Towards a Framework for Analysing Complex Interdependence in Digital Espionage Markets


  • Ahana Datta University College London



Cyber power, complex interdependence, cyber espionage, vulnerability disclosure


Cyber power indices have dominated discourse in recent years as measuring the relative power of nation-states in cyberspace to exercise their cyber capabilities for offensive and defensive purposes. These indices adapt a variety of methodologies, but their effectiveness in mobilising cyber power remains limited. Indices based on dynamic systems frameworks explain power consolidation arising from network-effects, but are too broad to implement due to complexity. In this article, we analyse cyber power through access to digital espionage capabilities, using the theory that states weaponise complex interdependence of information flows. Instead of proposing an index, we set up a case study contrasting the Chinese system, where the state mediates technology vulnerabilities, with the Five Eyes system, where vulnerability disclosures are a common occurrence. The Chinese system exhibits a “chokepoint” effect, in contrast to the Five Eyes’ “panopticon” mediation of information flows.

Extant cyber espionage analyses range over themes such as economic vis-a-vis open and closed vulnerability markets; legal, in relation to the circulation of tools like spyware; or strategic and case-based. Given this confluence, we posit a framework of information flows between ecosystems of actors. Exploit vendors, state-backed offensive operators, nation-states, and tech platforms are networked through interdependent information flows, consolidating power in private actors. The political economy of a nation-state provides useful heuristics in articulating strategic aims behind its espionage activities, as well as its approach in controlling the flow of knowledge of vulnerabilities between the private actors of which the state may be a customer. In highlighting this tension between nation-states’ political economies defining their roles as both mediator and customer, we offer security scholars nuanced considerations in theorising cyber power. We conclude that while this tension amplifies private power, policymakers must intervene to reshape interdependent networks that influence and counter it.