Law | Europe | Tim Hagemann

The emails of Monsieur Macron: An international law perspective on cyber interference of foreign elections

Against the background of the latest email leaks of Emmanuel Macron shortly before the second round of the French presidential election, Tim A. Hagemann has a closer look on the classification and problems of these interferences with the democratic election process under international law.

Against the background of the latest email leaks of Emmanuel Macron shortly before the second round of the French presidential election, Tim A. Hagemann has a closer look on the classification and problems of these interferences with the democratic election process under international law.

Two days before the second round of the French presidential elections and the expected victory of liberal candidate Emmanuel Macron over his far-right opponent Marine Le Pen should take place, it occurred what most experts had feared and what most Americans might have put in a state of Deja-vu: Private and campaign related documents of a promising presidential candidate were apparently stolen from his personal servers, leaked to the public and spread millionfold over the internet. As for the spectacular DNC leak, there is reason to believe, that Russian hackers are responsible for this attack, that sought to boost the Kremlin’s favorite Le Pen in her final attempt to tip the public opinion in her favor. Although the action missed its aim and Emmanuel Macron emerged nevertheless victorious (be it for the news embargo France regularly imposes 48 hours before the election or the all but shocking content of the published documents), the increasing frequency of such interferences in the democratic election processes of western democracies, presumably by the Russian government or associated foreign actors, makes it necessary to illuminate their legality under international law.

Breach of international law

First and foremost, the act of hacking into a candidate’s computer to steal potentially incriminating documents must pose a violation of an international obligation of a state towards another. Given, that the perpetrated cyber-attacks in one country can be clearly attributed to a foreign nation, the obvious candidate for being violated is the principle of non-intervention. Article 2 (7) of the UN Charter states explicitly, that nothing in the charter authorizes its member states “to intervene in matters which are essentially within the domestic jurisdiction of any [other] state.” This underlines the importance the Charter attributes to this fundamental principle of sovereignty, which can only be bypassed by an authorization of the UN Security Council under circumstances as outlined by Chapter VII of the Charter, that means only in the event of “the existence of any threat to the peace, breach of the peace, or act of aggression.”[1] The inadmissibility of intervening in foreign domestic affairs has since been stressed by the United Nations in its General Assembly Resolution of 1965, where the Assembly firmly underlined the state’s “inalienable right to choose its political, economic, social and cultural systems without interference in any form by another State”[2], which was then thoroughly confirmed by the ICJ in its Nicaragua judgment of 1986, where the court defined, that a prohibited intervention comprises all “methods of coercion” towards another state. However, if “methods of coercion” cover – such as in our case – cyber-attacks on private servers of political figures in the end phase of an election process, is highly speculative and remains disputed. The Tallinn Manual[3] suggests, that manipulating the public opinion to the advantage of one party by altering online news, spreading fake news or shutting off one party’s online services must be seen as an eligible interference[4] and accordingly covering cyber-attacks aiming to benefit Le Pen. In fairness, it must be kept in mind, that the Tallinn Manual was developed by a NATO Cyber Defence think-tank[5], thus reflecting predominantly the opinion of those western democracies, which are most likely to be targeted by cyber manipulation. There is no indication that the prominent part of other nations shares this view which renders the construction of a customary rule mute from the beginning as long as states do not start to develop appropriate corresponding legislature.

Problem of Attribution

Even if one would interpret the principle if non-interference generously and thus including cyber-attacks as the one against Clinton and Macron, dealing with such actions includes a simple but troublesome component; the attribution of them to a state. It is a simple but powerful principle in international law, that it traditionally targets states, not individuals. Accordingly, these cyber-attacks must be regarded as state conduct in order to pose a violation of Article 2 (7) UN Charter. And this is the crux of the matter, as it requires a causal connection between the injury and an official act or omission attributable to the state that is alleged to be in breach of its legal obligations. Under the relevant regimes of state attribution this means in concrete terms, that the entity responsible must be a state organ, empowered by the state or a private, whose conduct the state has acknowledged as their own.[6] But although there are certain hints presumably linking the DNC leak to the Russian government, these could not yet be established for the attack on the servers of Emmanuel Macron. And what to do if not the state, but privateers, supporters of a far-right Europe did execute these attacks, encouraged by state propagandists, but not directly instructed by them? The mere support of a certain political view is and cannot be the threshold of accountable conduct as it would not only contradict the legal threshold established in the Balkan war cases, but would moreover throw the gates wide open for an extremely arbitrary attribution of every conceivable action to a state. Even if the hackers themselves originated from Russia and used Russian servers to execute their attacks, even exceptionally restrictive Tallinn Manual underlines explicitly that the fact that an attack originates from the cyber infrastructure of a state cannot be sufficient evidence to establish a legal responsibility of that state.[7]

It must therefore be concluded that the use of cyber-attacks to manipulate the outcome of a democratic election remains both in terms of legality as in terms of state attribution an excruciatingly underdeveloped field of international law. States would be well-advised to push forward the development and implementation of corresponding legislature. As this remains a long way to go and most states seem not to be able or willing to provide sufficient resources to adequately counter the intensifying thread of cyber warfare to it democratic structures, it is nothing but a secret, that the leaking of incriminating documents on the eve of important elections will probably become source of obstruction to be reckoned with.

[1] Cf. article 39 UN Charter.

[2] Cf. A/RES/20/2131.

[3] The Tallinn Manual on the International Law Applicable to Cyber Warfare is an academic, internationally not recognized study on the application of international law to cyber-attacks and cyber warfare.

[4] Id, para 45.

[5] To be more precise: The “Cooperative Cyber Defence Centre of Excellence” based in Tallinn, Estonia.

[6] Cf. articles 5 – 11 of the Draft articles on State Responsibility of 2001.

[7] Cf. Tallinn Manual, Rule 8.


Tim Hagemann

Tim Hagemann studied International Law, Economics and Chinese at the Universities in Tuebingen, Beijing, Aix-en-Provence and Maastricht. He holds a Master's degree in European and International Law from Aix-Marseille University, passed his first legal State Examination in Germany with a focus on public international and economic law and currently pursues an additional Master's degree in International Trade and Investment Law at Maastricht University. Professionally, he works as research associate for a renowned law firm and authors books relating to international business and economic law.