Foreign Cyber Interference in Elections: An International Law Primer, Part I

With US elections looming, it is a propitious moment to examine the international law rules bearing on foreign interference in this fundamental expression of democracy. Sadly, little appears to have changed since the US intelligence community concluded with a “high degree of confidence” that “Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.” This August, for instance, the Director of the National Counterintelligence and Security Center warned,

Ahead of the 2020 U.S. elections, foreign states will continue to use covert and overt influence measures in their attempts to sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process. They may also seek to compromise our election infrastructure for a range of possible purposes, such as interfering with the voting process, stealing sensitive data, or calling into question the validity of the election results.

And this time the finger is pointed not only at Russia, but also China and Iran. Microsoft has confirmed that actors in all three states are actively targeting the election.

While interference in American elections has captured most attention, the phenomenon is global. For instance, in 2014 CyberBerkut, a group of Russian hacktivists, targeted the Ukrainian Central Election Commission, bringing its network down for twenty hours and nearly leading to the announcement of a false winner. In 2017 the GRU (Russian military intelligence) purportedly conducted operations directed at Emmanuel Macron’s campaign for the French Presidency, while the next year a distributed denial of service attack was conducted against the Russian Central Election Commission, allegedly from locations in fifteen countries.

Such election-related activities in cyberspace raise the question of their lawfulness under international law. This series of posts examines that question from three angles. First, it assesses if and when election interference by cyber means amounts to a violation of international law (parts I and II). Then, in Part III, it considers the duties states shoulder to put an end to hostile cyber election interference, and closes with a brief survey of response options under international law available to states that are facing such interference.

Election Interference as a Violation of International Law

An internationally wrongful act consists of two elements [Articles on State Responsibility (ASR), art. 2]. First, the action or omission in question must be legally attributable to a state. Second, that act must breach an obligation owed in international law to another state. I will first briefly examine the attribution element, and then move on to the various substantive obligations that election interference might breach: the prohibition of intervention, and in Part II the duty to respect the sovereignty of other states and the obligation to respect human rights.

Attribution

Attribution in the legal sense must be distinguished from attribution in the technical sense of the word, although the latter forms the factual predicate for the former. Legally, the concept of attribution denotes those situations in which the conduct of humans is regarded as that of a state. The clearest basis for attributing a cyber operation that interferes with an election to a state is when it is conducted by an organ of that state (ASR, art. 4), as was the case of the Russian GRU’s 2016 US election interference. An entity may qualify as an organ of the state either by virtue of being designated as such in the state’s law or by operating in “complete dependence” on the state. The latter basis precludes the possibility of a state escaping responsibility for election interference by operating through an organization that lacks de jure organ status under domestic law but nevertheless engages in cyber activities for and at the direction of the state, in other words, acts as its organ de facto.

When non-State actors conduct cyber operations, the most likely basis for attribution is that they acted “on the instructions of, or under the direction or control of” of the state (ASR, art. 8). This would appear to be the legal basis for attribution of Internet Research Agency’s 2016 operations to Russia.

The terms instruction, direction and control are rather ambiguous. Some cases are clear, as when there is a contractual relationship between the state and a private company like a marketing agency or social media consultancy that is conducting the election interference, on the one hand (art. 8 criteria are met), or when “patriotic hackers” carry out the operations without any state involvement, on the other (art. 8 criteria are not met). Yet in many cases, assessing whether the relationship between the non-state actor and the state amounts to instructions, direction or control is not straightforward. This is not necessarily because of the lack of clarity in the operation of the attribution rules, but instead because of the lack of evidence of the nature of the relationship between the state and the non-state actor.

Absent attribution to a state, cyber election interference by non-state actors does not violate international law, although it may trigger positive obligations of prevention that are discussed below. And even when it is attributable to a state, the interference must breach an obligation owed to the state conducting the election before it qualifies as an internationally wrongful act. In that regard, discussion first turns to the prohibition of intervention.

Prohibition of Intervention

The rule of international law that has drawn the greatest attention with respect to foreign cyber election interference is the prohibition of intervention into the internal or external affairs of other states (see Tallinn Manual, Rule 66). Appearing in such instruments as the 1970 Friendly Relations Declaration, it is a well-accepted rule of international law, the applicability of which in cyberspace was confirmed by the 2015 UN GGE report that was subsequently endorsed by the General Assembly. Variants of the rule also appear in treaties such as the Charter of the Organization of American States, although caution is merited in applying those rules because their parameters may differ from the customary rule discussed below.

As understood in customary law, intervention consists of two elements famously set forth by the International Court of Justice in its Nicaragua judgment, both of which must be satisfied before a breach exists. First, the cyber operation in question must affect another state’s internal or external affairs, that is, its domaine réservé. Second, the cyber operation has to be coercive. States that have spoken to the issue are in accord as to these constitutive elements of the rule. For instance, the 2019 International Law Supplement to Australia’s International Cyber Engagement Strategy explains, paraphrasing the ICJ in Nicaragua, that: “A prohibited intervention is one that interferes by coercive means (in the sense that they effectively deprive another state of the ability to control, decide, or govern matters of an inherently sovereign nature), either directly or indirectly, in matters that a state is permitted by the principle of state sovereignty to decide freely” (see also, e.g., Australia, France, Netherlands, United Kingdom, United States here and here).

Within the domaine réservé, the field of activity left by international law to states to regulate, states enjoy discretion to make their own choices. Elections represent a paradigmatic example of a matter that is encompassed in the domaine réservé; in fact, the ICJ cited the “choice of political system” to illustrate the concept. That said, the increasing regulatory reach of international law is causing certain state activities to fall outside the domaine réservé, as exemplified by the expansion of international human rights law. Today, rights like the freedom of expression, the right to privacy, and the right to vote (discussed below) can be implicated by certain election-related activities. Thus, for example, a foreign state providing access to secure online communications to individuals whose right to political expression during an election is being impeded by the territorial state would not intrude into the latter’s domaine réservé. The operation might violate other obligations owed to the territorial state, but not the prohibition of intervention.

While foreign election interference usually will manifestly transgress the victim state’s domaine réservé, the application of the second element of prohibited intervention – coercion – to such interference is far more complicated. It also occupies center stage with respect to intervention, for, as the ICJ explained in Nicaragua, “The element of coercion… defines, and indeed forms the very essence of, prohibited intervention.”

Thus, cyber operations that are coercive have to be distinguished from those that are merely influential or persuasive. Noting that “[t]he precise definition of coercion, and thus of unauthorised intervention, has not yet fully crystallised in international law,” the Netherlands Ministry of Foreign Affairs has observed that “[i]n essence it means compelling a state to take a course of action (whether an act or an omission) that it would not otherwise voluntarily pursue. The goal of the intervention must be to effect change in the behaviour of the target state.”  The challenge is to identify the point at which permitted influence becomes prohibited coercion.

A useful way to approach the issue is to distinguish election-related cyber activities that affect the state’s ability to conduct an election from those that target voter attitudes. Foreign cyber activities that deprive a state of its ability to act vis-à-vis its domaine réservé are almost always coercive. They make it objectively impossible or substantially more difficult for the state to pursue a particular policy or activity, as when a cyber operation interferes with either the actions of state authorities administering an election or with the election infrastructure itself. The obvious example would be using cyber means to cause a miscount, which would be coercive because the real choice of the state, as reflected in the vote, is being repressed. This could be done by directly tampering with the vote count, disabling election machinery or causing it to malfunction, blocking e-voting, and the like.

Foreign states can also indirectly disrupt a state’s ability to conduct an election by engaging in activities directed at voters, for example by engineering voter suppression. Consider the use of social media to falsely report that a dangerous incident, like an active shooter situation, is on-going near voting locations and that people should stay out of the area. Reasonable individuals would follow those instructions, and thus not cast their vote. Or social media could be used to give improper instructions about voting, such as the wrong location, or block or alter correct information as to where to vote. An example was the posting of tweets in 2016 in both English and Spanish to the effect that individuals could vote for Hillary Clinton through text messaging. Those who followed the instructions did not cast their vote because it is not, in fact, possible to vote via text message in the United States. Another example would be the circulation of false information online regarding how and when to request, complete and mail-in absentee ballots. Election returns even could falsely be reported prior to the polls closing, causing voters to reasonably conclude that because their candidate has already effectively lost, there is no point in going to vote. In all of these cases, the target state’s ability to make free choices by means of its election has effectively been coerced, regardless of whether it could conclusively be shown that the outcome of the election was altered.

Of course, a rule of reason should apply. Operations that result in only a very limited number of voters voting improperly or not voting at all would be unlikely to qualify as coercive. Other issues such as the timing of an operation or whether the state had an opportunity to thwart it might also weigh in the assessment. But by and large, cyber operations intended to directly or indirectly affect the state’s ability to conduct an election by targeting either state-end electoral administration and infrastructure or the voters’ ability to properly cast a ballot are coercive in nature.

The more difficult case is that of cyber activities intended to influence the electorate’s attitudes towards a particular candidate or issue on the ballot. In these cases, information operations, although directed at voters, are being used as a means to achieve the goal of coercing the state. While no definitive standard exists for assessing such activities against the requirement of coercion, the assessment is necessarily one of degree.

Arguably, it is reasonable to characterize as coercive those cyber operations that deprive the electorate, or a substantial number of individual voters, of information bearing on the election. After all, having access to reliable information about candidates or issues would seem essential to ensuring the election is meaningful. Examples might be denial of service attacks against a campaign’s website or social media presence, or the targeting of media outlets that support a particular candidate.

A more difficult case is that in which information regarding candidates or issues is pushed to the electorate by a foreign state. This is a critical issue, for the greatest success in influencing elections has been achieved “by influencing the way voters think, rather than tampering with actual vote tallies.”

Traditional messaging setting forth a state’s position on a foreign election is not coercive, a conclusion supported by widespread state practice; it is designed to influence and persuade, not coerce. The unsettled question is whether there is some point at which the foreign state’s information campaign becomes coercive. Imagine, for instance, a foreign state investing sufficient resources in support of a candidate to overwhelm the opponent’s advertising, thereby allowing the former to dominate the traditional and social media information space. As it stands, the law is not sufficiently clear as to whether, and if so when, information operations can qualify as coercive.

Nevertheless, it might be possible to agree on certain non-exhaustive factors that likely would influence the characterization of a foreign information operation during an election as coercive or not. An operation’s scale and effects would seem to be highly relevant. There is precedent for looking to these factors in interpreting ill-defined thresholds. For example, the ICJ has pointed to  scale and effects when assessing whether a use of force rises to the level of an “armed attack”, and states (e.g., Australia) are increasingly using the approach with regard to the threshold for a cyber use of force. Scale and effects would consider factors such as how widespread the impact of the election interference is, how serious its effect on the election is, and perhaps even the nature and significance of the election in question (e.g., municipal versus national).

Another factor that might bear on the determination of whether an information campaign is coercive is the veracity of the information in question. At first glance, it would seem difficult to make the case that the release of truthful information can ever be coercive. After all, at least in theory, the better informed the electorate, the more it is able to participate meaningfully in the election.

But consider the scenario offered above where a foreign state dominates the information space. Or recall the 2016 Russian meddling, in which genuine but purloined material was released at a point in the election that did not afford the Clinton campaign an opportunity to effectively rebut and recover, thereby skewing voting. In that case, complicating matters was the fact that the truthful information was packaged in a layer of deception regarding the identity of those who acquired it and their affiliation with the Russian state. Had American voters known that the information, even if truthful, was being disseminated by Russia as part of an influence campaign, that knowledge might have caused them to evaluate it differently. Perhaps there should be a presumption that the dissemination of information that is both truthful and complete does not violate international law, but that presumption should be rebuttable in extreme cases.

It would seem easier to describe disinformation campaigns as coercive. The range of possible scenarios is limited only by one’s imagination. For instance, artificial intelligence could be used to create fake user profiles (profile pics, names, etc.) in huge numbers to create negative “buzz” about a candidate on social media. Or consider a deep fake in which a candidate purportedly admits to egregious criminal behavior. It is released just before election day when there is no time to counteract its effect, thereby altering the election result. Similarly, take the case of a cyber operation involving a fake website purporting to be that of an influential media outlet that puts out a story as the polls open claiming the candidate has admitted to the criminal activity. The story goes viral and the candidate loses.

Many other factors could come into play in determining whether to style a foreign information (including disinformation) campaign during an election as coercive. For instance, an operation designed to achieve a specific result, such as the election of a particular candidate favored by the foreign state, is probably more likely to be characterized as coercive than one intended merely to cause general electoral disruption in the target state, for instance by using social media to disseminate disinformation about all the key candidates. Similarly, an operation that exploits specific vulnerabilities in the target state, such as ethnic or religious divisions, presumably would be more likely to be seen to be coercive than one that is simply negative.