There are lots of important issues implicated by this morning’s above-the-fold story in the New York Times that U.S. officials and certain cybersecurity experts (e.g., CrowdStrike) have concluded Russian government agencies bear responsibility for hacking the Democratic National Committee’s servers and leaking internal e-mails stored on them to WikiLeaks (Russian responsibility for the hack itself was alleged more than a month ago). The domestic fall-out is already in evidence with the resignation of Debbie Wasserman Schultz and I’m sure we’ll see other impacts here in Philadelphia at this week’s Convention (although Senator Sanders so far is not using the event to walk back his endorsement of Hillary Clinton). U.S. national security officials are treating the news as a national security and counter-intelligence issue (as they absolutely should).
But what does international law have to say about a foreign government obtaining and leaking e-mails about another country’s on-going election processes? This is obviously not a case violating Article 2(4) since that only prohibits the “threat or use of force against the territorial integrity or political independence of any state” and there’s no force at work in the current distribution of data otherwise intended to remain confidential. But alongside the Charter’s prohibition on the use of force, customary international law has long recognized a ‘duty of non-intervention’ that applies to State behavior in cases falling short of the use of force. The question then becomes whether the duty applies to this case and if so to what end? For my part, I see at least three distinct sets of issues: (i) attribution; (ii) the duty’s scope; (iii) the relevance of international law more generally to cyber security incidents like this one.
1. Attribution — Did Russia do this? Attribution has both a factual and a legal element, both of which are at issue in the DNC case. Factually, there’s the question of who actually perpetrated these hacks — the hacker(s) named Guccifer 2.0 claims responsibility but cybersecurity investigators suggest two separate penetrations tied to two different Russian hacker groups, “Cozy Bear” and “Fancy Bear” (international lawyers take note of how much more fun cybersecurity officials have in naming stuff than we do). Making the factual case of who did what in hacks such as this is always difficult even as recent technological advancements have improved the ability to trace-back in certain cases. Just as importantly, however, there’s always the possibility of a ‘false flag’ where the true perpetrator goes to great lengths to make investigators think some other actor was responsible (i.e., planting evidence/code in a particular language or using coding patterns associated with a particular group of actors). Ironically, the potential for a false flag means that a State caught red-handed can always invoke plausible deniability and suggest that they are themselves a victim as some other, unknown super-sophisticated actor is trying to frame them. One can safely assume, for example, that Russia will make this argument in the DNC case. Indeed, even in cases that appear clear cut like Sony Pictures, there are still those who resist the FBI’s assertions of North Korean responsibility.
A second aspect of the attribution inquiry is a more legal one — namely, assuming the individual actors who perpetrated the hack can be identified, when can their actions be attributed to a State? This is not really at issue if the perpetrators are in a State’s direct employ (e.g. military officers or intelligence officials). But what happens if the perpetrators are nonstate actors? How much control would a State like Russia need to exercise over the DNC hack and later leak for it to bear responsibility? That question is one that different international fora have answered differently in different contexts (the ICJ’s Nicaragua case and ICTY’s Tadic case’s competing tests of effective versus overall control being the most famous examples). As such, it’s difficult to say at present what relationship a State must have with nonstate hackers or hacktivists to bear responsibility for what they do. That may not be a bad thing overall, as one can imagine how a clear line might incentivize States to proliferate behavior just short of crossing the line in lieu of being chilled from acting generally if the whole area is cast as a truly grey zone. That said, the ability to debate what international law requires in terms of the State-nonstate actor relationship complicates any application of the duty of non-intervention in individual cases.
2. Scope: What behavior violates the duty of non-intervention? Assuming that Russia was responsible (which I should be clear at this point is just an assumption), the next question is whether its hacking and leaking of DNC data violated the duty of non-intervention. Here again, international lawyers will encounter some uncertainty as the precise scope of the duty has never been fully resolved. To be clear, there’s widespread consensus that a duty of non-intervention is customary international law. The problems lie more in the duty’s contents. The most famous formulation is undoubtedly that put forth by the ICJ in the Nicaragua case (para. 205), prohibiting interventions
bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones. The element of coercion, which defines, and indeed forms the very essence of, prohibited intervention, is particularly obvious in the case of an intervention which uses force, either in the direct form of military action, or in the indirect form of support for subversive or terrorist armed activities within another State.
The ICJ’s take suggests that intervention requires methods of coercion, forcing the victim State to make different choices than it might were it free of coercive interference. This pairs with key parts of the earlier 1970 UN General Assembly Declaration on Friendly Relations Among States:
No State or group of States has the right to intervene, directly or indirectly, for any reason whatever, in the internal or external affairs of any other State. Consequently, armed intervention and all other forms of interference or attempted threats against the personality of the State or against its political, economic and cultural elements, are in violation of international law.
No State may use or encourage the use of economic, political or any other type of measures to coerce another State in order to obtain from it the subordination of the exercise of its sovereign rights and to secure from it advantages of any kind. Also, no State shall organize, assist, foment, finance, incite or tolerate subversive, terrorist or armed activities directed towards the violent overthrow of the regime of another State, or interfere in civil strife in another State.
Thus, much of the debate over the duty of non-intervention has focused on identifying which coercive measures below the use of force threshold are covered by the prohibition. But, looking at the DNC hack, there’s little evidence that Russia is trying to coerce any particular result. Indeed, it’s not even clear that the goal of the hack was to support Trump’s candidacy. The operation could have other purposes; for example, I’ve seen suggestions that it might have been a response to Russian presumptions that the United States bears responsibility for the Panama Papers, a data breach that caused some discomfort to Putin’s administration. Given this, might we not simply write this hack off as a particularly visible form of espionage? Is this case equivalent, for example, to the OPM hack? That hack, while clearly contrary to U.S. national security interests, was not terribly susceptible to claims of an international law violation given international law’s longstanding, complicated relationship with surveillance (for more see Ashley Deeks’s recent article).
I’m not so sure, however, that the duty of non-intervention can be dismissed so quickly. For starters, the hackers did not just take the data and use it to inform their own policies or behavior. They also leaked it, and did so in a way where the timing clearly sought to maximize attention (and corresponding impacts) on the U.S. domestic political campaign process. Perhaps we need to separate out this incident into two parts — the espionage (i.e., the hack itself) and the interference in the U.S. campaign using the fruits of that espionage. Doing so suggests the leaking might be the problematic act under a less quoted paragraph of the 1970 U.N. General Assembly Declaration’s description of the duty of non-intervention:
Every State has an inalienable right to choose its political, economic, social and cultural systems, without interference in any form by another State.
Interference in ‘any form’ is clearly a broader formulation than coercive acts, suggesting that actions designed to impact public support for not just a particular candidate, but an entire “political” party, could implicate the duty of non-intervention here. That said, there are others who’ve been thinking much more carefully on the question of non-intervention and cyberspace than I have. Later this year, for example, we should be able to read the fruits of Tallinn 2.0, the much-anticipated follow-up to the Tallinn Manual and its take on international law applicable to cyberwar. Tallinn 2.0 will offer the views of an independent group of experts on how international law regulates cyberspace outside of the use of force and jus in bello contexts, including the duty of non-intervention. I imagine I’m not alone in wanting to know whether and how its contents will speak to the current DNC crisis.
3. Remedies: Does International Law Really Matter Here? Talking about this case in the last 24 hours, I’ve had a couple of non-lawyer friends express skepticism over international law’s relevance to the DNC hack. Given our age, my friends hearken back to the Cold War, suggesting that Russia can and will ignore international law with impunity here (one of the more sanguine among them also pointed out that the United States has its own history of interfering in foreign elections, a point Jack Goldsmith made earlier today at Lawfare). And, to be sure, there’s some merit to this critique. After all, Russia’s Security Council veto ensures the inability of that body to respond to these events in any way. And U.S. resistance to the jurisdiction of international courts and tribunals precludes any real chance that a third party would review the case.
Still, I think it’s important to raise the international legal issues for at least three reasons. First, and perhaps most obviously, international law does provide self-help remedies in cases of state responsibility, including retorsion (otherwise legal acts done in response to unlawful behavior) and counter-measures (behavior that would otherwise be unlawful but for the fact that it is itself in response to unlawful behavior). Thus, if Russia was responsible for the DNC hack and that hack did violate the duty of non-intervention, it would free the United States to engage in counter-measures vis-a-vis Russia that would otherwise be unlawful. Time and space preclude me from surveying all the various counter-measure options that the United States might have, although I’d note there’s an interesting ancillary question of whether international law might limit the U.S. from pursuing certain counter-measures — such as interfering in Russia’s own domestic political process — if doing so is analogous to humanitarian obligations, which are non-derogable (i.e., you cannot violate the human rights of another State’s nationals just because they violated your nationals’ human rights). I’d welcome reader thoughts on such limits as well as a more open discussion of the types of counter-measures that might be legally available in this case or any collective measures that could be in play.
Second, there’s the question of what happens if international law is not invoked or applied to this case? To the extent state practice can involve acts and omissions, might silence suggest that this sort of behavior (hacking and releasing political parties’ internal communications) is perceived as lawful (or at least not internationally wrongful)? In other words, how States react to this case will have follow-on effects on future expectations of responsible State behavior, leading to new norms of behavior in cybersecurity. This is a topic on which I’ve been spending A LOT of time lately with a forthcoming article in the American Journal of International Law that I’ve co-authored with Martha Finnemore (we’ve not posted it yet, but interested readers should e-mail me if they’d like to see a draft).
Finally, there’s an academic reason to undertake this analysis. In recent years, scholars have debated and emphasized ways to shrink the duty of non-intervention, under the banner of things like human rights (unseating the old assumption that international law did not care what a State did vis-a-vis its own citizens in its own territory) or humanitarian intervention (the idea that responding to a State’s failure to protect those within its borders is more important than the duty of other States to stay out of domestic jurisdiction matters). I wonder if these arguments are relevant to the current controversy? Have they inadvertently created space for additional exceptions or otherwise shifted the scope and reach of any duty of non-intervention? I might be wrong to worry about any such link, but I do think the issue warrants further study.
Thus, I think this is an important case that bears close attention. I’d like to see how the United States responds publicly, if at all, to the allegations, not to mention how other States or actors view the behavior in question. For international lawyers, moreover, I’d hope to see further discussions of how to attribute responsibility in cyber security incidents as well as more detailed analyses of how the duty of non-intervention applies in cyberspace than we have had to date. To that end, I’d welcome reader thoughts and comments. What have I got wrong? What am I missing?