Scenario 01: Election interference

In the run up to a major election in State A, a series of cyber incidents traceable to State B occur. The incidents influence, to a varying degree, the electoral campaign, the administration of the elections, as well as the election results. Analysis in this scenario considers whether any of the specific incidents may constitute violations of several rules of international law, including the obligation to respect the sovereignty of other States, the prohibition of intervention in the internal affairs of States, and the right to privacy of individuals.

Keywords
Election interference, hybrid threats, sovereignty, prohibition of intervention, non-State actors

Facts
State A has a major election (parliamentary or presidential) coming up.

In the weeks prior to the election, a series of incidents takes place, including:


 * 1) An upsurge in the publication of unverifiable information on specific candidates, particularly in media outlets known for the dissemination of “alternative facts” and for promoting views close to those held by the regime in State B. Social networks get busy with discussions on candidates’ profiles, with posts often coming from accounts that have either been recently established or cannot be verifiably linked to a real person.
 * 2) A trove of emails purportedly coming from a candidate’s campaign team is leaked on the internet.
 * 3) Advertisements compromising the candidate’s credibility are published in print and online media while the entity who paid for them is either clearly artificial or known to support an electoral opponent or the regime in State B.

During the election itself:


 * 4a) The website of the electoral commission is rendered inaccessible by a massive DDoS attack and the accuracy and trustworthiness of results in the public opinion are thus placed in doubt.
 * 4b) Alternatively, the website is subject to a defacement that falsely claims that a specific candidate is leading the polls. That information is taken over by foreign media outlets that are not supportive of the other candidate(s).

After the election:


 * 5) State A uses an electronic ballot counting system. Sometime after the election, indications appear that the system had been tampered with. If true, this would imply that there likely were inaccuracies in counting, and therefore that the reported election results were untrue.

Examples
NB: Links in this section will go to separate pages for each of these incidents within the toolkit (for demonstration purposes only, they now link to Wikipedia pages on those topics).


 * 2018 Czech presidential election (fake news)
 * 2017 French presidential election (Macron Leak)
 * 2016 DNC Hack (email leak)
 * 2016 US presidential election (targeted information on social media, alternative facts, trolls, bots)
 * 2014 Ukrainian parliamentary elections (DDoS, defacement, false results published and spread by Russian media)

Legal analysis
Technical attribution is a prerequisite. Provided that technical and other intelligence, when contextualised, can link the events to a State actor or actors within a State actor’s control/sphere of influence, the following legal issues may need to be addressed. (For legal attribution, refer to General matters 001: Attribution.)

Obligation to respect the sovereignty of other States
In the case at hand, the incidents listed above can be qualified as follows:

Prohibition of intervention
In the present scenario, the conduct that resulted in the manipulation of the election results (incident 5) would likely be considered as coercive. This is because the resulting effect is to deprive State A of the ability to choose its political representatives on the basis of the free expression of the will of the electorate. By contrast, influence operations targeted against the electorate in State A (incidents 1–3) would likely not reach the level of coercion and, as such, would not amount to prohibited intervention.

Every breach of the prohibition of non-intervention constitutes a violation of sovereignty and an internationally wrongful act, and can justify a response from the target State according to the law of State responsibility, such as countermeasures, if further conditions are met.

Espionage
With regard to incident 2 from the case at hand (obtaining a candidate’s emails), there are several options by which the cyber espionage operation can be illegal. For instance, the operation can be interfering with individual human rights according to international law, such as the right to privacy; in that case, the State launching the operation must have a legitimate justification, otherwise it will be in violation of international law. Another possibly illegal option would be to obtain the emails pursuant to a ‘close access’ operation, i.e. by physically sending individuals to the territory of the target State without its consent and then directing them in the operation in question.

With regard to incident 5, a cyber espionage operation probably preceded the actual sabotage of the electronic ballot system; if this is the case, then a more academic than practical question may be raised about the legality of the cyber espionage operation. Most of the Tallinn Manual 2.0 Experts would consider such a cyber espionage operation as an integral part of the operation to sabotage the electronic ballot system, and hence illegal in itself; however, a few of the Experts dissented.

Checklist

 * Technical attribution: What is the origin of the cyber operation and who are the actors involved?
 * Sovereignty: What is the position of the client on whether sovereignty is a standalone primary rule of international law?
 * Sovereignty: Were any individuals associated with an outside State physically present in the domestic State’s territory without the latter’s consent?
 * Sovereignty: Did the operation occasion a loss of functionality of cyber infrastructure?
 * Sovereignty: Did the operation interfere with or usurp inherently governmental functions of another State?
 * Non-intervention: Did the operation bear on any of those matters in which States are allowed to decide freely?
 * Non-intervention: Did the operation amount to a coercive act against the victim State?
 * Espionage: Did the operation interfere with rights guaranteed under international human rights law? If so, did it have a legitimate justification under that body of law?
 * Espionage: Did the operation involve ‘close access’, i.e. the physical sending of individuals to the territory of the target State without its consent?

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * K Mačák, 'All Hands on Deck: Cyber Attacks Against Private Companies and International Law: When does an attack on a private company amount to a "prohibited intervention?"', Just Security (9 April 2018)
 * Etc.