International Law in Cyberspace

Isabella Piedrahita Velasco

Cyber Espionage and Sovereignty: Case Study of the African Union HQ “Bugging”

I. INTRODUCTION

Cyber espionage, as defined by the Tallinn Manual 2.0, is understood as “any act undertaken
clandestinely or under false pretenses that uses cyber capabilities to gather, or attempt to gather,
information.”1 In these terms, any action conducted in the cyber-sphere entailed to extract
confidential information from an adversary falls under the scope of cyber espionage. However,
the legality of these actions and their implications from an International Law (IL) perspective
still remain up for debate. To explore these considerations, this synopsis will analyze the
phenomenon of cyber espionage through the case study of the notable claim made against China
for spying on - or bugging - the African Union HeadQuarters.

In January 2012, the African Union (AU) inaugurated its HeadQuarters (HQ) in Addis Ababa,
Ethiopia. The project was entirely funded and built by the Government of China.2 In January
2017, a group of officials at the IT department of the AU HQ discovered that its servers and
internal data had been hacked, sending all of the “secrets” of the institution to servers in
Shanghai. After this discovery, the premises was swept by cybersecurity experts, who found
microphones and bugs3 in the premises. According to them and different sources within the
institution, the hidden digital doors (“backdoors”) on the servers and the bugs were planted by
the Chinese engineers that built the HQ.4 Even though China publicly denied the accusations, the
claim serves as a unique case study to discuss the lawfulness of cyber espionage in IL.

II. LAWFULNESS OF CYBERESPIONAGE

1
Michael N. Schmitt, Cyber operations not per se regulated by international law, in Tallinn Manual 2.0 on the
International Law Applicable to Cyber Operations, Rule 2, pg. 168, (2 ed. 2017).
2
BBC News, African Union opens Chinese-funded HQ in Ethiopia, (2012). Available at:
https://www.bbc.com/news/world-africa-16770932.
3
“A very small device fixed on to a phone or hidden in a room, that allows you to listen to what people are saying
without them knowing.” Cambridge Dictionary definition for the word bug.
4
Ghalia Kadiri, A Addis-Abeba, le siège de l’Union africaine espionné par Pékin, (Le Monde, 2018). Available at:
https://www.lemonde.fr/afrique/article/2018/01/26/a-addis-abeba-le-siege-de-l-union-africaine-espionne-par-les-chin
ois_5247521_3212.html.
The first concern that arises with the case presented is whether or not cyber espionage is
permissible under IL. For starters, there is no international treaty that regulates cyber espionage;
thus, other sources of IL must be consulted. Since the Tallinn Manual 2.05 theoretically6 -serves
as a guideline for the norms applicable to international cyber operations, these are the provisions
that should be taken into account. According to Article 32 of the Manual, “although peacetime
cyber espionage by States does not per se violate international law, the method by which it is
carried out might do so.” The International Group of Experts (IGE) that drew up the Rule
understood that, for cyber espionage to be prohibited by IL, there would have to be a greater
extent of State practice and opinio juris on the subject - which there currently isn’t - to establish a
customary norm.7 Therefore, under this interpretation, the existing status quo on the matter is
insufficient to make cyber espionage per se unlawful. But this is not absolute.

As the Rule indicates, the means by which cyber espionage is conducted may in fact contravene
IL. So if the way the operation was carried out breaches obligations owed to States, then the
operation could be considered illegal. Some scholars have also concluded that “whilst cyber
espionage is not specifically regulated by international law it may be nevertheless unlawful when
appraised against general principles of international law.”8 This being said, in the case under
revision we can see that there is a main axiom of IL that was infringed with the bugging of the
AU HQ: the principle of sovereignty.

III. PRINCIPLE OF SOVEREIGNTY

5
The Tallinn Manual (2.0) is an academic work that identifies the international laws, principles and custom
applicable to cyber operations, and enumerates a series of rules that govern the issues revolving around such
operations. Each rule includes an extensive commentary explaining the experts’ reasoning and discussions on the
norms in the context of cyberspace.
6
Given that the Tallinn Manual is an academic composition, it cannot be understood as a binding framework for
States and other international actors. Under Article 38 of the ICJ Statute, the Manual would be classified as a
“teaching of the most highly qualified publicists of the various nations” (Art. 38, lit. d), which is considered to be a
subsidiary source of International Law.
7
Michael N. Schmitt, Cyber operations not per se regulated by international law, in Tallinn Manual 2.0 on the
International Law Applicable to Cyber Operations, Rule 2, pg. 169, (2 ed. 2017).
8
Russell Buchan, The International Legal Regulation of State-Sponsored Cyber Espionage, in International Cyber
Norms: Legal, Policy & Industry Perspectives, pg. 3 (Tallinn: NATO CCD COE Publications, 2016).
 “Sovereignty [...] signifies independence. Independence [...] is the right to exercise
therein, to the exclusion of any other States, the functions of a State.”9

The principle of sovereignty is often considered to be the highest norm of IL.10 From a traditional
perspective, this principle is designed to protect the territorial sovereignty of a State from the
physical intrusion of others. However, modern technologies demand that this interpretation be
expanded to encompass States’ right to independence in the cyber-sphere. So, the Tallinn Manual
has sustained in its very first Rule that “the principle of sovereignty applies in cyberspace”11 the
way it normally would. Now, while this may be true for most cyber operations, in the context of
cyber espionage the application of the principle is not so apparent. On one hand, from the
perspective of the IGE’s majority, there is always a breach of sovereignty if the espionage is
conducted from within the territory of the targeted State (also known as close access espionage);
however, others were of the opinion that there is no violation given the extensive State practice
there is on the matter.12 Moreover, if the “spy” is not on State soil when the information is
extracted, the IGE agreed that cyber espionage does not breach the principle of sovereignty if
there is no physical damage or loss of infrastructure functionality.13

In response to these considerations, the majority’s view that close access cyber espionage poses a
threat to sovereignty seems reasonable insofar as there is a fair amount of opinio juris14 to sustain
so. Numerous States have publicly condemned cyber espionage,15 therefore discrediting the
allegation that it is customarily lawful as a result of positive State practice. Both opinio juris and

9
Island of Palmas Case (Netherlands v. USA) 4 April 1928, Reports of International Arbitral Awards, Volume II pp
829-871, 838.
10
Katharina Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public International Law, in Peacetime
Regime for State Activities in Cyberspace, (Tallinn: International Law, International Relations and Diplomacy,
NATO CCD COE Publication, 2013).
11
Michael N. Schmitt, Sovereignty, in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations ,
Rule 1 (2 ed. 2017).
12
Ibid. Rule 4, Num. 7.
13
Ibid. Rule 4, Num. 27.
14
“To be regarded as customary international law, state practice must meet two conditions, known as the objective
element and the subjective element. The objective element requires that the practice is general. The subjective
element, also known as opinio juris sive necessitatis, or simply opinio juris, requires that states follow the practice
because they recognise it as a norm of international law.” Christian Dahlman, The Function of Opinio Juris in
Customary International Law, (Scandinavia: Nordic Journal of International Law 81, 2012).
15
E.g. France, Iran, Switzerland, China, Argentina, Mexico, Indonesia, Bahamas, Mercosur, Poland. Kevin Jon
Heller, In Defense of Pure Sovereignty in Cyberspace, in International Law Studies, pg. 1476, (Stockton Center for
International Law, 2021).
State practice are necessary to constitute custom, so only the latter is insufficient. Now, the
distinction between close access and remote espionage is irrelevant to the discussion. Experts
have noted that it is sufficient that the information interfered with is on servers located in the
State’s territory.16 Moreover, where there is an usurpation of inherently governmental functions -
understood as the engagement in a function exclusively reserved to a State17 - physical presence
of the trespasser is not required for there to be a breach of sovereignty. Therefore, in the context
of the AU HQ case, the fact that the Chinese “spies” were no longer bodily in Ethiopia does not
rule out a violation to the principle of sovereignty.

With regards to the requirement of physical damage for there to be a breach of sovereignty, the
solution will depend on whether it is interpreted from a pure sovereignty or relative sovereignty
perspective. The first believes that any cyber operation that “involves non-consensually
penetrating a computer system located on another State’s territory violates the targeted State’s
sovereignty”, whereas the second rejects this idea and demands that a cyber operation cause “at
least some kind of harm to the targeted state to be internationally wrongful.”18 In the realm of IL,
the first perspective seems more sensible given that the principle of sovereignty, being a
foundational rule of international relations, should not vary in the sphere of cyberspace. And,
considering that in the material world territorial sovereignty is not subjected to physical
damage,19 this should not be the case for cyberspace. Additionally, under the ruling of the Lotus
case,20 any form of exercise of power inside a State’s territory without its permission is
considered to be a definite violation of the principle. This being said, the extraction of
confidential information from servers that are within the country and that hold data

16
“it is sufficient that the foreign government’s intrusive activities occurred on [the State’s] territory.” Patrick C. R.
Terry, “Don’t Do as I Do”—The US Response to Russian and Chinese Cyber Espionage and Public International
Law, in German Law Journal Vol. 19 no. 03, pg. 617, (Cambridge University Press, n.d.). ; and “where computer
networks are interfered with, or where information is interfered with that is located on those networks, and those
networks are supported by cyber infrastructure physically located in a state’s territory, that state’s territory can be
regarded as transgressed and thus a violation of the principle of territorial sovereignty occurs.” Russell Buchan, The
International Legal Regulation of State-Sponsored Cyber Espionage, in International Cyber Norms: Legal, Policy &
Industry Perspectives, pg. 6 (Tallinn: NATO CCD COE Publications, 2016).
17
Kevin Jon Heller, In Defense of Pure Sovereignty in Cyberspace, in International Law Studies, pg. 1457, (Stockton
Center for International Law, 2021).
18
Ibid. pgs. 1458 and 1461.
19
Ibid. pgs. 1468.
20
“Now the first and foremost restriction imposed by international law upon a State is that—failing the existence of
a permissive rule to the contrary— it may not exercise its power in any form in the territory of another State.” S.S.
Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 18–19 (Sept. 7).
corresponding to inherently governmental functions is understandably an unlawful exercise of
power. In this sense, cyber espionage proves to be a violation under the pure sovereignty
perspective as there is a non-consensual transgression of the State’s independence.

In this particular case, however, given that the AU is not a State but an International
Organization, the implications under the scope of IL are slightly different.

3.1. Sovereignty in the AU HQ Case

An International Organization (IO) is an independent entity - with its own legal personality -
established by formal political agreements between its member States, usually via international
treaties.21 In most cases, like in the case of the AU, these IOs are created with the purpose of
exercising functions that would normally be circumscribed to States.22 Nevertheless, from a
traditional perspective, IOs don’t enjoy the same right to sovereignty insofar as they are not
States. Thus, the case under analysis begs the question of whether cyber espionage activities that
would normally suppose a breach of sovereignty, can be assessed as unlawful when the target is
not a State but an IO.

In recent approaches of Nation-State theory, certain classical prerogatives have been reevaluated
to encompass a more realistic, global view. The concept of supranationality23 has shifted the way
sovereignty should be interpreted and applied. With this perspective sovereignty is not a
principle that is territorially dependent, but rather relies on the IO’s independence and authority
to exercise power.24 So by stretching this definition, the espionage on the AU HQ would
constitute an internationally unlawful act on behalf of China. This, however, is a highly contested
and predeveloped viewpoint.

21
OECD, Glossary of Statistical Terms. https://stats.oecd.org/glossary/detail.asp?ID=1434.
22
​Jan Klabbers, An Introduction to International Organizations Law: Fourth Edition, (United Kingdom: Cambridge
University Press, 2022).
23
“Supranationality” refers to the phenomenon under which two States or more involve non-State actors in their
political and social processes. It encompasses formal organizations, institutions, and political and legal agreements
related to transnational interaction. Michael R. Lucas, Nationalism, Sovereignty, and Supranational Organizations,
(Hamburg: Heft, 1999).
24
Ibidem.
On another hand, though it is clear that the manner in which the operation was conducted
infringes upon the sovereignty of the State of Ethiopia, as it was in Addis Ababa (the capital of
the country) where the “spies” non-consensually planted the bugs, what happens to the
sovereignty of the other members of the AU? The solution can be grounded on the same
interpretation of the principle whereby physical presence of the “spy” on State territory is not
necessary for there to be an infringement upon sovereignty, as long as there is an usurpation of
inherently governmental functions.

3.2. Consent as a Preclusion of Wrongfulness

In essence, cyber espionage operations are carried out in a covert manner; without the consent of
the target State. This being said, consent is a fundamental factor in determining whether an
operation violates the sovereignty of a State (or IO) and, hence, if it is unlawful or not. The
Budapest Convention on Cybercrime provides guidance on the matter, as it expressly allows
parties to access stored computer data in another State’s territory when “lawful and voluntary
consent” has been granted.25 Similarly, the Tallinn Manual 2.0 holds in its Rule 19 that the
wrongfulness of an act involving cyber operations is precluded in the case of consent.26 So, if
China claimed that it bore the AU’s consent to bug the HQ under the pretense that they were
authorized to “temporarily take control of its cyber infrastructure”27 whilst building the HQ, there
would be no internationally unlawful act. Nonetheless, the fact that China financed and built the
premises, including the IT infrastructure, in no way signifies that the AU acknowledged and
consented the installation of hidden bugs and backdoors to their servers. Therefore, this argument
would not have legal standing.

IV. CONCLUSION

25
Ido Kilovaty, World Wide Web of Exploitations - The Case of Peacetime Cyber Espionage Operations Under
International Law: Towards a Contextual Approach, in The Columbia Science and Technology Law Review Vol.
XVIII, (Columbia University, 2016).
26
Michael N. Schmitt, Law of international responsibility, in Tallinn Manual 2.0 on the International Law
Applicable to Cyber Operations, Rule 19, (2 ed. 2017).
27
Ibid. Num. 2.
Being an unregulated topic as it is, the rules and limits of cyber espionage remain ambiguous,
leading to an array of unanswered questions. Pre-eminently, regarding the issue of lawfulness.
With cases such as the Chinese Bugging of the AU HQ, we can see how the complexity of the
subject demands for a clear, binding understanding on how these operations inherently breach
State - and IO - sovereignty and thus should be considered internationally wrongful acts.

Bibliography:

BBC News, African Union opens Chinese-funded HQ in Ethiopia, (2012). Available at:
https://www.bbc.com/news/world-africa-16770932.

Christian Dahlman, The Function of Opinio Juris in Customary International Law, (Scandinavia: Nordic
Journal of International Law 81, 2012).

Ghalia Kadiri, A Addis-Abeba, le siège de l’Union africaine espionné par Pékin, (Le Monde, 2018).
Available at:
https://www.lemonde.fr/afrique/article/2018/01/26/a-addis-abeba-le-siege-de-l-union-africaine-espionne-p
ar-les-chinois_5247521_3212.html.

Ido Kilovaty, World Wide Web of Exploitations - The Case of Peacetime Cyber Espionage Operations
Under International Law: Towards a Contextual Approach, in The Columbia Science and Technology
Law Review Vol. XVIII, (Columbia University, 2016).

Island of Palmas Case (Netherlands v. USA) 4 April 1928, Reports of International Arbitral Awards,
Volume II pp 829-871, 838.

​Jan Klabbers, An Introduction to International Organizations Law: Fourth Edition, (United Kingdom:
Cambridge University Press, 2022).

Katharina Ziolkowski, Peacetime Cyber Espionage – New Tendencies in Public International Law, in
Peacetime Regime for State Activities in Cyberspace, (Tallinn: International Law, International Relations
and Diplomacy,
NATO CCD COE Publication, 2013).

Kevin Jon Heller, In Defense of Pure Sovereignty in Cyberspace, in International Law Studies, pg. 1476,
(Stockton Center for International Law, 2021).

Michael N. Schmitt, in Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations i-ii
(2 ed. 2017).

Michael R. Lucas, Nationalism, Sovereignty, and Supranational Organizations, (Hamburg: Heft, 1999).

OECD, Glossary of Statistical Terms. https://stats.oecd.org/glossary/detail.asp?ID=1434.

Patrick C. R. Terry, “Don’t Do as I Do”—The US Response to Russian and Chinese Cyber Espionage and
Public International Law, in German Law Journal Vol. 19 no. 03, pg. 617, (Cambridge University Press,
n.d.).

Russell Buchan, The International Legal Regulation of State-Sponsored Cyber Espionage, in International
Cyber Norms: Legal, Policy & Industry Perspectives, pg. 3 (Tallinn: NATO CCD COE Publications,
2016).

S.S. Lotus (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 18–19 (Sept. 7).