Earlier this month, WikiLeaks released nearly 20,000 e-mails belonging to Democratic National Committee’s top officials, where Senator Bernie Sanders was humiliated and criticized. These e-mails strengthened Sanders supporters’ charge that the Democratic Party favored Secretary Hillary Clinton. Robby Mook, campaign chief for Clinton suggested that Russia is behind the hack “for the purpose of helping Donald Trump.” Many other cybersecurity experts pointed the finger at Russia (here, here, and here). This is not the first time that sensitive e-mails become public with the leakers intent to intervene in certain political affairs.
Almost two weeks ago, WikiLeaks published as many as 300,000 e-mails belonging to Turkish President Recep Tayyip Erdogan‘s AKP political party following the failed coup attempt in the country. At this point it is impossible to overstate how massive digital information has become a foreign policy tool and at times, a weapon. However, it is still a relatively unprecedented case of “the use of these [cyber] tools for covert political influence against the United States during a presidential general election.” The question, then, is how should the international community view these types of leaks, aimed at steering a political situation in a certain direction? Surely, such leaks could constitute a prohibited intervention by a foreign power, but as this piece demonstrates, cyberspace exacerbates certain difficulties with the norm of non-intervention. The answer, therefore, ought to depend not only on the content of the information leaked, but also on the intent (is the perpetrator seeking to undermine a political system?) and intrusiveness (is it a phishing attack or simply information that was discovered by online research?) of the cyber operation in question.
Prohibited Intervention or Access to Information?
The principle of non-intervention in the affairs of sovereign states is a longstanding, bedrock principle of public international law. The main weakness of the principle is that it lacks specificity, especially when it comes to its applicability to cyberspace. The General Assembly Declaration on Friendly Relations provides that “No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State.” Even the UN Charter clarifies that nothing contained within it “shall authorize the United Nations to intervene in matters which are essentially within the domestic jurisdiction of any states”. The International Court of Justice (ICJ) in the case of Nicaragua provided that “Intervention is wrongful when it uses methods of coercion” against a legitimate State choice of “a political, economic, social and cultural system, and the formulation of foreign policy.” However, the ICJ mainly envisioned direct military force or certain support for armed activities within a State.
In an effort to clarify non-intervention in the digital context, last year’s Report of the U.N. Group of Governmental Experts has reaffirmed that the principle of non-intervention applies to cyberspace and information technologies, and as such it was incorporated as part of the rules of responsible behavior in cyberspace. In addition, Russia, China and four other States have gone further by drafting and signing an additional non-binding “international code of conduct for information security”, in which they pledged “not to use information… to interfere in the affairs of other States or with the aim of undermining the political, economic, and social stability.”
As much as the principle of non-intervention is a fundamental part of international law, it does not necessarily apply to cyberspace in the way that it applies to the physical world, particularly because information is widely available and cyberspace transcends political borders.
The digital era allows massive amounts of information to flow freely across international borders, and it is nearly impossible to prevent publicly available information from reaching all corners of the interconnected world. Even protecting data is not foolproof, as hackers may use phishing attacks to trick users, or brute force to try to break the encryption system. The assumption should be that in the age of WikiLeaks, most information is vulnerable and may leak if certain actors are after it. In addition, cyberspace enables the access to a raw volume of information that would be unattainable in the physical world (5.6 million fingerprints, 11.5 million financial documents).
These facts call for an approach for non-intervention – not only the examination of the content of the information (although the content is important, it should not be the primary factor), but the intent behind it, as well as the intrusiveness of the cyber operation.
The main difficulty with the norm of non-intervention lies in the fact that the publication of certain information is essential and important for human rights or humanitarian purposes, as well as governance. What matters, therefore, is the context in which such disclosures take place. For example, we want to encourage information regarding torture practices in an armed conflict to become public for the sake of protection of human rights. At the same time, we should not tolerate foreign actors who use intrusive cyber operations to gain access to information to disrupt an ongoing political process. Distinguishing between the two cases may be difficult at times, but the identity of the actors involved, the timing, context, and even the type of operation employed, can all tip the scales in the right direction, although some cases in the future may pose a great difficulty in applying the norm of non-intervention, and states will need to clarify the boundaries
“Intervention 2.0” is how I refer to the determination of whether a State used cyberspace to illegally intervene in the affairs of another State should rely on intent and intrusiveness for the purpose of distinguishing legitimate information disclosure practices from illegitimate ones. Cyberspace changes the way we treat, consume, and create information, and as such intervention should be reevaluated. Russia, in that case, would be an actor susceptible of hostile intent, who forcefully intruded into the DNC information systems, with the purpose of leaking private e-mails.
More Leaks Ahead
The practice of leaking data will continue, particularly because the gains are overwhelmingly higher than the stakes. International law does not explicitly prohibit the use of cyber operations to gain access to information, but it may prohibit such activities if they amount to prohibited intervention, use of force, or violation of international human rights. There are certain steps that the US, along with the international community, need to undertake to create a norm prohibiting cyber intrusions for the purposes of leaking information.
First, the US must unequivocally declare that such leaks are harmful, unwanted, and unfriendly. By doing so, it will slowly create a customary norm that will prohibit such practices in the future. State practice is one of the factors to determine whether a customary international law norm exists or not, and currently, there simply is not enough State practice to make a clear determination on the matter. Therefore, being decisive on these types of hacks is essential to prevent future hacks, but this may be a hurdle due to the American involvement in cyber espionage on other nation states
Second, the norm of non-intervention should be more specific with regard to cyberspace. As I mentioned earlier, the norm of non-intervention lacks the specificity to become operational. Given that, we need to think about what this norm entails in cyberspace. Its tenets in the cyber context should be comprised mainly of intent (i.e., did the State in question leak the information with the main purpose of intervening in the domestic affairs of the victim state?) and intrusiveness (i.e., the technical and strategic effort put in the cyber operation). In other words, disclosing publicly available information would not be intrusive enough to be covered by the norm of non-intervention. Cyber operations that use methods of phishing, brute force, and cooperative insiders, however, should be treated as intrusive acts that violate the principle.
The difference between these two courses of action is that the first creates a new norm entirely, prohibiting cyber operations with the purpose of leaking sensitive information, while the second clarifies an existing norm, and provides a more general principle prohibiting intervention. They may both apply to the same situation, or separately in different scenarios.
“DNC hack is a tiny tip of iceberg of possible electoral disruptions via cyber”, according to Jack Goldsmith, and this is probably true, especially since WikiLeaks founder, Julian Assange, already made clear that there is “a lot more material” coming up concerning US presidential elections. Reacting to the DNC hack should be a national interest since cyber operations are about to become more sophisticated and more challenging to respond to should there be no decisive and determined response. For example, unauthentic information (e.g., fake e-mails) may be “leaked” in the future (Jack Goldsmith pointed out this difficulty in his recent Lawfare contribution), and elections may be affected by cyber-attacks manipulating the process and the results (as Bruce Schneier has suggested). The response to the DNC hack should take place now, before a more catastrophic scenario unfolds in the near future.