By Jake B. Sher, Guest Blogger, former Productions Editor (2015-2016), Pace International Law Review
The United States has asserted, and the CIA has reinforced, that Russia committed a “cyber-attack” by hacking into DNC e-mail servers and spamming the United States with a series of “fake news” articles, ostensibly in order to get Donald Trump elected President.[1] Under the broad definition of cyber-attack as “any action taken to undermine the functions of a computer network for a political or national security purpose,”[2] this accusation is (perhaps) reasonable. But a troubling fact is inescapable: it was Americans’ act of voting, not Russia’s act of hacking, that directly resulted in Trump’s election to office.
Certainly, American votes were likely influenced by e-mail leaks and dubious news articles. These sorts of attacks, which are designed to use cyberspace to manipulate real world human activities, are not uncommon. In fact, the Russians may have perpetrated the Clinton Campaign hack by redirecting staff users to fake, yet convincing, Gmail login pages.[3] Other examples of such hybrid cyber and scamming activities include the tweeting of false bomb threats to divert key individuals’ flights,[4] or the now famous 419 scam, also known as the “Nigerian Prince” Scam, in which a con artist in one state attempts to collect money from a victim in a second state, frequently by posing as a person of financial or romantic interest.[5]
Some agreement exists in the international community that cyber operations which incapacitate “critical infrastructures” may rise to the level of a “cyber-attack.”[6] Unfortunately, while the U.S. definition of a critical infrastructure might broadly apply to election structures or political parties, very little agreement exists on the subject in an international context. Moreover, it is a fundamental principle of international law that acts which are not expressly forbidden are generally permissible.[7] Thus, international legal norms neither expressly forbid document theft and psychological propaganda, nor do they classify such acts as rising to the level of a cyber-attack if perpetrated in cyberspace.[8] Here, the general principle is likely reinforced by a combination of global factors. First, international law protects mind-based freedoms, such as thought, expression and opinion, under treaties such as the International Covenant on Civil and Political Rights. Second, international attitudes toward fighting corruption tend to endear us to those who unearth political secrets; despite their polarizing effect, figures such as Julian Assange, Edward Snowden, and Chelsea Manning often engender significant international sympathy.[9] As a result, the hacking of e-mail accounts and the electronic dissemination of “fake news” articles, while abhorrent, do not presently violate international law.
Nevertheless, as Trump’s election, Pizzagate,[10] and many other rash decisions made on a whim under the influence of “fake news” may indicate, there is a problem with unrestricted hacking and propaganda campaigns, particularly if they are instigated with ulterior motives. Such unmitigated dissemination of information by interested states may indeed rise to the level of a “cyber-attack” if its design is to incite individuals or groups to acts in which they would not otherwise engage. However, society tends to blame the actor and to turn a blind eye to the instigator. A classic example in domestic law might be the famous MarineSniper incident in the U.S., where a middle-aged woman, posing as her 18-year-old daughter online under the handle “Talhotblond,” convinced a 46-year-old man posing as an 18-year-old (handle “MarineSniper”) to shoot and kill a man who had uncovered her true identity.[11] In that case, the male shooter went to prison, but prosecutors could not charge the female instigator with a crime, because none existed.
The propagandist misuse of words to serve insidious ends is older than the internet, and can be regulated in both domestic and international contexts. Seven decades prior to the development of the World Wide Web, in his concurring opinion in Whitney v. California, Justice Brandeis proposed a test that is applicable to the problem:
. . . no danger flowing from speech can be deemed clear and present, unless the incidence of the evil apprehended is so imminent that it may befall before there is opportunity for full discussion. If there be time to expose through discussion the falsehood and fallacies, to avert the evil by the processes of education, the remedy to be applied is more speech, not enforced silence.[12]
When one engages the Russian Hack from this perspective, the problems become more apparent. The coordinated dissemination of news articles engaged in by the Russians was perfectly timed. The Russians almost definitely knew that the CIA and FBI would need time to investigate, and therefore that evidence of Russian hacking influence would not fully emerge until after the 2016 election, thus precluding the opportunity for full discussion. However, Justice Brandeis’ opinion in Whitney most likely provides only a domestic solution to an international problem, and there is no consensus regarding an international definition of what exactly a cyber-attack is, much less what activities are permissible in a cyber-operations context. So long as we continue to view cyber-attacks and real-world activities as separate and distinct, using cyberspace to influence hearts and minds will remain an internationally permissible—if controversial—activity.
[1] Mark Hosenball, Dustin Volz and Jonathan Landay, U.S. formally accuses Russian hackers of political cyber attacks, Reuters (Oct. 8, 2016), http://www.reuters.com/article/us-usa-cyber-russia-idUSKCN12729B; Ellen Nakashima, Karoun Demirjian and Philip Rucker, Top U.S. intelligence official: Russia meddled in election by hacking, spreading of propaganda, Wash. Post (Jan. 5, 2017), https://www.washingtonpost.com/world/national-security/top-us-cyber-officials-russia-poses-a-major-threat-to-the-countrys-infrastructure-and-networks/2017/01/05/36a60b42-d34c-11e6-9cb0-54ab630851e8_story.html?utm_term=.5259a41a2aa8.
[2] Oona A. Hathaway, Rebecca Crootof, et al., The Law of Cyber-Attack, 100 Calif. L. Rev. 817 (2012), http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=4844&context=fss_papers.
[3] Tim Greene, Russian hacker group used phony Google login page to hack Clinton campaign, NetworkWorld (Oct. 19, 2016), http://www.networkworld.com/article/3131921/security/russian-hacker-group-used-phony-google-login-page-to-hack-clinton-campaign.html.
[4] See Owen S. Good, Hacker bomb threat diverts flight carrying Sony Online president, Polygon (Aug. 24, 2014), http://www.polygon.com/2014/8/24/6063149/hacker-threat-diverts-flight-carrying-sony-online-president.
[5] See Lucy Martirosyan, Top ‘Nigerian prince’ email scammer arrested, USA Today (Aug. 2, 2016), http://www.usatoday.com/story/news/world/2016/08/02/top-nigerian-prince-email-scammer-arrested/87945460/.
[6] Nils Melzer, Cyberwarfare and International Law 14-15 (UNIDIR Resources 2011), http://www.unidir.org/files/publications/pdfs/cyberwarfare-and-international-law-382.pdf.
[7] S.S. Lotus (Fr. v. Turk.), 1927 P.C.I.J. (ser. A) No. 10 (Sept. 7), at 18 (“The rules of law binding upon States . . . emanate from their own free will as expressed in conventions or by usages generally accepted as expressing principles of law. . . . Restrictions upon the independence of States cannot therefore be presumed.”); but see International Court of Justice, Advisory Opinion: Legality of the Threat or Use of Nuclear Weapons, 35 I.L.M. 4, 926 (July 1996) (declining to issue a final ruling on the legality of the use of nuclear weapons); Rebecca Ingber, International Law Constraints as Executive Power, 57 Harv. Int’l L.J. 49, 81 (2016), http://www.harvardilj.org/wp-content/uploads/Vol-57-1_Ingber.pdf (relating in detail the principle and exceptions taken to it).
[8] Catherine A. Theohary and John W. Rollins, Cong. Research Serv., R43955, Cyberwarfare and Cyberterrorism: In Brief 6 (2015), https://fas.org/sgp/crs/natsec/R43955.pdf.
[9] ‘Angry’ Julian Assange starts fifth year living in Ecuador’s London embassy, The Guardian (Jun. 18, 2016), https://www.theguardian.com/media/2016/jun/19/angry-julian-assange-starts-fifth-year-living-in-ecuadors-london-embassy; Andrew E. Kramer, Russia Extends Edward Snowden’s Asylum, N.Y. Times, Jan. 19, 2017, at A6, https://www.nytimes.com/2017/01/18/world/europe/edward-snowden-asylum-russia.html; Kristin Hulaas Sunde, Whistleblower Chelsea Manning thanks Amnesty activists for their support, Amnesty Int’l (Apr. 8, 2015), https://www.amnesty.org/en/latest/campaigns/2015/04/whistleblower-chelsea-manning-thanks-amnesty-activists-for-their-support/.
[10] Marc Fisher, John Woodrow Cox and Peter Hermann, Pizzagate: From rumor, to hashtag, to gunfire in D.C., Wash. Post (Dec. 6, 2016), https://www.washingtonpost.com/local/pizzagate-from-rumor-to-hashtag-to-gunfire-in-dc/2016/12/06/4c7def50-bbd4-11e6-94ac-3d324840106c_story.html?utm_term=.0c3c56cb991b.
[11] Barbara Schroeder, And You Thought Your Mother Wasn’t Perfect, Huffington Post (Jul. 4, 2010), www.huffingtonpost.com/barbara-schroeder/and-you-thought-your-moth_b_542100.html.
[12] Whitney v. Calif., 274 U.S. 357, 377 (1927) (Brandeis, J., concurring).