Analysts largely agree that the hacking of various arms of the Democratic Party, and the release of hacked emails that deepened divisions within the party just ahead of its presidential convention, is a big deal. But there’s less agreement about whether what we’re witnessing is fundamentally old or new. The answer to that question could shape not just the Obama administration’s response to the hack, but international norms on the limits to foreign influence in democratic elections.

Put simply: If, as some reckon, Russian intelligence agencies spied on the Democratic Party and then shared looted documents with WikiLeaks in order to intervene in the U.S. election, can that be tolerated?

So far, only anonymous U.S. officials and private cybersecurity companies have designated Russia as the prime suspect in the hack. The U.S. government has yet to publicly accuse the Russian government of orchestrating the breach, let alone the leaks, and Russian officials have denied any involvement in the episode. Nevertheless, some argue that the Kremlin appears to have merely extended to America a reinvented Soviet tactic that it has deployed for years at home and across Europe: Using a variety of measures—including the collection and dissemination of compromising information and disinformation—to meddle in politics, discredit the political systems of rival countries, and sow doubt, discord, and disarray. An alternative interpretation is that Russia is “crossing a big red line and setting a dangerous precedent: an authoritarian country directly yet covertly trying to sabotage an American election.” Still others point out that there’s a long history of countries, including Russia and the United States, secretly seeking to influence elections and public opinion abroad, particularly during the Cold War. Often these efforts are overt, even routine; in many cases they stop short of explicitly picking sides (think of Angela Merkel praising Hillary Clinton), and in some they don’t (think of Barack Obama’s plea for Britain to remain in the European Union).

As U.S. authorities investigate who was behind the hack, legal scholars and cybersecurity experts have been scrambling to sort the old from the new. Jack Goldsmith, a Harvard Law professor and former George W. Bush administration official, says there’s something novel about the mechanisms and scale of the intervention, in that it seems to have involved not just cyber operations, but also partnering with a third-party organization to publish a massive amount of data. That last step is what made ordinary espionage extraordinary—and what potentially invites more ambitious interventions in American democracy in the future. The U.S. government, he fears, may be unprepared for the onslaught:

The combination of pilfering sensitive information and then “weaponiz[ing] Wikileaks” or some similar organization will surely recur. … Foreign governments could “hack a voting machine,” “shut down the voting system or election agencies,” “delete or change election records,” “hijack a candidate’s website,” “dox a candidate,” “and target campaign donors.” …

The Russian hack of the [Democratic National Committee] was small beans compared to the destruction of the integrity of a national election result. … Election fraud is typically the responsibility of election officials working with law-enforcement officials. But when election fraud with national consequences is potentially threatened by foreign adversaries, it should become the responsibility of (at a minimum) national intelligence officials. But are they on this problem? Does the United States government have a well-worked out plan to ensure that our highly computerized and highly decentralized system for electing the President is protected from foreign disruption via cyber-exploitation or cyber-attack?

The operation, he adds, may also feel new, even if that’s not actually so, because of the context in which it’s occurring. “It seems different because it involves manipulation of an American election,” Goldsmith writes. “And it seems different because of the suggestion that a presidential candidate of one U.S. party, [Donald Trump], might be working with—or at least supportive of—a major foreign adversary’s efforts to covertly damage the rival presidential candidate.”  

As for whether the hack poses new legal challenges, Goldsmith notes that while cyber-theft violates U.S. law, many countries—with the United States in the lead—similarly defy domestic law in other countries when conducting cyber-espionage abroad.

International law is murkier. Cyber-conflict is a relatively lawless frontier of foreign relations. Over the last half century or so, an international norm of non-intervention in a country’s internal affairs has emerged, according to Lori Fisler Damrosch, a professor of international law and diplomacy at Columbia University. But the norm is clearer in the case of, say, one country using military force to alter another country’s borders or independence than in cases where the methods used to interfere in a country’s ability to make its own choices aren’t obviously coercive.

“There was long ago a crystallization of this idea that forcible intervention in other countries’ affairs was prohibited by customary international law and by treaty law,” Damrosch told me. “It follows almost like a syllogism that non-forcible techniques that are equally intrusive should be equally prohibited. But because those techniques are so diffuse, it’s much harder to see any bright lines.”

If foreign hackers release documents that damage a political party during an election, is that a violation of the norm of non-intervention? It’s difficult to say, particularly since it’s very hard to attribute cyber-attacks with anything approaching certainty to a government, or to ascribe clear motives to the attackers.

“It’s always been something of a gray area to know what is benign influence in international and domestic politics, and what is prohibited intervention,” Damrosch said. “I’m not sure that that effort is really amenable to new lawmaking.”

These considerations could all factor into how the Obama administration reacts to the hacks and leaks that jolted an already-tumultuous presidential election. Even if U.S. officials gather sufficient proof of Russian involvement in the operation, “they may not be able to make their evidence public without tipping off Russia, or its proxies in cyberspace, about how deeply the National Security Agency has penetrated that country’s networks,” David Sanger reported in The New York Times over the weekend. “And designing a response that will send a clear message, without prompting escalation [of cyber-conflict between the two countries] or undermining efforts to work with Russia in places like Syria, where Russia is simultaneously an adversary and a partner, is even harder.”

U.S. retaliation against Russia could range from naming and shaming Russia as the culprit, to imposing sanctions or issuing indictments against implicated Russian officials, to launching cyber-attacks against Russian intelligence services. The Obama administration resorted to several of these measures against North Korea in 2014 over its hacking of Sony Pictures. But the risks of antagonizing Russia are greater than they were for North Korea. As a result, the United States might ultimately decide to do nothing.

Yet not responding is dangerous too, according to Matt Tait of Capital Alpha Security, who has concluded that the hack was probably the work of Russian intelligence. A decision to not retaliate could serve as a “green light to using similar tactics in future.”

“Will we stand idly by as a foreign government mass-leaks spreadsheets of donor financial information or the names, addresses, and phone numbers of DNC LGBT supporters?” Tait asks. “Is it okay to let a foreign government interfere in a U.S. election unchallenged? This is what’s at stake in Russia’s DNC hack.”

And those stakes might only be increasing. Back in 2009, Zephyr Teachout, a Fordham Law professor who’s currently running for Congress, wrote that “Given the global impact of United States policy, twenty years from now massive efforts to influence United States elections—from outside its borders—will be routine.” At the time, she meant that the internet had enabled governments, corporations, and citizens of other countries to influence U.S. elections as never before. For example, she asked, what if Venezuela’s then-president, Hugo Chavez, had released a series of viral videos online in 2008 that personally attacked the Republican presidential candidate, John McCain? Would that have been a good or bad thing for American democracy?

A lot has changed since then. Chavez is dead. The U.S. Supreme Court’s 2010 Citizens United decision allowed foreign entities to spend boundless money on American elections through U.S.-based corporations. The ensuing years have brought revelations of U.S.-Israeli cyber-attacks on Iran’s nuclear program and suspected Russian cyber-attacks against Ukraine’s power grid. The intense interest in influencing U.S. elections has not abated, but the means of doing so have grown more pernicious.

If the U.S. government determines that a foreign government was behind the breach, what it does—or does not do—next could have far-reaching consequences for American democracy, and democracies around the world.