Defending Democracy: The Road to Cyber Global Governance in Safeguarding Elections Kiana Harkema International Affairs Program College of Arts and Sciences University of Colorado, Boulder Defended March 31, 2021 Honors Thesis Defense Committee Dr. B. Clara Park, Primary Advisor Department of Political Science Dr. Douglas Snyder, Honors Council Representative International Affairs Program Dr. Nolen Scaife, Thesis Committee Member Department of Computer Science Technology, Cybersecurity, and Policy Program DEFENDING DEMOCRACY Abstract Since Russian interference into the 2016 United States Presidential Election, the need for stronger safeguards against cyberattacks upon elections has never been more apparent. Cyberattacks transcend national borders and require international cooperation if effective deterrence measures are to be established - this means establishing acceptable and unacceptable behavior in cyberspace. While progress had been made in this endeavor, it is unclear whether nations are successful in translating the normative values they hold domestically to an international framework. My research investigates the cybersecurity practices the United States exercises, in safeguarding its election infrastructure, to understand what norms the United States internalizes and how influential those norms have been internationally. The United States has been a vocal actor in the norms formulation process, as well as one that has participated in a variety of ways thus making it an informative case study. By analyzing the extent to which the United States is successful in promoting its domestic normative values on the international stage, it may be possible to not only better understand the process of cyber norms development, but also understand where the future of cyber global governance is headed. ii DEFENDING DEMOCRACY Acknowledgements Thank you to the members of my committee for offering your expertise in support of my research. Thank you, Dr. Park, for helping guide my research topic from the very beginning and challenging me to think deeply about the intersection of technology and governance. Dr. Snyder, thank you for helping me articulate my ideas in a way that improved my abilities as a researcher immeasurably. All the while, your enthusiasm for my research was greatly appreciated. In spite of my unorthodox interests as a computer science student, thank you, Dr. Scaife, for being so accommodating and encouraging my interests in your class, research group, and beyond. And finally, thank you Mr. Russell for encouraging me to join your cybersecurity club when I was a freshman in high school and being a relentless advocate for me ever since. I owe my passion for cybersecurity to your continuous support - including that which you have offered in direct support of this research. iii DEFENDING DEMOCRACY TABLE OF CONTENTS INTRODUCTION ...................................................................................................................................... 1 CHAPTER 1: FRAMING THE RESEARCH PROBLEM ................................................ 6 SECTION 1.1: BACKGROUND ............................................................................................................... 6 Subsection 1.1.a) Threats to the Electoral Process .................................................................... 6 Subsection 1.1.b) State of International Law and Cyber Norms ............................................. 9 Subsection 1.1.c) The United States' Institutional Methods of Protecting Elections ............... 12 SECTION 1.2: THEORETICAL FRAMEWORK AND LITERATURE REVIEW ................................................. 15 Subsection 1.2.a) Domestic Engagement with International Law and Cyber Norms ........... 15 Subsection 1.2.b) Private-Public Partnerships in Safeguarding Elections ............................. 18 SECTION 1.3: METHODOLOGY .......................................................................................................... 20 Subsection 1.3.a) Keywords in Context (KWIC) Analysis ....................................................... 20 Subsection 1.3.b) Thematic Analysis ........................................................................................ 22 CHAPTER 2: ANALYSIS OF ELECTION CYBERSECURITY PRACTICES ................. 25 SECTION 2.1: THEME 1 - ELECTION INFRASTRUCTURE AS CRITICAL INFRASTRUCTURE ....................... 27 Theme 1a) Standardization of Election Cybersecurity Practices ........................................... 28 Theme 1b) Risk Management and the National Institute of Standards and Technology (NIST) Cybersecurity Framework ....................................................................................................... 33 SECTION 2.2: THEME 2 - SECURING ELECTRONIC VOTING MACHINES ............................................... 37 Theme 2a) Decentralized Accreditation .................................................................................. 39 Theme 2b) Software Independence .......................................................................................... 45 SECTION 2.3: THEME 3 -PRIVATE-PUBLIC PARTNERSHIPS IN MANAGING MISINFORMATION AND DISINFORMATION ............................................................................................................................ 50 Theme 3a) Multi-stakeholder Engagement and Information Sharing: An Elusive Solution 51 Theme 3b) The Role of Internet Freedom ................................................................................. 57 CHAPTER 3: ANALYSIS OF INTERNATIONAL ENGAGEMENT .............................. 61 SECTION 3.1: THE UNITED STATES AND THE UN GROUP OF GOVERNMENTAL EXPERTS ..................... 64 Subsection 3.1.a) Protecting Critical Infrastructure ............................................................... 64 Subsection 3.1.b) The Applicability of International Law and Voluntary Standardization ...................................................................................................... 68 SECTION 3.2: TENSIONS WITH RUSSIA - ELECTORAL INTERFERENCE AND THE UN OPEN-ENDED WORKING GROUP........................................................................................ .................................................... 72 Subsection 3.2.a) International Law of State Responsibility and Cyber Attacks as "Armed Attacks" ................................................................................................................... 73 Subsection 3.2.b) International Humanitarian Law and Internet Freedom ........................ 76 SECTION 3.3: THE PRIVATE SECTOR AND CIVIL SOCIETY IN NORM DEVELOPMENT - A FRACTURED MULTI- STAKEHOLDER FRAMEWORK ........................................................................................................... 79 Subsection 3.3.a) The Paris Call for Trust and Security in Cyberspace ................................. 80 Subsection 3.3.b) The Global Commission on Stability in Cyberspace .................................. 83 CONCLUSION ................................................................................................................................... 88 BIBLIOGRAPHY ................................................................................................................................ 92 APPENDIX ..................................................................................................................................... 100 iv DEFENDING DEMOCRACY Introduction In 2017, the Tallinn Manual 2.0 on International Law Applicable to Cyber Operations was published. It was a step forward in understanding how international law is applicable in an era of cyberwarfare and was lauded as being vital toward a more secure, predictable global society. By offering interpretations of how traditional international laws and norms such as sovereignty, jurisdiction, and the legal responsibility of states applied when conducting and responding to cyber operations, it appeared progress was made toward establishing deterrents to such malicious cyber activities. Of these malicious activities, digital interference and influence into a state's elections is one of particular importance and one whose progress is inexorably tied to the development of international norms in cyberspace, and not just those related to international law. The United States' methods of election protection were forever altered by Russian interference and influence in the 2016 Presidential Elections. Discovery of activities like Russian social media accounts spreading misinformation and disinformation and the breaching of voter registration databases shook voter confidence to the core. Unfortunately, the Unites States is only one of many countries who have suffered at the hands of such cyber operations. Questions formulated regarding the best way to deter states and other actors from participating in activities that degrade the fundamental core of democracy: free and fair elections. While publications like the Tallinn Manual seek to address these questions, the purpose of my research is to understand the road to global governance through the lens of a nations' cybersecurity practices and its corresponding normative values. The road to global cyber governance in safeguarding elections is paved by international organizations that are seeking to establish norms. Like the Tallinn Manual, 1 DEFENDING DEMOCRACY these norms are proposals for how international law should play a role in establishing conduct in cyberspace, as well as other guidelines for behavior. My