Scenario 01: Election interference

In the run up to a major election in State A, a series of cyber incidents traceable to State B occur. The incidents influence, to a varying degree, the electoral campaign, the administration of the elections, as well as the election results. Analysis in this scenario considers whether any of the specific incidents may constitute violations of several rules of international law, including the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.

Keywords
Election interference, hybrid threats, sovereignty, prohibition of intervention, peacetime cyber espionage

Facts
State A has a major election (parliamentary or presidential) coming up.

In the weeks prior to the election, a series of incidents takes place, including:


 * 1) An upsurge in the publication of unverifiable information on specific candidates, particularly in media outlets known for the dissemination of “alternative facts” and for promoting views close to those held by the regime in State B. Social networks get busy with discussions on candidates’ profiles, with posts often coming from accounts that have either been recently established or cannot be verifiably linked to a real person.
 * 2) A trove of emails purportedly coming from a candidate’s campaign team is leaked on the internet.
 * 3) Advertisements compromising the candidate’s credibility are published in print and online media while the entity who paid for them is either clearly artificial or known to support an electoral opponent or the regime in State B.

During the election itself:


 * 4a) The website of the electoral commission is rendered inaccessible by a massive DDoS attack and the accuracy and trustworthiness of results in the public opinion are thus placed in doubt.
 * 4b) Alternatively, the website is subject to a defacement that falsely claims that a specific candidate is leading the polls. That information is taken over by foreign media outlets that are not supportive of the other candidate(s).

After the election:


 * 5) State A uses an electronic ballot counting system. Sometime after the election, indications appear that the system had been tampered with. If true, this would imply that there likely were inaccuracies in counting, and therefore that the reported election results were untrue.

Independent researchers have verified that all of the incidents resulted from cyber operations of the intelligence service of State B.

Examples

 * Czech presidential election (2018) – fake news
 * French presidential election (2017) – Macron leak
 * DNC Hack (2016) – e-mail leak
 * US presidential election (2016) – targeted information on social media, alternative facts, trolls, bots
 * Ukrainian parliamentary elections (2014) – DDoS, defacement, false results published and spread by Russian media

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

Since attribution to State B is assumed as a fact, the legal analysis focuses on breaches of specific rules of international law by State B: the obligation to respect the sovereignty of other States and the prohibition of intervention. It also deals briefly with peacetime cyber espionage and its bearing on the legality of State B's cyber operations.

Obligation to respect the sovereignty of other States
The dissemination of 'alternative facts' (incident 1) does not constitute a violation of sovereignty of State A, because it is a mere propaganda, which does not interfere with inherently governmental functions (option 4), nor does it runs afoul of the other options.

The publication of the emails (incident 2), or rather the stealing of the emails before their publication, could be a violation of State A's sovereignty, if State B obtained them in a cyber operation conducted by its agents present in State A's territory (option 1). The publication itself does not violate State A's sovereignty.

The publication of the advertisements (incident 3) is not a violation of State A's sovereignty according to the above options.

The DDoS and defacement of the website of the electoral commission (incidents 4a-4b) could be an interference with inherently governmental functions (option 4), if the website was essential to the conduct of the elections (for instance, if State A allows for online voting), it was rendered inoperable and the result of the elections could have been affected (for instance, some voters could not cast their vote). Alternatively, if the loss of functionality is more serious or permanent, option 3 can also apply.

The tampering with the electronic ballot system is a clear interference with inherently governmental functions (option 4) and hence a violation of State A's sovereignty.

Prohibition of intervention
In the present scenario, the conduct that resulted in the manipulation of the election results (incident 5) would likely be considered as coercive. This is because the resulting effect is to deprive State A of the ability to choose its political representatives on the basis of the free expression of the will of the electorate. By contrast, influence operations targeted against the electorate in State A (incidents 1–3) would likely not reach the level of coercion and, as such, would not amount to prohibited intervention.

Every breach of the prohibition of non-intervention constitutes a violation of sovereignty and an internationally wrongful act, and can justify a response from the target State according to the law of State responsibility, such as countermeasures, if further conditions are met.

Espionage
With regard to incident 2 from the case at hand (obtaining a candidate’s emails), there are several options by which the cyber espionage operation can be illegal. For instance, the operation can be interfering with individual human rights according to international law, such as the right to privacy; in that case, the State launching the operation must have a legitimate justification, otherwise it will be in violation of international law. Another possibly illegal option would be to obtain the emails pursuant to a ‘close access’ operation, i.e. by physically sending individuals to the territory of the target State without its consent and then directing them in the operation in question.

With regard to incident 5, a cyber espionage operation probably preceded the actual sabotage of the electronic ballot system; if this is the case, then a more academic than practical question may be raised about the legality of the cyber espionage operation. Most of the Tallinn Manual 2.0 Experts would consider such a cyber espionage operation as an integral part of the operation to sabotage the electronic ballot system, and hence illegal in itself; however, a few of the Experts dissented.

Checklist

 * Sovereignty: What is the position of the client on whether sovereignty is a standalone primary rule of international law?
 * Sovereignty: Were any individuals associated with an outside State physically present in the domestic State’s territory without the latter’s consent?
 * Sovereignty: Did the operation occasion a loss of functionality of cyber infrastructure?
 * Sovereignty: Did the operation interfere with or usurp inherently governmental functions of another State?
 * Non-intervention: Did the operation bear on any of those matters in which States are allowed to decide freely?
 * Non-intervention: Did the operation amount to a coercive act against the victim State?
 * Espionage: Did the operation interfere with rights guaranteed under international human rights law? If so, did it have a legitimate justification under that body of law?
 * Espionage: Did the operation involve ‘close access’, i.e. the physical sending of individuals to the territory of the target State without its consent?

Bibliography and further reading

 * [TBC]

Contributions

 * Scenario by: Taťána Jančárková
 * Analysis by: Kubo Mačák & Tomáš Minárik
 * Reviewed by: [TBC]