In a recent poll of cybersecurity experts, when asked if “state election systems [are] sufficiently protected against cyberthreats,” 95 percent responded no. Given the seriousness of the threat, and its ability to impact the future of the United States it is worth examining what other options there are in the United States’ playbook for dealing with election interference and hacking, specifically, the scope of responses permitted under international law to deter and respond to these types of attacks.
Since the 2016 U.S. Presidential elections, the security of America’s electoral system has emerged as a central issue in the political discourse of the day. The dire state of the system’s security and the continuous barrage of malicious activity thoroughly warrant the attention the issue receives. The ever presence of this risk has led to increased action and engagement on every level of government, from providing states with hundreds of millions of dollars, to an increased dedication from federal agencies assisting states bolster their security, to states increasingly building cybersecurity into their electoral systems.
While these are laudatory actions, and certainly help mitigate the risk of a successful attack on the U.S. electoral system, it is important to understand the full scope of the panoply of threats facing the security and integrity of our electoral systems in order to meaningfully and adequately craft an appropriate response, using all options available to the United States. We will examine the tactics, techniques, and procedures that have been previously deployed to attack our electoral system, as well as other potential attack vectors that have not yet been successfully deployed against our nation. Finally, we will examine the development of the international law governing election hacking and interference, the role the United States can play in moving that development forward, and the scope of responses available to a nation whose elections have been attacked.
What Is Election Hacking?
According to a January 2017 report released by the Office of the Director of National Intelligence (ODNI), reflects the findings of the U.S. Intelligence Community, and found that Russia waged an influence campaign against the 2016 U.S. Presidential elections. The ODNI Report offers several “Key Judgements” regarding Russia’s involvement in the 2016 Elections, which in sum, come to the following conclusion:
We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. [ … ] Moscow’s influence campaign followed a Russian messaging strategy that blends covert intelligence operations—such as cyber activity—with overt efforts by Russian Government agencies, state-funded media, third-party intermediaries, and paid social media users or “trolls.”
Essentially, the Report found that there were three prongs to Russia’s campaign: (1) gaining unauthorized access to the computer systems, accounts, and confidential information of Presidential Campaigns, party organizations, and high-ranking officials in the infrastructure of both; (2) tactical leaking of that information; and (3) an overt propaganda campaign using social media, sometimes impersonating American individuals and organizations, to micro-target voters to sway popular opinion. While there have also been allegations that Russia was able to gain access to some states’ electoral systems, there have been no allegations that a single vote was affected or that a single voter was taken off a voter roll.
Russia’s 2016 influence campaign represents one end of the spectrum of election hacking or interference, on the other end, we have countless hypothesized attacks, which could much more acutely and directly affect the results or even the final tally of a national election. The precise methodologies for potential attacks are too numerous to list, but there are two core aspects of the electoral system that are, potentially, vulnerable to attack: availability and integrity. Rogue actors can attack voting systems and seek to take them offline, en-masse, or even target particular regions that lean toward one side or the other, creating large-scale chaos and disruptions, and meaningfully hindering the ability of local governments to hold elections and voters in the area to participate and freely cast their votes. While this methodology does not directly target a particular political party, if it is precisely targeted towards areas that have a dense partisan affiliation in one direction or another, the outcome of an election can be impacted.
On the other end of the spectrum of potential attacks, lie attempts to affect the actual integrity of vote counts. This involves hacking election machines and can range from an attack on the actual data recorded, to a more nuanced attack on the interface between input in a machine and the actual result recorded. These types of attacks are not incredibly hard to perpetrate, at least on a local scale. Princeton researchers demonstrated how with, a single piece of hardware, a stingray cell-site simulator, a rogue actor can intercept and edit vote tallies as they are being transmitted to the central tallying location, all without ever physically interacting with a voting machine. While we are quite vulnerable to these and other similar forms of attack, due to the widespread use of outdated, vulnerable machines throughout the country, an issue that is significantly exacerbated by inadequate auditing protocols and a lack of paper trails, in order to have a meaningful impact, these attacks require large-scale coordination and significant resources on the ground. It would be exceptionally difficult for a foreign power, or any other malign entity, to carry out an attack targeting vote totals directly on a scale that could plausibly effect an election of national import.
While it might be harder to implement, a firmware or operating system attack on voting machines can impact systems much more broadly. If the firmware of a voting machine, the code that is permanently programmed into its read only memory, or the operating system of the machine is compromised at the level of a machine manufacturer or, potentially state or local authorities that run the machines, this single compromise can lead to the widespread use of compromised systems. Thus, compromising a few, or potentially, even a single company or government authority could result in the widespread use of compromised machines which could impact the vote totals in a significant manner.
One further note is the importance of contextualizing the recent trend of electoral interference through cyber means in the broader historical context of foreign electoral interference. Election interference is nothing new and has been broadly practiced throughout modern history. Foreign nations have attempted to interfere in American elections going back at least to the 1940 election, when both the United Kingdom and Nazi Germany tried to interfere in the election (to varying degrees of success). Even the United States has been accused of election interference from the post-war era when the United States often supported anti-communist candidates and even into the modern era. In fact, studies have counted well over 100 instances of foreign electoral interference, of one sort or another, in the post-war era, amounting, by some counts to over one out of nine competitive elections worldwide.
While the question of defending elections is quite multifarious and complex, particularly given the fact that much of the actual work of holding an election is carried out on the local and state level, the question of how vulnerable our elections actually are is quite simple: very vulnerable. Understanding the spectrum of possible attacks, from influence campaigns and meddling, to outright attempts to change vote tallies, is an important part of the issue, but we must also focus on how we can best defend our elections. The United States has several options at its disposal, and should use, or at least consider, all of them.
The first line of defense is securing our elections. In a comprehensive report by Harvard’s Belfer Center for Science and International Affairs, the authors provide a common sense list of steps that can be taken to significantly improve the security of our elections. While some of the measures, such as developing a security awareness culture and implementing multifactor authentication, are true for any organization trying to implement best practices for cybersecurity, the report lists many steps specifically tailored for election security. For example, an adequate paper vote record provides a means of external validation, securing against a complete reliance on technical systems and enabling states and local governments to audit results and compare paper results with digital results to detect and secure against anomalous activities indicative of a compromised machine.
Technical measures, while vital, are not, in and of themselves adequate to ensure the security and integrity of elections. Maintaining transparent and open communications between the public and the state or local government to ensure the speedy and efficacious dissemination of important information is essential to safeguarding public trust and confidence. Bolstering public awareness and confidence in the electoral system is critical to preparing for a potential attack on an election, minimizing the impact of such an attack, and preserving the integrity of the system. Every level of government, from state and local governments to the federal government, have an essential role in ensuring all technical and non-technical steps are taken to maximize the security of elections. While these measures are primarily carried out on the state and local level, the federal government plays an essential role, not just in terms of ensuring adequate funding, but by tying the funding to meaningful standards and ensuring the broad adoption of such heightened standards.
While all of these technical and non-technical steps are essential to securing elections, they are not the only solutions available to the United States on the national and international levels. The United States has many tools available in its arsenal to deter the actions of international malefactors seeking to meddle in its electoral processes. International law offers a broad spectrum of responses the United States can pursue against nation-state actors that interfere in American elections. Depending on the severity and scope of the actions, an interference campaign may or may not amount to an intervention in the domestic affairs of a sovereign state and a violation of international law. Even when a campaign falls below the threshold of violating of international law, the United States has a wide array of diplomatic and international tools that it can use to punish bad actors and deter future misconduct in the space. By more clearly setting a precedent that bad actors will face meaningful consequences and engaging with the full scope of activities permitted under international law, the United States can meaningfully disincentivize bad actors in the space.
While these are important steps in the defense and security of elections, and they represent most of the tools in a state or local government’s toolbox, they are not the only solutions available for the United States. International law offers several corrective actions that can be employed by a nation-state seeking to correct a violation of international law. By opening election hacking to diplomatic and military corrective actions, we provide ourselves with the most effective tools to deter nation-states from interfering and hacking our electoral processes. To make a foray into these options, it first necessary to understand certain foundational elements of international law and specific provisions that can apply to election interference and hacking.
International Law and Election Hacking
International law in cyberspace is generally governed by custom rather than treaty. Thus, much of the international law in this space is developed through the conduct and opinio juris of states. In the event that a nation-state violates the rights of another state, the aggrieved state is permitted to take countermeasures, unilateral corrective actions, that are “necessary to terminate the violation or prevent further violation, or to remedy the violation and are not out of proportion to the violation and the injury suffered.” (Restatement (Third) of Foreign Relations Law §905). The options for how to implement this type of remedy include, but are not limited to suspending treaty relations, freezing assets, imposition of economic sanctions, etc., but the action must always be proportional to the harm and engineered to correct the wrong and ideally facilitate negotiations between the parties. It is also important to note that there is no requirement that the modality of corrective action be, in any way, related to the modality of the initial violative activity. A cyber attack certainly does not necessitate that corrective action occur by cyber means.
Thus, the core question becomes what constitutes a violative act. This is far from an easy question, and particularly in cyberspace answers can be even harder to find. To start the analysis, we should begin with general principles of sovereignty. When a state violates another state’s sovereignty, there is a violative act. This can be true whether it is boots on the ground or if it is a digital attack. The most serious class of violative acts under international law include acts of war, armed attacks, and armed interventions. A cyber attack can absolutely reach this threshold, but the severity of the attack must be similar in extent and effect to the equivalent category of conventional, kinetic activities. It is very unlikely that electoral interference, unless part of a broader campaign of hostile activity, could reach the high threshold for this sort of violation.
However, a hostile act need not amount to an act of war to violate international law. Activities that intervene in the internal affairs of another state can constitute a violation of the norms of customary international law. To be violative the act must intervene in the scope affairs typically reserved for at state to exercise its internal, domestic jurisdiction and competence, or the domaine réservé, of another state. Furthermore, the act must be of a severity that constitutes coercion, rather than just pressure or influence. If the activities interfere in the domaine reserve of another state, but only amount to interference and pressure but not coercion, these activities do not violate international law. For example, seeking to carry out law enforcement activity in the territory of another state, without the consent of that state, would usually constitute a violative act of intervention in the internal affairs of another state.
There is a good deal of consensus that, under certain circumstances, election hacking can be adequately severe so as to constitute coercion and to constitute an act of intervention in the internal affairs of another state. For example, if a state hacks the actual electoral system of another state and modifies the results so that the losing candidate instead wins, the majority of experts agree that such an act constitutes coercion and a violation of the sovereignty of the targeted country. However, there is a great deal of disagreement as to the degree of severity required of an election hacking campaign such that the campaign amounts to a coercive act, violative of international law. There is a view that even in the aforementioned scenario, the threshold of coercivity is not met because the affected state does not realize it is being compelled to act.
The question of whether or not an electoral interference campaign that does not directly impact vote totals or the functionality of electoral systems can reach the necessary threshold of coercivity is both complicated and unsettled. Many theories of how such a campaign could potentially violate international law have been proposed, from the notion that the erosion of democratic legitimacy is a fundamentally coercive act impeding the ability of a state to effectively govern itself to the notion that such a campaign constitutes a violation of the right of a state to self-determination. Ultimately, the question of whether or not such a campaign can constitute a cognizable violation of international law and the precise contours of what such a violation might require are underdetermined and not clear under the current state of international law.
Any process of determining the contours of such a violation must proceed with extreme caution because the precise lines between illegitimate influence/propaganda and legitimate public diplomacy is extremely opaque. The development of an overly restrictive norm poses at least as much risk in terms of prohibiting the salubrious exercise of public diplomacy aimed at repressive regimes as it poses promise with regards to avoiding inappropriate influence campaigns targeted at undermining legitimate elections in free societies. Such propaganda can be combatted with true speech and public education campaigns. Removing the tool of public diplomacy from the arsenal of democratic societies leaves the population of nations with repressive regimes devoid of access to important information about their own societies and governments.
It is very important to note that if a hostile act fails to amount to a violation of international law, it does not leave the targeted state devoid of options. While countermeasures are only permissible in response to an identified violation of international law, and must be proportional to said violation, retorsion is free of both such requirements. Countermeasures are acts that, without the unique circumstances that render them lawful, would otherwise constitute a violation of international law. Retorsion, on the other hand, only applies to acts that, while carried out in response to the hostile acts of another state, do not constitute a violation of international law. Thus, while countermeasures are not permitted if the initial hostile act doesn’t reach the threshold of violating international law, retorsion is permitted in such circumstances. Furthermore, while countermeasures must be both proportional to the initial violative act and targeted towards inducing the culpable state to cease its wrongful activities, retorsion is subject to no such restrictions. While acts of retorsion must adhere to all applicable rules and norms of international law, they may be consciously both more severe than the initial hostile act and punitive in intent. Thus, the United States can meaningfully pursue policies targeted at deterring election hacking and interference, even when the activities do not amount to a violation of international law.
While clarifying the status of election hacking on various levels under international law is important, retorsion provides the United States with a broad scope of permissible activities that can be precisely structured to deter malicious actors from interfering in its elections. Though such corrective action comes after the harm, by clearly taking a stance as to the severity of the actions the United States will take if a national election is interfered with, we are well positioned to deter a potential actor looking to attack our elections, even if their proposed interference would not amount to a violation of international law. While this approach cannot unilaterally protect elections, simultaneously raising the costs of succeeding as well as raising the costs to succeed through strengthening our defenses, will force potential bad actors to meaningfully reassess their calculations. More importantly, the international law governing cyberspace is still in its nascency, there is a critically important opportunity for the United States to set the norms which will govern not only its conduct, but the conduct of all nation-states. If the United States does not take this initiative, other nation-states will.
Election interference and hacking is one of the most visible symptoms of our new, interconnected world. It is incumbent on global leaders, like the United States, to take an active role in the defending the democratic process within our borders and setting a standard for others to follow. There is no simple, single step that the United States can take to inoculate itself against this threat, but there are both domestic and international steps that can be taken to defend elections and deter bold actions in cyberspace. The United States should use all of the tools in its arsenal to ensure the validity and trustworthiness of future elections. While perfection may unattainable, following the above guidance can help the United States achieve meaningful improvements.
Benjamin Dynkin and Barry Dynkin are co-executive directors of the American Cybersecurity Institute, a nonprofit dedicated to cyber policy. They are also the co-founders of Atlas Cybersecurity, a cybersecurity services firm in New York.