Image generated by ChatGPT
The Challenge to International Norms
Cyberattacks have become a powerful tool for foreign interference, especially during elections, posing risks to democratic institutions. Through covert means, States disrupt electoral systems, spread disinformation, and undermine voter confidence by targeting critical infrastructure. Election-related cyber interference is part of the broader concept of “foreign interference”, a term not explicitly defined in international law but addressed within national legal frameworks. However, domestic legal frameworks, such as the Canadian Security Intelligence Service (CSIS) Act, describe foreign-influenced activities as covert, deceptive actions threatening domestic interests. Such interference involves attempts by State or non-State actors to manipulate, intimidate, or discredit individuals, organisations or governments for the benefit of a foreign nation, targeting both domestic and international entities aiming to affect policies and democratic processes covertly.
Cyberattacks challenge fundamental international law principles, including non-intervention, due diligence, and state responsibility. Non-intervention prohibits States from coercively interfering in other States’ internal or external affairs. For a cyber operation to be considered a prohibited intervention, two conditions must be met: it must pertain to a State’s domaine réservé—areas like national elections or foreign policy—and it must be coercive. Coercion can be defined as forcing a state to change its behavior regarding sovereign matters or depriving it of control over such matters without directly altering its behavior, such as by manipulating voter registries, disrupting balloting systems, or spreading disinformation to undermine public confidence in elections. These actions interfere with a State’s ability to conduct its electoral processes independently and infringe upon its sovereign equality and political independence. Non-coercive actions, like persuasion or propaganda, do not qualify as intervention, unless they create adverse consequences for electoral processes or undermine public trust.
States also have a duty to prevent their territory from being used for actions that harm other States’ rights, including in cyberspace. Due diligence prohibits acts infringing upon a State’s sovereign rights, such as tampering with electoral systems or disseminating disinformation to undermine public confidence in elections. Although there is debate about whether sovereignty applies as a standalone rule in cyberspace, legal analysis and state practice affirm that acts interfering with the political independence or territorial integrity of another state violate its sovereignty.
Likewise, under international law of state responsibility, wrongful cyber acts—defined as operations violating international obligations and attributable to a State—are prohibited. Exceptions include self-defence or lawful countermeasures. While most cyber activities fall below the threshold of an armed attack, States remain accountable for violations, ensuring a legal framework for addressing malicious cyber actions.
As such, this analysis provides actionable recommendations to safeguard electoral integrity in the digital age, acknowledging the challenges of achieving international consensus. It argues that the “grey zone” of cyber-attacks presents both opportunities and threats, requiring States to innovate and reinterpret existing norms while developing new ones, as some democratic countries have already begun to do. States must collaborate to establish a binding international framework that clearly defines and prohibits cyber-based election meddling to address the complexities of cyber interference.
Legal Attribution and Existing Mechanisms
Attributing cyberattacks to a state presents a significant challenge in international law. For a cyber election meddling operation to be deemed an internationally wrongful act, it must violate an international obligation and be attributable to a State. However, attributing such actions is difficult due to the need for sophisticated technical capabilities and intelligence gathering, often hampered by jurisdictional limitations. This difficulty, compounded by the potential for false flag operations and a lack of universally accepted cyber warfare norms, makes holding perpetrators accountable and coordinating international responses incredibly challenging.
International law provides four categories of responses for States facing hostile cyber operations, including election interference. First, retorsion involves unfriendly but lawful acts, such as sanctions or diplomatic expulsions, used when the cyber operation is not clearly illegal. Secondly, and conversely, countermeasures are actions that would normally be unlawful but are justified as responses to wrongful acts. These measures must be proportional and aim to stop unlawful behaviour or seek reparations. For instance, the United States has employed both retorsion and countermeasures in response to Russian cyber meddling; however, it was reluctant to label those acts as breaches of international law.
Third, a plea of necessity allows States to take unlawful actions to defend their “essential interests” when faced with “grave and imminent peril,” and no other alternative exists. This framework does not require the cyber operation to be a breach of legal obligations or attributed to a State. However, it raises challenges, such as defining an “essential interest” and whether the threat is grave and imminent. It is generally accepted that fair and credible national elections are an essential interest, especially for high-level offices like the presidency. However, the threat must be serious and ongoing to justify invoking necessity, and minor cyber meddling would not meet this threshold.
Fourth, cyber-attacks could potentially constitute an “armed attack” under Article 51 of the UN Charter. While cyber election interference significantly harms democratic processes, it often lacks the physical damage traditionally associated with armed attacks. This ambiguity allows States to conduct hostile cyber operations without triggering a traditional military response. This legal uncertainty is exploited to disrupt and influence other States without facing immediate repercussions. The lack of clear legal definitions and thresholds for “armed conflict” in cyberspace makes it difficult for States to respond appropriately, leading to a lack of accountability and emboldening further hostile actions.
The recent failure of the UN Group of Governmental Experts (GGE) to reach a consensus on issues like self-defence and international humanitarian law in cyber interference underscores the challenges in applying existing international legal norms, with States like Russia and China opposing key proposals. This legal ambiguity threatens democratic processes, especially in cyber election interference, as some States exploit this grey zone to enhance the impact of their cyber actions. Efforts to address this include proposing new interpretations of international law and soft-law mechanisms to clarify these issues.
State Practice on Countermeasures
Some States are already leading efforts to build a shared understanding of international law related to cyber operations. For example, the Netherlands’ “Hague Process” fosters regional training programs to build consensus and lay the groundwork for future negotiations on cyber law. Additionally, States such as Canada apply existing international law principles, such as state responsibility for attributing cyber misconduct and holding States accountable for acts perpetrated directly or through proxies. Canada also emphasises that public disclosure of attribution is not mandatory due to political and strategic considerations.
State practice increasingly acknowledges the taking of countermeasures in response to wrongful acts in cyberspace. Countermeasures are actions typically prohibited under international law as part of self-defence but allowed as a response to an internationally wrongful act. The primary aim of countermeasures must be to induce compliance rather than seek retribution. They must be proportional, targeted only at the responsible State, and should not violate human rights or involve force.
While many States, including Canada, Germany, Japan, the UK, and the United States, agree on the principle of countermeasures applied to cyber incidents, there is variation in their interpretations. For instance, Denmark insists on prior notification before countermeasures, with exceptions for emergencies. Conversely, Israel argues that pre-notification is not mandatory and may be counterproductive, particularly in covert operations.
On proportionality, Austria believes countermeasures must not amount to force and should remain proportional, while Japan stresses the necessity of compliance without violating the use-of-force prohibition. Russia emphasises adherence to the UN Charter’s human rights and humanitarian norms. Regarding the type of countermeasures, the Netherlands suggests cyber operations targeting networks used in attacks are permissible. New Zealand includes both cyber and non-cyber measures, and the UK maintains that responses do not need to be symmetrical, allowing cyber countermeasures for non-cyber acts. These varying positions reflect a shared foundation for countermeasures but highlight differences that complicate the development of a coherent international legal framework for cyber countermeasures.
Countermeasures under international law are also provisional, meant to cease when the wrongful act they respond to stops. However, this condition becomes contentious in cyberattacks, particularly election interference, where the impacts may last long after the initial act ends. Questions arise about whether countermeasures should end automatically or be sustained to address long-term consequences. Determining if a countermeasure meets the necessary conditions is an objective matter, placing the burden of proof on the injured State. While the exact standard of proof can vary, international jurisprudence typically demands “clear and convincing evidence”. Consequently, the injured State must show that it is significantly more probable than not that the wrongful act occurred. If a State initiates countermeasures based on an unfounded belief that a breach happened, it risks international responsibility for wrongful conduct.
Countermeasures can be cyber or non-cyber and may include collective responses to wrongful acts, such as cyber operations to assist other States. However, there is insufficient State practice or legal consensus to confirm their legality under current international law. During the 76th session of the UN General Assembly, Estonia proposed, with support from New Zealand, that non-injured States could take collective countermeasures when diplomatic efforts fail and no lawful use of force is available. This measure would help States lacking cyber capabilities address unlawful operations. However, Canada rejected this, emphasising that collective countermeasures are not yet legally affirmed and should be seen as a potential future development in international law.
Proposals
As such, this analysis advocates for the creation of voluntary, non-binding international norms in the forms of declarations, guidelines or recommendations by UN bodies and resolutions by the UN General Assembly as an initial step to address cyber-attacks related to election interference, supporting recommendations by the UN GGE for responsible State behaviour in cyberspace. Such norms can enhance global security without contradicting international law and pave the way for future binding obligations. This analysis also underscores the importance of integrating regional experiences and State consultations, as outlined in General Assembly resolution 70/237, to inform and strengthen these norms. It urges affected States to conduct thorough investigations into cyber incidents, considering technical and impact-related factors and enhancing national frameworks and international coordination for better detection, investigation, and attribution of election-related cyber-attacks. Sharing attribution practices through multilateral platforms is also recommended to build a robust international norm framework.
This analysis also proposes a resolution on cyber-attacks related to election interference based on Human Rights Council resolutions 20/8 and 26/13, which emphasise human rights online, and General Assembly resolutions 68/167 and 69/166, focusing on digital privacy. These resolutions stress the need to protect human rights, such as privacy and freedom of expression, in the face of cyber threats to elections. States are urged to uphold these rights during elections, both online and offline, recognising that cyber-attacks, particularly those involving disinformation and election interference, violate individual human rights and undermine democratic integrity. It recommends that States expand their legal and policy frameworks to consider the human rights impact of cyber-attacks, adopting measures that safeguard electoral systems and individuals’ rights.
Janakan Muthukumar is a PhD student at Carleton University (Ottowa) and a Visiting Scholar at Global Affairs Canada.