Countering Russian election hacks

If Russia intervened in the midterm elections such that their actions violated the domaine réservé of the United States, the U.S. government would not be prohibited from engaging in “countermeasures,” as that term is understood in international law. These self-help responses to Russian intervention could include cyber measures that would otherwise be unlawful but are designed to bring Russia back into compliance with international law. Non-cyber countermeasures would also be appropriate as there is no requirement for the countermeasure to use the same medium as the initial violation. In all circumstances, countermeasures must be proportionate to the injury suffered and must not involve destruction that amounts to the use of force. It is unclear if NSPM-13 addresses the lawfulness of countermeasures, though it may indicate an increasing willingness to use them.

Regarding actions which do not intervene in the domaine réservé, the Center for Public Integrity article highlights two interesting points concerning the U.S. posture, Jensen notes.

First, the article quotes unnamed government officials who clarify that foreign governments’ influence campaigns don’t trigger a “broader response” such as countermeasures. It is only “efforts to tamper with voting registration and recording votes” that rise to that level. I take this to mean, in the current Administration, the action that triggers countermeasures (and, by definition, the action that equates to an international law violation) is actually trying to change votes, not trying to influence votes. Russia can engage in influence operations, but until they actually hack into voting machines, they have not violated international law because they have not coercively intervened in the domaine réservé.

An alternate view might be that the administration does view Russia’s actions as a violation of international law, but chooses, as a matter of policy, neither to describe them as such nor to respond to them as such. In my view, this would be a dangerous approach as it sends the wrong message not only to Russia, but also to all the other countries who are looking at Russia’s action and gauging their own cyber interpretations of the law based on the reactions of the United States.

Neither of these views, of course, means that Russian individuals have not violated U.S. domestic law. In fact, the Department of Justice indictments make clear that much of the 2016 influence campaign by various Russians did violate U.S. domestic law. But the international law point is important.

Following from the first point, the article also makes clear that NSPM-13 allows DoD to take actions on foreign computers that would ensure “the right access” in case that was needed. Whether non-consensual actions by one state on the computers in another state’s territory are prohibited by international law as a violation of sovereignty has been a hotly debated topic among academics and governments. The apparent allowance of DoD to establish “access” on the computers of other nations is significant: it appears that the current Administration takes the view that persistent presence on foreign computers is not a violation of international law. Such actions would likely be considered unfriendly, but not unlawful, and would certainly be short of a prohibited use of force at least until harmful malware is activated.

Jensen writes that in addition to the implicit assertions that can be drawn from the reported description of NSPM-13 concerning the current state of international law, the order also provides interesting insights on national security law and process:

By revoking PPD-20, NSPM-13 establishes a more streamlined and DoD-friendly method of approving cyber actions. According to the Center for Public Integrity article, instead of the prior process where almost unanimous intra-governmental approval was necessary before a specific cyber action could be taken, the new process is less cumbersome, allowing DoD and other government agencies to get prior approval of broad parameters, including some “left-and-right bounds,” and then take specific cyber actions without seeking additional approval as long as they remain within the pre-considered operation.

There is no doubt that, if true, this signals a significant change to the U.S. cyber policy and is a clear indication that cyber actions have now entered the mainstream of national security tools. For years, the “newness” of cyber capabilities has caused the level of authorization to remain at very high levels and subject to extensive interagency dialogue before even simple cyber tasks could be taken. These procedural requirements undoubtedly had the practical effect of limiting the number of cyber activities undertaken. Allowing DoD and other government agencies to function more autonomously within pre-approved guidelines reflects a normalization of cyber capabilities that has been too long in coming. Perhaps the decades of cyber actions both by and against U.S. interests have now provided a sufficient “comfort level” with the ability to scope cyber activities with respect to distinction and proportionality such that it can now be viewed more like using tanks or aircraft to accomplish a military mission, rather than a nuclear weapon.

Many cyber-capable countries seem to be trending in a similar direction. Germany, for example, recently divulged that it has authorized “hack backs” in certain circumstances. The adoption and implementation of NSPM-13 and its application to the midterm elections seem to be a strong statement of change in U.S. policy. The move to allow more aggressive cyber activities sends a message to adversaries about what are acceptable and unacceptable cyber activities. It is also one more piece of evidence in a search to determine state practice on the use of cyber tools under international law.

Read the article: Eric Jensen, “Countering Russian election hacks,” Just Security (5 November 2018)