Foreign Cyber Interference in Elections: An International Law Primer, Part III

Parts I and II of this series examined cyber election interference as an internationally wrongful act, looking at the two elements of attribution and breach, and in particular at the three sets of primary rules that election interference operations can violate: the prohibition of intervention, the obligation to respect sovereignty, and the duty to respect human rights. Now, in Part III, I will examine the positive obligations implicated by election interference cyber operations, and then look at the response options available to victim states.

Obligation of Due Diligence

The ICJ acknowledged a so-called “due diligence” obligation of states to control activities occurring on their territories in its first case, Corfu Channel. In that 1949 judgment, the Court observed that a state has a duty to not “allow knowingly its territory to be used for acts contrary to the rights of other states.” The Tallinn Manual 2.0 experts concluded that there was no reason to exclude the rule’s application in the cyber context (Rules 6-7); a number of states have come to the same conclusion (see, e.g., Brazil, Estonia, Finland, France, Korea, Netherlands, but see Argentina). However, unable to achieve unanimity on its status as a binding rule of international law in the cyber context, the UN GGE adopted it in its 2013 and 2015 reports as (at the least) a voluntary non-binding norm of responsible state behavior in cyberspace.

Accordingly, whether a state must, as a matter of international law, take action to stop election interference by third states or non-state actors that is being conducted from, or by otherwise using (as in the case of hosting leaked data on a server in a third state or taking remote control of cyber infrastructure from which to mount hostile operations), its territory remains unsettled. Even if so, the Tallinn Manual 2.0 experts cautioned that the due diligence obligation is quite limited in reach. Although the rule applies to hostile cyber operations by both state and non-state actors, the obligation only attaches when the operations are ongoing or imminent (in the sense of a material step having been taken). Additionally, they must affect an international legal right of the affected state, as well as cause “serious adverse consequences,” and the territorial state has to know of the operations in question. In these circumstances, the territorial state will still only be in breach of the obligation if it was feasible to put an end to the operations and it did not do so. Importantly, there is no obligation to look to other states, including the victim state, for assistance, although the territorial state is free to do so.

These limitations loom large in an election interference scenario. Most significantly, the remotely conducted election interference would have to implicate a right of the victim state. The myriad fault lines outlined above in the relevant primary rules would directly affect whether the obligation applies. For instance, a state claiming a due diligence breach on the basis that the election interference implicates the rule of non-intervention would face the uncertainty surrounding the threshold for coercion.

However, there is one significant benefit to the rule of due diligence in the election interference context. In a situation in which a state cannot adequately attribute remote election interference in fact or law to the state from whose territory it is being conducted, it may nevertheless be able to claim a breach of due diligence on the part of that state. The failure of the territorial state to put an end to the election interference then would open the door to countermeasures (see below) that could take the form of cyber operations directed against the source of the interference (see explanation here).

Obligations to Protect Human Rights

In addition to the duty to respect human rights, states shoulder an obligation to protect (secure, ensure) the human rights of individuals on their territory, a principle captured in ICCPR (art. 2(1)), and other human rights instruments such as the ECHR. As explained by the Human Rights Committee, “the positive obligations on States Parties to ensure Covenant rights will only be fully discharged if individuals are protected by the State, not just against violations of Covenant rights by its agents, but also against acts committed by private persons or entities that would impair the enjoyment of Covenant rights.” Thus, if harmful cyber interference by another state or a non-state actor is likely to impede, or is impeding, the exercise of protected rights related to the election, the state in which the election is taking place must take those measures at its disposal to prevent or end the interference.

It must be emphasized that unlike the due diligence obligation under general international law, which only applies to ongoing or imminent activities, the human rights obligation to protect requires a state to take reasonable preventive measures in anticipation of remotely conducted election interference that would place protected rights at risk. Moreover, the protective obligation undoubtedly applies because the inability to exercise or enjoy the right in question occurs on the territory of the state conducting the election. It is unclear, however, whether such a protective obligation would extend to individuals located outside the state’s territory, such that state A would have a human rights duty to protect elections in state B if A’s territory was being used to mount cyber operations against B.

Like due diligence, the obligation is a duty of conduct, not of result. States need only take those actions that are within their capabilities in the attendant circumstances. Factors bearing on feasibility range from cost to technical wherewithal.

Response Options

States facing remotely conducted foreign cyber election interference have a number of response options at their disposal. Internally, they may take a variety of measures under their domestic law to protect the integrity of their elections. Such measures, which may, for example, involve the regulation of social media platforms and restrictions on speech that contains electoral disinformation, have to comply with the requirements of international human rights law cited above. These are regulatory questions of great complexity that will not be addressed here further.

Internationally, states may bring the matter before various dispute resolution fora, such as the ICJ or the European Court of Human Rights, or they may do so before political bodies like the UN Security Council. The Council could even authorize measures under Chapter VII of UN Charter to terminate the operations should it find the election interference to constitute a “threat to the peace.” However, a number of self-help measures are also available under international law to victim states.

The option elected by the United States when targeted by Russian election of interference in 2016 was retorsion. Retorsion is an act that, albeit unfriendly, does not violate international law. For instance, the Obama administration imposed sanctions, expelled “diplomatic” personnel and closed Russian facilities in response to Russia’s election meddling. Because retorsion involves acts that are not prohibited by international law, a state may engage in it without having to establish that the underlying activities are violating its international legal rights. This may be why the Obama administration elected that course of action.

If the remotely conducted election interference violates international law, the “injured state” may also take countermeasures (ASR, art. 22,  Tallinn Manual, Rules 20-25). The difference between retorsion and a countermeasure is that the latter is an act (action or omission) that would be unlawful but for the fact that it is undertaken to compel the offending state (“responsible state”) to desist and/or to secure any reparations that might be due for injury suffered (ASR, art. 49). For reasons such as the risk of escalation, some nervousness surrounds the political endorsement of the applicability of countermeasures in the cyber context. Nevertheless,  many states have explicitly confirmed their availability in response to unlawful cyber operations (see, e.g., Australia, Estonia, France, Netherlands, United Kingdom, United States).

In this regard, countermeasures are typically thought of as a “hack backs.” For instance, the injured state could conduct cyber operations to disable the cyber infrastructure being used by the responsible state to conduct the election interference, an act that otherwise might amount to a breach of the responsible state’s sovereignty. However, countermeasures may also be directed at cyber infrastructure other than that involved in the hostile operation; indeed, the countermeasure need not even be cyber in nature so long as it is designed to put an end to the unlawful cyber activity affecting the election or to secure reparations based on that interference.

It should be emphasized that countermeasures are subject to a number of conditions and limitations, such as a requirement of proportionality. Perhaps most significantly, they are only available in response to election interference that violates international law (or a failure to exercise due diligence); if either the element of attribution or breach is missing, the response cannot qualify as a countermeasure and the action remains unlawful.

Finally, a state that is facing a “grave and imminent peril” to one of its “essential interests,” irrespective of the source and regardless of whether the peril is the result of an international law violation, may take otherwise unlawful action to put an end to the threat so long as the measures it takes are the only means of doing so and the action does not affect the essential interests of any other state (ASR, art. 25) This so-called “plea of necessity” is a measure limited to exceptional circumstances (Tallinn Manual 2.0, Rule 26).

The conduct of elections is clearly an essential interest in a democracy. Therefore, the determinative question with respect to a particular instance of election interference will usually be whether the consequences are serious enough to merit characterization as “grave.” Unfortunately, international law provides no bright line threshold of requisite gravity. But if the peril is grave, an otherwise unlawful action in response to the election interference is permissible.

Concluding Thoughts

It’s complicated, to say the least. There are some foreign election-related activities that are clearly unlawful, as when organs of a state conduct cyber operations that affect the ability of the target state to execute the election. Yet, beyond the few unequivocally wrongful cases, multiple fault lines in the international law governing cyber activities will hinder definitive characterization of a particular act of election interference as unlawful. These range from questions of fact and evidence to the unsettled issues surrounding the existence and interpretation of the primary rules. Such issues bleed over into the availability of response options. It is clear that this fog of law demands continued action by states to clarify the rules (see Hollis Report), for until that occurs, states will struggle to determine how to characterize election interference and respond effectively to it.