Russia, it would appear, “hacked” its way into the US election. The Obama administration has pledged some sort of response. That reaction should be guided by a close consideration of international law and two specific questions: What rules did Russia violate? And what lawful measures are available to respond?
The Assumed Facts
The facts are unsettled, and so for the purposes of this posting, I’m going to rely on Max Fisher’s summary in The New York Times: Russian security agencies hacked Democratic National Committee email servers in 2015 and 2016. They also penetrated the private email account of Hilary Clinton’s presidential campaign chair, John Podesta. Then, this past summer, “intermediaries linked to the Russian government” supplied emails to Wikileaks and a blog, Guccifer 2.0, which then released the emails, precipitating negative coverage of the Clinton campaign.
Russia’s motives remain unclear. But the CIA has reportedly concluded that the Russian campaign was aimed at supporting Donald Trump’s presidential bid. To date, there is no evidence suggesting that the voting process itself was manipulated.
The Starting Point: The Rules of State Responsibility
International law as it pertains to the Russian campaign hacking properly starts with the draft articles on state responsibility, widely regarded as an authoritative treatment of customary international law on matters relevant to this discussion. The starting premise is simple: A state is responsible for breaches of its international obligations, actually attributable to it under specific rules of attribution. Where it is responsible, the state must remedy it misconduct. That means ceasing its violations, and making full reparations for injuries.
Reparations come in different forms. Restitution – returning the situation to the status quo ante – is a preferred outcome, but not available in circumstances such as a hacked election. Compensation and satisfaction – an acknowledgement of the breach and apology – are available, in principle.
But no one should be holding their breath for Russian remedies. And so injured states – in this case, the US — are permitted to employ countermeasures against the responsible state to induce compliance with these remedy expectations. In exercising countermeasures, the injured state may suspend some international obligations toward the responsible state, but not all. For instance, countermeasures cannot include threat or use of force – the availability of those responses are governed by the UN Charter and jus ad bellum rules.
Moreover, countermeasures must be proportional to the injury suffered, and must be prefaced by certain procedural rules, such as notification to the responsible state. (For more on potential U.S. responses to Russian hacking, see Sean Watt’s post from October.)
Breach of an International Obligation
Given the assumed facts, has Russia violated an international obligation? If so, which ones? There are two obvious candidates, and both stem from the concept of sovereignty.
One ingredient of sovereignty is the principle of non-intervention. In Nicaragua v. United States, the International Court of Justice (ICJ) concluded that, at a minimum, the principle of non-intervention
“forbids all States or groups of States to intervene directly or indirectly in internal or external affairs of other States. A prohibited intervention must accordingly be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy.”
In the particular context of the Nicaragua case, the ICJ concluded that prohibited interventions included “methods of coercion,” even when these were short of use of force. Notably, coercion in this context likely means more than direct, physical compulsion. As one authority describes it, “[c]oercion in inter-State relations involves the government of one State compelling the government of another State to think or act in a certain way by applying various kinds of pressure, threats, intimidation or the use of force.” These strictures clearly implicate some forms of covert action. Thus, the influential Tallinn Manual on the International Law Applicable to Cyber Warfare suggests coercive interference could include manipulation of “elections or of public opinion on the eve of elections, as when online news services are altered in favour of a particular party, false news is spread, or the online services of one party are shut off” (at 45).
The Russian influence operation seems a plausible candidate for exceeding this threshold, depending on how broadly one construes the requirement of “coercion.”
More than this, there are other, more general strictures on the exercise of state power across borders. Famously, the Permanent Court of International Justice in the SS Lotus matter noted:
“the first and foremost restriction imposed by international law upon a State is that – failing the existence of a permissive rule to the contrary – it may not exercise its power in any form in the territory of another State.”
The exercise of state power is known as “enforcement jurisdiction”, and the prohibition on non-consensual extraterritorial enforcement jurisdiction remains a bedrock principle of international law:
“the legal regime applicable to extraterritorial enforcement is quite straightforward. Without the consent of the host State such conduct is absolutely unlawful because it violates that State’s right to respect for its territorial integrity.”
Violation of this standard would certainly extend to a state’s use of physical force on the territory of another state. What actions short of this conduct violate the prohibition on extraterritorial enforcement jurisdiction is less clear. For instance, the question of whether international law prohibits spying is unresolved.
And so was Russian hacking of email servers in the United States an improper exercise of enforcement jurisdiction? There is no real clarity on this issue. But in my view, a cyber intrusion that requires the manipulation of computers in a foreign state (through hacking or otherwise) does constitute an exercise of extraterritorial enforcement jurisdiction. This is not like remote sensing, involving passive sensors located outside the territory of the state. Instead, it involved the transmission of electrical impulses in a manner that changed (and did not simply observe) the physical status quo in a foreign computer system. While it seems that the physical intrusion was minimal, I am not aware of any authority demonstrating that the legality of enforcement jurisdiction depends on transcending some de minimis physical presence. Indeed, to the extent that the hacking violated law where it occurred (the US), this may increase the international legal gravity of the intrusion. (See discussion at p. 80 from my July article in the Virginia Law Review). This seems especially likely where, as here, some international treaties oblige states to prohibit cyber hacking. This is not, in other words, an idiosyncratic local U.S. law.)
In sum, the Russian “election hack” does engage plausible international law issues. But they are not necessarily of an open-shut nature, given the novelty of some of the technological means used. Since much international law stems from state conduct, how the United States and its allies fearing similar Russian influence operations respond may shape norms and future interpretations of the law in this burgeoning area of cyber espionage and intrusion.