Scenario 01: Election interference

In the run-up to a major election in State A, a series of cyber incidents traceable to State B occur. The incidents influence, to a varying degree, the electoral campaign, the administration of the elections, as well as (eventually) the election results. Analysis in this scenario considers whether any of the specific incidents may constitute violations of several rules of international law, including the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.

Keywords
Election interference, hybrid threats, sovereignty, prohibition of intervention, peacetime cyber espionage, cyber reconnaissance, critical infrastructure

Facts
State A has a major election (parliamentary or presidential) coming up.

In the weeks prior to the election, a series of cyber-enabled incidents takes place, including:


 * 1) An upsurge in the publication of unverifiable information on specific candidates, particularly in media outlets known for the dissemination of “alternative facts” (as distinguished from facts supported by known, credible, tested sources) and for promoting views close to those held by the regime in State B. Social networks get busy with discussions on candidates’ profiles, with posts often coming from user accounts that have either been recently established or cannot be verifiably linked to a real person.
 * 2) A large batch of private emails, purportedly exchanged only among members of one candidate’s campaign team, is leaked onto a well-known, publicly-accessible internet site.
 * 3) Advertisements compromising the candidates' credibility are published in print and online media, while the entity that paid for them is either clearly artificial or known to support these candidates' electoral opponents or the regime in State B.

During the election itself:


 * 4a) The website of State A's electoral commission is rendered inaccessible by a massive DDoS attack, and the accuracy and trustworthiness of the results are thus placed in doubt in public opinion.
 * 4b) Alternatively, the commission's website is subject to a defacement that falsely claims that a specific candidate is leading the polls. That information is published by foreign media outlets that are not supportive of the other candidates.

After the election:


 * 5) State A uses an electronic ballot counting system, which is separate from the commission's website. Sometime after the election, indications appear that the system had been tampered with. If true, this would imply that there likely were inaccuracies in counting, and therefore that the reported, official election results were inaccurate.

Independent researchers have verified that all of the incidents resulted from cyber operations of the intelligence service of State B.

Examples

 * Czech presidential election (2018) – fake news
 * French presidential election leak (2017)
 * DNC Hack (2016) – e-mail leak
 * US presidential election (2016) – targeted information on social media, alternative facts, trolls, bots
 * Ukrainian parliamentary elections (2014) – DDoS, defacement, false results published and spread by Russian media

Legal analysis
For a general overview of the structure of analysis in this section, see Note on the structure of articles.

Since attribution of the cyber incidents described above to State B is assumed as a fact, the legal analysis focuses on breaches of specific rules of international law by State B: the obligation to respect the sovereignty of other States, the prohibition of intervention, and violation of individuals' privacy rights. It also deals briefly with peacetime cyber espionage or cyber reconnaissance and their bearing on the legality of State B's cyber operations.

Obligation to respect the sovereignty of other States
The dissemination of 'alternative facts' (incident 1) does not constitute a violation of the sovereignty of State A, as these materials are mere propaganda, which does not interfere with inherently governmental functions (option 4), nor does it run afoul of the other options. Moreover, such propaganda is likely within the scope of the international human right to freedom of opinion and expression.

The publication of the emails on a readily-accessible website (incident 2), or rather the exfiltration of the emails before their publication, could be a violation of State A's sovereignty, if State B obtained them in a cyber operation conducted by its agents present in State A's territory (option 1). The publication itself does not violate State A's sovereignty.

The publication of the advertisements (incident 3) is not a violation of State A's sovereignty, according to the above options.

The DDoS and defacement of the website of the electoral commission (incidents 4a-4b) could be an interference with inherently governmental functions or critical infrastructure that is virtual rather than physical (option 4), if the website was essential to the conduct of the elections (for instance, if State A allows for online voting), was rendered inoperable, and the result of the elections could have been affected (for instance, some voters could not cast their vote). Alternatively, if the loss of functionality is more serious or permanent, option 3 can also apply.

The tampering with the electronic ballot system is a clear interference with inherently governmental functions (option 4) and hence a violation of State A's sovereignty.

Prohibition of intervention
In the present scenario, the conduct that resulted in the manipulation of the election results (incident 5) would likely be considered as coercive. This is because the resulting effect is to deprive State A of the ability to choose its political representatives on the basis of the free expression of the will of the electorate. By contrast, influence operations targeted against the electorate in State A (incidents 1–3) would likely not reach the level of coercion and, as such, would not amount to prohibited intervention.

Every breach of the prohibition of intervention constitutes a violation of sovereignty and an internationally wrongful act, and can justify a response from the target State according to the law of State responsibility, such as countermeasures, if further conditions are met.

Espionage
With regard to incident 2 from the case at hand (obtaining and publishing private emails among individuals on a candidate’s campaign team), there are several ways in which the cyber espionage operation can be illegal. For instance, the operation can interfere with individual human rights under international law, such as the right to privacy; in that case, the State launching the operation must have a legitimate justification, otherwise it will be in violation of international law. Another possibly illegal option would be to obtain the emails pursuant to a ‘close access’ operation, i.e. by physically sending individuals to the territory of the target State without its consent and then directing them in the operation in question by utilizing their proximity, such as by downloading emails from a server onto a portable device.

With regard to incident 5, a cyber espionage operation probably preceded the actual sabotage of the electronic ballot system; if this is the case, then a more academic than practical question may be raised about the legality of the cyber espionage operation. Most of the Tallinn Manual 2.0 Experts would consider such a cyber espionage operation as an integral part of the operation to sabotage the electronic ballot system as usurpation of inherently governmental functions (and/or harm to critical infrastructure), and hence illegal in itself as a violation of sovereignty or prohibited intervention; however, a few of the Experts would dissent from such a view.

Checklist

 * Sovereignty: What is the position of the analyst / interlocutor on whether sovereignty is a standalone primary rule of international law?
 * Sovereignty: Were any individuals associated with an outside State physically present in the domestic State’s territory without the latter’s consent?
 * Sovereignty: Did the operation occasion a loss of functionality of cyber infrastructure or critical infrastructure?
 * Sovereignty: Did the operation interfere with or usurp inherently governmental functions of the domestic State?
 * Non-intervention: Did the operation influence any of those matters in which States are allowed to decide freely?
 * Non-intervention: Did the operation amount to a coercive act against the victim State?
 * Espionage: Did the operation clearly constitute espionage, or was it better characterized as cyber reconnaissance or information-gathering?
 * Espionage: Did the operation involve ‘close access’, i.e. the physical sending of individuals to the territory of the target State without its consent?
 * Human rights law: Did the operation interfere with individual or group rights guaranteed under international human rights law? If so, did it have a legitimate justification under that body of law?

Contributions

 * Scenario by: Taťána Jančárková
 * Analysis by: Kubo Mačák & Tomáš Minárik
 * Reviewed by: [TBC]