Scenario 01: Election interference

In the run up to a major election in State A, a series of cyber incidents traceable to State B occur. The incidents influence, to a varying degree, the electoral campaign, the administration of the elections, as well as the election results. Analysis in this scenario considers whether any of the specific incidents may constitute violations of several rules of international law, including the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.

Keywords
Election interference, hybrid threats, State sovereignty, non-State actors

Facts
State A has a major election (parliamentary or presidential) coming up.

In the weeks prior to the election, a series of incidents takes place, including:


 * 1) An upsurge in the publication of unverifiable information on specific candidates, particularly in media outlets known for the dissemination of “alternative facts” and for promoting views close to those held by the regime in State B. Social networks get busy with discussions on candidates’ profiles, with posts often coming from accounts that have either been recently established or cannot be verifiably linked to a real person.
 * 2) A trove of emails purportedly coming from a candidate’s campaign team is leaked on the internet.
 * 3) Advertisements compromising the candidate’s credibility are published in print and online media while the entity who paid for them is either clearly artificial or known to support an electoral opponent or the regime in State B.

During the election itself:


 * 4a) The website of the electoral commission is rendered inaccessible by a massive DDoS attack and the accuracy and trustworthiness of results in the public opinion are thus placed in doubt.
 * 4b) Alternatively, the website is subject to a defacement that falsely claims that a specific candidate is leading the polls. That information is taken over by foreign media outlets that are not supportive of the other candidate(s).

After the election:


 * 5) State A uses an electronic ballot counting system. Sometime after the election, indications appear that the system had been tampered with. If true, this would imply that there likely were inaccuracies in counting, and therefore that the reported election results were untrue.

Examples
NB: Links in this section will go to separate pages for each of these incidents within the toolkit (for demonstration purposes only, they now link to Wikipedia pages on those topics).


 * 2018 Czech presidential election (fake news)
 * 2017 French presidential election (Macron Leak)
 * 2016 DNC Hack (email leak)
 * 2016 US presidential election (targeted information on social media, alternative facts, trolls, bots)
 * 2014 Ukrainian parliamentary elections (DDoS, defacement, false results published and spread by Russian media)

Legal analysis
Technical attribution is a prerequisite. Provided that technical and other intelligence, when contextualised, can link the events to a State actor or actors within a State actor’s control/sphere of influence, the following legal issues may need to be addressed. (For legal attribution, refer to General matters 001: Attribution.)

Obligation to respect the sovereignty of other States
Sovereignty is a core principle of international law. According to a widely accepted definition in the Island of Palmas arbitral award of 1928,"[s]overeignty in the relations between States signifies independence. Independence in regard to a portion of the globe is the right to exercise therein, to the exclusion of any other State, the functions of a State."According to multiple declarations by the UN,  NATO,  OSCE,  and individual States, international law applies in cyberspace, and hence also the principle of sovereignty applies in cyberspace. It is the subject of some debate to what extent this principle operates as a standalone rule of international law.


 * For the proponents of this view, the prohibition on violation of sovereignty is a substantive primary rule of international law. This view is at the basis of the analysis in the Tallinn Manual  and it has reportedly not been challenged by any of over fifty States that had participated in the process of consultations of the Manual in 2017.
 * By contrast, the opposing view considers that sovereignty is ‘a principle of international law that guides state interactions, but is not itself a binding rule‘.  It was originally formulated by two high-level US government legal advisors writing in their private capacity  and it has since been endorsed at least by the UK attorney general.

The remainder of this section proceeds on the basis of the former ‘sovereignty-as-rule’ approach. Those espousing the latter ‘sovereignty-as-principle’ approach should refer to the following section on the prohibition of intervention.

The ‘internal’ facet of sovereignty entails that ‘[a] State enjoys sovereign authority with regard to the cyber infrastructure, persons, and cyber activities located within its territory, subject to its international legal obligations.’

Each State’s sovereignty is protected by international law from violation by other States. It is clear that a cyber operation with severe destructive effects, comparable to a ‘non-cyber’ armed attack or a use of force against a State, constitutes a violation of its sovereignty; however, with more subtle cyber operations, the question is far from settled.

The following options have been proposed in the Tallinn Manual 2.0:


 * 1) A State organ conducting cyber operations against State A while physically present in State A’s territory violates the State’s sovereignty.   This was agreed by all Experts drafting the Manual; however, ‘a few’ of the Experts thought that the extensive State practice carved out an exception for espionage operations.
 * 2) Causation of physical consequences by remote means;  again, ‘a few’ Experts took the position that this is not a determinative factor by itself;
 * 3) Causation of a loss of functionality of cyber infrastructure: no consensus could be achieved as to the precise threshold (the necessity of reinstallation of operating system or other software was proposed but not universally accepted);
 * 4) Interference with data or services that are necessary for the exercise of ‘inherently governmental functions’;  although the Experts could not definitively define the term ‘inherently governmental functions’, they agreed that the conduct of elections would so qualify;
 * 5) Usurpation of ‘inherently governmental functions’, such as exercise of law enforcement functions in another State’s territory without justification.

Attributing the conduct to a State different from State A is a necessary prerequisite for qualifying it as a violation of sovereignty. Non-State actors cannot violate sovereignty on their own.

In the case at hand, the incidents listed above can be qualified as follows:

Prohibition of intervention
The principle of non-intervention prohibits States from intervening in the internal or external affairs of other States. Prohibited intervention was authoritatively defined by the International Court of Justice in the judgment on the merits in the 1986 case Nicaragua v United States:"A prohibited intervention must … be one bearing on matters in which each State is permitted, by the principle of State sovereignty, to decide freely. One of these is the choice of a political, economic, social and cultural system, and the formulation of foreign policy. Intervention is wrongful when it uses methods of coercion in regard to such choices, which must remain free ones."Two elements follow from this understanding. The first is that in order for an act (a term that is wide enough to include a cyber operation) to qualify as prohibited intervention, it must bear on those matters in which States are allowed to decide freely (the so-called domaine réservé of States). As the ICJ ruling explains, the spectrum of such issues is particularly broad and it includes choices of political, economic, social, and cultural nature. The organization and conducting of domestic elections certainly counts among such choices, given that the result of the process is the appointment of the head of State or the composition of the parliament.

It is less clear whether the second element of prohibited intervention is met, which is that the act in question must be coercive in nature. There is no generally accepted definition of “coercion” in international law. However, as per the analysis in the Tallinn Manual 2.0, the “key is that the coercive act must have the potential for compelling the target State to engage in an action that it would otherwise not take (or refrain from taking an action it would otherwise take)”. Therefore, whether this element is met depends on the specific circumstances of each case.

In the present scenario, the conduct that resulted in the manipulation of the election results (incident 5) would likely be considered as coercive. This is because the resulting effect is to deprive State A of the ability to choose its political representatives on the basis of the free expression of the will of the electorate. By contrast, influence operations targeted against the electorate in State A (incidents 1–3) would likely not reach the level of coercion and, as such, would not amount to prohibited intervention.

Attributing the conduct to a State different from State A is a necessary prerequisite for qualifying it as a breach of the prohibition of non-intervention. Non-State actors cannot violate sovereignty on their own. For further details, refer to General matters 001: Attribution.

Every breach of the prohibition of non-intervention constitutes a violation of sovereignty and an internationally wrongful act, and can justify a response from the target State according to the law of State responsibility, such as countermeasures, if further conditions are met. For further details, refer to General matters 002: Countermeasures.

Espionage
Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’

However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack.

It must be noted that although cyber espionage operations may be legal from the perspective of international law, they are usually illegal according to domestic law of the target State, and the originating State usually has some requirements in its domestic law for conducting foreign intelligence operations.

With regard to incident 2 from the case at hand (obtaining a candidate’s emails), there are several options by which the cyber espionage operation can be illegal. For instance, the operation can be interfering with individual human rights according to international law, such as the right to privacy; in that case, the State launching the operation must have a legitimate justification, otherwise it will be in violation of international law. Another possibly illegal option would be to obtain the emails pursuant to a ‘close access’ operation, i.e. by physically sending individuals to the territory of the target State without its consent and then directing them in the operation in question.

With regard to incident 5, a cyber espionage operation probably preceded the actual sabotage of the electronic ballot system; if this is the case, then a more academic than practical question may be raised about the legality of the cyber espionage operation. Most of the Tallinn Manual 2.0 Experts would consider such a cyber espionage operation as an integral part of the operation to sabotage the electronic ballot system, and hence illegal in itself; however, a few of the Experts dissented.

Checklist

 * Technical attribution: What is the origin of the cyber operation and who are the actors involved?
 * Sovereignty: What is the position of the client on whether sovereignty is a standalone primary rule of international law?
 * Sovereignty: Were any individuals associated with an outside State physically present in the domestic State’s territory without the latter’s consent?
 * Sovereignty: Did the operation occasion a loss of functionality of cyber infrastructure?
 * Sovereignty: Did the operation interfere with or usurp inherently governmental functions of another State?
 * Non-intervention: Did the operation bear on any of those matters in which States are allowed to decide freely?
 * Non-intervention: Did the operation amount to a coercive act against the victim State?
 * Espionage: Did the operation interfere with rights guaranteed under international human rights law? If so, did it have a legitimate justification under that body of law?
 * Espionage: Did the operation involve ‘close access’, i.e. the physical sending of individuals to the territory of the target State without its consent?

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * K Mačák, 'All Hands on Deck: Cyber Attacks Against Private Companies and International Law: When does an attack on a private company amount to a "prohibited Intervention?"', Just Security (9 April 2018) 
 * Etc.