Writing in Lawfare in April 2018, I considered the role of foreign sovereign immunity in the Democratic National Committee’s lawsuit against the Russian Federation and Russian individuals and entities. The case raised an interesting set of issues, I noted, but “these questions will only arise if Russia and the state-related defendants are properly served and if they decide to litigate rather than default.” The courts may get to think through some of these questions after all. It appears that Russia has been served, and on Nov. 9 it responded with a letter and a “Statement of Immunity” (SOI).
The SOI does not merely invoke immunity—it also provides an analysis of various provisions of the Foreign Sovereign Immunities Act (FSIA), describes the purported benefits to the United States of according immunity to Russia in this case, and argues that the case should be dismissed as a political question.
The Democratic National Committee (DNC) alleges that the Russian government hacked into the DNC, exfiltrated information and conspired with the Trump campaign and others to publicize the information during the 2016 presidential campaign. The case has changed a bit since my initial analysis. The amended complaint no longer names “Guccifer 2.0” and the “John Does” (unnamed Russian intelligence operatives) as defendants, so the issues of individual immunity addressed in my earlier post are unlikely to arise.
The SOI invokes immunity for the Russian Federation, which is still named as a defendant in the amended complaint. The arguments it advances likely apply to the General Staff of the Armed Forces of the Russian Federation (commonly called the GRU)—also a named defendant—as well, although the SOI does not explicitly take that position. The amended complaint (¶ 34) alleges that the GRU is an “agency or instrumentality” of Russia under the FSIA. It is unclear whether that allegation is correct: The GRU might be classified as the Russian government itself rather than an agency or instrumentality. In many contexts, however, the distinction does not matter. Foreign states and their agencies and instrumentalities are both entitled to immunity unless an exception applies.
The Russian “Attack” on the DNC
The SOI makes much of the complaint’s allegations that the hacking and dissemination of information constituted an “attack” at the direction of the Russian military. A “military attack” (a term that the amended complaint does not actually use), the SOI argues, is classic sovereign conduct for which a foreign government is immune. Taken at its broadest, this argument is unconvincing. Foreign sovereigns are, indeed, generally entitled to immunity from the jurisdiction of foreign domestic courts for traditional military operations, as discussed below. But the mere involvement of military officials in cyber-operations should not automatically render the foreign state immune from suit under the FSIA.
Consider a slightly different context: The United States has recently indicted foreign state-owned enterprises (SOEs) for stealing trade secrets to benefit foreign businesses. Military involvement of the foreign government in such cases should not automatically entitle an SOE to immunity for activity that targets business and commercial interests, even if that activity might be characterized as an “attack” attributable to the military. Indeed, Chinese military officials have been indicted in the U.S. for violating the Computer Fraud and Abuse Act—the same statute on which the DNC complaint is based in part. And, of course, the conduct alleged in the DNC suit formed the basis for the indictment of twelve Russian officials under that same statute. The GRU has not been indicted.
Although the FSIA probably does not apply in criminal cases (and it certainly does not apply in any cases against individual officials), the customary international law of immunity does apply to criminal prosecutions. The indictments themselves are instances of state practice that tend to show that under customary international law, the United States does not believe that the defendants in those cases are entitled to immunity just because of the military involvement. In civil cases that are governed by the FSIA, the same basic point applies: Military involvement in foreign hacking, theft of trade secrets and similar conduct should not, standing alone, render an SOE or the foreign state itself immune. To be clear, we do not know whether the U.S. government thinks immunity is appropriate in the DNC v. Russia case.
The relationship between military action and the international law of sovereign immunity also suggests that Russia is not immune from suit just because the hacking was allegedly conducted by military officials. International law, like U.S. law, includes an exception to foreign sovereign immunity for tortious conduct in the forum state, but the exception arguably does not cover certain military activities. See Germany v. Italy: Greece Intervening, (¶¶65-78); Restatement (Fourth) § 457, rn 9 (describing, for example, the understanding that the U.N. Convention on the Jurisdictional Immunities of States and Their Property (U.N. Convention) does not apply to activities of armed forces). International law might thus suggest that Russia is entitled to immunity for hacking conducted by its military, even if the conduct would otherwise fall within the tort exception.
The SOI oddly says nothing about international practice or law at all, but Russia might have argued that it is entitled to immunity under customary international law, and that the FSIA should be read in the same way. The military conduct to which immunity extends is generally described in these sources as actions by “armed forces” when on the territory of the other state or in the conduct of “armed conflict,” to use the language of the International Courts of Justice in Germany v. Italy. The cyberattack by Russia was not conducted by military personnel stationed in the United States, nor was it conducted in the course of armed conflict, and the hack of the DNC should not be characterized as a use of force under Article 2.4 of the U.N. Charter. The language in foreign and international practice suggests that Russia’s actions against the DNC should not be exempted from the tort exception just because of their connection to the Russian military. This discussion has assumed that the tort exception available under international law would apply to the DNC suit in the first place—which it may not, because the person or entity committing the tort was not in the United States. (See, for example, Article 12 of U.N. Convention, which provides an exception to immunity for forum torts “if the author of the act or omission was present in that territory at the time of the act or omission.”)
The SOI further discusses the two specific exceptions to immunity cited in the DNC’s Complaint: commercial activity (28 U.S.C. § 1605(a)(2)) and tortious conduct that causes injury or damage in the United States (28 U.S.C. § 1605(a)(5)). According to the SOI, neither exception to the FSIA applies.
The Commercial Activity Exception
The complaint alleges that Russia and the Trump campaign worked together to interfere with the U.S. elections in ways that advanced Russian governmental interests. That does not sound like “commercial activity.” Note, however, that a section of the statute not cited in the SOI (28 U.S.C. § 1603(d)) defines “commercial activity” based on the nature of conduct, not its purpose. Conduct that only sovereigns can engage in is not commercial. Examples include setting exchange rates as a regulator of the marketplace, employing diplomats, operating a police department, or administering a public benefits system. But the conduct alleged by the DNC is not unique to sovereigns. For example, intentionally accessing a protected computer and obtaining valuable information, as alleged in Count One of the complaint, as a violation of the Computer Fraud and Abuse Act is “garden-variety” (to use Justice Scalia’s phrase from Argentina v. Weltover) hacking of the sort frequently used in the context of financial or commercial gain.
The SOI notes that murder and kidnapping are not commercial activities, arguing that an action is not necessarily commercial just because a private party is “capable” of committing it. But the SOI fails to mention cases holding that “nefarious” and “illegal” conduct can be commercial. Part of the harm to the DNC, after all, was the release of the confidential business information obtained through hacking. Discrediting a competitor is a classic business tactic, and the day-to-day operation of a campaign is much like a business in many respects.
Nevertheless, it is unlikely that a court would find the commercial activity exception applicable. Attempting to swing an election, even by engaging in conduct available to private parties and even putting aside the sovereign purpose motivating the attempt, is not a business or financial activity that falls within the term “commercial activity.” Russia is likely to prevail on this argument.
The Tort Exception to Immunity
A stronger basis for denying immunity to Russia is the exception to immunity for cases involving “personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state.” Not surprisingly, the SOI argues that the “entire tort” did not take place in the United States, a requirement imposed by many lower courts. That issue has been analyzed extensively, so I will not dwell on it here. Current case law favors immunity in cases in which some part of the act in question took place outside the United States, but the law is still developing.
The SOI also argues that the disclosure of information does not constitute damage or loss in the United States. Whether or not that is correct, the amended complaint alleges (in ¶¶ 29, 30) that stealing proprietary computer code caused damage to the DNC and that the DNC incurred expenses to “repair and remediate electronic equipment.” Finally, the SOI argues that the “discretionary function exception”—which preserves immunity when the tort exception would otherwise apply in cases in which a policy judgment on the sovereign’s part is involved—applies here and preserves immunity for Russia. Unlike the “entire tort” doctrine, the discretionary function exception is written into the FSIA itself. As The Restatement (Fourth) of Foreign Relations Law describes (§457, rn 4), however, some violations of statutory obligations, including federal criminal law, are not classified as discretionary functions. And, as noted above, Russia may be immune from suit under customary international law because the author of the act or omission was not in the United States. If so, international law provides a reason to read the FSIA’s tort exception narrowly.
The most powerful part of the SOI is not the legal analysis but instead the policy argument that alleged election interference by Russia is best resolved through state to state negotiations and measures, not by private litigation. Russia reminds the reader that the U.S. government and its officials engage in cyber operations of many kinds, and that subjecting Russia to private suit in the U.S. helps clear the way for private damages suits against the United States in other countries.
Perhaps the general trend is moving in that direction. The U.S. Congress has repeatedly expanded the ability of private litigants to recover for harm caused by foreign states in the context of terrorism (see, for example, this analysis of the Justice against Sponsors of Terrorism Act) and as described above, the executive branch is using criminal prosecutions against foreign officials and even against state-owned enterprises to counter some forms of computer-related espionage. The DNC case gives courts the opportunity to take a similar step in the civil cyber context by denying immunity to Russia. The best approach for the courts may be to move cautiously, however, keeping in mind that Congress can step in and lift immunity for government-sponsored cyber operations and that federal prosecutors are engaging in their own investigations of Russian hacking.