The Third Annual Mike Lewis Memorial Teleforum: Cyberwar and International Law

Listen & Download

There is broad agreement that international law applies to cyber conflict. There is less agreement as to exactly what that means. What principles of the existing Law of Armed Conflict clearly apply to cyber attacks by nations? What questions remain open and should be determined by the actual practice of nations? Two distinguished law professors will address these and other issues during the Mike Lewis Memorial Teleforum.
 
Mike Lewis was a naval aviator, and then a renowned law professor, widely admired by other scholars and practitioners, whether or not they agreed with his substantive conclusions. He was a great friend of the Federalist Society, appearing at dozens of lawyer and student chapter events, as well as the 2014 National Convention. He was also a member of the Executive Committee of the Society's International & National Security Law Practice Group. Each year, the Practice Group holds a Teleforum in his honor.
 

Featuring:

Professor Eric Talbot Jensen, Professor of Law, The J. Reuben Clark Law School, Brigham Young University

Professor Jeremy A. Rabkin, Professor of Law, Antonin Scalia Law School, George Mason University

Moderator: Eric J. Kadel, Jr., Partner, Sullivan & Cromwell LLP

 

 

Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up here. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

 

Event Transcript

Operator:  Welcome to The Federalist Society's Practice Group Podcast. The following podcast, hosted by The Federalist Society's International & National Security Law Practice Group, was recorded on Thursday, September 6, 2018 during a live teleforum conference call held exclusively for Federalist Society members.        

 

Wesley Hodges: Welcome to The Federalist Society's teleforum conference call, and welcome to the Third Annual Mike Lewis Memorial Teleforum hosted by our International & National Security Law Practice Group. My name is Wesley Hodges, and I'm the Associate Director of Practice Groups at The Federalist Society.

 

      As always, please note that all expressions of opinion are those of the experts on today's call.

 

      Today we are very fortunate to have with us an accomplished panel of experts and moderating them today is Mr. Eric J. Kadel, Jr., who is a Partner at Sullivan & Cromwell LLP. After our speakers give their remarks, we will have an audience Q&A, so please keep in mind what questions you have for this subject or for our individual speakers. Thank you very much. Eric, the floor is yours.

 

Eric J. Kadel, Jr.:  Great. Thank you very much, Wes. And hello, everyone. This is Eric Kadel. I'm a Partner at Sullivan & Cromwell LLP, and I'm a longstanding member of the Executive Committee of The Federalist Society's International & National Security Law Practice Group. It's my honor to welcome you today to the Third Annual Mike Lewis Memorial Teleforum.

 

      Just a few words of background. The teleforum was instituted in January 2016 by the Executive Committee of the International & National Security Law Practice Group of The Federalist Society in order to honor our friend and colleague, Professor Michael W. Lewis, who passed away in the summer of 2015 after a battle with cancer. The Federalist Society lost a great friend with the passing of Mike Lewis. Mike was a Naval aviator, a loving father and husband, an internationally renowned law professor from The Ohio Northern University Pettit College of Law, and a tireless public advocate for a principled and wise application of the law of armed conflict consistent with both the values and the interests of the United States.

 

      After receiving his undergraduate degree from Johns Hopkins University, Professor Lewis flew F-14s for the U.S. Navy. He graduated first in his class from TOPGUN. He served in Operations Desert Shield and Desert Storm. After those operations, he entered Harvard Law School, where he was a member of The Federalist Society and served on the Editorial Staff of the Harvard Journal of Law and Public Policy. One year after joining the faculty at Ohio Northern law school, he received its award for Excellence in Classroom Teaching.

 

      Mike's areas of specialty were the law of armed conflict and international humanitarian law. Mike was a brilliant lawyer who was one of the premier law of war specialists. Not only was he brilliant and articulate, but he brought to bear the practical wisdom of a war fighter. Mike was widely admired but other scholars and practitioners, whether or not they agreed with his substantive conclusions. As Vince Vitkowsky, the former chair of our Executive Committee, said, "Mike was an amazing person, an incredible blend of talent, energy, charisma, sincerity, and generosity of spirit. We're privileged to have known him and worked with him and we will miss him profoundly." And we are proud to honor him and his memory with this teleforum.

 

      The inaugural Mike Lewis teleforum in 2016 focused on the U.S. Department of Defense Law of War Manual. In 2017, our experts discussed the White House Report on the use of force. This year, we're joined by Professor Eric Talbot Jensen, Professor of Law at the J. Reuben Clark Law School, Brigham Young University and Professor Jeremy A. Rabkin, Professor of Law at the Antonin Scalia Law School at George Mason University. And what we'll talk about today is the intersection of cyberwar and international law.

     

      A few words just to set the stage for today's discussion. There's broad agreement that international law applies to cyber conflict, but there is less agreement as to exactly what this means. What principles of the existing law of armed conflict clearly apply to cyber attacks by nations? What questions remain open and should be determined by the actual practice of nations? In order to start our discussion today, let me start by posing this question to Eric and to Jeremy, and it's about the Tallinn Manual. For those of you who want to look this up later, that's spelled T-A-L-L-I-N-N. It started as an academic study put together by legal scholars and legal practitioners with experience in cyber issues, who were consulted throughout the duration of the project by information technology specialists on how international law and in particular the jus ad bellum and international humanitarian law, applies to cyber conflicts and cyber warfare. In April 2013, the manual was published by Cambridge University Press and Tallinn 2.0 was released in February 2017. The manual is recognized as the first effort to analyze the topic comprehensively and authoritatively and to bring some degree of clarity to the associated complex legal issues. Can you tell us more about the Tallinn Manual and the current status? And maybe I'll turn it over to Eric first.

 

Professor Eric Talbot Jensen:  Sure. So the genesis of the initial Tallinn Manual came from the 2007 cyber event that occurred in Estonia, where the Estonian government moved a statue of a Russian solider from its more prominent place in the city to a cemetery somewhat outside the city. And many of the Russian citizens or Russian residents of Estonia began to -- they were angry with that and began to cause a disturbance. And contemporaneously with that, a number of cyber activities occurred mostly to government and finance institutions in Estonia. And this of course caused a major disruption and caused many people to start thinking this cyber thing has some real potential to cause some problems. We ought to spend some more time thinking about this. And so there's a center for cyber excellence in Estonia, now, in Tallinn. It's a NATO institution, but they thought well, let's get some people together and some people who are maybe experts in law of armed conflict and see how the law of armed conflict would apply to a cyber situation.

 

      And that's what the first Tallinn Manual dealt with, the one published in 2013. It was mostly written by, again, scholars, people who are law of armed conflict experts, and who are writing mostly about what would happen with -- how cyber would fit into the law of armed conflict. After that was published, the same center got a lot of feedback that was really great. But there's a lot of things that are going on now outside of armed conflict, and we have some questions about how international law more generally would apply to cyber activities, not necessarily in armed conflict but short of armed conflict. Just in normal relations and with non-state actors—just individuals or groups or transnational criminal organizations.

 

      And so a different group, although some of us were the same, a different group was gathered, and in this case, the experts and scholars were less law of armed conflict experts and more experts of international law more generally. And we got together at that point and produced what we call Tallinn 2.0, which really is our attempt to try and place cyber activities within in international law more generally. And we take on subjects like sovereignty and human rights and peaceful settlement of disputes and things like that that are not necessarily tied to armed conflict but instead are applied to international law more generally, and produced this second manual, what we call Tallinn 2.0, in 2017.

 

      One of the other differences between the first and the second Tallinn Manual is we recognize that we as scholars don’t make international law; that really is the province of states. And we tried to get states much more involved. Michael Schmitt, who was the director of this program, did a fantastic job of getting input from states, getting input from lots of different avenues and really tried to make this Tallinn 2.0 a robust exposition of what the law was as of the day we published it. Now, we weren't trying to say what the law should be, could be. It was really about what the law was as of the day we published it. And I think that we did a pretty good job. I'm not sure we got everything right. I think we did the best we could. And I think the great benefit of these manuals is they have encouraged states to then speak up and say well, "We agree or we disagree," and of course since states are really the ones that make law, that's the value in my mind of the Tallinn manuals.

 

Eric J. Kadel, Jr.:  Great. Thank you very much, Eric. Jeremy, anything you'd like to add to that?

 

Professor Jeremy A. Rabkin:  So just to encourage the callers, if they want to prompt Eric for inside gossip, a couple of times he said "we" but he wasn't explicit. He was one of the experts on both of those manuals. So he really does know a lot about this.

 

      I'd just mention two or three concerns, but I'll just start with we don’t know how the Trump administration feels about this, at least they haven't made any public pronouncements, right? That's right, isn't it, Eric?

 

Professor Eric Talbot Jensen:  That is right. At least not that I know of.

 

Professor Jeremy A. Rabkin:  Yeah. I mean, it's okay. You don’t have to comment on everything, but this thing seems to me to have a fair amount of momentum. I remember, well, I guess it was last year. Michael Schmitt came to Washington and there was a presentation. It was at the Atlantic Council and the Dutch Government was a co-host of this because they're like co-sponsors of international law. That's how they seem to regard themselves. And they were like, "Yes! We have the Tallinn Manual. That's really great." And they weren't treating it as a bunch of scholars just happened to write their opinions. There have been a number of really quite hefty volumes published by scholars, who just present themselves as scholars. This thing seems to have a little bit more status than that because it's sort of sponsored by NATO, not as NATO policy but as -- right, that center for excellence is a NATO center. It's something that NATO is interested in. I guess the status of NATO has now become controversial in Washington.

 

      But this thing is kind of rolling along, and I think actually the Trump administration might want to at some point say, "We don’t agree with this, this, and this." I'll just mention two qualms -- three, actually, quickly, that I have about it. And the first is starting with the original Tallinn Manual, it takes as the baseline Additional Protocol I to the Geneva Conventions. That's the law of armed conflict, and we'll see how it applies to cyber. And the United States is not a party to that, and the United States has made clear that it has differences -- I mean, there are things in that 1977 treaty which the United States doesn't think are correct statements of the law of armed conflict. So I think it's already a little bit troublesome that we're taking that as the baseline. A particular thing that's in AP I is you can't make reprisals in kind if something is a prohibited tactic otherwise. That was always the American position that we're going to enforce rules of armed conflict by the threat of retaliating in kind, and in cyber we very well might want to do that. So I think that would be worth clarifying.

 

      And one other thing that might seem specialized but I think is potentially very important: there's no provision, either in the first or second round of the Tallinn Manuals, about humanitarian intervention. Everything is couched as self-defense. One of the things that, I mean, it's really shameful that we didn't try to shut down Radio Rwanda to stop exhortations to mass killing. If there were again a situation like that where we could have a cyber intervention that would make it difficult to mobilize people who are going to go out and commit atrocities, I think that'd be a really good thing to do. It is a question whether international law permits that. That might be something which the United States want to be a leader on because we have the technical capacity probably more than any other country or as much as any other country to intervene in that situation. So we might want to say, "Yes, we're reserving the right to do that, and our view of international law is that it allows it."

 

Eric J. Kadel, Jr.:  Yeah. Great. Thank you, both, for the sort of helpful explanation and background on Tallinn Manual and how to sort of think about these issues in a context. I guess maybe one thing that would be helpful for our listeners today is to turn our focus to the present day and the real world approach. And Jeremy, I think your remarks have touched on this a little bit, but maybe we could be a little more direct and express on what is the policy of the United States regarding cyber operations? And what about cyber retaliation, and has there been a clear or evident shift in U.S. policy on cyber operations or cyber retaliation since the Trump administration has come into power and the Obama administration has left office?

 

Professor Jeremy A. Rabkin:  So you used the words 'clear' and 'evident,' and if those are the adjectives, then no, there hasn't been that kind of shift.

 

Professor Eric Talbot Jensen:  Exactly.

 

Professor Jeremy A. Rabkin:  But there has been a lot of moderating and mumbling and leeks and indications that there is a new policy, the gist of which -- I mean, there is not a document that's been released, but we are told that there's an executive order, which is authorizing cyber command to play a more active role in retaliation. We're not clear what they have in mind, what kind of things we'd be responding to, but they are at least elevating the threat. They're making it more prominent that we're thinking about this and we're serious about it.

 

      There're a whole lot of issues that probably we need to think about. I'm not sure myself whether it was sensible to be so secretive about this. I mean, we put everyone on notice that, yeah, we're really working on this, but then we don’t clarify what is it we think we are able to do. I hope they will be a little more forthcoming. They don’t have to share secrets with us, but they could be -- not just for the American people—although we might want to have some political debate about this—but for potential adversaries, to be more explicit about what things we regard as eligible tactics for possible retaliation and what things we might retaliate for.

 

Professor Eric Talbot Jensen:  Well, and I think Jeremy's response to the prior question is, in at least part, an answer to this question, where Jeremy's able to pull out some of the issues from the Tallinn Manual that just are not clear, that the Tallinn Manual's been cited on, that governments have been cited on that haven't really been spoken to. In the Tallinn Manual as you read it, you'll find that the experts very seldom had a unanimous approach to how to resolve these questions, and the Tallinn Manual notes that. And that is certainly true of governments, including the United States, both between the United States and its allies and between the United States even within government. I'm sure there's a great deal of discussion that goes on with respect to how do we respond to these cyber difficulties.

 

      Now, one of the international law options is, of course, countermeasures. As these bad cyber things happen, it is certainly the U.S. belief and position that they can respond with countermeasures. A countermeasure is an otherwise unlawful act done to another country that is in violation of international law with the intent to bring them back into compliance. And there're a number of requirements to do a proper countermeasure. But cyber capabilities and cyber tools seem to provide great opportunity to do countermeasure, and there has never been a statement by the United States that they will not do countermeasures. In fact, quite the opposite. The United States supports countermeasures and would certainly support the use of cyber countermeasures or at least there's no indication they wouldn't.

 

      But I think even given that, Jeremy's point is really valid about the fact that these governments are being silent. The recent speech by the Attorney General of the United Kingdom, Jeremy Wright, is an exception. It was wonderful to have him stand up and say, "Here are some things we think about cyber policy," and he called on other nations to be more explicit about their cyber policies and their cyber rules and to try and build a foundational base of what states are doing so that the public knows, states know, adversaries know, allies know, everybody knows so that we can start to build norms about cyber interaction in international law.

 

Professor Jeremy A. Rabkin:  Yeah, I'd just add one thing to that, which is—and I don't mean this as a criticism of the Tallinn effort—but if you're thinking about, gosh, what law applies? You can have a very long inventory of potential issues, potential standards. But I think it's much more urgent to say these are our red lines. There're a lot of things that we might think are improper. There're a lot of things we think, you know, hey, we're going to complain if you do it. There're probably a few things that we would regard as extremely threatening and we would be prepared to wait for a response that was ferocious, and I think it would be helpful to be clear about that. I'll just give one example.

 

      I've heard people who study these things say, "You know, surveillance we accept, but you're just gathering data. I mean, we try to stop you but we accept that. Even putting out false information, we don't like that but that happens. Even shutting down services on a temporary basis, okay, that happens. That's kind of vandalism. If you start corrupting data, like you penetrate into the banking system and you start changing the numbers, that may seem like it's not a big thing because it doesn't immediately draw any blood. But it could be devastating for the banking system." And so things like that we ought to be very explicit about, that we will regard that not as a prank but as a direct threat to our vital interest because of course no one can bank with confidence if they understand that the amount of money in their account is going to be changed by hackers in Iran or Russia or someplace. There're a few things like that which we should lay down as red lines.

 

Professor Eric Talbot Jensen:  Yeah, I couldn’t agree more. And there's been some of that with the government stating the certain infrastructure that are the ones that are most at risk that we're most concerned about. But there's certainly not been red lines put down, as Jeremy would say. And I agree that would be helpful.

 

Eric J. Kadel, Jr.:  Are there any examples, to either of you, are there any examples of states other than the United States being express about these topics? What kinds of things they would find as sort of beyond the line --

 

Professor Jeremy A. Rabkin:  As Eric mentioned, the U.K. and that's particularly important because they are a close partner with us.

 

Professor Eric Talbot Jensen:  Right. And there has been some, the government of the Netherlands has made a statement dealing with some of these issues, and there are some out there. But the problem is they're not comprehensive. They're not -- at least it doesn't look like they're coordinated. And so what would be nice is if the attempt at the United Nations -- this was a group called the Group Government Experts at the United Nations; they were dealing with telecommunications, and they worked for a number of years and tried to come up with some good norms with respect to cyber activities and really struggled to do so. And they got a little ways down the road, but clearly not as far as many of us hoped that they would. It would be nice to have something like that, some form like that, where states were talking about this and we were getting more clarity. That would be great. 

 

Eric J. Kadel, Jr.:  Great. Well, I think one other thing that would be interesting to talk about is let's focus specifically on the perspective of defenses. Our current U.S. policy, as to the extent that we understand them, are they sufficient to defend against and deter cyber intrusions on U.S. networks? I think this case would really have -- or this question -- really have two prongs to it, right? There is the cyber intrusions to U.S. government networks like the hack of the Office of Personnel Management and the sort of accessing of a large volume of personnel records. And then there's also examples of hacks on private businesses and the ability of private businesses to defend against potential intrusion.

 

Professor Jeremy A. Rabkin:  Well, I'll start off. So my understanding of this is the NSA is tasked with defending, not government networks, military networks. The government is kind of on its own. The Department of Homeland Security is supposed to look into how we can strengthen defenses for both civilian/government agencies and just private sector activities. I've never heard anyone say a good word about DHS efforts in that area. I suppose the one good thing you could say is that they don’t impose on anyone very much. I mean, they give advice.

 

      But just starting with the government, the government seems to have been just criminally negligent. It turned out there was a lot of very sensitive information in the Office of Personnel Management, you know, records because among the people whose files are there, are people who work for intelligence agencies. I myself had a file there, and after the hacking, people were opening bank accounts in my name. Maybe it's a coincidence, but I think a lot of that data was just distributed through the world. It doesn't seem to have been guarded at all. There're a whole series of GAO reports saying, "We need to do better tightening defenses. We need to do better. We need to do better." And, gee, you know, the government is not very conscientious about its activities, at least the civilian part of the government. Maybe they're improving a bit but I have not seen any sign that the Trump administration is being more vigorous about this than the Obama administration was.

 

      And not to belabor this but when you see how poorly the government does protecting its own data, then you have to ask yourself are they the right people to be advising the private sector on how to protect their data? And my impression is the private data -- sorry, the private sector, particularly big corporations with a lot of at stake, they consult private security firms, particularly for cybersecurity, and they get their advice privately and they pay for it. And presumably if they pay a lot, then they get better advice and more assistance. But I think the government so far has been pretty peripheral. We might hope that they could get their act together, but I don't think that's going to happen this year.

 

Professor Eric Talbot Jensen:  Yeah, and I agree with Jeremy. I think there're -- I'm certainly not a government apologist, but I think that we have to accept that cyber defense is a tough nut. It's just hard to do. You know, you think of yourself back in the medieval age where you had to build an entire fort with thick walls, and all the people who were attacking you had to do was find the one weakness. So you had to maintain the entire fortress with all the expense and work and problems that that took. And all the people who were attacking you had to do was find the one weak spot. And that is certainly the nature of cyber activities and cybersecurity. You could secure all of your data, you know, lock it up tight and have one vulnerability and someone will find that one vulnerability. So it's not an easy task. And, again, I'm not an apologist for the government, but I do think it's important to note that this is a difficult task. And it's a difficult task even for the most efficient of organizations, which is not how I would characterize the U.S. government. Redundant, yes; efficient, maybe not so much.  

 

      But then you also have to look at this from the international law perspective and the domestic law perspective, and we have to -- I think we need to think about is the current legal paradigm facilitating cybersecurity or is it not facilitating cybersecurity? And there're lots of avenues to analyze that and there're lots of opinions on that. But even if it's not formal, there is, I believe, informal help going on between the government and the private sector to try and notify each other of things that are happening, of malware that is out and about, of attacks that are happening to both the government and the private sectors. So I think there is some of that going on, and hopefully we'll get better at it over time. We'll learn lessons as we go. But we certainly do have a long way to go.

 

Professor Jeremy A. Rabkin:  I'd just mention one thing because it's often overlooked. I agree that there're a lot of very, very severe technical challenges in trying to monitor what's coming in over your network. I mean, it's a vast amount of crossing the boundaries of your networks, and it's hard to be alert to everything.

 

      But there's also just some basic precautions you might take about what you expose to -- you know, what you put online. And one of the things that was startling about the OPM hack was how much the government had put online, like you must have all the papers pertaining to someone's security clearance. Really? Why must you have that online? Why couldn’t that be in a folder somewhere? You don’t need it every day. Hardly anyone needs it. So there is a kind of hygiene about these kinds of things, and I think it's probably too late for the government to be preaching about that. But there are people giving advice about how to protect your data and manage it in ways that makes it a little less vulnerable to cyber intrusion and that actually can be helpful.

 

Professor Eric Talbot Jensen:  Right. No doubt about that. We talk about hardware vulnerabilities, software vulnerabilities, and wetware—in other words, human—wetware vulnerabilities.

 

Professor Jeremy A. Rabkin:  Yes, yes, yes.

 

Professor Eric Talbot Jensen:  And clearly the humans are the biggest vulnerability of all of that because we don’t do our cyber hygiene. We don’t do the simple things that we need to do. I mean, I would bet that there are plenty of listeners out there who have not updated their antivirus software. It's just that kind of stuff is so simple, but we often just overlook it or forget it or don’t do it.

 

Professor Jeremy A. Rabkin:  And you should be careful about what contractors you hire to help you.

 

Eric J. Kadel, Jr.:  Yeah, it's a good point. I was actually going to follow up, if it's all right, just briefly with the question on is there -- or to what degree do you see a partnership between the government and the private sector on these kinds of issues, on defense issues? Both the government potentially helping the private sector but vice versa, the private sector potentially helping the government improve defensive postures.

 

Professor Eric Talbot Jensen:  Well, I'll start with this one. I think that the government, at least the current approach to the government, is, "we don’t want to regulate," and certainly the private sector approach is "we don’t want to be regulated." So whatever cooperation would make us more protected may have to take a less formal role. It may not be government intrusion and telling banks and energy systems what to do. It may be instead providing assistance or providing advice and the private sector doing the same to the government. I know one problem the government has is retaining qualified people with these skills because they can make so much more in the private sector. There are things we can do to help share information and share people and share skills in an informal way that may be able to move us forward as well.

 

Professor Jeremy A. Rabkin:  Yes. There's tremendous amount of talent, of course, that's in the private sector because that's where the money is. I mean, you need to vet these people, you need to be careful, but of course the government needs access to that private expertise.

 

Eric J. Kadel, Jr.:  Great. Well, look, in the time we have before we open the floor to questions, I thought maybe it would make sense to talk about some real-world examples. And in that respect, as we've been clear about, cyber intrusions can be attempted and executed against the government and against private parties. But at the same time, they can be attempted and executed against persons by state actors or by non-state actors or in some cases by non-state actors that are acting with the blessing and/or support of the state. I've got a few questions that I thought would be useful to talk about: how does international law account for malicious cyber activity that's coming from non-state actors? And should we think about the Russian, quote, "interference" in the U.S. elections as a challenge for cyber policies? I think that's a particularly timely question for the current day.

 

Professor Eric Talbot Jensen:  Well, I'll start with the non-state actor question, and I'll let Jeremy respond to the interference question because he's got some great thoughts on that. So the non-state actor question is really quite difficult because, you know, I mentioned earlier countermeasures as an opportunity to respond to malicious activity, but one of those requirements of countermeasures is you can only take a countermeasure against a state. And so if there's some Russians or Chinese or Americans, whoever they are, who are acting on their own behalf as private citizens and they are engaging in malicious cyber activity against either government or individuals in another state, that victim's state cannot take a countermeasure against those individuals. Countermeasures can only be used against states. And so the current international legal paradigm leaves some gaps there in terms of appropriate responses.

 

      Now, there're other things you can do. You know, even just this morning, the New York Times is reporting that we've indicted a North Korean in connection with the Sony hack. Of course, if he was representing North Korea, which he seems to have in this case, we could've taken countermeasures against North Korea. But we've indicted other folks in conjunction with some of these things, and really an indictment, it certainly doesn’t do much. It means, I guess, that that poor North Korean fellow won't be able to travel much, but I'm not sure he probably traveled much anyway. So it seems like a kind of inadequate response to what's going on with non-state actors these days. And I think that is, if we're going to see any movement in terms of security and adjustment of international law—and by the way, the U.K. Attorney General Wright kind of hinted at this—countermeasures are going to be one of those areas where we may want to become more robust in our responses.

 

Professor Jeremy A. Rabkin:  I want to just add a word to that, which I think is actually mentioned in the Tallinn Manual, which is the state that is hosting private actors, if they are doing their mischief on the territory or through the networks of a state, they are answerable for that. We should demand that Russia assist us in finding the private actors, if they claim they are private, who are launching bot attacks or whatever it might be. And if they say, "Oh, no sorry. We can't allow you to probe this, and we can't help you with this," well, that is already something that we should regard as a kind of international delict. They have a responsibility for what goes on in their territory. They have a responsibility to make sure that their territory is not used to launch attacks on other countries.

 

Professor Eric Talbot Jensen:  Yeah, I agree there's this due diligence obligation. I just think that not many states -- states up until now, nation states, have been hesitant to accept that --

 

Professor Jeremy A. Rabkin:  Yeah, yeah, yeah, so we should press that I think.

 

Professor Eric Talbot Jensen:  I agree. I agree.

 

Professor Jeremy A. Rabkin:  Yeah, yeah. Okay. So I wanted to say a word about the Russia thing. I think this is really unfortunate it got tangled up in our domestic politics. And the domestic debate is was Trump colluding with Russia, or did Russia influence the outcome of the 2016 election? And it's very confusing what people even think they're talking about. But the one thing which seems to be agreed that this did happen is some entities in Russia fed information into American networks. I'm not even sure it's illegal. I don't think the United States really wants to be sanctimonious about that. I mean, we support the flow of information into other countries, including Russia. And I'm not talking about anything nefarious. We would like to amplify certain viewpoints in other countries. We certainly don’t promise that we will never assist people in articulating viewpoints.

 

      A lot of the things that Russia seems to have been involved in was agitating issues that they saw from analyzing American websites, but this got a lot of traction, and people were all excited about this, so they said various things about, you know, "Hilary Clinton was going to take away people's guns," or some other hot-button issue. I don't see that as cyber warfare, and I think if it is illegal, it's probably in the misdemeanor category and people shouldn't confuse those kinds of concerns with, like, actually damaging equipment. If they had damaged voting machines, that would be a very, very serious concern. I don't think we've seen any indication of that. I don't think that's even been -- I don't think the Justice Department has even said they found any effort to try and do that. It really --

 

Eric J. Kadel, Jr.:  When you say damage, Jeremy, what do you mean by that? Do you mean by changing votes within the system or making the machines so they don’t work?

 

Professor Jeremy A. Rabkin:  Yeah, either of those would be great cause for concern.

 

Professor Eric Talbot Jensen:  Yeah, I agree completely with Jeremy. I think that the vast majority of what we're talking about with the Russians was not a violation of international law. I think at the point, where there's some indication that Russians—whatever that means—may have been messing with actual voting machines in 30-ish states across the United States, if that's true that they were doing that with the intent to influence or change -- not influence, but change the election, change people's votes, then I think that is illegal under international law. We would call that a prohibited intervention. So that's more than interference. That's actually intervention, which is prohibited under international law, if it applies to something that goes to the very heart of what states do, like elections, like choosing their governments.

 

      And so I think that, if you're planning to change the outcome of the election, that's different than if you're just trying to convince people to vote a certain way or you're trying to reveal things that might make a certain candidate look bad. You know, I'm certain that countries do that to each other all the time because countries have an interest in governments, and I don't -- in my mind at least, I don't know any basis for that to be illegal until you're actually in voting machines changing votes.

 

Professor Jeremy A. Rabkin:  It is, of course, what we do to each other.

 

Professor Eric Talbot Jensen:  Indeed.

 

Professor Jeremy A. Rabkin:  That's what a campaign is.

 

Professor Eric Talbot Jensen:  Unfortunately.

 

Professor Jeremy A. Rabkin:  But, I mean, I'd just add one small thing that matters. If really we could pin this down that some foreign government has interfered with the tabulation of votes on voting machines, even if it didn't change that many votes, it didn’t really affect the outcome, that would really undermine people's confidence that the announced vote totals are the real vote totals. So that could have a really, really corrosive effect on our system. So I think that ought to go to the top of the charts on things that we're concerned about, and we should articulate very explicitly that if you do that, you're going to be extremely sorry.

 

Professor Eric Talbot Jensen:  Right. And I think we need to be clear, Jeremy, that we're not saying that anything that Investigator Mueller is doing is wrong because he's doing this all under a domestic law paradigm, right? I mean, he's indicting people for --

 

Professor Jeremy A. Rabkin:  Oh, yeah. Nah, he's on his own. He's not the concern of the International Law & National Security Practice Group.

 

Professor Eric Talbot Jensen:  Right.

 

Eric J. Kadel, Jr.:  Great --

 

Professor Jeremy A. Rabkin:  However, I will indulge myself in saying I think he should finish already. [Laughter from speakers]. Just as a citizen.

 

Eric J. Kadel, Jr.:  All right. Great. Well, Wes, I think with that, we're ready to open the floor to questions from our audience. While we're waiting for some questions to queue up for the speakers, maybe I can ask one additional question to get it started. And that is with all we've talked about and where we are today, where do you see things like Tallinn and other governmental and private sector responses going in the short term? And do you think that there is some initiative and impetus behind a more coordinated response between private sector, public sector? Do you think there will be efforts among various nations to get together and really work through standards in this area? What might we expect over the next three, four years?

 

Professor Eric Talbot Jensen:  All right. Well, I'll be happy to jump in on that, and what I would say initially is I hope that all of these things that you suggested happen. I hope states get together. I hope that states start working together better with private enterprise and private companies. I hope all of that happens. Am I optimistic that it will? I actually am a bit optimistic because I think the risks of not acting together are getting too great. One of the things that is just different about cyber that is different about other things is that cyber capabilities in the hands of an individual almost give that individual state-like level of violence. Not many people own tanks and cruise missiles and things like that. But with cyber capabilities, an individual can wreak severe havoc on the state. And so I think that that is different about cyber and I hope that will push us—governments, people, corporations—to work together better.

 

      And two areas that I think need the most attention, particularly with respect to interstate conversation is this issue that Jeremy raised of due diligence. Can we not say to a country, whether that's Russia or China or America or whoever else is doing malicious things, can we not say to that country, "You have an obligation to control your citizens. And if you don’t control your citizens, than you are responsible for what they do." We believe this is a part of international environmental law. There're a number of other areas of international law that have embraced this, but nation states have not yet embraced this with respect to cyber activities. And I think that would be a move in the right direction, potentially.

 

      The second thing is sovereignty. I think that we wrestle amongst ourselves as governments, as nation states, on how we're going to treat sovereignty in the cyber area. There's a good discussion of that in the blogosphere that's going on. I think that that -- we could come to more clarity on that issue. Jeremy, sorry I took so long to answer.

 

Professor Jeremy A. Rabkin:  No, no, no. I was going to say -- I mean, you started off by saying you are somewhat optimistic, and I was thinking, "It's great to live in Utah."

 

Professor Eric Talbot Jensen:  [Laughter].

 

Professor Jeremy A. Rabkin:  The sun is always shining --

 

Professor Eric Talbot Jensen:  We're all optimists out here.

 

Professor Jeremy A. Rabkin:  -- everyone is optimistic. [Laughter]. If you live in Washington, you lose that optimism. I mean, I'm sure there will be serious discussion. If the question was are we going to have either the United States government or, even more ambitiously, a bunch of governments publicly say, "And from now on, we're committing to this," I think that's probably not going to happen until there's a crisis, until some "catastrophic" event. I'm putting catastrophic in quotation marks. I mean, it doesn’t have to be mass death. But until something really bad happens and galvanizes the process, I think the default is always, "Oh well. We need to think more about it. We need to have more discussion." This doesn’t seem to be high on the agenda of governments right now.

 

Eric J. Kadel, Jr.:  Thank you. Wes, do we have any questions from the floor?

 

Wesley Hodges:  We do have one in the queue.

 

Caller 1:  Yes, well, I'd like to say that Trump colluded with the voters to get himself elected [Laughter from speakers] to do things that in the past have made the economy better, like reduce the high marginal tax rates like Coolidge did, which brought us the Roaring Twenties. But a huge example of vote fraud came back in, I think it was back in the early '80s, maybe before that, Dade County. There's a book, I think it was memorialized on a website named VoteScam.com, and in Dade County, these two guys had run I think as Republicans. One guy was running for congressman, and he noticed that the vote totals started coming in and then suddenly—he was approaching 20%—then suddenly a total was announced 15 minutes after the polls closed, and he couldn't figure how out that was done. So the next year they went to the polls with a camera and said the boss sent this. They had no idea who the boss was but the guards did, and they let them in to watch the polling. And the cards that they were supposed to be counting were all on white punch cards that the voters had voted on. But the ones they were counting were all a different color—blue, I think they were. And so this sort of cyber hacking has been going on for a long time --

 

Professor Jeremy A. Rabkin:  No, no, no, wait, wait. Corruption is very old and ballot stuffing is very old. The story that you're telling is not about cyber hacking, right? --

 

Caller 1:  Well, it was done with computers.

 

Professor Jeremy A. Rabkin:  -- It was replacing one set of cards with another. This is someone onsite, right?

 

Caller 1: That's true. It wasn't actually --

 

Professor Jeremy A. Rabkin:  That's actually important, right? Because I think we're not so worried that North Korean agents or Russian agents will infiltrate voting booths.

 

Caller 1:  But our voting machines can be easily hacked by the Brazilians who supplied them.

 

Professor Jeremy A. Rabkin:  Yes, yes. Electronic machines may be more vulnerable to this. People --

 

Caller 1:  And there've been --

 

Professor Jeremy A. Rabkin:  -- can do this, right?

 

Caller 1:  I think there would've been counties where they've gotten, like, many times the number of votes that are actually registered voters on these machines.

 

Professor Eric Talbot Jensen:  Well, I think this is a great point. And it goes back to our discussion about intervention in the elections. NBC News reports that the only time President Obama used the red phone, you know, that direct phone between him and President Putin, was when he called President Putin to discuss the fact that the DOJ had said that there were Russians—again, whatever that means—in these state-voting machines, or at least trying to get into the state-voting machines. So all of the other cyber stuff surrounding the election's never caused that kind of a stir, but when it was reported to President Obama that they were actually in the voting machines, that's when he called up Putin and said, "Knock it off."

 

      So I think that the point that you're making, caller, which is a good one, is that that's the point where, at least at that point, you cross the line where you're violating international law.

 

Caller 1:  And in New York we sort of prevented that, at least in a really large scale, although if they don’t do the revote, the recount, it doesn't do you any good. All the votes that are done in New York are done on paper ballots which are scanned in. --

 

Professor Jeremy A. Rabkin:  Yep.

 

Caller 1:  -- And so the count is a scan, and it's not a bunch of electrons that are just floating around waiting to be manipulated by somebody with a thumb drive.

 

Professor Jeremy A. Rabkin:  Yes. I really hope that -- I mean, I think -- I have not heard that the federal government is really being serious about this, but I hope at least different states pay attention to this.

 

Caller 1:  Of course, that doesn’t prevent hundreds of dead voters from voting in Nassau County. --

 

Professor Jeremy A. Rabkin:  No, no, no. there's a lot of things -- we have a lot of problems in our system. But I think it's hard for foreign intelligence agencies to round up and deliver those non-citizen voters, right?

 

Caller 1:  Right. Yes.

 

Professor Jeremy A. Rabkin:  That's our problem, not their problem.

 

Professor Eric Talbot Jensen:  Good point.

 

Caller 1:  Yeah, it is.

 

Eric J. Kadel, Jr.:  All right. Thank you very much for that question.

 

Professor Jeremy A. Rabkin:  I'll just say a couple years ago, people were talking about this as if we could figure out how to perfect defenses and then we'd all be safe. And that was really silly. It was basically imaging that there's some kind of, you know, magic screen that you can put over American cyber networks and then they'll be protected. People should think about this like terrorism. There's not going to be an end of terrorism. You can reduce it, you can control it, you can retaliate, you can do various things, but there's not going to be a moment when they say, "Our war on terror has now concluded with a victory." And I think this is true with cyber vulnerabilities. It's just part of the modern world.

 

Professor Eric Talbot Jensen:  Right. And we only engage ourselves more deeply into cyber capabilities and create greater cyber reliance. And so, again, it's just going to continue to be an issue, one that we're going to have to get used to dealing with.

 

Professor Jeremy A. Rabkin:  Yes. Oh, I'm glad to hear you say that.

 

Professor Eric Talbot Jensen:  Yeah. But I'm still optimistic out here in Utah.

 

Professor Jeremy A. Rabkin:  I was just going to say -- yeah -- [Laughter].0

 

Professor Eric Talbot Jensen:  [Laughter].

 

Professor Jeremy A. Rabkin:  A little dark cloud floated over your horizon out there.

 

Professor Eric Talbot Jensen:  [Laughter].

 

Eric J. Kadel, Jr.:  All right. Very good. Well, we'll say thank you to everybody for tuning in. Thank you very much to our speakers for such an excellent presentation. And we hope you will join us on the next Federalist Society teleforum.

 

Wesley Hodges:  Thank you, all. Well, on behalf of The Federalist Society, I'd like to thank our experts for the benefit of their valuable time and expertise today. We welcome all listener feedback by email at [email protected]. Thank you all for joining us. This call is now adjourned.

 

Operator:  Thank you for listening. We hope you enjoyed this practice group podcast. For materials related to this podcast and other Federalist Society multimedia, please visit The Federalist Society's website at fedsoc.org/multimedia.