International Law on the Use of Cyber Espionage

1. Introduction

International law on the use of cyber espionage has become one of the most complex and contested fields within contemporary public international law. Cyber espionage is now a routine instrument of state practice, carried out on a continuous basis by states against allies, competitors, and neutral actors. Despite this widespread practice, no comprehensive treaty governs espionage as such, and no international court has delivered a judgment devoted exclusively to cyber espionage. This regulatory silence has often been misinterpreted as evidence that cyber espionage exists outside the reach of international law. That interpretation is unsustainable. International law does regulate cyber espionage, but it does so indirectly, through general rules that constrain how states may conduct intelligence activities rather than prohibiting espionage as an activity in itself (Oppenheim, 1955; Tallinn Manual 2.0, 2017).

At its most basic level, cyber espionage consists of the covert acquisition of information through digital means, usually involving unauthorized access to computer systems, interception of communications, or persistent exploitation of software vulnerabilities. Espionage itself is not new. States have long relied on human intelligence, signals intelligence, and technical surveillance to obtain information relevant to national security and foreign policy (Shulman, 2018). What distinguishes cyber espionage is not its purpose, but its scale, speed, and intrusiveness. Cyber operations allow a single actor to penetrate systems located in multiple jurisdictions simultaneously, to extract massive volumes of data at negligible marginal cost, and to remain embedded within foreign networks for extended periods without detection. These features intensify long-standing legal concerns surrounding territorial sovereignty, jurisdiction, privacy, and the limits of permissible state conduct (Hernández, 2020).

The legal difficulty lies in the fact that espionage has historically occupied an ambiguous position in international law. Classical doctrine acknowledged the universality of espionage while emphasizing the absence of an explicit prohibition under international law (Grotius, 1625; Oppenheim, 1955). States consistently criminalized espionage under domestic law, yet rarely asserted that espionage conducted by foreign states was internationally unlawful as such. This ambivalence continues in the cyber domain. State practice demonstrates extensive engagement in cyber espionage, but official statements often avoid clear claims of legality or illegality, relying instead on strategic silence. Such silence cannot be equated with permissive customary law. In international law, the absence of a specific prohibition does not amount to legal authorization, particularly where conduct implicates fundamental principles such as sovereignty or non-intervention (Hernández, 2020).

The contemporary legal framework governing cyber operations rests on a widely accepted premise: international law applies to state conduct in cyberspace. This position has been repeatedly affirmed in United Nations processes and is reflected in the official views of an increasing number of states (United Nations General Assembly, 2015; United Nations General Assembly, 2021). The point of contention is not applicability, but interpretation. States disagree on whether sovereignty operates as an independent rule capable of direct violation by cyber operations, on the threshold at which cyber intrusions become legally significant, and on how principles developed in a physical environment should be applied to digital infrastructure (Schmitt, 2017; Watts, 2021).

Cyber espionage exposes these disagreements with particular clarity because it is typically designed to avoid physical damage and overt disruption. Traditional indicators of illegality, such as property destruction or direct coercion, are often absent. Yet the absence of physical harm does not render cyber espionage legally irrelevant. Unauthorized penetration of systems located on foreign territory, interference with core governmental functions, interception of protected diplomatic communications, or large-scale extraction of personal data may all engage international legal obligations, even when conducted covertly and without immediate observable effects (Tallinn Manual 2.0, 2017; Lubin, 2019).

This article approaches cyber espionage through the lens of general international law rather than treating it as a novel or exceptional phenomenon. International law regulates conduct, not labels. Describing an operation as “espionage” does not shield it from legal scrutiny, just as framing it as “intelligence gathering” does not resolve questions of sovereignty, intervention, or responsibility. The decisive issue is how specific acts—such as unauthorized access, persistence within foreign systems, data exfiltration, and subsequent use of acquired information—interact with established legal rules (Hernández, 2020).

The analysis that follows aims to clarify when cyber espionage remains within the bounds of legally tolerated state practice, when it crosses into internationally wrongful conduct, and why a significant number of operations occupy a legally contested intermediate space. Rather than assuming a legal vacuum, the article demonstrates that international law already provides a structured, albeit imperfect, framework for assessing cyber espionage. That framework is fragmented, context-dependent, and shaped by competing state interpretations, but it is neither absent nor irrelevant.

2. Cyber espionage as a legally relevant activity

2.1 Functional definition for international law purposes

For the purposes of international law, cyber espionage is best defined in functional rather than descriptive or political terms. At its core, cyber espionage consists of the covert acquisition of information through digital means, carried out by or on behalf of a state, without the consent of the territorial or data-controlling state. Two elements are decisive for legal analysis: purpose and means.

The purpose of cyber espionage is information acquisition. The information sought may relate to national security, military capabilities, diplomatic positions, economic strategy, technological research, or political decision-making. The subject matter of the information does not determine legality by itself. International law has never drawn distinctions between “legitimate” and “illegitimate” intelligence objectives at the level of purpose alone (Oppenheim, 1955; Dinstein, 2017). What matters is how that information is obtained.

The means employed in cyber espionage typically involve covert cyber intrusion. This may include unauthorized access to computer systems, exploitation of software vulnerabilities, deployment of malware for persistent access, interception of data in transit, or manipulation of authentication credentials. These acts are technically intrusive even when they produce no immediate physical damage or functional disruption. From a legal perspective, this technical intrusiveness is central, because it is the means—rather than the intelligence objective—that potentially engages rules on sovereignty, jurisdiction, diplomatic inviolability, and human rights (Schmitt, 2017; Hernández, 2020).

It is important to distinguish this legal definition from political, strategic, or intelligence-community definitions. Intelligence services often define espionage broadly as any activity aimed at reducing uncertainty for decision-makers. Such definitions are operationally useful but legally imprecise. International law does not regulate uncertainty reduction; it regulates conduct attributable to states. A functional legal definition, therefore, focuses on identifiable acts that can be assessed against established legal norms, regardless of how intelligence agencies internally categorize their operations.

2.2 Espionage versus cyber attack and cybercrime

Cyber espionage must be clearly distinguished from both cyber attacks under international security law and cybercrime under international criminal cooperation regimes. These distinctions are essential to avoid analytical errors that inflate or understate the legal consequences of cyber operations.

Cyber espionage usually falls below the thresholds associated with the use of force or armed attack under the United Nations Charter. Most cyber espionage operations are designed to avoid physical damage, injury, or destruction. They do not degrade infrastructure functionality in a way comparable to kinetic force, nor do they typically produce consequences of a scale and gravity that would justify self-defence claims (Dinstein, 2017; Schmitt, 2017). Even large-scale data exfiltration or long-term system infiltration generally lacks the material effects required to trigger Article 2(4) or Article 51 of the Charter.

This does not mean that cyber espionage is legally insignificant. It means that its regulation occurs primarily through non-forcible rules of international law, including sovereignty, non-intervention, diplomatic law, state responsibility, and international human rights law. Confusing cyber espionage with cyber attacks risks misapplying legal frameworks designed for armed conflict to conduct that remains below that threshold.

Cyber espionage must also be distinguished from cybercrime. Cybercrime regimes, including transnational cooperation frameworks and domestic criminal law, are primarily concerned with individual criminal liability and law enforcement cooperation. Cyber espionage, in contrast, is typically a state-attributable activity carried out by intelligence services or actors acting under state direction or control (Hernández, 2020). The decisive legal questions are attribution, breach of international obligations, and inter-state responsibility, not extradition or mutual legal assistance. Treating cyber espionage as cybercrime obscures the fact that states are not subject to criminal jurisdiction in the same manner as individuals and that international law evaluates their conduct through different mechanisms.

Attribution and intent play a central role in distinguishing these categories. Cyber espionage presupposes state involvement or attribution, even if indirect or covert. The intent is intelligence collection rather than disruption or coercion. When attribution cannot be established, legal responsibility at the international level becomes difficult to engage, even if technical indicators suggest sophisticated state-level capabilities (Tallinn Manual 2.0, 2017).

2.3 Why international law assesses acts, not labels

A foundational principle of international law is that legality is determined by conduct, not by the labels attached to that conduct. This principle is particularly important in the context of espionage, where states have strong incentives to rely on euphemistic or strategic terminology.

International law does not contain a general category of “espionage” that is either permitted or prohibited. Instead, it regulates specific acts such as unauthorized entry into territory, interference with governmental functions, interception of protected communications, and violations of individual rights. The same act may be lawful or unlawful depending on context, effects, consent, and applicable legal regimes (Hernández, 2020).

Describing an operation as espionage does not immunize it from legal scrutiny. Unauthorized cyber intrusion into systems located on another state’s territory may still implicate territorial sovereignty, even if the sole objective is information gathering. Interception of diplomatic communications remains subject to the rules of diplomatic inviolability, regardless of whether it is framed as intelligence collection. Large-scale surveillance affecting individuals may engage international human rights obligations, even when justified by national security rationales (Lubin, 2019).

This act-based approach explains why cyber espionage occupies a legally contested space rather than a legal void. Some acts associated with cyber espionage may remain within the bounds of tolerated state practice due to limited effects or evidentiary constraints. Others may cross clearly defined legal lines. The absence of a general prohibition does not suspend the operation of existing rules. It simply requires that each operation be assessed through the cumulative application of those rules, rather than through a single, activity-specific norm.

By focusing on conduct rather than labels, international law preserves analytical coherence while acknowledging the realities of intelligence practice. Cyber espionage is therefore legally relevant not because of its name, but because of what states actually do when they engage in it.

3. The absence of a general prohibition on espionage

3.1 Historical treatment of espionage in international law

Espionage has long been acknowledged as a persistent feature of relations between states, yet it has never been regulated through a comprehensive prohibition under international law. Classical publicists treated espionage as an inevitable, if disfavoured, practice of statecraft. Grotius accepted the reality of intelligence gathering in wartime and peacetime alike, while emphasizing that spies captured on foreign territory could be punished under domestic law without engaging international responsibility (Grotius, 1625). Later writers followed a similar line. Oppenheim described espionage as neither expressly permitted nor prohibited by international law, noting that its regulation was largely left to municipal legal systems (Oppenheim, 1955).

This classical tolerance was pragmatic rather than normative. Espionage was not endorsed as lawful conduct; it was simply not subjected to comprehensive international regulation. States criminalized espionage domestically, expelled or prosecuted foreign agents, and accepted reciprocal exposure to intelligence activities as a fact of international life. The absence of treaty-based rules reflected the difficulty of regulating an activity defined by secrecy and denial rather than a belief that espionage was legally neutral.

It is therefore essential to distinguish non-regulation from legal permission. International law often refrains from codifying prohibitions where enforcement is structurally difficult or politically sensitive. Silence may indicate regulatory restraint rather than approval. Espionage illustrates this pattern. The lack of an explicit prohibition does not entail that all acts associated with espionage are lawful. Instead, it means that espionage has historically been assessed through the application of general rules, such as sovereignty, jurisdiction, and diplomatic law, rather than through an activity-specific legal regime (Hernández, 2020).

3.2 Espionage and customary international law

The question whether customary international law permits espionage as such requires careful separation of state practice and opinio juris. State practice clearly demonstrates that espionage is widespread and persistent. States across regions and political systems engage in intelligence gathering, including cyber-enabled intelligence operations, on a routine basis. This practice is rarely denied in abstract terms, even if specific operations are disavowed.

What is missing, however, is consistent evidence that states regard espionage as lawful as a matter of legal obligation. Official statements seldom assert a legal right to conduct espionage on foreign territory. When espionage is exposed, the typical responses are diplomatic protests, expulsions, criminal prosecutions, or countermeasures, rather than acknowledgements of lawful conduct. This pattern undermines claims that a permissive customary rule has crystallized (Hernández, 2020; Watts, 2021).

Strategic silence plays a central role in this dynamic. States benefit from ambiguity. Explicitly asserting that espionage is lawful would weaken their ability to object when they are targeted. As a result, opinio juris remains under-articulated. Silence, however, cannot be equated with acceptance of legality. In customary international law, tolerance driven by reciprocity, evidentiary constraints, or political prudence does not substitute for a belief that conduct is legally permitted (International Law Commission, 2018).

The prevailing doctrinal position is therefore negative rather than permissive: there is no rule of customary international law prohibiting espionage as a general category, but neither is there a rule affirmatively authorizing it. Espionage exists in a space where legality depends on the compatibility of specific acts with existing primary obligations.

3.3 Cyber operations and the rejection of legal exceptionalism

The emergence of cyber operations has not altered this structural position. Claims that cyberspace constitutes a legally exceptional domain, insulated from general international law, have been widely rejected. States and international bodies have repeatedly affirmed that international law applies to state conduct in cyberspace in the same manner as it applies in other domains (United Nations General Assembly, 2015; United Nations General Assembly, 2021).

Cyber espionage does not create a new category of legally unregulated behaviour. Instead, it raises familiar questions in unfamiliar technical contexts. Unauthorized access to foreign systems engages rules on territorial sovereignty and jurisdiction. Interference with governmental networks implicates the legal protection of state functions. Operations attributable to a state are subject to the law of state responsibility, regardless of the technological means employed (Tallinn Manual 2.0, 2017).

Rejecting legal exceptionalism does not require analogical rigidity. Cyber operations differ from physical intrusions in important respects, particularly in their intangibility and transboundary character. These differences complicate the application, but they do not suspend legal regulation. International law has long addressed activities that transcend territorial borders, including transboundary pollution, satellite operations, and radio communications. Cyber espionage fits within this broader pattern of conduct regulated through general principles rather than domain-specific prohibitions.

The absence of a general prohibition on espionage therefore persists in the cyber context, but it persists within a framework that subjects cyber operations to existing rules on jurisdiction, attribution, and responsibility. Cyber espionage is not legally invisible. Its regulation is indirect, fragmented, and contested, but it remains firmly anchored in the general structure of public international law.

4. Sovereignty and cyber espionage

4.1 Sovereignty as a binding rule in cyberspace

Sovereignty remains a foundational rule of public international law and operates as a primary legal constraint on state conduct, including conduct carried out through cyber means. In its classical formulation, sovereignty denotes a state’s exclusive authority over its territory, population, and governmental functions, combined with a correlative duty on other states to refrain from interference (Island of Palmas Arbitration, 1928; Shaw, 2017). Nothing in the structure or sources of international law suggests that this rule ceases to apply when conduct is executed through digital infrastructure rather than physical presence.

In the cyber context, sovereignty performs two related legal functions. First, it establishes territorial authority over cyber infrastructure physically located within a state’s territory, such as servers, data centres, and network hardware. Second, it protects the exercise of inherently governmental functions carried out through digital systems, even when those systems rely on transnational data flows (Hernández, 2020). These dimensions are doctrinally grounded in general international law and do not depend on the emergence of new cyber-specific norms.

States have expressed divergent views on how sovereignty operates in cyberspace. Some states regard sovereignty as an independent rule whose breach may arise directly from unauthorized cyber operations conducted on or through their territory. Others describe sovereignty primarily as a principle that informs the interpretation of more specific prohibitions, such as non-intervention or the use of force. Despite these differences in articulation, both positions accept sovereignty as legally relevant. The disagreement concerns threshold and consequence, not applicability (Tallinn Manual 2.0, 2017; Watts, 2021).

From a doctrinal perspective, sovereignty has long functioned as a rule capable of direct violation. International jurisprudence has treated unauthorized incursions, exercises of authority, and interference with territorial integrity as breaches of sovereignty irrespective of accompanying coercion or force (Island of Palmas Arbitration, 1928; Corfu Channel Case, 1949). Translating this logic to cyberspace requires careful attention to the nature of cyber intrusions, but it does not require abandonment of sovereignty as a binding rule.

4.2 Unauthorized cyber intrusion and territorial integrity

A central question in the law of cyber espionage is whether non-consensual penetration of computer systems located within another state’s territory constitutes a violation of sovereignty. Cyber espionage operations frequently involve precisely such penetration, even when no physical damage or service disruption occurs.

Analogies to physical intrusion provide an initial point of reference. In traditional doctrine, unauthorized entry by state agents into foreign territory, even if covert and temporary, has been treated as a violation of territorial sovereignty (Shaw, 2017). Cyber intrusions differ in form, but they share a key feature: the exercise of control over infrastructure situated within the territorial domain of another state. Malware implantation, persistence mechanisms, and remote command-and-control activities enable a foreign actor to operate within domestic systems without consent. This functional presence challenges the exclusivity that sovereignty is designed to protect (Hernández, 2020).

Critics of this analogy argue that cyber intrusions lack physicality and therefore should not be equated with territorial incursions. According to this view, sovereignty should only be engaged when cyber operations produce tangible effects, such as physical damage or loss of system functionality. Pure access or data extraction, without observable harm, would fall outside the scope of sovereign violation. This position draws support from concerns about over-expansion of sovereignty and the practical realities of ubiquitous cyber interactions (Schmitt, 2017).

The difficulty with a purely physical or harm-based approach is that it fails to account for how modern governance and authority are exercised. Digital systems are integral to state administration, defense, and diplomacy. Unauthorized penetration of these systems enables a foreign state to undermine control, confidentiality, and decision-making autonomy without leaving physical traces. From a legal standpoint, the absence of kinetic damage does not negate the intrusion into a protected domain of authority (Hernández, 2020).

4.3 Effects-based versus intrusion-based approaches

Two principal approaches have emerged to assess when cyber espionage violates sovereignty: effects-based tests and intrusion-based tests. Each reflects different assumptions about how sovereignty operates in a digital environment.

Effects-based approaches focus on consequences. Under this model, a sovereignty violation arises only when cyber operations cause physical damage, loss of functionality, or other significant effects comparable to those produced by traditional intrusions. This test offers clarity and limits legal exposure for routine cyber activities, but it risks under-protecting core sovereign interests in situations where harm is intangible yet substantial. Persistent access to sensitive systems, long-term extraction of classified information, and manipulation of confidential data may all evade legal qualification despite their strategic impact (Schmitt, 2017).

Intrusion-based approaches emphasize unauthorized access and control rather than material harm. Under this view, sovereignty is breached when a state conducts cyber operations that penetrate systems within another state’s territory without consent, particularly when those operations involve persistence or manipulation. This approach aligns more closely with classical understandings of territorial authority, where the act of intrusion itself carries legal significance (Hernández, 2020).

Each test has weaknesses. Effects-based approaches struggle to capture the realities of cyber espionage, where the most serious consequences are often informational rather than physical. Intrusion-based approaches raise concerns about breadth, potentially capturing benign or incidental cross-border cyber interactions. A balanced doctrinal analysis suggests that not every unauthorized digital interaction triggers a sovereignty violation, but that deliberate, state-attributable intrusions designed to extract protected information present a qualitatively different case from incidental data flows.

4.4 Governmental systems and inherently sovereign functions

Cyber espionage directed at governmental systems raises sovereignty concerns with particular force. International law has long recognized that certain functions lie at the core of state authority, including national defense, foreign relations, administration of justice, and internal security. Digital systems supporting these functions are not merely technical assets; they are instruments through which sovereign power is exercised.

Intrusions into networks of ministries, courts, electoral bodies, or defense establishments undermine a state’s ability to exercise exclusive authority over its internal affairs. Even when cyber espionage is limited to information gathering, access to internal deliberations, classified assessments, or judicial communications compromises institutional autonomy and decision-making integrity. This type of interference engages sovereignty more directly than espionage targeting purely commercial or private infrastructure (Hernández, 2020; Tallinn Manual 2.0, 2017).

The heightened legal gravity of such operations stems from the nature of the interests affected rather than the scale of technical damage. Penetration of defense networks or judicial databases does not need to disable systems to undermine sovereign authority. Control over information central to governmental functions allows a foreign state to shape strategic environments in ways that international law has traditionally sought to restrain.

Cyber espionage against core state institutions, therefore, occupies the strongest case for sovereignty violation within existing doctrine. While international law has not articulated a bright-line rule applicable to all cyber intrusions, operations targeting inherently sovereign functions sit closest to the heart of territorial authority and provide the clearest illustration of how sovereignty constrains cyber espionage under contemporary international law.

5. Cyber espionage and the principle of non-intervention

5.1 The coercion requirement in international law

The principle of non-intervention occupies a central place in the regulation of inter-state conduct and provides one of the most important legal constraints on cyber operations. Rooted in customary international law and reflected in United Nations practice, the principle prohibits states from intervening in matters that fall within the domaine réservé of another state, provided that such intervention is coercive in nature (Nicaragua v United States, 1986; Shaw, 2017).

Coercion is the decisive legal element. International law does not prohibit all forms of influence, pressure, or persuasion between states. Diplomatic engagement, economic incentives, public messaging, and intelligence collection all shape state behaviour without necessarily violating the non-intervention rule. For an intervention to be unlawful, the conduct must be designed to deprive the target state of its freedom of choice in relation to matters reserved to its sovereign authority, such as political system, foreign policy, or internal governance (Nicaragua v United States, 1986).

Cyber espionage, when limited to the covert acquisition of information, rarely satisfies this requirement. Information gathering, even when intrusive or unfriendly, does not by itself compel a state to act in a particular way. Intelligence collection enhances the strategic position of the collecting state but leaves the target state legally free to determine its own policies. For this reason, most cyber espionage operations do not qualify as unlawful intervention under customary international law, even when they raise serious concerns under other legal principles such as sovereignty or human rights (Hernández, 2020; Tallinn Manual 2.0, 2017).

This distinction explains why non-intervention has a narrower reach than sovereignty in the cyber context. While unauthorized cyber intrusion may implicate territorial authority, non-intervention is engaged only when cyber operations cross the higher threshold of coercion. Treating espionage as intervention without evidence of coercive intent or effect would collapse this doctrinal distinction and extend the principle beyond its established contours.

5.2 Espionage combined with coercive leverage

Cyber espionage may nonetheless violate the principle of non-intervention when it is combined with coercive leverage. The decisive factor is not the act of data theft itself, but the use of stolen information as a means of compulsion. When intelligence collection is operationalized to constrain a state’s decision-making autonomy, the legal character of the conduct changes.

Such situations arise when a state uses unlawfully obtained data to threaten disclosure, impose conditional demands, or otherwise force compliance with its preferences. Examples include blackmail of political leaders, threats to release confidential diplomatic communications unless policy changes are made, or leveraging sensitive economic data to compel regulatory or strategic concessions. In these scenarios, cyber espionage becomes part of a broader coercive strategy rather than a stand-alone intelligence activity (Hernández, 2020).

A doctrinal test for cyber-enabled coercion may be articulated along three cumulative elements. First, there must be intent to compel, demonstrated by demands or threats directed at the target state. Second, the conduct must produce or be designed to produce constraint on free choice, meaning that refusal would entail serious adverse consequences. Third, the subject matter must fall within the target state’s domaine réservé, such as political leadership, constitutional order, or core policy decisions. Absent these elements, the conduct remains influence rather than intervention.

This framework preserves the integrity of the non-intervention principle while accommodating the realities of cyber-enabled statecraft. It avoids treating all intelligence exploitation as unlawful while providing a clear basis for identifying when cyber espionage crosses a legal boundary.

5.3 Electoral processes and political independence

Cyber espionage targeting electoral processes and political institutions has generated particular concern and illustrates the difficulty of distinguishing unlawful intervention from non-prohibited influence. Elections lie at the heart of political independence and clearly fall within the domaine réservé of states. The legal question is not whether cyber activities affect elections, but whether they do so through coercive means.

Espionage operations aimed at collecting information about electoral strategies, party communications, or voting infrastructure do not automatically amount to unlawful intervention. Information gathering alone, even when directed at sensitive political processes, does not compel a state or its population to adopt a particular political outcome. From the standpoint of the non-intervention principle, such operations resemble traditional diplomatic or intelligence activities long practiced by states (Tallinn Manual 2.0, 2017).

The legal assessment changes when espionage is coupled with actions designed to force political outcomes. The use of stolen electoral data to intimidate candidates, manipulate institutional decision-making, or impose threats against electoral authorities may satisfy the coercion requirement. The decisive issue remains whether the operation removes or substantially constrains political choice, not whether it merely seeks to influence opinions or preferences.

International law has consistently distinguished interference, which may be unfriendly or illegitimate politically, from intervention, which is unlawful only when coercive. Lawful persuasion, public advocacy, and even deceptive messaging may raise serious normative concerns but do not fall within the prohibition unless accompanied by compulsion (Nicaragua v United States, 1986; Shaw, 2017).

Cyber espionage directed at elections, therefore, occupies a legally sensitive but carefully delimited space. It engages the principle of non-intervention only when intelligence collection becomes an instrument of coercion against political independence. This narrow construction reflects the balance international law strikes between protecting sovereign choice and accommodating the persistent realities of inter-state influence and intelligence competition.

6. Due diligence and cyber espionage infrastructure

6.1 The due diligence obligation in cyberspace

Due diligence is a well-established obligation of general international law requiring states to ensure that activities within their territory or under their control do not cause serious harm to the rights of other states. It is an obligation of conduct, not of result. A state is not required to guarantee that no harmful acts originate from its territory, but it must exercise reasonable efforts, within its capacity, to prevent or halt activities that it knows, or should have known, would cause significant adverse effects to other states (Corfu Channel Case, 1949; International Law Commission, 2001).

In the cyber context, due diligence applies to cyber operations that originate from, or are routed through, infrastructure located on a state’s territory when those operations produce legally relevant harm abroad. The obligation does not depend on whether the harmful cyber operation is carried out by state organs or private actors. Its focus lies on territorial control and knowledge, not attribution of the underlying conduct (Tallinn Manual 2.0, 2017).

Applied to cyber espionage, due diligence does not prohibit intelligence activities as such. Instead, it requires states to take reasonable measures when cyber operations emanating from their territory are used to cause serious harm to other states’ rights. This may include situations where cyber espionage infrastructure is knowingly used to facilitate intrusions into foreign governmental systems or to support persistent operations that undermine sovereign functions (Hernández, 2020).

The threshold for triggering due diligence remains high. International law has traditionally limited the obligation to situations involving significant adverse effects. Minor or speculative harm does not suffice. This threshold serves an important systemic function by preventing due diligence from becoming an unbounded obligation to monitor all cyber activity within national networks.

6.2 Hosting, routing, and indirect facilitation of espionage

Cyber espionage frequently relies on globally distributed infrastructure. Operations may be launched from compromised servers, cloud services, or routing nodes located in third states with no direct interest in the operation. This raises the question of whether states incur responsibility for tolerating the use of their infrastructure as platforms for cyber espionage.

Due diligence does not impose strict liability for the mere presence of malicious cyber activity on national infrastructure. States are not responsible simply because cyber espionage traffic passes through their territory. Modern internet architecture depends on constant transboundary routing, much of which is automated and opaque even to network operators (Schmitt, 2017).

Responsibility may arise, however, when a state has actual or constructive knowledge that infrastructure under its jurisdiction is being used to support cyber operations causing serious harm to another state and fails to take reasonable steps to address that situation. In the cyber espionage context, this could include circumstances where servers are knowingly used as command-and-control nodes for persistent intrusions into foreign governmental networks, and where the territorial state has the technical and legal capacity to intervene but chooses not to act (Tallinn Manual 2.0, 2017).

Evidentiary and capacity limitations significantly constrain the operation of due diligence. Cyber operations are often concealed through anonymization techniques, botnets, and layered routing. States may lack reliable information about the nature or destination of traffic, particularly where infrastructure is privately owned or operated. Due diligence requires reasonable efforts in light of available capabilities, not omniscience or technological perfection (International Law Commission, 2001).

These limitations explain why due diligence functions as a contextual and fact-sensitive obligation rather than a broad duty to police cyberspace. The standard remains one of reasonableness, assessed in light of the state’s knowledge, resources, and regulatory reach.

6.3 Limits of due diligence in intelligence contexts

The due diligence obligation has clear limits in the context of intelligence activities. International law does not require states to prevent or suppress all intelligence operations conducted from their territory, nor does it impose a duty of intelligence self-policing. Espionage, including cyber espionage, has long been treated as a domain where states tolerate a degree of reciprocal risk and uncertainty (Oppenheim, 1955; Hernández, 2020).

A crucial distinction must be drawn between negligence and tolerated intelligence activity. Negligence arises when a state fails to act despite knowledge that cyber operations from its territory are causing serious harm to another state’s legally protected interests and when it possesses the means to mitigate that harm. Tolerated intelligence activity, by contrast, reflects political or strategic decisions to accept the presence of foreign intelligence operations without endorsing them as lawful. International law does not equate such tolerance with breach of due diligence unless the harm threshold and knowledge requirements are met.

Extending due diligence too far into intelligence contexts would create unrealistic expectations and destabilize the balance of rights and obligations between states. Intelligence activities are inherently covert, often indistinguishable from legitimate cyber traffic, and frequently conducted by highly capable actors beyond the effective control of territorial authorities. Imposing an obligation to eliminate all intelligence-related cyber activity would transform due diligence into a de facto prohibition on espionage, a result unsupported by state practice or opinio juris.

The role of due diligence in relation to cyber espionage is, therefore, limited but meaningful. It operates as a constraint on knowingly tolerated infrastructure-based harm, not as a comprehensive regulatory regime for intelligence activities. Within these limits, due diligence reinforces the principle that territorial control carries responsibilities, while preserving the structural realities that have long shaped the law of espionage.

7. State responsibility for cyber espionage

7.1 Attribution of cyber espionage operations

State responsibility for cyber espionage depends first on attribution. Under general international law, a cyber operation is attributable to a state when it is carried out by state organs, including intelligence agencies, or by non-state actors acting on the state’s instructions, direction, or control (International Law Commission, 2001). These rules apply without modification in cyberspace.

Cyber espionage operations conducted by military intelligence units, civilian intelligence services, or other state security bodies are attributable to the state as acts of its organs. Formal secrecy, deniability, or the absence of official acknowledgment does not affect attribution. International law assesses objective control and institutional status rather than public admission (Tallinn Manual 2.0, 2017).

More complex issues arise when cyber espionage is carried out through proxies, contractors, or loosely affiliated hacker groups. Attribution in such cases depends on the degree of control exercised by the state. Where a state directs, instructs, or exercises effective control over the specific operation, attribution follows. General political sympathy, shared objectives, or passive tolerance is insufficient (Nicaragua v United States, 1986; International Law Commission, 2001).

Technical attribution gaps complicate the evidentiary process but do not alter the legal standard. Cyber operations are often masked through anonymization, false flags, or third-state infrastructure. These techniques make proof difficult but do not create a separate attribution regime. Plausible deniability is a strategic condition, not a legal doctrine. Once sufficient evidence establishes state involvement, the ordinary rules of state responsibility apply, regardless of the technical complexity involved (Hernández, 2020).

7.2 Breach, wrongfulness, and legal consequences

Attribution alone does not establish international responsibility. Responsibility arises only when the attributable cyber espionage operation breaches an international obligation in force for the state. As previously discussed, espionage is not prohibited as such. Wrongfulness, therefore, depends on whether specific acts associated with cyber espionage violate rules relating to sovereignty, non-intervention, diplomatic law, human rights, or other applicable obligations (International Law Commission, 2001).

Examples of wrongful cyber espionage include unauthorized penetration of governmental systems that violate territorial sovereignty, interception of diplomatic communications contrary to diplomatic inviolability, or large-scale surveillance breaching international human rights obligations. In each case, wrongfulness derives from the violated rule, not from the espionage character of the activity.

Once an internationally wrongful act is established, legal consequences follow. The responsible state is under an obligation to cease the wrongful conduct and to offer appropriate assurances and guarantees of non-repetition where circumstances warrant (International Law Commission, 2001). The injured state is also entitled to reparation, which may take the form of restitution, compensation, or satisfaction, depending on the nature of the injury. In cyber espionage cases, restitution is often impracticable, as data once accessed cannot be returned to its prior confidential state. Compensation may likewise be difficult to quantify where harm is strategic or informational rather than material. Satisfaction, including acknowledgment of breach or diplomatic apology, may therefore play a more prominent role.

7.3 Countermeasures in response to cyber espionage

When cyber espionage constitutes an internationally wrongful act, the injured state may resort to countermeasures, provided that the strict conditions established under the law of state responsibility are met. Countermeasures are otherwise unlawful acts taken in response to a prior breach, aimed at inducing compliance rather than punishment (International Law Commission, 2001).

In the cyber context, lawful countermeasures may include proportionate cyber operations that interfere with the responsible state’s systems, suspension of international obligations owed to that state, or other non-forcible responses. Countermeasures must remain below the threshold of the use of force and must not violate peremptory norms or fundamental human rights obligations (Tallinn Manual 2.0, 2017).

Necessity and proportionality are central constraints. Countermeasures must be directed at inducing cessation and reparation, not at retaliation or escalation. The injured state must, where feasible, call upon the responsible state to cease the wrongful conduct before acting. Proportionality requires that the scale and effects of the countermeasure bear a reasonable relationship to the injury suffered, a requirement that is particularly challenging to assess where harm is informational or strategic rather than physical (Hernández, 2020).

The secrecy surrounding cyber espionage further complicates the use of countermeasures. Public attribution may be politically costly or strategically undesirable, yet countermeasures traditionally presuppose some level of communicative clarity between states. These practical difficulties do not negate the availability of countermeasures as a matter of law, but they help explain why states often rely on retorsion or silent reciprocal practices rather than formal invocation of responsibility.

State responsibility thus provides a coherent, if imperfect, legal framework for addressing cyber espionage. It reinforces the principle that covert conduct is not legally immune, while accommodating the evidentiary and strategic realities that shape contemporary cyber operations.

8. Diplomatic law and cyber espionage

8.1 Diplomatic missions and cyber activities

Diplomatic law provides one of the clearest and most established legal constraints on espionage, including cyber-enabled espionage. The Vienna Convention on Diplomatic Relations codifies a balance between the functional necessity of diplomatic missions and the sovereign rights of the receiving state. While diplomatic practice has always involved intelligence collection, the Convention imposes strict limits on how diplomatic privileges may be exercised (Vienna Convention on Diplomatic Relations, 1961).

Cyber activities conducted from or through diplomatic missions fall squarely within this framework. Diplomatic premises are inviolable, but they remain subject to the obligation to respect the laws and regulations of the receiving state and the duty not to interfere in its internal affairs. The use of embassy networks, diplomatic communications infrastructure, or privileged access to local networks to conduct cyber espionage raises acute legal concerns because it exploits protections granted for diplomatic functions rather than intelligence operations (Denza, 2016).

The abuse of diplomatic privileges through cyber means occurs when diplomatic premises or immunities are used as platforms for covert cyber intrusions into the receiving state’s systems. Unlike traditional intelligence observation or reporting, cyber operations conducted from diplomatic missions may involve direct technical penetration of governmental or private networks. Such conduct exceeds what can plausibly be justified as incidental to diplomatic functions and may constitute a breach of the Convention, even if it does not involve physical misuse of the premises (Hernández, 2020).

The legal consequences of such abuse do not depend on whether cyber espionage is tolerated as a political reality. Diplomatic law operates independently of broader debates about the legality of espionage. Where cyber activities amount to interference in internal affairs or misuse of privileges, the receiving state is entitled to respond through remedies provided by diplomatic law, including declaration of persona non grata, restriction of mission activities, or, in serious cases, severance of diplomatic relations (Denza, 2016).

8.2 Inviolability of diplomatic communications

The inviolability of diplomatic communications constitutes a core element of diplomatic law and has direct relevance to cyber espionage. Diplomatic correspondence, archives, and communications are protected from interception, monitoring, and interference by the receiving state and third states alike. This protection extends to modern forms of communication used for official diplomatic purposes, including encrypted digital communications transmitted over public or private networks (Vienna Convention on Diplomatic Relations, 1961).

Cyber interception of diplomatic data, such as hacking embassy servers, compromising secure email systems, or infiltrating encrypted communication channels, engages this rule directly. Unlike general intelligence collection, interception of diplomatic communications strikes at the institutional guarantees that enable peaceful inter-state relations. International law treats such conduct as a serious violation regardless of whether the interception produces immediate political consequences (Denza, 2016).

The legal consequences of violating the inviolability of diplomatic communications arise under both diplomatic law and the general law of state responsibility. The responsible state is under an obligation to cease the unlawful conduct and to provide assurances of non-repetition. The injured state may seek satisfaction through diplomatic protest, formal acknowledgment of breach, or other appropriate means. In cases involving systematic or egregious violations, countermeasures consistent with international law may also be available (International Law Commission, 2001).

Cyber espionage has intensified long-standing tensions between intelligence practice and diplomatic protection, but it has not altered the legal baseline. Diplomatic communications enjoy heightened protection precisely because of their role in maintaining stable relations between states. Cyber techniques do not dilute this protection; they heighten the need to reaffirm it. As a result, diplomatic law remains one of the most robust legal limits on cyber espionage under contemporary international law.

9. International human rights law constraints

9.1 Extraterritorial surveillance and jurisdiction

International human rights law imposes substantive limits on cyber espionage when intelligence activities fall within a state’s jurisdiction for the purposes of human rights obligations. Jurisdiction is not confined to territorial boundaries. International jurisprudence and treaty interpretation have established that human rights obligations may arise extraterritorially when a state exercises effective control over persons, objects, or relevant aspects of their rights (Human Rights Committee, 2004; Al-Skeini v United Kingdom, 2011).

In the cyber context, jurisdiction may be triggered when a state exercises control over data, communications, or digital infrastructure in a manner that directly affects the enjoyment of protected rights. Cyber espionage operations that intercept, collect, store, or analyse personal data can bring individuals within the acting state’s jurisdiction even if those individuals are located abroad. Control over information, rather than physical presence, becomes the decisive factor (Milanovic, 2016).

This approach reflects the functional nature of jurisdiction under human rights law. Where a state has the technical capacity to access, retain, and exploit personal communications, it exercises power capable of engaging human rights protections. The covert character of cyber espionage does not negate this control. Human rights obligations attach to the exercise of authority, not to the visibility of the act (Human Rights Committee, 2014).

At the same time, jurisdiction is not triggered by every transboundary data interaction. Incidental or automated routing of data through foreign infrastructure does not amount to effective control. The decisive element is deliberate access or interception attributable to state organs and directed at identifiable data subjects. This threshold preserves the balance between protecting rights and avoiding an unbounded extension of extraterritorial obligations.

9.2 Privacy, correspondence, and proportionality

The right to privacy and the protection of correspondence form the core human rights constraints on cyber espionage. These rights are protected under international instruments and extend to communications and personal data, irrespective of the medium used. Cyber espionage operations that intercept emails, messages, metadata, or stored digital content, therefore, constitute interferences with protected rights (Human Rights Committee, 2014).

Such interferences are not prohibited in absolute terms. International human rights law permits limitations when they are prescribed by law and pursue legitimate aims, including national security. The decisive legal requirements are necessity and proportionality. Surveillance measures must be strictly required to achieve a legitimate objective and must be proportionate in scope, duration, and intensity to that objective (European Court of Human Rights, 2015).

Bulk cyber surveillance presents particular difficulties under this framework. Large-scale collection of data without individualized suspicion risks exceeding what is strictly necessary for national security purposes. Even when intelligence objectives are legitimate, indiscriminate data collection weakens the proportionality analysis because it captures information unrelated to specific threats and affects large populations without differentiation (Human Rights Committee, 2014; Milanovic, 2016).

National security justifications do not dispense with these requirements. International human rights bodies have repeatedly emphasized that security concerns cannot serve as a blanket authorization for unrestricted surveillance. Legal frameworks governing cyber espionage must include clear limits, oversight mechanisms, and safeguards against abuse. Absence of transparency, lack of independent supervision, or indefinite retention of collected data weigh heavily against compliance with proportionality requirements.

9.3 Interaction between human rights law and state security

The relationship between international human rights law and state security interests lies at the heart of debates surrounding cyber espionage. Intelligence gathering is widely regarded as essential to national security, yet human rights law demands that security measures respect fundamental rights. This tension is not resolved by treating intelligence activities as categorically exempt from human rights scrutiny.

Arguments invoking lex specialis to displace human rights law in the intelligence domain have limited reach. Human rights law continues to apply in peacetime and is displaced only in narrowly defined circumstances, such as during armed conflict where international humanitarian law provides more specific regulation. Cyber espionage conducted outside armed conflict remains subject to human rights constraints (Milanovic, 2016).

Human rights law does not prohibit intelligence collection. It regulates its methods and safeguards. States retain discretion to protect national security, but that discretion is bounded by requirements of legality, necessity, proportionality, and accountability. Covert surveillance does not escape these requirements simply because disclosure would undermine intelligence effectiveness. Oversight may be adapted to secrecy, but it cannot be eliminated altogether (Human Rights Committee, 2014).

The interaction between human rights law and cyber espionage thus reinforces the broader theme that international law governs conduct rather than categories. Cyber espionage remains legally permissible only within a framework that respects individual rights and limits state power. Where intelligence activities disregard these limits, they engage international responsibility irrespective of their strategic rationale.

10. Cyber espionage and international security law

10.1 Use of force and armed attack thresholds

International security law draws a clear distinction between non-forcible conduct and the use of force prohibited under Article 2(4) of the United Nations Charter. Cyber espionage, as a form of intelligence gathering, almost always falls on the non-forcible side of this divide. The defining features of cyber espionage—covert access, data extraction, and information analysis—are designed to avoid physical destruction, injury, or immediate disruption. As a result, such operations lack the scale and effects traditionally associated with military force (Dinstein, 2017; Schmitt, 2017).

The prevailing doctrinal approach evaluates cyber operations by reference to their consequences, not their intent alone. Acts qualify as a use of force when their effects are comparable to those of kinetic military operations, such as physical damage to infrastructure, loss of life, or severe functional incapacitation of essential systems. Cyber espionage typically does not meet this threshold because it seeks confidentiality rather than destruction. Even extensive exfiltration of sensitive data or long-term infiltration of networks does not, by itself, produce the kind of tangible harm required to trigger Article 2(4) (Tallinn Manual 2.0, 2017).

Exceptional scenarios remain theoretically possible. If a cyber operation conducted under the guise of espionage were to cause severe physical consequences—such as triggering explosions, disabling critical life-support systems, or causing large-scale infrastructural collapse—it could cross the use of force threshold regardless of its intelligence rationale. In such cases, the legal characterization would follow the effects rather than the label. The operation would cease to be legally relevant as espionage and would instead be assessed as a forcible cyber operation (Dinstein, 2017).

An even higher threshold applies to armed attack, which engages the inherent right of self-defence under Article 51 of the Charter. Armed attacks require consequences of sufficient gravity, traditionally associated with the most serious forms of force. Cyber espionage, even when intrusive and strategically damaging, does not ordinarily reach this level. The absence of physical destruction or loss of life places intelligence operations outside the scope of lawful self-defence responses under current international law.

10.2 Collective security and cyber intelligence

The United Nations collective security system is designed to address threats to international peace and security, primarily through the regulation of force and coercive measures. Cyber espionage, as a non-forcible intelligence activity, does not easily fit within this framework. Intelligence collection, including cyber-enabled intelligence, has long been regarded as part of routine inter-state interaction rather than as a trigger for collective security responses (Shaw, 2017).

The Security Council possesses broad discretion to determine the existence of threats to peace, breaches of peace, or acts of aggression. In principle, a pattern of cyber operations could contribute to such a determination if their cumulative effects destabilize international relations. In practice, however, cyber espionage alone has not been treated as engaging collective security mechanisms. Its covert nature, evidentiary uncertainty, and lack of immediate disruptive effects make it ill-suited to the public, institutionalized responses characteristic of the Security Council (Hernández, 2020).

Cyber intelligence operations are more commonly addressed through diplomatic protest, countermeasures, or unilateral sanctions rather than through collective enforcement action. This practice reflects an implicit understanding that intelligence gathering, even when hostile, does not constitute a threat to peace in the sense contemplated by the Charter. Elevating espionage to that level would risk politicizing the collective security system and conflating intelligence competition with armed conflict.

The legal position is therefore consistent with broader international practice. Cyber espionage remains governed by general international law, including sovereignty, non-intervention, state responsibility, and human rights law, but it does not ordinarily activate the mechanisms of international security law. The United Nations Charter framework continues to draw a firm line between intelligence activities and forcible measures, a line that cyber espionage has not, to date, crossed.

Also read

• The Evolution of International Law in Cyberspace

• Human Rights and the Global Digital Surveillance Infrastructure

• Jurisdictional Gaps in Subsea Data Cables

• The Right to Connectivity under the ICCPR

• International Responsibility in Public International Law

• Customary International Law: How It Forms and Works

• Principles Of Jurisdiction In International Law

• Evolution of the Law of Armed Conflict

11. Emerging norms and unresolved doctrinal debates

11.1 Competing state views on sovereignty and cyber operations

One of the most significant unresolved debates in international law on the use of cyber espionage concerns the legal status and content of sovereignty in cyberspace. States broadly agree that sovereignty remains relevant, yet they diverge on how it operates and when it is breached by cyber conduct.

A restrictive interpretation treats sovereignty as a binding primary rule whose violation may arise directly from unauthorized cyber intrusion into systems located on a state’s territory. Under this view, non-consensual penetration, persistence, or manipulation of foreign systems can breach sovereignty even in the absence of physical damage or functional disruption. This position draws on classical doctrine emphasizing exclusive territorial authority and has been supported by a growing body of academic analysis and several official state positions (Hernández, 2020; Milanovic, 2016).

A permissive interpretation accepts sovereignty as a foundational principle but limits its legal consequences. States adopting this approach tend to argue that sovereignty informs the application of other rules, such as non-intervention or the prohibition of force, rather than operating as an independent basis of wrongfulness. According to this view, cyber operations violate international law only when they produce tangible effects or reach established thresholds under more specific prohibitions (Schmitt, 2017; Watts, 2021).

These competing interpretations have direct implications for the formation of customary international law. Divergent state positions weaken claims that a settled rule has crystallized concerning unauthorized cyber intrusion as a sovereignty violation. At the same time, the increasing willingness of states to articulate legal positions, rather than rely on silence, suggests that opinio juris is evolving. Future customary law formation will likely depend on whether states converge around intrusion-based thresholds or continue to privilege effects-based analyses. The outcome remains open, but the debate itself confirms that sovereignty is not legally irrelevant in the cyber domain.

11.2 Norm development versus legal obligation

Alongside doctrinal debates, states have engaged in extensive norm-development efforts aimed at shaping responsible behaviour in cyberspace. These initiatives include political commitments, confidence-building measures, and voluntary norms articulated through multilateral processes. While these efforts contribute to stability, they must be distinguished carefully from binding legal obligations.

Political norms express expectations about conduct, such as restraint in targeting critical infrastructure or cooperation in responding to cyber incidents. They may influence state behaviour and inform future legal development, but they do not create enforceable rights or duties by themselves. Treating such commitments as law risks conflating policy consensus with legal obligation and obscuring the sources of international law (International Law Commission, 2018).

United Nations cyber processes have played an important role in reaffirming that existing international law applies to cyber activities, including cyber espionage. Their contribution lies primarily in consolidating interpretive frameworks and encouraging transparency rather than creating new legal rules. These processes reinforce the applicability of sovereignty, non-intervention, and state responsibility, but they do not resolve contested thresholds or eliminate doctrinal disagreement.

Norm development may nonetheless influence the evolution of customary law over time. Repeated articulation of expectations, combined with consistent practice, may gradually shape opinio juris. For the moment, however, international law on cyber espionage continues to rest on general principles rather than on newly created cyber-specific obligations.

11.3 Structural limits of legal regulation of espionage

The regulation of espionage, including cyber espionage, is subject to enduring structural constraints. Secrecy is inherent to intelligence activities, limiting transparency and making verification difficult. Attribution challenges complicate the identification of responsible states and delay or prevent legal responses. Reciprocity shapes state behaviour, encouraging restraint in legal claims where mutual exposure is high (Oppenheim, 1955; Hernández, 2020).

These constraints affect enforcement, not legality. They explain why states often respond through diplomatic protest, retaliation, or silent countermeasures rather than formal invocation of international responsibility. They also explain why many cyber espionage operations remain unaddressed publicly despite raising serious legal concerns.

Claims that cyber espionage exists in a legal vacuum confuse enforcement difficulty with normative absence. International law does not require perfect compliance or constant adjudication to remain operative. Its rules continue to structure expectations, delimit permissible conduct, and provide a framework for assessing responsibility even when practical obstacles limit formal remedies.

Acknowledging these structural limits avoids unrealistic expectations while preserving legal coherence. Cyber espionage is regulated indirectly and unevenly, but it is not unregulated.

12. Conclusion

International law on the use of cyber espionage does not prohibit intelligence gathering as such, but it does not leave it legally unconstrained. Cyber espionage is conditionally regulated, not legally free. Its permissibility depends on how intelligence activities are conducted and on their interaction with established legal rules.

Sovereignty operates as a central constraint, particularly where cyber operations involve unauthorized intrusion into systems linked to territorial authority or inherently governmental functions. The principle of non-intervention limits cyber espionage when intelligence collection becomes a vehicle for coercion. The law of state responsibility ensures that attributable cyber operations breaching international obligations generate legal consequences. Diplomatic law and international human rights law impose additional and often stringent limits, especially where protected communications or individual rights are affected.

International security law draws a clear boundary between espionage and force, leaving cyber espionage largely outside the scope of collective security and self-defence while reinforcing its regulation through non-forcible norms. Emerging political norms and UN-led processes support this framework by reaffirming the applicability of international law, even as doctrinal debates persist.

The resulting legal landscape is fragmented and context-dependent, reflecting the structural nature of intelligence in international relations. International law governs cyber espionage indirectly, through general principles rather than activity-specific prohibitions. That indirect regulation is neither accidental nor deficient. It represents a longstanding accommodation between legal order and the realities of state intelligence practice, now extended into the digital domain.

References

1. Al-Skeini and Others v United Kingdom (2011) European Court of Human Rights, Application No. 55721/07.

2. Corfu Channel (United Kingdom v Albania) (Merits) (1949) ICJ Reports, p. 4.

3. Denza, E. (2016) Diplomatic Law: Commentary on the Vienna Convention on Diplomatic Relations. 4th edn. Oxford: Oxford University Press.

4. Dinstein, Y. (2017) War, Aggression and Self-Defence. 6th edn. Cambridge: Cambridge University Press.

5. European Court of Human Rights (2015) Roman Zakharov v Russia, Application No. 47143/06.

6. Grotius, H. (1625) De Jure Belli ac Pacis. Paris: Nicolaus Buon.

7. Hernández, G.I. (2020) The International Law of Espionage. Oxford: Oxford University Press.

8. Human Rights Committee (2004) General Comment No. 31: The Nature of the General Legal Obligation Imposed on States Parties to the Covenant. UN Doc. CCPR/C/21/Rev.1/Add.13.

9. Human Rights Committee (2014) Concluding Observations on the Fourth Periodic Report of the United States of America. UN Doc. CCPR/C/USA/CO/4.

10. International Law Commission (2001) Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries. Yearbook of the International Law Commission, Vol. II, Part Two.

11. International Law Commission (2018) Identification of Customary International Law, Conclusions with Commentaries. Yearbook of the International Law Commission, Vol. II, Part Two.

12. Island of Palmas Case (Netherlands v United States) (1928) Reports of International Arbitral Awards, Vol. II, p. 829.

13. Lubin, A. (2019) 'The Liberty–Security Balance in a Digital World', American Journal of International Law Unbound, 113, pp. 223–228.

14. Milanovic, M. (2016) Extraterritorial Application of Human Rights Treaties: Law, Principles, and Policy. Oxford: Oxford University Press.

15. Nicaragua v United States of America (Merits) (1986) ICJ Reports, p. 14.

16. Oppenheim, L. (1955) International Law: A Treatise, Vol. I – Peace. 8th edn. Edited by H. Lauterpacht. London: Longmans.

17. Schmitt, M.N. (ed.) (2017) Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge: Cambridge University Press.

18. Shaw, M.N. (2017) International Law. 8th edn. Cambridge: Cambridge University Press.

19. United Nations General Assembly (2015) Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. UN Doc. A/70/174.

20. United Nations General Assembly (2021) Final Report of the Open-ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security. UN Doc. A/75/816.

21. Watts, S. (2021) 'The Law of State Responsibility and Cyber Operations', Texas Law Review, 99(5), pp. 1359–1408.