The recent disclosure of a purported Russian cyber-espionage campaign that targeted NATO, the European Union, and Ukraine once again brings the issue of state-sponsored cyber espionage to the forefront. Despite Henry Stimson’s view as Secretary of State that “Gentlemen don’t read each other’s mail,” espionage has a long history in international relations.
The Sandworm campaign discussed in the linked story exploited a zero-day vulnerability in Microsoft Windows and Windows Server. The patch was released by Microsoft on October 14. While espionage is against the law in individual countries, nation states routinely spy on other nations. There are no treaties outlawing spying, and the penalties for a nation state that gets caught are largely public embarrassment and strained relationships.
One recent development, however, was the leveling of criminal charges by the United States against several Chinese military officers for commercial espionage. Arguing that stealing private company trade secrets to gain market advantage is fundamentally different from obtaining an adversary’s battle plans, the United States hopes to deter commercial espionage by rallying world opinion against the practice.
The advantage of stealing trade secrets is two-fold. No need to invest in research and development, just steal the technology and take it to market yourself. If you can get the digital plans, it even avoids the time-consuming process of reverse engineering a physical model. Skillful targeting of your campaign can discover bidding strategies and a wealth of inside information. While commercial espionage has been around since early in the industrial age, computers make it significantly easier.
Given the limited tools of international law, the ever-increasing connection of systems, and the risk of cyberespionage at a corporate level, companies need to take prudent measures to secure and patch systems and instill awareness of the threat in their workforce. The answer to the opening question of whether cyberespionage is illegal doesn’t much matter for the near future.