France’s Declaration on International Law in Cyberspace: The Law of Peacetime Cyber Operations, Part I

[Przemysław Roguski is a Lecturer in Law at the Jagiellonian University in Kraków (Poland) and an expert on cybersecurity and international law at the Kościuszko Institute and a Visiting Fellow at The Hague Program for Cyber Norms at Leiden University’s Institute of Security and Global Affairs.] 

On 9 September 2019 the French ministry of defense published a document setting out its views on how international law applies in cyberspace. Its publication coincided with the start of the first substantive session of the Open-Ended Working Group on developments in the field of information and telecommunications in the context of international security (OEWG) and makes a powerful statement of France’s intent to shape the future discussions on the applicability of international law in cyberspace. This two-part post describes France’s position on the law of peacetime cyber operations and offers some initial comments. It will be followed up by a post on France’s view on international humanitarian law, which will appear at Just Security.

The Evolution of France’s Position on International Law in Cyberspace

The 20-page document on “International Law Applicable to Operations in Cyberpace” (Droit international appliqué aux operations dans le cyberespace) marks the (provisional) high point in the evolution of the French position on the applicability of international law in cyberspace. As a permanent member of the Security Council, France has taken part in the work of all Groups of Governmental Experts (GGE) on developments in the field of information and telecommunications and has helped to shape the consensus view, first expressed in the GGE Report of 2013, that international law applies to State activities in cyberspace. Since 2013, France has expressed and expanded upon this view in several key strategic documents such as the 2013 “White Book on Defense and National Security” (Livre blanc sur la défense et la sécurité nationale), the 2017 “International Cyber Strategy” (Stratégie internationale de la France pour le numérique) and the 2018 “Strategic Review of Cyberdefense” (Revue stratégique de cyberdéfense) as well as two major speeches by Jean-Yves Le Drian, the then minister of defense (and later of foreign affairs), of 12 December 2016 in Bruz and 15 December 2017 in Aix-en-Provence. The new document therefore does not offer a radically new view, but rather a synthesis of the French position on international law in cyberspace. While intended as a stand-alone document, it has to be understood in the context of France’s overall cyber strategy and the corresponding political and military doctrines.

The declaration starts out by reaffirming the GGE consensus that in their use of information and communication technologies (ICTs) States have to respect their international law obligations, especially those deriving from the United Nations Charter. Cyber operations are not per se illegal under international law, but may be regarded as such if they produce effects which violate international law obligations. Should France fall victim to a cyberattack which constitutes such a violation, it may respond diplomatically, by way of countermeasures or employ its armed forces to repel an armed attack.

To assess the legal qualification (both under national and international law) of a hostile cyber operation and the type of response permitted under international law, France uses a national cyber incident classification system (Schéma national de classement des attaques informatiques), first proposed in the “Strategic Review of Cyberdefense” and based on a technical and effects-based assessment of the cyber security incident caused by the cyber operation. Any cyberattack – defined as a “voluntary, offensive or malicious action conducted through cyberspace and intended to cause damage to the availability, integrity or confidentiality of data or the systems that carry the data and thus potentially harming the activities they support” – triggers a cyber security incident. Its classification – in steps from 0 to 5, where 0 signifies an event of negligible impact and 5 a situation of extreme urgency – depends on the gravity of the incident, assessed on the basis of the actual or intended impact on:

• the fundamental interests of the nation (sovereignty, democracy, territorial integrity),
• internal and civilian security,
• the availability of fundamental services to the population (water supplies, electricity, healthcare) and
• the economy.

In consequence, the legal qualification of a cyberattack, i.e. the determination of the norm of international law affected by it, depends on the gravity of the incident with regard to its effects or degree of intrusion. Accordingly, France states that cyber operations may violate the principles of sovereignty, non-intervention or the prohibition of the threat or use of force.

Sovereignty and non-intervention

France reaffirms that “State sovereignty and international norms and principles that flow from sovereignty apply to the conduct by States of ICT-related activities”. Therefore, it exercises sovereignty over information systems located within its territory. From this France concludes that any cyberattack, i.e. any operation which breaches the confidentiality, integrity or availability of the targeted system, constitutes at minimum a violation of French sovereignty, if attributable to another State. It is particularly noteworthy that, according to the French view, a violation of sovereignty occurs not only when effects are produced on French territory, but already when there is a penetration of French computer systems.

The French view of sovereignty as a baseline norm of international law in cyberspace is important for two reasons. First, it stands in direct opposition to the views held by the United Kingdom (here) and at least parts of the U.S. cyber community (see for example Col. Gary Corn here and here) that sovereignty is just a principle of international law and therefore “there is no such rule [of territorial sovereignty] as a matter of current international law” (as stated by UK Attorney General Jeremy Wright). In this, it joins the Tallinn Manual 2.0 and other scholarly voices (for instance Michael Schmitt here and Sean Watts here) which have long argued that the applicability of sovereignty as a rule of international law follows from the jurisprudence of the International Court of Justice (ICJ) in cases such as Corfu Channel and Nicaragua. Secondly, however, France goes even further than the proponents of the sovereignty-as-a-rule-approach. The Tallinn Manual 2.0, for instance, argues that a violation of State sovereignty occurs when remote cyber operations manifest themselves on a State’s territory either through physical damage, loss of functionality (but only in some cases) or the interference with or usurpation of inherently governmental functions. The Manual’s experts could not agree on whether a cyber operation which affects only data, but does not lead to physical effects or loss of functionality, also violates the target State’s sovereignty. However, this appears to be exactly the position France takes.

The French position on sovereignty in cyberspace is not without its merits. Focusing on the penetration of a computer system, rather than on the effects this penetration produces, it is in line with the technical framework used to assess cyber security breaches by most CERTs and which forms the basis for the legal assessment under the Convention on Cybercrime and national criminal law. And while the breach of national criminal law does not automatically violate international law – even if undertaken by a State agent in performance of his official functions – unless there is a breach of a corresponding norm of international law, one might argue that the penetration of a computer system located on territory of another State constitutes the exercise of State power within that territory, which is prohibited under international law, as stated by the Permanent Court of International Justice in its Lotus decision. This view, however, creates problems with regard to the (il-)legality of cyber espionage. Given that many, if not most, acts of cyber espionage violate the confidentiality – and by planting surveillance programs also the integrity – of the targeted computer system, it would appear that under the French view such acts would violate the sovereignty of the targeted State. Rather disappointingly, the French declaration does not address this issue at all. On the topic of cyber espionage the document remains largely silent. It only states that espionage is not illegal per se (but might be, if it is “associated with an internationally wrongful act”) and follows up by stating that the legality of cyber espionage falls outside of the scope of analysis in the present document.

With regard to the prohibition of intervention into the internal affairs of another State, the French declaration is very brief. It only states that an interference by cyber means with the internal or external affairs of France, that is with its political system, economy or in social or cultural matters, may constitute a violation of the principle of non-intervention.

Due diligence

In agreement with the 2015 GGE consensus report (§13 c), France states that sovereignty over computer systems (including equipment and infrastructure) situated on its territory creates a customary duty of due diligence, which obliges the State not to knowingly allow its territory to be used for internationally wrongful acts using ICT. Accordingly, States should not use proxies to commit internationally wrongful acts using ICT and should ensure that their territory is not used for such purposes, in particular by non-State actors. A violation of the due diligence obligation may justify political or diplomatic action, including the seizing of the UN Security Council of the matter, or the imposition of countermeasures. However, France stresses that even if a State failed to take all reasonable measures to stop its territory being used to commit internationally wrongful acts against third States by non-State actors, or if it were incapable to prevent them, this would not constitute an exception from the prohibition of the use of force. Accordingly, in France’s view, only political and diplomatic action as well as non-forcible countermeasures are allowed against States which are unwilling or unable to stop non-State actors from using its territory for internationally wrongful acts.

Even this brief analysis of parts of the French declaration shows, that France has produced an elaborate, thoughtful and thought-provoking document, which affirms the GGE consensus, but is not afraid to deviate from the U.S. and U.K. views or the Tallinn Manual 2.0 on matters not dealt with in the GGE reports, such as the applicability of the unable-or-unwilling-test. The rejection of this theory has further repercussions for the French view on the right to self-defense, which will be covered in Part II of this post, along with questions of attribution and State responsibility.