Hacking the Election

Written by Ram Sachs

The U.S. Intelligence Community has formally announced that the Russian Government was behind the cyberattack on the Democratic National Committee (DNC) servers[1] – but now what? With this attribution, does the United States have any rights to respond under international law?

The challenge, of course, is that this incident exists on the frontier of international law, with no obvious legal framework.[2] In this post, I’ll parse two potential sources to back a U.S. response: the United Nations Charter, and a Shanghai Cooperation Organization (SCO) voluntary code of conduct. Invoking the U.N. Charter would identify a violation of international law, and the right to self-defense. A less-appealing alternative, the SCO code of conduct, would provide political cover for a proportional response, but without the force of binding international law. Unfortunately, both sources fall short: First, the U.N. Charter’s conception of “use of force” has limited application to this case. Unless another treaty can be found, Russia likely did not violate international law, and the U.S. cannot invoke the Article 51 right to self-defense. Second, while the SCO code of conduct likely covers this hack, citing the code could set a dangerous precedent. The U.S., currently a non-signatory, could be seen as giving tacit approval for restricting internet freedom.

The UN Charter: A document ill-adapted to the DNC hack

Citing the U.N. Charter would be the most straightforward path for establishing the legal right of response. Article 2(4) directs member states to “refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state.”[3] Article 51 provides an exception, preserving the “inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations.”[4] Taken as a whole with other provisions of the charter, and records of preliminary deliberation, these provisions reference military force or other physical violence.[5] Coercion or interference typically falls outside this context.[6]

In the case of the DNC hack, Russia’s apparent intention to influence and spy, rather than destroy, undercuts a “use of force” argument. Even at first glance, it’s hard to compare the provisions’ traditional conception – of German Panzers dashing across borders – with the silent prying into computer servers. Russia’s hack was an information-gathering and dissemination exercise that did not disable the DNC’s operations, or cause any direct, physical harm. Walter Sharp compares such hacks to “military intelligence flights, [which] may be deliberate and unlawful intrusions, but are not necessarily a use of force.”[7] Observers may note that Russia often attempts to ‘weaponize’ information, but this phrasing borrows a forceful verb to describe what is ultimately a non-violent attempt to sway an election.[8]

Some scholars have also recognized “critical national infrastructure” as deserving protection under international law – but it’s unlikely the DNC servers would fall under this umbrella.[9] The DNC’s servers were important for the support and promotion of the Democratic Party, but were not directly linked to the administration of the election or the counting of ballots. As such, the repercussions are limited to reputational issues, rather than day-to-day operations of the electoral process. Even these broader interpretations of the U.N. Charter are unlikely to identify a Russian violation of international law, or give legal cover for an American response to this hack.

The problematic implications of the Shanghai Cooperation Organization code of conduct

If Russia has not violated international law under the U.N. Charter, an alternative path forward relies on the Shanghai Cooperation Organization code of conduct. Russia and the other states constituting the SCO[10] have taken an expansive tack on regulating information flows. In a 2015 revision, SCO nations agreed to a voluntary code of conduct whereby states promise not to “use information and communications technology to . . . interfere in the internal affairs of other States,” or “undermin[e] . . . political, economic, and social stability.”[11] SCO members have typically cited maintaining political stability as justification to repress online dissent. However, if applied to the DNC hack, this language could actually confer protections upon the United States’s democratic infrastructure. Based on the intelligence community’s assertions that Russia intended to influence U.S. elections, the DNC hack falls under the proscribed activities in the SCO’s code of conduct. Russia could be publically shamed for violating its own norms, and the U.S. could take advantage of political cover for a proportional response.

The second-order effects of citing the SCO document, though, should give the Administration pause. Any moves affirming the SCO code could be seen as tacit U.S. approval for restricting essential rights online. U.S. initiatives that support political reform in former Soviet states, and have an internet component, could conflict with SCO language. Beyond the merits of citing the SCO agreement, there is also an issue of applicability at play: The United States is not a signatory to the Code of Conduct, though the text notes it is open to all states.[12]

In sum, the DNC hack reveals that current international accords have not evolved to manage current cyber threats. For an asymmetric hack that serves to influence, rather than destroy or occupy physical territory, it’s hard to draw on the protections of the U.N. Charter. Embracing the Shanghai Cooperation Organization language, which appealingly covers exactly this type of political interference, may set a problematic precedent against America’s human rights agenda.

The U.S. cannot clearly cite international law in its response, but it is worth considering an alternative scenario. Washington could push for a new accord that specifically protects elections infrastructure, including political parties, from hacks intending to sway public opinion. This agreement would certainly constrain American behavior. But, given the vulnerability of U.S. civil society and the public to a well-timed election revelation, the trade-off may be worth the price.

Ram Sachs is a 1L at Yale Law School. This piece is inspired by the “Hacking the Election” Conference, sponsored by the Information Society Project and Center for Global Legal Challenges.


 

[1] Joint Statement from the Department Of Homeland Security and Office of the Director of National Intelligence on Election Security, (October 7, 2016), https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national (last visited October 20, 2016).

[2] Oona Hathaway, Rebecca Crootof, et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 859 (2012).

[3] U.N. Charter art. 2 ¶ 4 (emphasis added).

[4] U.N. Charter art. 51 (emphasis added).

[5] Matthew C. Waxman, Cyber-Attacks and the Use of Force: Back to the Future of Article 2(4), 36 Yale J. Int’l L. 421, 428 (2011).

[6] Id. at 429.

[7] Walter Gary Sharp, Sr., Cyberspace and the Use of Force 126 (1999).

[8] See Helle C. Dale, Russia’s “Weaponization” of Information, Heritage Foundation (April 15, 2015), http://www.heritage.org/research/reports/2015/04/russias-weaponization-of-information; Peter Pomerantsev & Michael Weiss, The Menace of Unreality: How the Kremlin Weaponizes Information, Culture and Money, Institute of Modern Russia, http://www.interpretermag.com/wp-content/uploads/2014/11/The_Menace_of_Unreality_Final.pdf; Molly McKitterick, Russian Propaganda: The Weaponization of Information, VOA News (Nov. 3, 2015, 9:45 PM), http://www.voanews.com/a/russian-propaganda-weaponization-information/3036087.html

[9] Eric Jensen, Computer Attacks on Critical National Infrastructure, 38 Stan. J. Int’l L. 207, 209 (2002)

[10] Signatories include Russia, China, Kazakhstan, Kyrgyzstan, Tajikistan, and Uzbekistan

[11] Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, U.N. Doc. A/69/723, art. 2 ¶ 3, 5.

[12] Letter dated 9 January 2015 from the Permanent Representatives of China, Kazakhstan, Kyrgyzstan, the Russian Federation, Tajikistan and Uzbekistan to the United Nations addressed to the Secretary-General, U.N. Doc. A/69/723, art. 1.

2 Comments
  1. Even if maintained that the attack was “use of force”, the response under IL can only be countermeasures UNLESS the attack amounted to an “armed attack”, and only then the response can be self-defence under Article 51.

Leave a Reply

Your email address will not be published. Required fields are marked *