Russia’s hacks of the Democratic National Committee and its election meddling were alarming, but not an act of war, said a leading scholar of international law in cyber operations.
“I’m no friend of the Russians,” said Michael Schmitt, chairman of the U.S. Naval War College’s International Law Department and director of a project that analyzes how international law applies to cyber operations — especially in peacetime.
But Moscow’s hacking and dumping of Democratic emails to WikiLeaks “is not an initiation of armed conflict. It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily.”
Schmitt spoke in an interview with The Washington Post coinciding with the release of the Tallinn Manual 2.0, an updated reference for lawyers around the world on how international law applies to cyberspace. Schmitt, who is also a law professor at the University of Exeter in Britain, led the legal team that compiled the manual.
Sen. John McCain (R-Ariz.), the chairman of the Armed Services Committee, has said he believes Russia’s interference in the 2016 presidential election amounted to an act of war.
Nonetheless, Schmitt said, Russia’s apparent attempt to influence the outcome of the election by its release of emails through WikiLeaks probably violates the international law barring intervention in a state’s internal affairs. And that would give the United States grounds to undertake “countermeasures” that would otherwise be unlawful, he said.
The updated Tallinn Manual explores cyber actions most commonly confronted by states today: espionage, denial of service disruptions and influence operations — actions that fall short of armed conflict and the use of force.
“The Russians are masters at playing the gray areas” of law, said Schmitt, arguing that the Kremlin is adept at carrying out operations that fall short of breaching undisputed legal red lines that would invite robust responses. For instance, Moscow has not conducted operations in the United States that cause deaths or significant, nationwide economic harm that would warrant the use of force in response.
Hacking the DNC’s emails is an act of political espionage, which is not a breach of international law, Schmitt said.
But, Schmitt said, the steady, voluminous release of emails that garnered negative media coverage for Democratic candidate Hillary Clinton reflected an intent to influence the election and amounted to unlawful intervention. Some legal experts disagree, which is where the gray area comes in. But if what Russia did was a violation of international law, then countermeasures would be lawful as long as they do not cause death or injury, Schmitt said.
But the manual offers no policy guidance on whether potential responses such as unleashing a denial of service attack that targets a Russian government network is wise or effective.
“Just because you can do something doesn’t necessarily mean that you should,” said Michael Daniel, White House cybersecurity coordinator in the Obama administration. “Any response that the U.S. takes is always going to be embedded in the larger geopolitical context.”
The Obama administration took several actions in response to the Russian election meddling that were lawful and did not depend on finding a violation of international law. They included economic sanctions on Russian spy agencies and cyber officials, the expulsions of 35 Russian intelligence operatives from the United States and the closing of two Russian compounds used for intelligence purposes.
Duncan Hollis, an international law professor at Temple University, said the manual will be useful but not “definitive” for U.S. government officials, who have been writing their own memos for years. “It’s more likely to have an effect for all these other countries who don’t have the deep bench of lawyers” that the United States has, he said.