Dr. Asaf Lubin, an Associate Professor of Law at Indiana University Maurer School of Law, brings extensive expertise in international law, cybersecurity, and information warfare. With affiliations at Harvard University’s Berkman Klein Center for Internet and Society, Yale Law School’s Information Society Project, and the Hebrew University of Jerusalem’s Federmann Cyber Security Research Center, he is recognized as an authority in his field.
This interview, conducted on March 2, 2024, delves into the intricate dynamics of election interference, intelligence operations, and the evolving landscape of international law. In it, Lubin provides insights into espionage, cybersecurity, and the challenges posed by emerging technologies, offering a nuanced perspective on contemporary geopolitical issues.
With his forthcoming book, ‘The International Law of Intelligence: The World of Spycraft and the Law of Nations,’ slated for release later this year, Lubin’s expertise promises to contribute significantly to the discourse on intelligence ethics and the regulation of these activities within the framework of international law.
JURIST: Professor Lubin, for our readers, could you please provide a brief overview of what election interferences and intelligence operations are, and how those have manifested in recent US presidential elections?
Lubin: Let me start by situating espionage and intelligence activities within a broader universe of activities, what we might call information warfare (IW). IW involves a wide range of activities targeting information and communication technologies employed by a country to gain certain competitive advantages over an adversary. It may include, among other things, cyberattacks, disruption to critical infrastructure, propaganda efforts, and the deployment of misinformation and disinformation. Espionage and theft of sensitive information is another tool in the IW toolbox.
Election interference involves a country trying to gain foreign policy advantages by intruding into the election process of another state. Some election interferences are analog, think of a country financially contributing or advising in support of one political party. But some intrusions are digital. From troll farms and misinformation campaigns such as those committed by the Russian Internet Agency in the 2016 elections or attacks on voting machines and election infrastructure.
There is a convergence between election interferences and espionage operations. Consider the 2016 elections, the DNC email hack, and the doxing of John Podesta, in his role as campaign chairman for Hilary Clinton’s presidential bid. In that attack, Russian espionage was used to collect secret communications which were then shared with WikiLeaks to be dumped online in the hopes of embarrassing the campaign and influencing the results of the elections.
Electoral interference and espionage are not new issues. In fact, governments have long been involved in such efforts to advance their agendas. Some of these intrusions might be legitimate and tolerable. Others might be impermissible and condemned. The evolution of IW and the international law regulating it, will continue to shape these lines of legitimacy and permissibility.
JURIST: Thank you for bringing up the question of legitimacy, which also triggers the questions of sovereignty and non-intervention, as fundamental principles of international law. In that context, Professor, to what extent does international law address electoral interference and espionage?
Lubin: International law may apply to constrain certain types of IW operations, depending on their nature and the severity of their effects. Take election interferences, at one extreme is a scenario where one country attacks election machines in another country, in such a way as to completely change the results of an election. In this scenario, there is general consensus among states that the two-part test for a coercive intervention—as laid down by the ICJ in the 1986 Nicaragua decision—has been met. First, the attack targets an area within the domaine réservé (reserved domain) of that state, since the freedom to choose one’s leaders who will effectuate economic and social policy is a core pillar of political independence. Second, the attack is coercive, since it interferes in internal affairs in such a way that denies sovereign free choice (literally that choice is being taken from the voters).
But now think about the hack of the DNC and the doxing operation by Russia in 2016. This is a more complex case. Even if the targeting of the communications of the DNC was found to be within the domaine réservé of the United States, it seems much harder to prove that the free choice of the American public was hindered by releasing those otherwise accurate emails to the media stream.
The law on sovereignty and territorial integrity is even more complex. First, there is a debate among states about whether sovereignty even applies in cyberspace as a rule that may be violated. The African union has recently concluded that it does, as did a number of other countries like France, Germany, and the Netherlands. Nonetheless, other countries have questioned the applicability of sovereignty-as-a-rule. This is the view of the United Kingdom and seemingly the United States. Even if sovereignty may be violated in cyberspace, it remains to be seen which remote cyber activity rises to the level of such a violation. Here too countries disagree about the permissibility of cyber intrusions taking the form of mere intelligence gathering or espionage.
There is thus a large portion of IW operations, including in the context of cyber espionage and election interference, which falls below recognized thresholds and into an international law grey zone over which there is mostly legal disagreement and lack of consensus.
JURIST: Professor, we have recently seen the Chinese making assurances that they will not-intervene in the 2024 US elections, which reflects a governmental stance; But we’ve also seen around the world different forms of cyber intrusions and financial contributions to political campaigns, all with the goals of shaping election results. Considering these myriad attack vectors on election integrity, how effective is international law in tackling election interference by both governments and private actors?
Lubin: Each threat vector entails different international legal analysis. Let’s take a couple of examples and try to look at each of them more carefully. Beginning with foreign financial contributions. This is of course not a new problem. Professor Damrosch (Columbia Law School) as early as 1987 examined the current state of the law and made some projections about future law in this area. In 2024, we still don’t have good answers to these questions. Much of the issue of campaign funding is not regulated by international law, such as the law of non-intervention or human rights law, but is rather the subject of domestic regulation. So if the European Union wants to promote democracy around the world, the legality of its support of local political parties or non-for-profits will be determined on the basis of domestic legislation.
Again, part of the challenge has been that states have yet to explicitly regulate this area of state activity so to create best practices, standards, and international norms, let alone binding law. With regards to the 2024 elections, Congress is considering a bill being promoted in bipartisan fashion that would require radio stations and tv broadcasters to assess with reasonable efforts whether a certain political ad was bought by a foreign national.
This leads us to another threat vector, micro-targeting which is a new frontier for election interference. The now famous Cambridge Analytica scandal offers one such example. In this scenario, a political campaign or foreign agent may rely on social media platforms, on surveillance capitalism, and on artificial intelligence, to target certain communities vulnerable to particular types of political messaging. The messaging could include disinformation or misinformation, whatever the algorithm has identified is most likely to produce a response from the likely voter. Again, these kinds of grey zone attacks are not clearly regulated by international law. In Europe, for example, the response to Cambridge Analytica’s misuse of Facebook’s data, was to introduce and tighten certain data protection, misinformation, and AI legislation. But these are all domestic efforts.
A final example concerns remote cyber activity. The FBI established a Foreign Influence Task Force in the Fall of 2017, and then formed an Election Crimes Task Force in 2021. Recently, FBI director Christopher Wray noted that “more foreign actors, more nation-states want to get in the business of trying to interfere or at least influence elections.” The Cybersecurity and Infrastructure Security Agency (CISA) is equally looking to advance cybersecurity of electoral processes at the state level. These are all domestic responses meant to enhance cyber hygiene and cyber enforcement at home, or in collaboration with partners abroad. A public statement like that you mentioned from China, might help enhance confidence from the voting public, but does not assuage concerns for the Biden Administration of a possible Chinese covert operation.
On the international level, the United Nations Group of Governmental Experts (UNGGE) and other UN efforts continue to work to regulate responsible behavior in cyberspace. But so far these efforts have fallen short of actually reaching consensus as to whether election interferences, let alone cyber espionage activity, rise to the level of a prohibited attack on critical infrastructure or the core of the internet.
Interestingly, a lot of the rules of the road are being formulated behind closed doors, through back-channel dealings and other signaling efforts done between intelligence and security agencies of rivaling countries. Attribution, deterrence, and countermeasures in cyberspace often involve non formal mechanisms, certainly not the kind of mechanisms that generate public state practice and visible customary international law. But these more amorphous and below the surface understandings are nonetheless generating expectations of behaviors for this Great Powers’ digital competition.
JURIST: Delving more into digital and cyber issues, particularly for the 2024 election, artificial intelligence has a great role to play in both good and bad ways. There are many things about AI that we don’t know yet. So, how do you think that’s going to affect the electoral interference issue?
Lubin: In a different statement, FBI Director Wray said that AI is “lowering the barrier to entry” for foreign actors interested in election interference, allowing them to move “at a far faster pace” and producing election manipulations that are “more difficult to detect.” We know that AI is already used to generate misinformation and disinformation including through the creation of fake news, photos, and videos. The bot farms from Russia, mentioned in the Muller Report, are probably working overtime.
AI is opening the door for new ways to wreak societal havoc, requiring higher levels of education of the voting public to be able to discern what are trustworthy sources of information and how to operate in the world with a healthy dosage of skepticism about everything you read and see.
That’s one aspect of it. Another aspect is that AI allows for automation, it allows malicious actors to scale up their attacks. We already see this in cyberspace, where remote attacks using malware-as-a-service has entailed a greater diversification of threat actors and threat activity. AI could further balloon these operations, generating unimaginable quantities of content for disinformation and misinformation purposes so as to multiply the harmful effects.
AI is a problem in cybersecurity, but AI can also be the solution. AI can enhance defenses. AI can do a better and faster job at quality assurance around vulnerabilities in the code, replacing human engineers who previously needed to look through the code and spot those vulnerabilities themselves. AI can also assist in writing new code, that is more secure, and thus producing safer communication systems and election processes.
But this is a cat and mouse game. Once AI is fully utilized to enhance cybersecurity, the hackers will turn to attaching the machine learning behind it. So, the new frontier of cyberattacks is the targeting of databases from which AI is generated to poison the data and thereby bias the AI in all kinds of malicious ways. All you need to do is understand how the AI sees the world and then manipulate it to advance a particular governmental purpose.
Round and round we go, new threats on societal trust in elections, new defenses, and new threats once again. Notice I’ve said nothing about international law. This race is mostly technological with the law playing second fiddle.
JURIST: Well, considering what you just said, do you think there is a need for a change in the existing legal framework or the enactment of new frameworks, be them international or domestic? Particularly with the 2024 US presidential election in mind?
Lubin: In an ideal world, the answer is simple: YES! An international framework that would reorient public world order around these threats, would be welcome. Clear and precise collective agreement on what is acceptable and unacceptable behavior in cyberspace, in intelligence gathering, or in the context of foreign intrusions, would help stabilize the system to secure minimum world order.
But I’m also realistic and recognize it is very unlikely that such an agreement will be achieved, certainly not now as the world undergoes two major wars in Ukraine and in Gaza, which have pitted the world powers against each other. After all, whatever the framework is the world powers will have to sign onto that framework. China, Russia, the United States – seem to agree on very little, particularly where the AI Arms Race is at stake. Take the recent Council of Europe “Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law” from 2024 or the more specific “Political Declaration on Responsible Military Use of Artificial Intelligence and Autonomy” from 2023. If you actually read the text of these documents, you will see how behind the multilateral discourse is around proper regulation of some of these activities.
It seems unrealistic to think that on something as major as election interference we will ever achieve common ground. And so at the immediate level, enhancing cybersecurity, including by enhancing capacities around the world to equalize individual nations’ ability to safely address election threats is where we should go.
Perhaps countries could agree that certain attacks on critical infrastructure are off the table. The Paris Call for Trust and Security in Cyberspace, for example, sets a principle the obligations of nation states to “prevent activity that intentionally and substantially damages the general availability or integrity of the public core of the Internet.” Countries may, over time, come to agree on which categories of information and communications technologies may be seen as “core” and subject to heightened protections.
Coming back to espionage regulation, I wrote in a book chapter a few years ago for NATO CCDCOE, that argued that cyber law and espionage law operate in tandem, as communicating vessels. What I meant by that is that every cyber intrusion begins with unauthorized access, just like every espionage operation begins with unauthorized access. Any affirmative regulation of cyberspace thus will have direct and immediate effects on the regulation of brick-and-mortar spying, because at its root its an attempt by international lawyers to set clearer standards on trespass. Countries in the past sought to exclude espionage, covert action, and election interferences from being the subject of explicit regulation. The cyber and AI debates may now force them to regulate some of these practices against their will.
JURIST: Thank you, Professor. Also congratulations on your forthcoming book ‘The International Law of Intelligence: The World of Spycraft and the Law of Nations’. Would you like to share the timeline of the publication with our readers and what to expect in the book?
Lubin: The book comes out probably late in the Fall of 2024. The core argument that the book makes can be summed up in quite simple terms: we have heavily relied on general principles of international law to regulate espionage. These are the same general principles we’ve discussed during this interview: the law on sovereignty and non-intervention, as well as human rights law or the law on diplomatic protection or the law of the sea. These general principles, as their name suggests, are general. They were codified with no intention that they will explicitly be the law of espionage, a topic that is very complicated, very nuanced, and historically rich.
Applying general international law to intelligence creates all sorts of problems, including limitations on our ability to manage and meaningfully regulate the choice of means, the choice of targets, and the choice of campaigns in the conduct of intelligence activity.
The book is situated within a broader and emerging literature around the need for specialized rules that are derived both from deontological principles and values in intelligence ethics and from the broader historical practice of intelligence as a tradecraft. Combined these sources help formulate a new set of guiding rules which I argue exist as a matter of customary law, or at least could exist, as a matter of lex ferenda to better regulate the future of intelligence activity.
The book will also call for the need to increase pedagogy around these issues as a matter of international law. Intelligence is a topic that is rarely covered in traditional public international law courses and textbooks. And that’s a real problem, I think, in our ability to creatively think about the set of problems that we’ve discussed throughout this interview.