Former Secretary of Homeland Security Jeh Johnson testified Wednesday before the House Intelligence Committee as part of the House investigation into Russian interference in the 2016 election. Much of the hearing focused on Johnson’s decision, announced on January 6, to designate election infrastructure as “critical infrastructure.” Both Rep. Mike Conaway (R-TX) and Rep. Joaquin Castro (D-TX) questioned whether that designation includes political parties, and Johnson repeatedly clarified that it does not.
It might seem obvious that political parties and campaigns should be covered as critical infrastructure. After all, it was the hack of the Democratic National Committee (DNC) that started the Russian hacking scandal. But the question of whether to include political parties and related entities as critical infrastructure is tied into the broader, ongoing debate about how to treat information operations designed to influence democratic elections. That’s a harder question than simply whether political entities are critical infrastructure or not.
When asked why designating election infrastructure as critical infrastructure was important, Johnson gave three reasons. He explained first that “critical infrastructure receives a priority in terms of the assistance [DHS] give[s] on cybersecurity,” and second that communications between critical infrastructure and DHS receive “a certain level of . . . confidentiality.” Johnson’s third reason goes to the international implications of the designation. He explained, “[W]hen you’re part of critical infrastructure, you get the protection of the international cyber norms. Thou shalt not attack critical infrastructure in another country.”
Johnson is right to emphasize that the designation isn’t purely a domestic issue, but rather one with international implications. As I argued last summer, specifying what counts as critical infrastructure is an important step toward adding substance to the broad peacetime norm against attacking critical infrastructure that the United States, Russia, China, and other members of the U.N. Group of Governmental Experts (GGE) agreed to in 2015. Announcing that the United States considers election infrastructure to be critical infrastructure is a way of telling foreign governments to back off, making clear that the United States will consider interference with election infrastructure to be a violation of the norm that could bring political or possibly legal consequences.
Given this implication of designating infrastructure as “critical,” designating political parties and campaigns as critical infrastructure has some intuitive appeal. Political parties and campaigns have been the victims of hacks that then facilitate influence operations. And this has happened not just in the United States, but also in France. On the eve of the French presidential election, now-President Emmanuel Macron’s campaign suffered a massive hack, resulting in the release of actual and fraudulently altered campaign documents in the days immediately preceding the vote.
However, designating political parties and campaigns as critical infrastructure might not protect against these kinds of information operations. (To be clear, I’m talking here about protection in theory, not protection in fact—that is, whether the norm’s protection extends, not whether the existence of the norm will restrain state behavior.)
The 2015 U.N. GGE Report sets out the critical infrastructure norm as follows:
A State should not conduct or knowingly support [information and communications technologies] activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public. (para. 13(f)).
Even if political parties and campaigns were to count as critical infrastructure, it’s not clear that the theft and subsequent strategic release of their information would violate the norm. Whether it would depends in part on the definitions of “damages” and “impairs the use.” In a colloquial sense, it might be said that the theft and release of information “damaged” the DNC, but that’s not how damage is defined in other cybersecurity-related contexts. The Computer Fraud and Abuse Act, for example, defines damage as “any impairment to the integrity or availability of data, a program, a system, or information” (18 U.S.C. § 1030(e)(8))—not an impairment to confidentiality. Does theft and release of information “impair . . . the use” of political parties? Maybe, but in a more attenuated way than, for example, a distributed denial of service attack impairs use.
Moreover, the norm prohibits actions that are “contrary to” a state’s “obligations under international law.” This requirement does provide a potential way to distinguish cyber operations against political parties or campaigns that are designed for espionage, rather than for use in influencing election outcomes. Espionage is not traditionally understood to violate international law, so even if political parties are critical infrastructure and even if theft of information is understood to damage them, espionage against political parties wouldn’t be caught by the norm. That raises the question, though, of how states are going to view cyber-enabled influence operations: do they or do they not violate a state’s international law obligations, such as the principle of non-intervention? As Ryan Goodman explained, the Obama Administration appears to have carefully avoided accusing Russia of violating international law.
Designating political parties and campaigns as critical infrastructure may be useful for the first two reasons Johnson listed for designating election infrastructure, namely ensuring prioritized assistance from DHS and guaranteeing confidentiality in communications with DHS. But more than just a critical infrastructure designation would be needed to put cyber-enabled influence operations against political parties and campaigns under the prohibition of the international norm against attacking critical infrastructure.
Image: Getty/Allison Shelley