August 3, 2016

TSG IntelBrief: The Evolving Nature of Cyber-Espionage

• Recent incidents of cyber-espionage, particularly the hacking of the Democratic National Committee server, are not deterred by the retaliatory protocols that govern traditional espionage.

• Traditional espionage retaliation involves declaring rival intelligence officers ‘persona non grata’ (PNG) and deporting them.

• The use of PNG, among other tactics, ensures intelligence services operate within well-established boundaries.

• For state actors and their proxies, the databases upon which modern governments and organizations run have become the primary espionage targets.


The well-established rules of espionage—while somewhat antiquated and hypocritical—have long ensured governments and intelligence services operate within certain boundaries. It is no secret that governments spy on other governments. In the course of such activities, rival intelligence services occasionally get caught in the act, which initiates a choreographed dance of arrests and charges, counter-arrests, and then several rounds of deportation after suspects are declared persona non grata (PNG).

With the increasing ubiquity of information technology in the governing process—particularly in the realm of state secrets—the nature of espionage is rapidly changing. Recent incidents of suspected government-sponsored cyber-espionage are not constrained by traditional responses such as arrest and declarations of PNG. As such, espionage-related incidents that have historically tended to result in diplomatic embarrassment and strained relations run a much greater risk of escalating into crises.

The hack of the Democratic National Committee (DNC) and the reported subsequent breach of the Democratic Congressional Campaign Committee (DCCC) have been widely attributed—though not officially—to the Russian government. Private cybersecurity firms have narrowed the culprits even further, specifically attributing the hacks to Russia’s foreign military intelligence, the Main Intelligence Directorate (GRU), and its Federal Security Service (FSB). Officially, the U.S. has not accused Russia of the hacks, which is standard in such cases. The U.S. has little to gain by publicly accusing Russia or another government of a targeted cyber-espionage attack: it will not deter the next attempt, since the normal rules of expulsion and embarrassment do not apply, and there is no public trial.

While the U.S. is unlikely to publicly attribute the breach to Russia, that does not rule out the possibility of covert retaliation. On July 30, the Russian government said up to twenty of its computer systems, including military systems, had been breached with malware. The Russians said the attack was ‘planned and made professionally’—a gentle way of saying ‘government-sponsored.’ Russia did not directly accuse the U.S. of the breaches, but by publicly acknowledging the attacks, it was sending a message that there are no clean hands in this fight. The public airing of cyber-attacks—but stopping just short of official accusation—is as close to declaring PNG as rival intelligence services care to get. As long as the cyber-espionage attempts remain in the general realm of covert information gathering on each side, a balance of sorts is maintained.

However, the recent incidents are more troubling than previous instances of cyber-espionage, as the nature of the breaches appears to be changing from covert information collection to the overt and weaponized use of that information. Unlike previous foreign-directed data breaches, the DNC hack is particularly worrisome because the information obtained can now be used in efforts to influence a U.S. presidential election. As state use of cyber-espionage evolves from information gathering to more invasive meddling in foreign affairs, the long-standing espionage boundaries become blurred. Once such lines are crossed, more damaging cyber-attacks, such as interference with critical infrastructure, become fair game. As more of modern life is built around information databases, more transparent and aggressive information warfare becomes a real threat.

