Political and legal responses to foreign election interference have been meek at best. Criminal charges tend to pale in comparison to the magnitude of the crime. Political unwillingness to call out information operations as a violation of international law and diplomatic reservations to discuss information security hamper more forceful reactions. Against this background, international law is the only viable way forward for liberal democracies – and may be the only way to prevent states from resorting to extra-legal measures.
The COVID-19 pandemic has reminded us that external interference with the integrity of information have become pervasive threats to modern digital life. UN Secretary General Gutteres tweeted that in addition to the virus, we are now fighting an “infodemic of misinformation”. In the midst of this infodemic, it important that we don’t lose sight of less acute but still significant ongoing disinformation threats – such as the threat to the 2020 United States Presidential election.
Like a virus, foreign election interference is likely to return to test the immunity of democratic systems again this November. Given that election interference meddles with the heart of what a democracy is, the reactions to these foreign information operations have been meek at best. Given how frequently states claim that laws and norms in cyberspace are of little value without the resolve and capacity to impose consequences, it is surprising that, so far, their reactions have been limited to relatively low-level criminal charges. States have abstained from invoking international law, for instance, even though scholars and some governments believe it is possible to do so. So are there political and legal impediments preventing a more forceful reaction to election interference?
Elections: Easy Targets, Tame Repercussions
In 2019, the Oxford Internet Institute published a report documenting social media manipulation campaigns in 70 countries and naming seven countries using sophisticated state actors to conduct foreign influence operations. Foreign information operations aimed at influencing elections have struck a particular nerve in liberal democracies. Election inference – meddling in the process at the heart of democracy – is seen as a violation of the social contract between the people and their government. Covert, targeted foreign interference in the domestic information sphere, especially when the aim is the election of a candidate who is the preference of a foreign actor, is viewed as a gross violation of the democratic process.
However, even though election interference may be seen as politically egregious, the operations themselves involve relatively little actual crime, leaving states with limited options for pushing back. Even though an FBI indictment accused the GRU officers who interfered with the 2016 election of a “conspiracy against the United States”, the actual crimes they are charged with are relatively minor: hacking into and taking over computers, falsely registering a domain name, aggravated identity theft and conspiracy to launder money. The charges, which are based on the letter of domestic criminal law, pale in comparison to the violation of the spirit of the law.
Generally, states have also abstained from invoking international law when publicly attributing cyberattacks to state actors. Stepping onto the path of international law would mean classifying such actions as a “violation of sovereignty” or a “violation of the principle of non-interference”, which no state has been willing to do. States are reluctant to be explicit about how they interpret the applicability of international law. Large states especially would like to keep their hands free for their own cyber operations. This is why, in terms of legal instruments for punishing election interference, states have come up rather empty-handed. As a result, their responses have been tame, in comparison to the alleged seriousness of the crimes.
Protecting Election Infrastructure
Election infrastructure – especially electronic voting systems, voter registration databases and systems that aggregate votes – can be hacked to manipulate or sabotage the voting process. In January 2017, the Department of Homeland Security (DHS) designated the infrastructure used to administer the nation’s elections “critical infrastructure”. This move underlined the importance of election infrastructure to the American “way of life”. In 2019 the EU Cybersecurity Agency (ENISA) recommended imposing a legal obligation to classify election systems, processes and infrastructures as critical infrastructure “so that the necessary cybersecurity measures are put in place”.
Arguably, designating election infrastructure as critical would bring it under the scope of the 2015 UN GGE norm stating that critical infrastructures should not be attacked during peacetime. Although that norm is voluntary and non-binding, it was negotiated by national experts, including experts from Russia and China, and subsequently adopted by the UN General Assembly. In addition, in June of 2018 the Global Commission on the Stability of Cyberspace proposed a norm for the protection of technical election infrastructure. With a slightly broader scope, the Paris Call for Trust and Security in Cyberspace urges states to strengthen capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities. This norm addresses “election processes”, which could be interpreted as more than just the technical election infrastructure, but does so only in reference to capacity building. By focusing on prevention, the norm avoids directly condemning these activities on a legal or normative basis, other than calling them “malign” and “malicious”.
Some states have become more vocal. Brian Egan, legal advisor to the US Department of Foreign Affairs, expressed the view that “a cyber-operation by a state that interferes with another country’s ability to hold an election or that manipulates another country’s election results would be a clear violation of the rule of non-intervention”. The United Kingdom, the Netherlands and Australia recently took similar positions. Although some of these statements make broader pronouncements, most still tend to be focused on technical election infrastructure.
Protecting Election Processes
The more insidious use of influence operations and disinformation – influencing elections – is more difficult to prove in terms of causal effects (when is an election swayed or even meddled with?) and even more difficult to meaningfully connect to violations of domestic or international law. For example, if manipulation of information in the public domain occurs in the absence of digital breaking and entering, which laws apply? How can states respond to what Peter Singer and Emerson Brooking call the ‘weaponisation of social media’?
Nicholas Tsagourias, building on earlier work by Jens David Ohlin, explores the possibility of bringing information operations targeting elections under the scope of the principle of non-intervention. He links the issue to the principle of national self-determination, i.e. the “right to authentic self-government, that is, the right of a people to really and freely choose its own political and economic regime”. His is a rare effort to anchor the issue of election interference in international law concretely, rather than a simple statement that it is a breach of sovereignty or the principle of non-intervention. However, the next hurdle would be connecting the idea of “a violation of the right to authentic self-government” to any legal evidentiary standard.
Why Talking About InfoOps Is Hard
The impediments to creating a real deterrent to election interference are not just legal. There are also political reasons why it is difficult for liberal democracies to respond to the resurgence of information operations, or InfoOps, in digital form. Since 1998, the likeminded countries have resisted Russia’s attempts to frame the cyber-related international security debate in terms of “information security”. The concept of information security has become tied up with the notion of “cyber sovereignty” championed by China and Russia. In their view, information security is about protecting the national information sphere from foreign intervention in order to safeguard regime stability. Accepting this narrative would legitimise the idea of (absolute) state control of the domestic information sphere and undermine the likeminded countries’ counter narrative of an open and free Internet and the protection of fundamental rights and freedoms.
However, as liberal democracies begin to feel the need to protect their own domestic information spheres, it is hard to find terminology that does not edge them towards the Russian and Chinese position. Even though trying to safeguard the process of elections is very different from trying to protect the outcome of election processes, the language involved in each may become a little too close for comfort. Authoritarian governments will certainly not hesitate to stress the emerging similarities.
Imposing Consequences Outside Of The Law?
The problem of election interference is not going to disappear. It is a perpetual issue. In terms of strategy and intent, it is not a new phenomenon – the use of InfoOps during conflicts dates back to antiquity. However, what we are seeing today is qualitatively different in terms of scale and methods. The digital domain has opened up a new playbook of indirect, covert influence on an unprecedented scale.
As the law does not provide many options for pushback – partially due to self-imposed constraints – states may turn to other means to impose consequences. Recent military cyber doctrine out of the United States references the “integration of cyberspace operations with information operations”, suggesting a turn towards the weaponisation information in the public digital domain and the treatment of the public information sphere as a battlefield (again). A dark reading of recent changes in American military cyber doctrine – combining this integration of cyberspace operations and InfoOps with the doctrines of “defending forward” and “persistent engagement” – suggests that the US may be gearing up to “fight fire with fire“.
The first American reaction to Russian influence operations, however, followed a different playbook. In 2018, the US hit back at the Internet Research Agency (IRA), the famous Russian troll factory, by trolling individual IRA members and taking the organisation offline during the 2018 midterm election. If and when the US does decide to target the integrity of information in the public domain, escalation is almost certain to ensue as the other major cyber powers are likely to follow suit.
Double or Nothing
Where does this leave the international community? The legal tools available to fight back against InfoOps still feel inadequate, especially when elections have been “violated”. Domestic criminal law only allows for the indictment of suspects with relatively minor offences. International law only applies when accusing a state of violating principles of international law, such as ‘non-intervention’. It’s a double or nothing situation: bringing minor charges under criminal law is close to doing nothing and legal experts do not actually expect any of the accused to end up in court. Whereas calling out election interference as a violation of international law opens up possibilities for more severe repercussions, including legal countermeasures. So far, wary of upping the ante, most states are opting for an approach closer to nothing.
In these circumstances, many states may default to non-legal responses to impose consequences for election interference, possibly even resorting to conducting their own InfoOps as payback. For liberal democracies, however, it’s hard to argue that this “low road” is morally defensible – or operationally practical. Operationally, it’s not a level playing field. Authoritarian regimes have much more control over their national information spheres, giving them a defensive advantage, while liberal democracies’ open information spheres and spaces for public debate provide vulnerable targets. Authoritarian intelligence agencies are also less constrained by the type of legal oversight that limits the tool box available to their counterparts in liberal democracies.
Finally, but crucially, conducting covert information operations makes liberal democracies vulnerable to charges of hypocrisy. It’s hard to defend the integrity of information by fighting the integrity of information. Fighting fire with fire is likely to get democracies burned. That should make the legal option more attractive – even though turning “nothing” into “double” will be an uphill battle.