Right now, that’s a gray area — and it’s hindering the U.S. response to influence operations.
U.S. spies say Russia meddled in the U.S. presidential
election, but the world’s top minds in cyber warfare aren’t sure if the act
constitutes coercion by one state against another. That legal ambiguity is why
weaponizing stolen information is such a difficult tactic for the United States
to counter.
Even the latest version of NATO’s guide to such
questions can’t offer a definitive answer. This week, the alliance’s Cooperative
Cyber Defence Centre of Excellence, or CCD COE, released its much
anticipated update to the Tallinn Manual, which bills itself as “the most
comprehensive analysis of how existing internationalaw applies
to cyberspace.”
The manual’s first edition was published two years after
Russia’s seminal distributed-denial-of-service attacks on
Estonia in 2007. Compiled by 20 experts, it sought to outline the best
thinking about what laws apply to states attacking each other over
the internet.
Much has changed since then; most importantly, Russia
executed a concerted effort to steal and publicize politicians’
email with the aim of influencing
the U.S. election. That’s what makes the recent update so
important. It provides a roadmap for how states should respond to incidents
like that in the future.
In terms of international law, the question is whether by
stealing emails and releasing them through Wikileaks and other outlets Russia
forced the United States to do something that the latter would not otherwise.
That would constitute meddling in the internal affairs of another state by
means of “coercion”— i.e., in a way that prohibits the target from acting
freely. It’s an idea that goes back
to 1758 but that has taken on new relevance now.
To get a sense of how contentious the issue has become,
check out this
Jan. 24 discussion of information warfare at Yale Law School.
(Introductions start at 8:00.) Right around the 21-minute mark, a small
argument breaks out between a young law student and the expert panel over
whether Russia coerced a particular election outcome. In reply, West
Point’s Aaron
Brantly argues that the DNC hack, and subsequent doxxing via
Wikileaks, “was not coercion” because it lacked a threat of force.
“We may not like that. It sounds better to say it was
coercion. But, in reality, we drank the Kool-Aid ourselves,” Brantly said.
“It’s our responsibility as a civil society to process that information.”
Others note that there’s (as yet) no firm evidence that the
data theft changed the election’s outcome, so it’s impossible to prove that the
meddling caused the United States government or people to do something that
they otherwise would not have done.
Bottom line: the degree to which the DNC hack
constitutes an act of illegal coercion is a somewhat subjective matter. Even
the experts who updated the manual could not come to a consensus.
“The counter view notes that there may have been an
impact on the election and the fact that the impact is the result of the
hacking differentiates it from mere propaganda or other means of exerting
‘influence’ (as distinct from intervention) by means of information,” said
Michael Schmitt, the editor of the manual and a law professor at both the
University of Exeter and the Naval War College. “The Russians are
masters at playing the ‘gray area’ in the law, as they know that this will make
it difficult to claim they are violating international law and justifying
responses such as countermeasures.”
Schmitt explained why that matters. If you could show that
Russia’s influence on the election had been coercive then the United States
would be legally justified in employing countermeasures that matched the
offense, such disrupting the functioning of the Russian government in a way “that
would be unlawful but for the fact that they are response to the unlawful
activities of the target state and are designed to cause the target state to
comply with the law.”
But if the attack was not coercive, then
the only real response that the U.S. can employ is something called
“retorsion,” or what Schmitt calls unfriendly, but lawful, actions.
“The expulsion of the Russian ‘diplomats and sanctions fall
into this category. This is because neither the expulsion of foreign officials
nor the imposition of economic sanctions is unlawful,” he said.
At some point, better exit polling and other metrics may
allow governments to more effectively trace influence operations to specific
effects. You might, for instance, be able to prove beyond reasonable doubt (or
at least with high statistical confidence) that a Russian influence campaign
did throw the election one way or the other. Until then, drawing a clear link
between doxxed information and voter behavior will be next to impossible.
That’s why Russian influence campaigns like the one
targeting the DNC will continue.
**Patrick Tucker is technology editor for Defense One. He’s also the author of The Naked Future: What Happens in a World That Anticipates Your Every Move? (Current, 2014). Previously, Tucker was deputy editor for The Futurist for nine years. Tucker has written about emerging technology in Slate, The Sun, MIT Technology Review, Wilson Quarterly, The American Legion Magazine, BBC News Magazine, Utne Reader, and elsewhere.