Did Russia's election hacking break international law? Even the experts aren't sure

Grey areas in international law still exist when it comes to state-backed hacking and cyber operations.
Written by Steve Ranger, Global News Director

Alleged hacking by Russia might be considered an influence on another state's election, but it is not unlawful under international law to conduct espionage.

Image: iStock

For months, US intelligence agencies have been pointing the finger of blame at Russia over a series of hacks against organizations involved in last year's presidential election, including the Democratic National Committee (DNC).

Russia has consistently denied any involvement in the hacking campaign. While the attacks were condemned by President Obama, who expelled Russian diplomats as a result, it's not actually clear whether hacking of the DNC, if carried out by Russia or another country, broke international law.

"International lawyers are split right down the middle on whether or not that's a violation of international law," said professor Michael Schmitt, professor of public international law at the University of Exeter. Schmitt is the lead editor of the recently published Tallinn Manual 2.0, a guide to how law applies to cyberwarfare.

"I think it is. My closest colleague, the managing editor of our book, does not. She believes it's just under that red line. I believe it's just over the red line," he said.

"I think it is breaking international law. My argument is that espionage is not unlawful: it may be a violation of domestic law but in itself is not unlawful. However, when you engage in what is a domestic crime to distort the electoral process, then in that case you are intervening in the internal affairs of another state."

Schmitt says the "equally sound" counter argument is that more information is always better for an electorate, and that the emails were factual. So while that action might be considered an influence on another state's election, it is not unlawful under international law to conduct espionage and so was not an intervention into the internal affairs of the US.

"I also believe that violation would have opened the door to US operations that would have involved hack-backs had the US decided to conduct them. It would have made our hack-backs legal."

The debate about the legal status of the attacks on the DNC reflects how the law on the use of hacking and other cyber operations is not always clearly defined. It's something that the Tallinn Manual project has aimed to change.

The first version of the Tallinn Manual was published in 2013 and argued that international law did apply to cyberwarfare, something that had not been generally accepted until then.

"Before it came out, there was a big debate in the international community about whether international law applied to this new domain of conflict, of warfare. That debate's over. No serious scholar or state believes that international law doesn't apply in its entirety to operations conducted in cyberspace," said Schmitt.

The focus of the original Tallinn Manual, developed by NATO's cyber defence thinktank, was on the most extreme forms of cyber operations, those that occur during warfare or cyber attacks that caused death and destruction, and how they should be treated in law.

These incidents might be dramatic but are also extremely rare, and so the updated manual looks at the legal status of the various types of hacking and other digital attacks that occur on a daily basis during peacetime.

"Tallinn 1.0 was about the most severe operations. Tallinn 2.0 is about the most frequent operations," Schmitt said.

"It lays out how a cyber operation might violate international law. It looks at issues like, 'When is a cyber operation a breach of the sovereignty of the state into which it is conducted?'. It looks at issues like, 'When does a cyber operation by a state constitute intervention into the internal affairs of another country?'. It looks at issues of where is it permissible to conduct cyber operations from. There's a big chunk of Tallinn 2.0 that's about what is a violation of international law in cyberspace."

Mostly aimed at legal advisers to governments, military, and intelligence agencies, the manual looks at when an attack is a violation of international law in cyberspace, and when nations are justified in responding to such assaults. "It answers questions like, 'Can I hack back?' at individual or the entity or the state that conducted the cyber operation."

But Schmitt said one of the most important things is not where the team of 19 international law experts agreed, but where they disagreed.

"Perhaps the strength of the book isn't so much in what we agreed on, but what we disagreed on, or what we said was unsettled law as a matter of international law, because that really represents the grey zone where most of the action is going to occur," he said.

"By identifying those areas where the law is not crystal clear, it serves as a sort of map for states on where they need to focus their efforts, where they need to head to firm up the rule of law in cyberspace," he said.

But identifying the grey areas also gives states a guide to the sorts of behaviours that they can probably get away with, as it's not clear if they have broken the law.

Schmitt acknowledged this: "That's exactly right, though that is not our purpose." He said clear international law can act as a deterrent to malicious states because they then know the consequences of their activity.

"I also think clear rules of law diminish the possibility of escalation, because escalation often happens when there is confusion and uncertainty. So to the extent that everyone understands what has happened as a matter of law, the likelihood of escalation goes down a bit."

Not everyone agrees that reducing the grey area is a good idea, he said. By reducing that grey area: "The counter argument is that 'You Tallinn Manual people have to some extent made life hard for states because strategic ambiguity is useful'. It's nice to have a grey area in which to operate."

Read more on cyber-espionage

Editorial standards