Does Russia’s Election Meddling Break International Law?

US spies say Russia meddled in the US presidential election. However, the world’s top minds in cyber warfare aren’t sure if the act constitutes coercion by one state against another. That legal ambiguity is why weaponising stolen information is such a difficult tactic for the United States to counter.

Even the latest version of NATO’s guide to such questions can’t offer a definitive answer. Recently, the alliance’s Cooperative Cyber Defence Centre of Excellence, or CCD COE, released its much anticipated update to the Tallinn Manual, which bills itself as “the most comprehensive analysis of how existing international law applies to cyberspace.”

The manual’s first edition was published two years after Russia’s seminal distributed-denial-of-service attacks on Estonia in 2007. Compiled by 20 experts, it sought to outline the best thinking about what laws apply to states attacking each other over the internet.

Much has changed since then; most importantly, Russia executed a concerted effort to steal and publicise politicians’ email with the aim of influencing the US election. That’s what makes the recent update so important. It provides a roadmap for how states should respond to incidents like that in the future.

In terms of international law, the question is whether by stealing emails and releasing them through Wikileaks and other outlets Russia forced the United States to do something that the latter would not otherwise.

That would constitute meddling in the internal affairs of another state by means of “coercion”, i.e., in a way that prohibits the target from acting freely. It’s an idea that goes back to 1758 but that has taken on new relevance now.

To get a sense of how contentious the issue has become, check out the recent discussion of information warfare at Yale Law School. Right around the 21-minute mark, a small argument breaks out between a young law student and the expert panel over whether Russia coerced a particular election outcome. In reply, West Point’s Aaron Brantly argues that the DNC hack, and subsequent doxxing via Wikileaks, “was not coercion” because it lacked a threat of force.

“We may not like that. It sounds better to say it was coercion. But, in reality, we drank the Kool-Aid ourselves,” Brantly said. “It’s our responsibility as a civil society to process that information.”

Others note that there’s (as yet) no firm evidence that the data theft changed the election’s outcome, so it’s impossible to prove that the meddling caused the United States government or people to do something that they otherwise would not have done.

Bottom line: the degree to which the DNC hack constitutes an act of illegal coercion is a somewhat subjective matter. Even the experts who updated the manual could not come to a consensus.

“The counter view notes that there may have been an impact on the election and the fact that the impact is the result of the hacking differentiates it from mere propaganda or other means of exerting ‘influence’ (as distinct from intervention) by means of information,” said Michael Schmitt, the editor of the manual and a law professor at both the University of Exeter and the Naval War College. “The Russians are masters at playing the ‘gray area’ in the law, as they know that this will make it difficult to claim they are violating international law and justifying responses such as countermeasures.”  

Schmitt explained why that matters. If you could show that Russia’s influence on the election had been coercive then the United States would be legally justified in employing countermeasures that matched the offense, such disrupting the functioning of the Russian government in a way “that would be unlawful but for the fact that they are response to the unlawful activities of the target state and are designed to cause the target state to comply with the law.”

But if the attack was not coercive, then the only real response that the US can employ is something called “retorsion,” or what Schmitt calls unfriendly, but lawful, actions.

“The expulsion of the Russian diplomats and sanctions fall into this category. This is because neither the expulsion of foreign officials nor the imposition of economic sanctions is unlawful,” he said.

At some point, better exit polling and other metrics may allow governments to more effectively trace influence operations to specific effects. You might, for instance, be able to prove beyond reasonable doubt (or at least with high statistical confidence) that a Russian influence campaign did throw the election one way or the other. Until then, drawing a clear link between doxxed information and voter behavior will be next to, impossible, to conclude.

That’s why Russian influence campaigns like the one targeting the DNC will continue.

DefenseOne

Information Warfare isn’t just Russian – It’s also American as Apple Pie:

 

 

« Data Realities: 2017 & Beyond
Malware Traders Switch To Less Suspicious File Types »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Tanium

Tanium

Tanium is an endpoint security and systems management company.

Software Factory

Software Factory

Software Factory develops custom-built high-performance software solutions and products for applications including industrial cyber security.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Secret Double Octopus

Secret Double Octopus

Secret Double Octopus offers the world’s only keyless multi-shield authentication technology for users and things.

SolutionsPT

SolutionsPT

SolutionsPT enables customers to strengthen their Operational Technology (OT) network to meet the ever increasing demand for performance, availability, connectivity and security.

Securicon

Securicon

Securicon provides expert consulting for application, system and network security.

vdiscovery

vdiscovery

vdiscovery is a provider of proprietary and best-in-breed solutions in computer forensics, document review, and electronic discovery.

IT Career Switch

IT Career Switch

An IT Career Switch Traineeship is the easiest way to start a new career in IT or Cybersecurity with fantastic career prospects.

Attack Research

Attack Research

We go far beyond standard tools and scripted tests. Find out if your network or technology can stand real-world and dedicated attackers.

EBRAND Services

EBRAND Services

EBRAND, the European experts for brand protection on the Internet. We offer a full set of services including cybermonitoring, fighting counterfeiting offences and online security.

Templar Shield

Templar Shield

Templar Shield is a premier information security, risk and compliance technology professional services firm serving North America.

FourthRev

FourthRev

FourthRev is an education-technology start-up with a mission to solve the skills crisis of the Fourth Industrial Revolution.

N2K Networks

N2K Networks

N2K Networks is the world’s first “news to knowledge” network. The news to knowledge network is how you stay at the cutting edge in a rapidly changing world.

US Cyber Games

US Cyber Games

US Cyber Games is committed to inform and inspire the broader community on ways to develop tomorrow’s cybersecurity workforce.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.

PDQ

PDQ

PDQ helps IT professionals to manage and organize hardware, software, and configuration data for Windows- and Apple-based devices.