferring the status quo of uncertainty up until now.135

3. Exceptions to the Case Law Gap

There are, however, two notable exceptions in which cases of
espionage were directly or indirectly brought to the ICJ.136 In
those cases, the ICJ either did not have a chance to render a final
judgment or did not take any clear or general position.137
However, nothing in its official documents seems to oppose future
condemnation of certain cases of espionage.138

In a 1980 case concerning U.S. diplomatic and consular staff in
Tehran, the court referred to “espionage” and “interference in
internal affairs” as “abuses” of the functions of embassy staff
members.139 It even makes a clear distinction between the two
with the conjunction “or.”140 This should not be interpreted to
mean that espionage may never constitute interference or
intervention. Rather, it places both concepts on an equal footing,
making espionage as reprehensible as intervention. It suggests that
espionage does not have to be part of a broader act of intervention
for it to be reprehensible. It is an abuse in its own right, at least
when committed by diplomatic personnel.141

The focus on the diplomatic personnel in the discussion of
abuse is reminiscent of the law of armed conflicts that also focuses
on the spy’s responsibility more than the state’s.142 However,
diplomatic personnel do not risk as much as a spy captured in
wartime. Unlike the latter, who loses combatant immunity, the

134 Forcese, supra note 103, at 204.
135 Id.
136 See id. at 201.
137 See id.
138 See id. at 204.
139 United States Diplomatic and Consular Staff in Tehran (U.S. v. Tehran),
Judgment, 1980 I.C.J. 38, ¶ 85 (May 24).
140 Id.
141 See id. ¶¶ 28, 85.
142 Id. ¶ 86.

diplomatic immunity of embassy staff is preserved.143 The worst
thing that may happen to them is being deported to their sending
state, and being declared persona non-grata.144 What’s more, the
Court seems to have left the door open to some sort of state
responsibility as well.145 Drawing from the Vienna Conventions of
1961 and 1963, the Court states:

Beyond that remedy for dealing with abuses of the diplomatic
function by individual members of a mission, a receiving State
has in its hands a more radical remedy if abuses of their
functions by members of a mission reach serious proportions.
This is the power . . . to break off diplomatic relations with a
sending State and to call for the immediate closure of the
offending mission.146

Espionage is therefore considered an “abuse” of diplomatic
functions whose “proportions” may warrant breaking off
diplomatic relations.147 Though not explicit, and limited to the
specific case of diplomatic missions, this form of retorsion is
arguably a step towards the recognition of state responsibility for
acts of espionage by the Court.

In 2013, a more typical case of traditional espionage was
brought to the ICJ when Timor-Leste initiated a court action
against Australia.148 The dispute concerned Australia’s seizure of
certain documents and data, which belonged to Timor-Leste, as
well as correspondence between Timor-Leste and its legal advisers
related to a pending Treaty Arbitration between Australia and

143 See Amien Kacou, Foreign Government Officials in the U.S. Enjoy Some
Protection from Prosecution, but not in all Matters, NOLO, http://www.nolo.com/legal-encyclopedia/what-is-diplomatic-immunity.html [https://perma.cc/8BRV-YUVS].
144 See Vienna Convention on Diplomatic Relations art. 9, ¶ 1, Apr. 18, 1961, 23
U.S.T. 3374, 500 U.N.T.S. 95 (“The receiving State may at any time and without having
to explain its decision, notify the sending State that the head of the mission or any
member of the diplomatic staff of the mission is persona non grata or that any member of
the staff of the mission is not acceptable.”); see also United States Diplomatic and
Consular Staff in Tehran (U.S. v. Tehran), Judgment, 1980 I.C.J. 39, ¶ 85 (May 24)
(discussing a purpose of the afore-cited provision to be to provide a remedy for possible
abuses of diplomatic functions).
145 See U.S. v. Tehran, at 40, ¶ 85.
146 Id.
147 Id.
148 Questions Relating to the Seizure and Detention of Certain Documents and Data
(Timor-Leste v. Austl.), Provisional Measures, 2014 I.C.J. 147, ¶ 1 (Mar. 3).

Timor-Leste.149 This case did not involve an extraterritorial
component; the said property was seized from the business
premises of a legal adviser of Timor-Leste located in Australia.150
The International Court of Justice nonetheless declared Timor-
Leste’s claimed “right to conduct arbitration proceedings or
negotiations without interference by Australia, including the right
of confidentiality of and non-interference in its communications
with its legal advisers . . .” to be plausible in its provisional order
on the merits of the case.151 Thus, the nature of the seized property
and its relation to the state’s sovereign right to conduct foreign
policy freely was potentially sufficient for Australia’s seizure of
secret or confidential information without Timor-Leste’s
permission, a classic act of espionage, to be considered illegal.
The case was unfortunately dropped by Timor-Leste,152 leaving a
missed opportunity for the ICJ to more directly consider the
legality of espionage in the international realm. In its order
discontinuing the proceedings, the court quoted a letter, dated June
2, 2015, sent by an agent of Timor-Leste, which stated:
“[f]ollowing the return of the seized documents and data by
Australia on 12 May 2015, Timor-Leste has successfully achieved
the purpose of its application to the court, namely the return of
Timor-Leste’s rightful property, and therefore implicit recognition
by Australia that its actions were in violation of Timor-Leste’s
sovereign rights.”153 This is an interesting indication of the current
paradigm shift under international law, whereby some states are, at
the very least, finally protesting the legal status quo.

C. International Domains and Organizations

The law of espionage in international domains, or as governed
by international organizations such as the International
Telecommunication Union, is no more explicitly articulated than it
is as a general matter.

149 Id.
150 Id.
151 Id. ¶ 22.
152 See Questions Relating to the Seizure and Detention of Certain Documents and
Data (Timor-Leste v. Austl.), Order, 2015 I.C.J. 3 (June 11).
153 Id.

1. Domains

International domains governed by treaty regimes include the
high seas, outer space, and Antarctica.154 The treaties establish a
principle of common and peaceful usage, as well as the prohibition
(or freeze in the case of Antarctica) of territorial claims over
international spaces or any portion thereof.155 Espionage
operations conducted within those international spaces are therefore
generally admitted, as they do not risk infringing upon any state’s
sovereignty.156 The treaties even provide for strategic observation
for the purpose of ensuring that no treaty provisions or any general
provisions of international law are violated by any state party.157
The difficulty of legal appreciation stems from the rarely made
distinction between espionage conducted within an international
domain, and espionage conducted from an international domain
and directed at sovereign territory.158 Several scholars either fail to
make the distinction,159 or go as far as to say that such a distinction
would be “unrealistic and artificial . . . and . . . would raise many
new problems of definition.”160 Surely enough, spying activities
from Antarctica may not be very common or useful, as the
continent is far away from population centers and seats of
government. But it is undeniable that there is an essential
difference between, for example, station observation on remote
celestial bodies161 on the one hand, and Earth-oriented observation
on the other, in terms of sovereignty implications. Outer space is
all around us, and the reach of Earth observation technology

154 Katharina Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra note 77, at
135, 167.
155 See id.
156 See Kraska, supra note 101, at 173 (“Certainly, there is no prohibition of
intelligence and espionage activities conducted beyond state territory.”).
157 JOHN KISH, INTERNATIONAL LAW AND ESPIONAGE 102 (David Turns ed., 1995).
158 Id.
159 Id.
160 Hamilton DeSaussure, Remote Sensing by Satellite: What Future for an
International Regime?, 71 AM. J. INT’L L. 707, 710 (1977).
161 G.A. Res. 34/68, art. 15 (Dec. 5, 1979) (“Each State Party may assure itself that
the activities of the other States Parties in the exploration and use of the moon are
compatible with the provisions of this Agreement. To this end, all space vehicles,
equipment, facilities, stations and installations on the moon shall be open to other State
Parties.”).

allows for mass coverage of sovereign territory. The same goes, to
a lesser extent, for the high seas.162 Surely, the sovereignty
implications of such spying activities are not artificial, as a
substantial surface of sovereign territory can be covered by
technology located in outer space and on the high seas, especially as
remote-sensing and other technologies allow for far greater
precision than they did during the Cold War.163 There is no escaping
the far-reaching remote-sensing capabilities of space-faring
nations.164 The U.S. spy satellites Corona and Keyhole, in service
as early as 1960, were later said to have shone an “enormous
floodlight” in a “darkened warehouse.”165 The cases of Earth- and land-oriented
spying activities, conducted from outer space and the high seas
respectively, offer a much earlier illustration of extraterritorial
surveillance, one that did not necessitate the physical presence of a
spy on a foreign territory to clandestinely collect information, long
before the internet existed.166

The main framework used for the justification of
extraterritorial surveillance conducted from international spaces is
inherently linked to the concept of national technical means of
verification, which are monitoring techniques employed to verify
compliance with international law.167 Certain treaties specifically
provide for such measures, but they are commonly used to monitor
clandestine activities going against the non-proliferation of
dangerous substances, including the development of nuclear,
biological or chemical weapons.168 Remote intelligence operations
in international spaces have therefore been considered “key to the

162 See Kraska, supra note 101, at 178 (documented cases of spying activities from
international waters: Soviet operations in the Caribbean sea and Gulf of Mexico, U.S.
operations off the coast of Vietnam, China, Korea, and Israel).
163 See William J. Broad, Spy Satellites’ Early Role As ‘Floodlight’ Coming Clear,
N.Y. TIMES (Mar. 8, 2017, 9:15 PM), http://www.nytimes.com/1995/09/12/science/spy-satellites-early-role-as-floodlight-coming-clear.html [https://perma.cc/QHG3-TTKZ].
164 Id.
165 Id.
166 Id.
167 Treaty on the Limitation of Anti-Ballistic Missile Systems, U.S.–U.S.S.R., May
26, 1972, 23 U.S.T. 3435; see Interim Agreement Between the U.S. and the U.S.S.R. on
Certain Measures with Respect to the Limitation of Offensive Arms, U.S.–U.S.S.R., May
26, 1972, 23 U.S.T. 3462; Treaty on the Elimination of Intermediate-Range Missiles and
Shorter-Range Missiles art. V, U.S.-U.S.S.R., Dec. 8, 1987, S. Treaty Doc. No. 11
(1988).
168 See Treaty on the Limitation of Anti-Ballistic Missile Systems, supra note 167.

contemporary global security system.”169 But this is the sole
purpose for which extraterritorial surveillance from an
international space is explicitly allowed.170 What’s more, national
technical means of verification have to be used “in a manner
consistent with generally recognized principles of international
law,” one of which being state sovereignty.171

One high seas example, that of a Soviet trawler found sailing one
mile from the Chesapeake Bay lighthouse, about twelve miles from
Cape Henry, Virginia, illustrates a fairly open view of spying
activities from international spaces.172 U.S. naval forces did not
protest, as the ship remained in international waters at all times.173
Rear Admiral Charles C. Kirkpatrick, Navy Chief Information
Officer, said the ship was equipped with eleven antennae and was
obviously a “snooper,” but that it would not be interdicted in
international waters.174 But this isolated case of tolerated
land-oriented espionage from the high seas is far from being the
norm.175

In space, the question is just as unsettled. “Did a state have a
possessory interest in information about its own terrain,
population, or military activities?” asks Kanuck.176 The question
has been left unanswered. As Christol puts it, “science and
technology had eliminated the policy option of national privacy
(emphasis added) built on the contention of national
sovereignty.”177 This outlook was replaced by that of “open
skies,” which, paradoxically, was also supported by the view that “a
state could engage in information-gathering through remote
sensing by virtue of its national sovereignty.”178 Paradoxical
indeed. The “open skies” approach meant that a sensed state could

169 Kraska, supra note 101, at 174.
170 See id.
171 Treaty on the Limitation of Anti-Ballistic Missile Systems, supra note 167, art.
V.
172 Jack Raymond, Soviet Trawler Called Spy Ship: Navy Says Craft that Sailed
Through Missile Test Area off L. I. was a ‘Snooper’, N.Y. TIMES, July 14, 1960, at 8.
173 Id.
174 Id.
175 See Kraska, supra note 101, at 178.
176 Kanuck, supra note 29, at 279.
177 Carl Q. Christol, Remote Sensing and International Space Law, 16 J. SPACE L.
21, 24 (1988).
178 Id.

not claim a right to prior consent.179

The 1986 U.N. General Assembly resolution, Principles
Relating to Remote Sensing of the Earth from Space, which does
support the right of states to engage in remote sensing data-
gathering as a matter of principle, also accords the “sensed state”
the right to access this data.180 This provision tends to
acknowledge the sovereignty of the sensed state over such data.181
The resolution further provides that “States operating remote
sensing satellites shall bear international responsibility for their
activities and assure that such activities are conducted in
accordance with these principles and the norms of international
law, irrespective of whether such activities are carried out by
governmental or non-governmental entities or through
international organizations to which such States are parties.”182

The travaux indicate that this could be interpreted to mean that
the dissemination of information thus gathered that adversely
affects other states would give rise to state responsibility. During
the negotiation process of the resolution, a Brazilian proposal of
February 8, 1982 specified: “A State conducting remote sensing
activities on Earth shall be held internationally responsible for the
dissemination of any primary data or analyzed information that
adversely affects the interests of a sensed State.”183 One other
proposal, made by Nigeria, aimed to restrict the sharing of data
with the sensed state.184 Disclosure to states other than the sensed
states would have been considered giving rise to state responsibility,
regardless of the actual harm or damage caused as a result of the
dissemination of such data.185 Kanuck interestingly notes: “For
instance, the remote sensing debate could be easily resolved under
such a construction. The intelligence collection causes no damage,
but any interventionist use of such information would produce a
violation.”186

179 Id. at 26.
180 G.A. Res. 41/65, at ¶ XII (Dec. 3, 1986).
181 See id.
182 Id. at ¶ XIV.
183 Jefferson Hane Weaver, Lessons in Multilateral Negotiations: Creating a
Remote Sensing Regime, 7 TEMP. INT’L & COMP. L.J. 29, 58 (1993).
184 See id. at 56–57.
185 See id.
186 Kanuck, supra note 29, at 290.

2. Organizations

The oldest international organization is the one that governs
international telecommunications.187 The International Telegraph
Union was established in 1865 to regulate tariffs, codes, and
routing.188 As wireless technology emerged, it introduced radio
regulations to ensure the equal distribution of radio frequencies on
the spectrum.189 It became the International Telecommunication
Union (“ITU”) in 1932.190 It now also assigns orbits for
telecommunication satellites, and promotes the development of
telecommunication infrastructure in the developing world.191 It
has a constitution and produces regulations to be implemented by
all 193 United Nations Member States.192 Some of its regulations
have been interpreted to govern international surveillance. The
stoppage of telecommunications clause reads: “Member States
also reserve the right to cut off, in accordance with their national
law, any other private telecommunications which may appear
dangerous to the security of the State or contrary to its laws, to
public order or to decency.”193 “Which may appear” has been
argued to render signals intelligence lawful, since it would imply
preemptive interception and analysis of the said
telecommunication.194 But this provision does not seem to apply
to communication not transiting through the state’s territory. In
other words, it certainly does not provide for a general right to
probe the international telecommunications network. The ITU
Constitution also provides for the secrecy of communications,195
but solely “in terms of divulgence to the general public, not

187 See Overview of ITU’s History, ITU (Mar. 8, 2017, 10:40 PM),
http://www.itu.int/en/history/Pages/ITUsHistory.aspx [https://perma.cc/FM8F-UBDP].
188 Id.
189 Id.
190 History, ITU (Mar. 8, 2017, 10:44 PM),
http://www.itu.int/en/about/Pages/history.aspx [https://perma.cc/M5CG-QNG8].
191 About ITU, ITU (Mar. 8, 2017, 10:45 PM),
http://www.itu.int/en/about/Pages/default.aspx [https://perma.cc/M3AU-6LXQ].
192 See id.; see also Constitution of the International Telecommunication Union, Jan.
1, 2012, 1825 U.N.T.S. 31251 [hereinafter ITU Const.].
193 ITU Const., supra note 192, art. 34 (emphasis added).
194 A.M. Rutkowski, International Signals Intelligence Law: Provisions and
History, 4 LAWFARE RES. PAPER SERIES 1, 4 (2016).
195 ITU Const., supra note 192, art. 37.

governments.”196 Article 37.1 reads: “Member States agree to take
all possible measures, compatible with the system of
telecommunication used, with a view to ensuring the secrecy of
international correspondence.”197 Article 37.2 reads:
“Nevertheless, they reserve the right to communicate such
correspondence to the competent authorities in order to ensure the
application of their national laws or the execution of international
conventions to which they are parties.”198

IV. Cyber Espionage

A. What Cyber Espionage is and how it Differs from
Traditional Espionage

The Cuckoo’s Egg incident and global surveillance are two
opposite manifestations of cyber espionage.199 One is more
discrete, while the other occurs on a much larger scale.200 I chose
the expression “global surveillance” because it is a convenient way
to convey both the mass-scale and extraterritorial components of
foreign surveillance. Foreign includes both extraterritorial and
transnational surveillance (e.g., when a target located outside the
spying state’s territory interacts with someone located on that
state’s territory).201 There are several categories of remote (meta-)
data collection methods that arguably qualify as cyber espionage
when the target (whether discriminate or indiscriminate) is located
in one state and the operation is pursued by or on behalf of another
state. They may not be cyber techniques per se, but all have been
greatly enabled by cyber capabilities. Such operations
include computer network exploitations, communications
intelligence or interception (“COMINT”), and secret information-
sharing programs carried out by virtue of public-private
partnerships or international agreements. They sometimes overlap

196 Rutkowski, supra note 194, at 5.
197 ITU Const., supra note 192, art. 37.
198 See id.
199 Review: The Cuckoo’s Egg by Cliff Stoll, ESSAYS ON SECURITY (Mar. 8, 2017,
11:10 PM), https://www.essaysonsecurity.com/2017/01/15/review-the-cuckoos-egg-by-
cliff-stoll/ [https://perma.cc/DV5Q-DCTJ].
200 See id.
201 Forcese, supra note 103, at 183 (“territorial” describes purely domestic spying,
“extraterritorial” describes purely foreign spying and “transnational” describes spying
that straddles state borders).

968 N.C. J. INT’L L. [Vol. XLII

(e.g. NSA’s Upstream program), or are otherwise used in
conjunction with one another.

1. Computer Network Exploitation

Computer network exploitation is cyber espionage par
excellence. It is commonly referred to as hacking. It can be local
but it can be conducted from virtually anywhere on the globe, and
therefore enables large parts of purely extraterritorial operations.
In the United States, this is typically Tailored Access Operations.
The high profile Democratic National Committee and SONY
Hacks are examples of computer network exploitations.

In the Cuckoo’s Egg, the intruder used Lawrence Berkeley
National Laboratory computers to reach many others, especially
computers of military and defense contractors.202 The intruder was
allowed to thrive so his tactics and approach could be
documented.203 He successfully penetrated more than thirty
computers, collected data, and caused very minor damage.204 All
of this was performed over the ARPAnet, mostly through what is
now called zero-day attacks, exploiting existing flaws in the
system’s security and working their way up to system manager
privileges.205 After initially assuming that it was a prankster from
the nearby University of California, Berkeley campus, investigators
traced the intrusion to sources in Germany and to techniques used
by the KGB.206

The techniques used in computer network exploitations show
several elements that can arguably be considered coercive in the
second definition of the term I put forward.207 The very term brute
force attack, for example, provides a picturesque indication of its
coercive nature.208 Some of the most common techniques also

202 See Healey, supra note 2.
203 Id.
204 Id.
205 Id.
206 Id.
207 See Non-Intervention, supra note 52, section III C.
208 Definition: Brute Force Cracking, TECHTARGET (July 2006),
http://searchsecurity.techtarget.com/definition/brute-force-cracking
[https://perma.cc/93LK-NQ6S] (“Brute force (also known as brute force cracking) is a
trial and error method used by application programs to decode encrypted data such as
passwords or Data Encryption Standard (DES) keys, through exhaustive effort (using
brute force) rather than employing intellectual strategies. Just as a criminal might break

include man in the middle attacks,209 (spear) phishing attacks,210
and the already mentioned zero-day attacks. The more secured the
targeted system, the more invasive and therefore coercive the
exploitation thereof. The more energy, financial, technical, and
human resources are required to break into a system, the more
coercive the cyber espionage operation is. Hacking is also
potentially a form of territorial intrusion, since states do retain
sovereign rights over cyber infrastructure located on their territory,
whether public or private.

Furthermore, whether intended or not, hacking may cause
incidental damage.211 Either way, there is little difference between
a computer network exploitation and a computer network attack.
The difference between the two is at best subtle, if not misleading.
Not to mention that one can easily enable the other (brute force
attack to gain information versus gaining information to carry out
more destructive attacks). Microsoft’s General Counsel Brad
Smith once concluded: “Indeed, government snooping potentially
now constitutes an ‘advanced persistent threat,’ alongside
sophisticated malware and cyber-attacks.”212 He was thus
suggesting it is only the end result that differs.213 Computer
network exploitations constitute cyber sabotage, the coercive
nature of which appears to be fairly obvious.214

into, or ‘crack’ a safe by trying many possible combinations, a brute force cracking
application proceeds through all possible combinations of legal characters in sequence.”).
209 Margaret Rouse, Definition: Man-in-the-Middle Attack (MitM), TECHTARGET,
http://internetofthingsagenda.techtarget.com/definition/man-in-the-middle-attack-MitM
[https://perma.cc/A3HS-W6NU] (“A common method of executing a MitM attack
involves distributing malware that provides the attacker with access to a user’s Web
browser and the data it sends and receives during transactions and conversations.”).
210 Margaret Rouse, Definition: Phishing, TECHTARGET,
http://searchsecurity.techtarget.com/definition/phishing [https://perma.cc/3KGL-GSTV]
(“Phishing is a form of fraud in which the attacker tries to learn information such as login
credentials or account information by masquerading as a reputable entity or person in
email, IM or other communication channels.”).
211 Healey, supra note 2, at 105 (“Break-ins ultimately destroy the network
connectivity they exploit.”) (Nearest copy available at Library of Congress).
212 Jim Edwards, Microsoft Says Government Surveillance Is An “Advanced
Persistent Threat” That May Be Unconstitutional, BUS. INSIDER (Dec. 5, 2013, 10:44
AM), http://mobile.businessinsider.com/microsoft-government-surveillance-advanced-
persistent-threat-unconstitutional-2013-12 [http://perma.cc/B3XY-UACA].
213 Id.
214 Id.

2. Communications Intelligence (“COMINT”)

COMINT,215 or communications intelligence, is not new, but
there is a much greater amount of data available in the digital age,
and the liberalization of the international telecommunications
market has paved the way for new types of interception
opportunities.216 COMINT can be extraterritorial or transnational
depending on whether or not the communication travels through an
intercept point located in the spying state.217 In the United States,
COMINT typically falls under Special Source Operations. Legal
consequences may depend on where the communication is intercepted.

COMINT presents geographical limitations, as not all states
are equal in terms of access to global telecommunication
infrastructure, nor does all traffic transit through all states in
comparable volumes, either due to geographical or economic
constraints.218 A country’s COMINT capability depends on its
geographical location, and ability to plant intercept points on
international spaces or foreign territory (thus constituting a breach
of territorial integrity in the latter case).219 But the path of
information cannot always be predicted, and data does not
necessarily take the most direct, but the cheapest route, as a
reportedly leaked National Security Agency slide claims.220

Submarine cables account for ninety-nine percent of global
internet traffic.221 The USS Jimmy Carter submarine can wiretap

215 See Sulmasy & Yoo, supra note 103, at 631 (“Communications Intelligence
(COMINT) is the technical information derived from the interception of foreign
communications by one other than the intended recipient.”).
216 See Lawrence D. Sloan, Echelon and the Legal Restraints on Signals
Intelligence: A Need for Reevaluation, 50 DUKE L.J. 1467, 1471–74 (2001).
217 Id.
218 Ingrid Burrington, Up to 70 Percent of Global Internet Traffic Goes Through
Northern Virginia, NEXTGOV (Jan. 8, 2016), http://www.nextgov.com/big-
data/2016/01/70-percent-global-internet-traffic-goes-through-northern-virginia/124976/
[https://perma.cc/3QLW-3YNS] (estimating that 70% of international internet traffic
goes through the U.S.).
219 Id.
220 NSA Slides Explain the PRISM Data-Collection Program, WASH. POST. (July 10,
2013), http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-
documents/ [https://perma.cc/UT7T-CE9Y].
221 Douglas Main, Undersea Cables Transport 99 Percent of International Data,
NEWSWEEK (Apr. 2, 2015, 12:39 PM), http://www.newsweek.com/undersea-cables-
transport-99-percent-international-communications-319072 [https://perma.cc/23QY-
G5JD].

on submarine cables.222 This appears to be an old and widespread
practice.223 It is arguably intrusive and potentially damaging to the
cable.224 It is most probably in violation of the 1884 Convention
for the Protection of Submarine Telegraph Cables, which does not
have any specific provision about espionage or wiretapping, but
whose Article 2 states that “[i]t is a
punishable offence to break or injure a submarine cable, willfully
or by culpable negligence, in such manner as might interrupt or
obstruct telegraphic communication, either wholly or partially,
such punishment being without prejudice to any civil action for
damages.”225 Damage to submarine cables can have far-reaching
consequences given the amount of internet traffic that relies on
them.226

Clandestine intercept points or servers located on foreign
territory require territorial intrusion to plant the intercept point.227
Here, the very intrusion could be unlawful in itself, as a form of
prohibited intervention.228 If the intercept point is not on foreign
territory, then it is not an intrusion, but legality would depend on
other factors.229 For example, certain intercept points defeat the
purpose of “peaceful usage” of common domains if placed in
international waters, or outer space, especially as signals

222 Glenn Zorpette, Making Intelligence Smarter, IEEE XPLORE (2004),
http://ieeexplore.ieee.org/ielx5/6/21038/975021/975021.html [https://perma.cc/ZG8J-
X8EQ]; New Nuclear Sub is Said to Have Special Eavesdropping Ability, N.Y. TIMES
(Feb. 20, 2005), http://www.nytimes.com/2005/02/20/politics/new-nuclear-sub-is-said-
to-have-special-eavesdropping-ability.html [https://perma.cc/P842-H6AS] [hereinafter
New Nuclear Sub].
223 See Ewen MacAskill et al., GCHQ Taps Fibre-Optic Cables for Secret Access to
World’s Communications, THE GUARDIAN (June 21, 2013, 12:23 PM),
https://www.theguardian.com/uk/2013/jun/21/gchq-cables-secret-world-
communications-nsa [https://perma.cc/V4K3-ZJL8]; see also Matthew Carle, Operation
Ivy Bells, MILITARY.COM,
http://www.military.com/Content/MoreContent1/?file=cw_f_ivybells
[https://perma.cc/V5W9-KK7J].
224 Id.
225 Convention for the Protection of Submarine Telegraph Cables art. II, Mar. 12,
1884, 24 Stat. 989, T.S. No. 380.
226 New Nuclear Sub, supra note 222.
227 See ELLA SHOSHAN, APPLICABILITY OF INTERNATIONAL LAW ON CYBER
ESPIONAGE INTRUSIONS § 4.6, at 46–47 (2014).
228 Id.
229 Id.

intelligence and remote sensing technology allow for far more
precise data-collection than anticipated when the law of the sea
and outer space developed. Also, the amount of data transiting
through international spaces is unprecedented.230

If an intercept point placed by State A is on the territory of
State B to spy on State C, it is still an unauthorized intrusion on
State B, even if it is not the target of the data-collection operation.
However, State B’s responsibility would also arise if State B has
knowledge of the intercept server’s existence and purpose, and
does nothing to mitigate its effects on other States. In the Corfu
Channel case, the International Court of Justice ruled that states
cannot knowingly let their territory be used in ways that adversely
affect other states.231 Therefore, a state’s responsibility may arise
if it knowingly lets cyber infrastructure located on its territory be
used for espionage purposes of other states that amount to
intervention.232 This would be the case even if the state from
whose territory the cyber espionage operation is conducted does
not benefit from the data thus collected and is not otherwise an
accomplice of the spying state.233 If the intercept point is on the
spying state’s territory, then legality would rely on scale and
context, as we shall see below. The EU and the BRICS234 countries
have started laying their own intercontinental submarine cable
connections to avoid passing through U.S. nodes.235 This investment
in circumventing U.S. access points shows that states do not consent
to being subjected to mass-interception of their data.236

3. Secret Information-Sharing

Information-sharing programs are not new either, and not

230 See JAMES MANYIKA ET AL., MCKINSEY GLOB. INST., DIGITAL GLOBALIZATION:
THE NEW ERA OF GLOBAL FLOWS 30 (2016) (“Cross-border used bandwidth has grown
45 times larger over the past decade. In absolute terms, it has grown from 4.7 terabits per
second (Tbps) in 2005 to 211.3 Tbps in 2014, for an annual growth rate of 52 percent.28
Over the next five years, total Internet Protocol (IP) traffic is projected to triple, while
cross-border used bandwidth is projected to post a nine-fold increase.”).
231 Corfu Channel (U.K. v. Albania), Judgment, 1949 I.C.J. Rep. 35 (Apr. 9).
232 See id.
233 See id.
234 BRICS is an acronym for the countries of Brazil, Russia, India, China, and South
Africa.
235 Scola, supra note 78.
236 Id.

necessarily carried out through cyber means, but then again, there
is a greater amount of data available in the digital age.237 It is
mostly transnational (information shared by two states or stored on
private servers located on the spying state’s territory), sometimes
extraterritorial (private servers located in the spied-upon state).238
Corporate partnerships, whether formalized or not, with internet
service providers, telecommunications companies, internet
corporations (social media platforms, cloud computing service
providers, service apps, etc.) constitute one type of agreement
through which secret information-sharing practices occur.239 In the
United States, such actors are labeled “data providers” by PRISM
program executives.240 One important indicator of state consent
(or lack thereof) to such practice is the existence of domestic data
location legislation in the target state.241 There might be a
presumption of consent on the part of the target state in the
absence of domestic legislation requiring data to be stored within
that state’s territory.242 If, however, such legislation exists, then it
is a clear indication that the target state does not want its citizens’
personal data spied upon.243 The recent passage of the EU-U.S.
Privacy Shield agreement to govern EU-U.S. data transfers is
further evidence of states perceiving such data-collection programs
as invasive, whether servers are located in the spied-upon state or
the spying state.244 The EU intended to protect its citizens in both
scenarios.245 Furthermore, Australia v. Timor showed that data

237 See MANYIKA, supra note 230, at 30.
238 See David Kris, U.S. Government Presents Draft Legislation for Cross-Border
Data Requests, LAWFARE: SURVEILLANCE (July 16, 2016, 8:07 AM),
https://www.lawfareblog.com/us-government-presents-draft-legislation-cross-border-
data-requests [https://perma.cc/X8DX-SFAN].
239 NSA Slides Explain the PRISM Data-Collection Program, supra note 220.
240 See id.
241 See Lothar Determann, Local Data Residency Requirements for Global
Companies, BAKER & MCKENZIE: INSIGHTS (Aug. 2015),
http://www.bakermckenzie.com/en/insight/publications/2015/08/local-data-residency-
requirements-for-global-com__/ [https://perma.cc/XSY2-YDQE].
242 See id.
243 See id.
244 European Commission Press Release IP/16/216, EU Commission and United
States Agree on New Framework for Transatlantic Data Flows: E.U.–U.S. Privacy Shield
(Feb. 2, 2016).
245 Julia Fioretti, EU Says US Explanation of Yahoo Email Scanning Not Enough,
REUTERS (Jan. 11, 2017, 4:20 PM), http://www.reuters.com/article/us-eu-usa-yahoo

theft occurring on spying state territory can still be considered
espionage.246 Therefore, domestically located data handed over by
a private company could still potentially qualify as espionage.

In the case of international agreements with foreign partner
agencies, there is obviously no violation of sovereignty if data
intended for the spying state is collected by the “target” state itself
on its own territory, but it potentially becomes a violation of
sovereignty when data-collection efforts are mutualized against a
third state.247 Another sovereignty issue here is the fact that the
“requesting” state has no control over the information-collection
process performed by the partner state, which may be more invasive
than intended by the requesting party.248 The Five Eyes network249
born out of the U.K.-U.S. agreement is emblematic of that sort of
intelligence-sharing cooperation program.

B. Why Should Cyber Espionage Be Deterred?

Cyber espionage presents the risk of occasioning an escalation
of tension and conflict for several reasons, mostly pertaining to its
unprecedented scale,250 specific characteristics, and potential
consequences.

First and foremost, cyber espionage is both cost-efficient251 and

idUSKBN14V2MN?feedType=RSS&feedName=technologyNews&utm_source=Twitter
&utm_medium=Social&utm_campaign=Feed%3A+reuters%2FtechnologyNews+%28R
euters+Technology+News%29 [https://perma.cc/PRP2-DQ52].
246 See Questions Relating to the Seizure and Detention of Certain Documents and
Data (Timor-Leste v. Australia), Provisional Measures, Rep. 2014 I.C.J. 147 (Mar. 3).
247 Cf. U.S. JOINT CHIEFS OF STAFF, MULTINATIONAL OPERATIONS III–6, at (d)(1)
(2007) (citing the collection and sharing of information as a potential sovereignty issue).
248 Cf. id.
249 The “Five Eyes” is an alliance of five English-speaking countries—the United
States, the United Kingdom, Australia, Canada, and New Zealand. See Paul Farrell,
History of 5-Eyes—Explainer, GUARDIAN (Dec. 2, 2013, 12:30 AM),
http://www.theguardian.com/world/2013/dec/02/history-of-5-eyes-explainer
[https://perma.cc/TB3F-ELAK]; FIVE EYES,
https://www.privacyinternational.org/node/51 [https://perma.cc/C8RP-UXJK].
250 See PoKempner, Cyberspace and State Obligations in the Area of Human Rights,
in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 252–53
(explaining that state-sponsored espionage is on a “pervasive scale” and could be of
“unlimited by scale or duration”).
251 See Healey, supra note 2, at 98 (“[E]spionage over networks can be cost efficient,
offer nearly immediate results, and target specific locations.”).

has considerably less damaging consequences for spying states.252
Director of National Intelligence John Clapper lamented that
foreign actors in cyberspace “remain
undeterred from conducting reconnaissance, espionage, and even
attacks in cyberspace because of the relatively low costs of entry,
the perceived payoff, and the lack of significant consequences.”253
Indeed, the practice of cyber espionage is remote by essence, and
therefore rarely requires sending an agent into foreign territory.
Not only does that imply less risk for spies, but it is also less
detectable and more challenging to attribute to the spying state.
With traditional espionage involving human intelligence, the risk
taken by the agent (and the state that risks losing its most
competent and talented agents) could be self-deterring in some
cases. It also meant it had to be more discreet and targeted. When
the United States began flights over Soviet bloc countries in
1956, the risks were known.254 In 1960, the U-2 piloted by Gary
Francis Powers was shot down over the territory of the U.S.S.R.255

Cyber espionage’s cost-efficient and remote nature, coupled
with the development of the global internet, allow for
unprecedented mass-scale data-gathering opportunities. Cost-
efficiency also means that a much larger number of states can
engage in cyber espionage activities than in conventional forms of
espionage requiring more resources.256

Data-mining technology,257 which is being enhanced by

252 See PoKempner, Cyberspace and State Obligations in the Area of Human Rights,
in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 253
(explaining that cyber espionage “made the means of surveillance vastly more cost-
effective”).
253 JAMES R. CLAPPER, DIR. OF NAT’L INTELLIGENCE, STATEMENT FOR THE RECORD
TO THE SENATE ARMED SERVICES COMMITTEE, WORLDWIDE THREAT ASSESSMENT OF THE
U.S. INTELLIGENCE COMMUNITY 3 (Feb. 9, 2016).
254 See Alexander Orlov, A “Hot” Front in the Cold War, CIA (June 27, 2008, 7:39
AM), https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-
publications/csi-studies/studies/winter98_99/art02.html [https://perma.cc/J39Q-M4J8].
255 The U–2 Spy Plane Incident, EISENHOWER PRESIDENTIAL LIBR.,
http://www.eisenhower.archives.gov/research/online_documents/u2_incident.html
[https://perma.cc/BMS7-FJ59].
256 See Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public
International Law, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra
note 77, at 425.
257 See Glenn Greenwald, XKeyscore: NSA Tool Collects ‘Nearly Everything a User
Does on the Internet’, GUARDIAN (Feb. 26, 2017, 8:56 AM),

machine learning258 and supported by rising computing power,
makes it even easier to make sense of the considerable flow of
information intercepted or otherwise collected.259 As a result,
mass-scale data collection is becoming less of an impediment to
intelligence analysis.260 Big data and deep learning are actually
fueling new software capable of predicting individual, as well as
collective behavior such as social unrest.261

The unprecedented scale of the phenomenon is both
problematic in itself, and because of its possible consequences.
There is a quantitative leap from conventional espionage.262 The
current scale of espionage makes it change in nature. As Hegel263
showed, past a certain threshold, quantity becomes quality.
Occasional, targeted espionage was less harmful to state interests,
and certainly less invasive.264 Having access to the kind of
intelligence available in the digital age is not the same as only
collecting targeted intelligence on a foreign country’s arsenal, capacity, or
the intentions of its government. Stephen Chabinsky, a senior FBI
official says “A spy might once have been able to take out a few
books’ worth of material . . . . Now they take the whole library.

https://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data
[https://perma.cc/RP8Z-AT64] (explaining that the NSA’s XKeyscore is an example of
new data mining technology).
258 Machine learning is associated with significant advancements in speech
recognition, image recognition, and language processing. Machine Learning, SAS,
https://www.sas.com/en_us/insights/analytics/machine-learning.html
[https://perma.cc/6GMW-Z8NR].
259 See id.
260 Frank Konkel, The CIA Says It Can Predict Social Unrest as Early as 3 to 5
Days Out, DEF. ONE (Oct. 5, 2016), http://www.defenseone.com/technology/2016/10/cia-
says-it-can-predict-social-unrest-early-3-5-days-out/132121/ [https://perma.cc/2G7R-
VFFN].
261 Id.
262 See Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public
International Law, in PEACETIME REGIME FOR STATE ACTIVITIES IN CYBERSPACE, supra
note 77, at 425.
263 See generally David Gray Carlson, Hegel’s Theory of Quality (Cardozo L. Sch.
Jacob Burns Inst. For Advanced Legal Stud. Working Paper 017, 2000),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=241950 [https://perma.cc/K5FQ-
3BNT] (explaining Hegel’s theory which shows that quality and quantity are
interrelated).
264 See War in the Fifth Domain, ECONOMIST (July 1, 2010),
http://www.economist.com/node/16478792 [https://perma.cc/9CBZ-L9D4].

And if you restock the shelves, they will steal it again.”265 There is
also a greater number of targets: average citizens, and not just
critical threat actors or foreign governments, can now be espionage
targets.266

Incidental loss or damage, whether intended or unintended, is
another reason why cyber espionage should be deterred. Cyber
espionage may cause immaterial and material damage.267 It may
hinder the availability and integrity of data, and may also interfere
with the functionality of systems, sometimes permanently
damaging hardware or infrastructure.268 This kind of collateral
damage was also possible with traditional espionage when an
agent had to physically break into installations to access the
information thus sought. But remote data-collection can also
cause severe damage, sometimes more severe still, as more systems
can be affected by a single act of espionage, including dual-use
infrastructure.269 Loss can also be economic, as there are multiple
documented cases of State-sponsored intellectual property theft.270
Cyber intrusions more broadly represent a security threat, as they
may enable further attacks by weakening the targeted system.

265 Id.
266 See Justin Sink & Chris Strohm, Hackers, Corporate Spies Targeted by Obama
Sanction Order, BLOOMBERG TECH. (Apr. 1, 2015, 8:59 AM),
https://www.bloomberg.com/news/articles/2015-04-01/u-s-economic-sanctions-to-target-
cyber-attacks-cyberspying [https://perma.cc/7T5H-M8PB].
267 See James Stavridis, How to Win the Cyberwar Against Russia, FOREIGN POL’Y:
VOICE (Feb. 2, 2017), http://foreignpolicy.com/2016/10/12/how-to-win-the-cyber-war-
against-russia/ [https://perma.cc/2DL7-93NX].
268 Id. (“North Korea’s attack on Sony Pictures, which did millions of dollars of
damage to hardware.”).
269 See Rob Knake, Russian Hackers Were Only Getting Started in the 2016
Election, FORTUNE (Jan. 15, 2017), http://fortune.com/2017/01/15/russian-hackers-2016-
election-cyber-war/ [https://perma.cc/4Y8W-B8C9].
270 China reportedly stole the designs for the F-35 fighter jet, corporate secrets for
steel, and the blueprints for gas pipelines that supply much of the United States. See
David E. Sanger & Nicole Perlroth, Hackers From China Resume Attacks on U.S.
Targets, N.Y. TIMES (May 19, 2013),
http://www.nytimes.com/2013/05/20/world/asia/chinese-hackers-resume-attacks-on-us-
targets.html [https://perma.cc/4GDZ-CYDW]; see also Spencer Ackerman & Jonathan
Kaiman, Chinese Military Officials Charged with Stealing US Data as Tensions
Escalate, GUARDIAN (May 20, 2014, 3:58 AM),
https://www.theguardian.com/technology/2014/may/19/us-chinese-military-officials-
cyber-espionage [https://perma.cc/ECX2-J2RM].

Unintended consequences271 can therefore be more harmful than
the intended eavesdropping.

What’s more, the threat of cyber espionage is now augmented
by the possibility of ensuing dissemination of the information to a
much larger and global audience than was possible before the
internet and the globalization of the telecommunications market.272
The internet allows for instant mass publication at no cost. This
presents a higher threat for personal as well as classified
information. In the digital age, stolen data may no longer be
known to the spying state alone. Mass-dissemination may be
intentionally used as a new weapon of information warfare, or it
may be that stolen data inadvertently gets lost or leaked by
personnel without the spying state’s instructions.

For the aforementioned reasons and others, the scale and
potential consequences273 of cyber espionage make it a rising
element of tension escalation in the world.274 It has been observed
that the movement toward balkanization of the internet has
amplified considerably since the 2013 Snowden disclosures; cyber
espionage is a major threat to the globally interconnected nature of
the internet.275

C. How And When Cyber Espionage Becomes Illegal

1. How

There is no prohibition of espionage per se, but cyber
espionage significantly differs in scale, characteristics, and

271 Intended damage would exceed the scope of this article, as it could be interpreted
as prohibited use of force.
272 See PoKempner, Cyberspace and State Obligations in the Area of Human Rights,
in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 256.
273 Though tempting, I am intentionally not using the expression “scale and effects”
reserved for assessing whether an occurrence of use of force reaches the threshold of an
armed attack.
274 See Jerome Cartillier, Obama Vows to Slap Russia Over Hacking, Tensions on
Rise, YAHOO NEWS (Dec. 16, 2016), https://www.yahoo.com/news/obama-says-us-
retaliate-against-russian-hacking-022451853.html [https://perma.cc/8LQG-SDF8].
275 See John Naughton, Edward Snowden’s Not the Story. The Fate of the Internet
Is, GUARDIAN (July 27, 2013, 5:01 PM),
https://www.theguardian.com/technology/2013/jul/28/edward-snowden-death-of-internet
[https://perma.cc/V86N-572C]; see also Sascha Meinrath, The Future of the Internet:
Balkanization and Border, TIME (Oct. 11, 2013), http://ideas.time.com/2013/10/11/the-
future-of-the-internet-balkanization-and-borders/ [https://perma.cc/L69H-2QHH].

consequences from pre-cyber espionage. We are moving away
from the status quo and legal ambivalence of espionage under
international law.276 Deeks evokes a “shift from agnosticism.”277
Prohibition of espionage may not have been warranted in the past,
but certain cases of espionage are becoming illegal for the very
reasons brought forth by those international legal scholars who
viewed traditional espionage as illegal per se. Their arguments
didn’t hold in the past, but they take on their full meaning now.
However, it would be unreasonable to declare espionage illegal
ipso facto, as some cases of traditional and even cyber espionage
would still be discreet enough to be tolerable under the law. I
believe the existing theory of non-intervention offers the most
useful framework to deter certain types of cyber espionage. In a
word, espionage remains neither legal nor illegal per se, but it may
rise to the level of prohibited intervention in cases that I shall
briefly expose. I would argue that it is a scale and context
question. The historically ambivalent law of espionage allows for
that type of quantity assessment. This is much like the way
possession of recreational drugs is tolerated in small amounts in
certain legal systems but criminalized past a certain threshold.

It is worth warning the reader that I do not in any way promote
the idea, contended by certain politicians278 and scholars, that
(cyber) espionage may sometimes rise to the level of use of force,
if not armed attack.279 This would be an unreasonable and
unnecessary development. As stated before, intervention does not
have to amount to use of force to be unlawful.280

2. When: Scale and Coercion

In regard to the National Security Agency’s cyber espionage
activities, several political declarations of states are clear

276 See Deeks, supra note 112, at 315.
277 Id.
278 See Theodore Schleifer & Deirdre Walsh, McCain: Russian Cyberintrusion an
“Act of War”, CNN (Dec. 31, 2016, 1:27 AM),
http://edition.cnn.com/2016/12/30/politics/mccain-cyber-hearing/
[https://perma.cc/SR99-X485] (showing McCain claiming that Russia’s “cyber intrusion
is an act of war”).
279 See id. (“These events have already proved why it’s to everyone’s benefit that
Cyber Command will soon be elevated by the military to the status of a full combatant
command.”).

280 See Non-Intervention, supra note 52, at III (C.).

980 N.C. J. INT’L L. [Vol. XLII

indications of the lack of consent of target states on the one hand,
and lack of opinio juris on the part of the United States on the
other.281 These also suggest how crucial scale was in their legal
assessment of the situation.282 Then Brazilian President Dilma
Roussef to the United Nations:

[I]ntrusion and meddling in such a manner in the life and affairs
of other countries is a breach of international law and as such an
affront to the principles that must guide the relations among
them, especially among friendly nations. A country’s
sovereignty can never affirm itself to the detriment of another
country’s sovereignty.283
Brazil also asked the U.S. President for an explanation,

apology and guarantee of non-repetition.284 Then France’s Foreign
Affairs Minister, Bernard Kouchner said it was unacceptable
conduct from allies, saying “Let’s be honest, we eavesdrop too.
Everyone is listening to everyone . . . . The magnitude of the
eavesdropping is what shocked us.”285 Germany called the
revelations “completely unacceptable.”286

On the other hand, President Obama, while he attempted to
justify the National Security Agency’s spying activities, did not
speak to the question of legality.287 Instead, he justified these

281 See Josh Levs & Catherine E. Shoichet, Europe Furious, ‘Shocked’ by Report of
U.S. Spying, CNN (Feb. 28, 2017, 9:06 AM),
http://www.cnn.com/2013/06/30/world/europe/eu-nsa/ [https://perma.cc/GT3N-4TUD].
282 See id.
283 News Wrap: Brazil President Calls U.S. Spying on Allies ‘Totally Unacceptable’,
PBS (Feb. 27, 2017, 9:04 AM), http://www.pbs.org/newshour/bb/world-july-dec13-
newswrap_09-24/ [https://perma.cc/X68X-5GVL].
284 Brian Winter, Exclusive – Brazil’s Rousseff wants U.S. Apology for NSA Spying,
YAHOO NEWS (Feb. 27, 2017, 9:09 AM), https://www.yahoo.com/news/exclusive-
brazils-rousseff-wants-u-apology-nsa-spying-013035060.html?ref=gs
[https://perma.cc/RH9A-MYQX].
285 NSA Spying Threatens to Hamper U.S. Foreign Policy, CBS NEWS (Feb. 27.
2017, 9:21 AM), http://www.cbsnews.com/news/nsa-spying-threatens-to-hamper-us-
foreign-policy/ [https://perma.cc/P8U5-3XUL] (emphasis added).
286 Jeff Black, Germany’s Merkel Calls Obama: Did NSA Monitor my Cellphone?,
NBC NEWS (Feb. 27, 2017, 9:25 AM), http://www.nbcnews.com/news/other/germanys-
merkel-calls-obama-did-nsa-monitor-my-cellphone-f8C11452362
[https://perma.cc/3SZW-JNU6].
287 See Luke Johnson, Obama Defends NSA Programs, Says Congress Knew About
Surveillance, HUFFINGTON POST (June 7, 2013, 12:45 PM),
http://www.huffingtonpost.com/2013/06/07/obama-nsa_n_3403389.html
[https://perma.cc/QDU5-HDQ5].

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 981

activities on national security grounds.288 Justifying state action in
the name of national security, in a plea of necessity, or other
preclusion of responsibility, though common practice, does not
negate the underlying illegality of the act in question.

Further indications of opinio juris that scale makes cyber
espionage less acceptable is that it does not allow states to
guarantee a fundamental right in their own territory.289 Beyond the
important issue of extraterritorial application of human rights
obligation, the long series of “privacy in the digital age”
resolutions and reports at the UN are also proof that mass-scale
surveillance is less tolerable to states namely because of its
deleterious effects on human rights.290

3. When: Context and Threat of Disclosure (Information
Warfare)

When cyber espionage does not rise to the level of intervention
by itself, it may still elicit and therefore be part and parcel of a
prohibited act of intervention. Context is therefore key, whether in

288 See id.
289 See Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at
153.
290 See Human Rights Council Res. 20/8, U.N. Doc. A/HRC/20/L.13, ¶ 1 (June 29,
2012) (“The Human Rights Council . . . [a]ffirms that the same rights that people have
offline must also be protected online.”); G.A. Res. 68/167 (Dec. 18, 2013); G.A. Res.
26/13, ¶ 5 (July 14, 2014) (Calls upon all states to address security concerns on the
internet in accordance with their international human rights obligations to ensure
protection of freedom of expression, freedom of association, privacy and other human
rights online.”); G.A. A/C.3/69/L.26/Rev.1, 3 (Nov. 19, 2014) (“Deeply concerned at the
negative impact that surveillance and/or interception of communications, including
extraterritorial surveillance and/or interception of communications, as well as the
collection of personal data, in particular when carried out on a mass scale, may have on
the exercise and enjoyment of human rights.”); see G.A. Res. 69/166 (Dec. 18, 2014)
(discussing the right to privacy in the digital age); see 2015 Report of the Group of
Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security, G.A. Res. 69/166 (Dec. 18,
2014) (“Welcoming the adoption by the Human Rights Council of resolution 26/13 of
June 26 2014 on the promotion, protection and enjoyment of human rights on the
internet.”); see Human Rights Council, The Right to Privacy in a Digital Age, U.N. Doc.
A/HRC/27/37 (June 30, 2014); see also The Right to Privacy in the Digital Age, OHCHR
(Feb. 28, 2017, 1:48 PM),
http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx
[https://perma.cc/3HQ6-GL5U].

982 N.C. J. INT’L L. [Vol. XLII

the context of international negotiations,291 or, as we saw very
recently with the so-called Democratic National Committee
(“DNC”) Hack, national election periods.292 The latter event
prompted the RAND Corporation to call for the prohibition of
cyber espionage conducted for the purpose of political
interference.293 Thus showing how intricately connected cyber
espionage and interference are. The DNC Hack was an alleged
attempt to manipulate the outcome of the 2016 United States
presidential election.294 The exact impact of the alleged operation
is difficult to assess. However, if confirmed, any attempt by a
state to manipulate foreign public opinion is widely considered to
wrongfully interfere with democratic processes.295 Here, it is not
so much the fact that the public should not have access to certain
potentially relevant information about presidential candidates.
What is argued to have crossed the line is that it was coming from
a foreign entity with the intent of manipulating the election.296
This type of state-sponsored dissemination of information also
escapes the jurisdiction of the victim state, which therefore has no

291 Memorial of the Democratic Republic of Timor–Leste, Questions Relating to the
Seizure and Detention of Certain Documents and Data (Timor-Leste v. Austl.), 2014
I.C.J. Application Instituting Proceedings 57 (April 28, 2014).
292 See Michael Wood, Non–Intervention (Non-Interference in Domestic Affairs),
ENCYCLOPEDIA PRINCETONIENSIS, https://pesd.princeton.edu/?q=node/258
[https://perma.cc/J9KL-XURZ] (“Interference in political activities (such as through
financial or other support for particular political parties, comment on upcoming elections
or on the candidates; seeking to overthrow the government–so–called ‘regime
change.’).”).
293 Martin C. Libicki, The DNC Hack: Are New Norms Needed?, RAND BLOG (Feb.
28, 2017, 8:26 PM), http://www.rand.org/blog/2016/09/the-dnc-hack-are-new-norms-
needed.html [https://perma.cc/D3RS-2XT3].
294 See Eric Lipton et al., The Perfect Weapon: How Russian Cyberpower Invaded
the U.S., N.Y. TIMES (Feb. 28, 2017, 8:31 PM),
https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0
[https://perma.cc/ZR7L-EX4H]; see also Stavridis, supra note 266 (“All democratic
nations have a stake in pushing back against this blatant interference in the democratic
political process.”).
295 See Stavridis, supra note 267.
296 See Ellen Nakashima, Russian Government Hackers Penetrated DNC, Stole
Opposition Research on Trump, WASH. POST (Feb. 27, 2017, 8:43 PM),
https://www.washingtonpost.com/world/national-security/russian-government-hackers-
penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-
8ff7-7b6c1998b7a0_story.html?utm_term=.43884b9021d5 [https://perma.cc/UJ27-
ECYG].

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 983

resource to go after the perpetrator of the information theft or
disclosure of classified information.297 Foreign powers also have
more resources to steal larger amounts of classified information.298
Their nuisance capacity in accessing and revealing classified or
otherwise sensitive material is higher than that of national media
organizations.299 Dissemination also elevates privacy threat, as
countless private individuals end up in the “email dumps,”300
sometimes without even realizing it.

In his statement on “Actions in Response to Russian Malicious
Cyber Activity and Harassment,”301 President Obama officially
responded to the “data theft and disclosure activities.”302 The use
of the expression “malicious cyber activity” is noteworthy, as the
only “malicious cyber activity” involved in the DNC hack was
hacking.303 Disclosure of information is not a form of cyber
activity. This emphasis on the data-gathering component tends to
corroborate the idea that the United States is going after espionage
as a decisive element of the alleged prohibited intervention of
Russia, an element to be condemned in it of itself. If this case of
cyber espionage was legal, why not focus on the “disclosure
activities?” It is also interesting that the statement should avoid
the word espionage, when the subsequent FBI report points to
Russian intelligence agencies being behind the operation.304

297 Alain Megias, How Cyber Jurisdiction Affects Cybercrime Prosecution, I–
POLICY (Feb. 27, 2017, 8:51 PM), http://www.i-policy.org/2011/02/how-cyber-
jurisdiction-affects-cybercrime-prosecution.html [https://perma.cc/GP34-3RSU].
298 See Heli Tiirmaa-Klaar, Cyber Diplomacy: Agenda, Challenges, and Missions, in
PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 509, 515.
299 See id.
300 See Raphael Satter & Maggie Michael, WikiLeaks’ Document Dumps Contain
Plenty of Private Data, BOS. GLOBE (Feb. 27, 2017, 9:01 PM),
https://www.bostonglobe.com/news/world/2016/08/23/wikileaks-document-dumps-
plenty-private-data/xrQEmoFoT3DTD3inmQS9IO/story.html [https://perma.cc/6V7A-
G52K].
301 Press Release, President Barack Obama, Statement by the President on Actions
in Response to Russian Malicious Cyber Activity and Harassment (Dec. 29, 2016),
https://www.whitehouse.gov/the-press-office/2016/12/29/statement-president-actions-
response-russian-malicious-cyber-activity [https://perma.cc/XLN2-4S9R] [hereinafter
Press Release Obama].
302 See id.
303 See id.
304 DEPT. OF HOMELAND SEC. & FED. BUREAU OF INVESTIGATION, REF. NO. JAR-16-
202961, JOINT ANALYSIS REPORT: GRIZZLY STEPPE – RUSSIAN MALICIOUS CYBER

984 N.C. J. INT’L L. [Vol. XLII

President Obama further evokes “Russia’s efforts to undermine
established international norms of behavior, and interfere with
democratic governance” as well as “cyber activity that seeks to
interfere with or undermine our election processes and
institutions.”305 Again, the only cyber activity was the data theft
itself and nothing else.

V. Functionalism and other Moot Preclusions of State
Responsibility
The law of state responsibility was set out in 2001 by the

International Law Commission in a series of articles; these
responsibilities are usually considered codifications of
international customary law.306 States are responsible to other
states for their infringement on international law.307 A state’s
responsibility rises when an act or omission that is attributable to
the state constitutes a breach of an international obligation of that
state.308 The responsible state is under an obligation to cease the
wrongful act in question, and offer appropriate assurance and
guarantee of non-repetition.309 In addition, the responsible state
must make full reparation for the injury through restitution,
compensation, or satisfaction.310 Additionally, in cases where acts
of non-state actors are not attributable to a state, states still have an
obligation to put an end to any activities that they know are
occurring on their territory and that adversely affects other

ACTIVITY (Dec. 29, 2016), https://www.us-
cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-
1229.pdf [https://perma.cc/36R8-M2UW].
305 See Press Release Obama, supra note 301.
306 See generally Draft Articles on Responsibility of States for Internationally
Wrongful Acts, with commentaries, in Report of the International Law Commission on
the Work of Its Fifty-third Session, 56 U.N. GAOR Supp. (No. 10) at art. 31(1), U.N.
Doc. A/56/10 (2001), http://www.un.org/law/ilc [https://perma.cc/3J6Y-58TV]
[hereinafter ILC Draft Articles].
307 See Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at
135.
308 See Terry D. Gill, Non-Intervention in the Cyber Context, in PEACETIME REGIME
FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 217, 226.
309 See Michael N. Schmitt, Cyber Activities and The Law of Countermeasures, in
PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at 659, 664.
310 See id.

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 985

states.311 There are defenses available for states to claim
preclusion of responsibility.312 These include consent by the
injured state, self-defense, force majeure, distress, necessity, and
countermeasures.313 Only consent, necessity, and self-defense
could theoretically be invoked in the context of cyber espionage
that reaches the threshold of intervention.314 In the case of self-
defense, only in so far as espionage can be considered a pre-
requisite for the exercise of self-defense, not because espionage
should be equated to an armed attack.315 That being said, it
appears that no preclusions of state responsibility hold in cases of
cyber espionage.316

Consent of the spied-upon state, as was shown earlier, would
be difficult to argue. Necessity may be invoked to preclude
responsibility if it “is the only way for the State to safeguard an
essential interest against a grave and imminent peril;” and it “does
not seriously impair an essential interest of the State or States
towards which the obligation exists, or of the international
community as a whole.”317 This would be equally difficult to
argue, as the International Law Commission itself recognizes that
“necessity will only rarely be available to excuse non-performance
of an obligation and that it is subject to strict limitations to
safeguard against possible abuse.”318 The plea of necessity would
therefore not be justified by the kind of national security threats
invoked by states engaging in mass-scale surveillance. Though
serious, these rarely amount to a “grave and imminent peril” to “an
essential interest.”319 Besides, there is no evidence for mass-scale

311 The Corfu Channel Case (United Kingdom of Great Britain and Northern Ireland
v. Albania), Judgment, 1949 I.C.J. 22 (Apr. 1949).
312 See Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at
462–63.
313 See Michael N. Schmitt, Cyber Activities and The Law of Countermeasures, in
PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77,, at 659, 667.
314 See id.
315 See id. at 679.
316 See Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at
463.
317 See ILC Draft Articles, supra note 306, art. 25.
318 Id.
319 Id.

986 N.C. J. INT’L L. [Vol. XLII

surveillance being effective against international terrorism.320
Likewise, the argument that intelligence is the pre-requisite for

the exercise of the right to anticipatory self-defense321 does not
hold. Mass-scale surveillance is not tailored narrowly enough, and
gathers more information about ordinary citizens than it does
about potential criminals, terrorists, or armed groups.322 It also
does not discriminate among individuals acting on their own
accord and those acting on the instructions of, or under the
direction or control of a state.323 Self-defense can only be
exercised in the case of an armed attack committed by a state
which is either imminent or actual.324 More generally, the
functionalist approach echoes the logic of international spaces,
where strategic observation is allowed for the purpose of
guaranteeing peace and security.325 Some argue that the same
justification can be used in any case of espionage, regardless of the
international or non-international character of the space.326 During
the cold war, every effort was made to avoid a nuclear war,
therefore espionage, taken as a national technical means of
verification, was seen as a necessary sacrifice to ward off the more
serious risk of a nuclear war.327 “Reciprocal espionage” was the
counterpart of nuclear deterrence.328 No party could surprise the
other with an attack.329 Spying therefore was serving a “common
interest” function.330 The same idea seems to pour into current
foreign intelligence practices, not to ward off nuclear war, but the

320 See Mass Surveillance Isn’t the Answer to Fighting Terrorism, N.Y. TIMES (Feb.
28, 2017, 8:30 PM), https://www.nytimes.com/2015/11/18/opinion/mass-surveillance-
isnt-the-answer-to-fighting-terrorism.html?_r=0 [https://perma.cc/2HYG-EUHQ].
321 David Weissbrodt, Cyber–Conflict, Cyber–Crime, and Cyber–Espionage, 22
MINN. J. INT’L L. 347, 365 (2013).
322 See Sink & Strohm, supra note 266.
323 See Gill, supra note 308, at 227.
324 See Ziolkowski, General Principles of International Law as Applicable in
Cyberspace, in PEACETIME REGIME FOR STATE ACTIVITIES CYBERSPACE, supra note 77, at
437.
325 See id. at 438.
326 See id.
327 See Stone, supra note 123; see also Luke Pelican, Peacetime Cyber-Espionage:
A Dangerous but Necessary Game, 20 COMMLAW CONSPECTUS 363, 372–73 (2012).
328 See Stone, supra note 123, at 31.
329 See id. at 43.
330 See id. at 31, 41.

2017 FROM THE CUCKOO’S EGG TO GLOBAL SURVEILLANCE 987

threat of terrorism. The common argument is that it is necessary
for both national and global security purposes,331 much like during
the cold war. Yet, the threat of terrorism is incommensurate with
that of a nuclear war. Mass-scale foreign surveillance is also not
targeted at specific threat actors, as data is collected about volumes
of different individuals and entities. While reciprocal espionage
was a key aspect of nuclear deterrence in the Cold War, the
efficacy of global surveillance in preventing transnational crime
and terror attacks has yet to be established.332

VI. Conclusion
Espionage is neither legal nor illegal per se. Some espionage

will continue to be tolerable, especially in the legitimated yet
narrowly-tailored exercise of the inherent right to self-defense and
national technical means of verification. But cyber espionage,
depending on scale and context, is arguably more invasive and
coercive than conventional espionage ever was. Therefore, cyber
espionage that elicits or amounts to intervention is unlawful.

Whether international law is effective or not has no bearings
on whether or not espionage should, in some circumstances, be
illegal. Formulating the values of the international legal order has
to precede working on a strategy to enforce compliance. Values
and objectives need first to be clearly defined, if we are to
implement them at all. We cannot forsake the values on the
ground that they cannot be enforced. Values are not sufficient
conditions, but they certainly are necessary conditions to
influencing state behavior.

It is also important for states to have clarity as to what
standards they are being held against. We can no longer afford the
status quo as to the legality of espionage under international law.
To move away from uncertainty, states should be encouraged to
take cyber espionage matters to the International Court of Justice
for clarification, tangible sanctions, and potential damages. The
Ahmadou Sadio Diallo case, in which the International Court of
Justice awarded damages in a human rights case for the first time,
certainly created a welcome precedent in that respect.333 Bi- or

331 See Pelican, supra note 327, at 382.
332 See id.

333 Ahmadou Sadio Diallo (Republic of Guinea v. Democratic Republic of the
Congo), Compensation, Judgment, I.C.J. Reports 2012 at 324.

988 N.C. J. INT’L L. [Vol. XLII

multilateral agreements akin to the anti-spying treaties passed by
the United States and China,334 and which have shown substantial
success,335 could also be developed. An International Law
Commission working group should be called on to codify
customary law on espionage and cyber espionage, thereby paving
the way for a court decision or a global treaty on cyber espionage.

In the meantime, as governments begin to be more vocal
against other states’ spying activities, it is important to remember
that reciprocity is key to international law compliance. States
cannot continue to both condemn and carry out mass surveillance
programs. As United States Department of State Legal Advisor
Harold Koh said in 2012: “[i]f we succeed in promoting a culture
of compliance, we will reap the benefits. And if we earn a
reputation for compliance, the actions we do take will earn
enhanced legitimacy worldwide for their adherence to the rule of
law.”336 Action should be taken to restore trust for the sake of
maintaining international peace and security, as well as an open
internet. “Once trust is broken, the open, cooperative character of
our networks may be lost forever.”337 As the exponential
development of technology modifies our perception of reality and
international relations, it may be that, contrary to what Quincy
Wright wrote in 1962,338 wars are in fact made both in the minds of
men and in technological development.

334 Stephan Kravchenko, Russia More Prey Than Predator to Cyber Frim Wary of
China, BLOOMBERG TECH. (Feb. 28, 2017, 8:38 AM),
https://www.bloomberg.com/news/articles/2016-08-25/russia-more-prey-than-predator-
to-cyber-firm-wary-of-china [https://perma.cc/CT6W-LM9B]; Ellen Nakashima &
Steven Mufson, U.S., China Vow Not to Engage in Economic Cyberespionage, WASH.
POST (Feb. 28, 2017, 8:48 AM), https://www.washingtonpost.com/national/us-china-
vow-not-to-engage-in-economic-cyberespionage/2015/09/25/90e74b6a-63b9-11e5-8e9e-
dce8a2a2a679_story.html?utm_term=.d20536037139 [https://perma.cc/YP9J-L4VS].
335 Eva Galperin, The Year in Government Hacking: 2016 Review, ELEC. FRONTIER
FOUND. (Feb. 28, 2017, 8:54 AM), https://www.eff.org/deeplinks/2016/12/year-
government-hacking [https://perma.cc/2ADM-WCXU].
336 Brian J. Egan, Legal Adviser, Berkeley Law Sch., Remarks on International Law
and Stability in Cyberspace (Nov. 10, 2016), https://www.law.berkeley.edu/wp-
content/uploads/2016/12/egan-talk-transcript-111016.pdf [https://perma.cc/9RLW-
6YAS].
337 Healey, supra note 2, at 99.
338 See generally QUINCY WRIGHT, PREVENTING WORLD WAR III, SOME PROPOSALS
(1962) (referencing Quincy Wright’s collection written at the height of the Cold War on
topics including the arms race, reducing international tensions, and building a more
global society).
