
REMIT Research Presented at the 2025 Conference on International Cyber Security

At the 2025 Conference on International Cyber Security: Order, Disorder, Re-order — Geopolitics and the Transformation of Cyberspace, held on 4–5 November in The Hague, our partners at Virtual Routes, represented by Apolline Rolland on behalf of the EU-funded project REMIT (Reignite Multilateralism via Technology), joined a vibrant discussion on how states, technologies, and private actors are reshaping the boundaries of espionage and governance in the digital realm.

Photo by Hannah-Sophie Weber

In the panel “Spooks in Cyberspace: Surveillance of the Digital Realm,” moderated by Lena Riecke, Apolline Rolland presented the paper “Varying Vectors: The Targeting Logics of Digital Espionage” (co-authored with James Shires). The paper introduces a new framework for understanding how states conduct espionage in the digital age, challenging the fragmented ways in which the field has often been studied. Research on espionage, Rolland and Shires argue, tends to be divided between work on spyware targeting individuals, studies of cyber operations against organisations, and analyses of mass surveillance at the infrastructural level. This fragmentation obscures the reality that states increasingly combine these methods in flexible, multi-layered strategies that move seamlessly between individuals, organisations, and infrastructures.

Their paper defines the concept of “digital espionage” to include network intrusions, spyware campaigns, supply-chain compromises, and infrastructural surveillance. It proposes two key concepts to capture how these operations function: infrastructural entry points, meaning gateways that provide access to multiple targets, and vectors of access, describing how specific espionage techniques intersect with both the type of target and the technical layer being exploited.

Drawing on documented cases of state-sponsored espionage, the research maps how digital espionage operates across multiple layers of the digital stack. The authors illustrate this through the case of mobile communications, showing how states exploit diverse vectors of access, from sophisticated spyware like Pegasus and hardware-based extraction tools such as GrayKey, to SS7 protocol vulnerabilities and large-scale telecom infrastructure compromises such as Belgacom or Salt Typhoon. These examples demonstrate how the choice of vector depends on a balance of capability, cost, and plausible deniability: major cyber powers can afford to invest in complex infrastructural compromises, while other states rely on commercially available tools or outsourced contractors. In all cases, the blurring of state and private roles complicates attribution and accountability.

The panel brought this analysis into dialogue with two other compelling papers. Anchi Cao examined how data brokers, often seen as engines of surveillance capitalism, are in fact structurally fragile intermediaries, “brokers without brokerage”, whose weakness could be harnessed to build more accountable forms of governance. Natalie Davidson analysed how Big Tech has become an unexpected regulator of the global spyware trade, developing and enforcing norms that both constrain and complicate state and corporate power. Together, the three papers revealed how new configurations of vulnerability, accountability, and authority are reshaping the governance of cyberspace.
