24 Sep France’s Declaration on International Law in Cyberspace: The Law of Peacetime Cyber Operations, Part II
[Przemysław Roguski is a Lecturer in Law at the Jagiellonian University in Kraków (Poland), an expert on cybersecurity and international law at the Kościuszko Institute and a Visiting Fellow at The Hague Program for Cyber Norms at Leiden University’s Institute of Security and Global Affairs.]
In the previous post I described France’s assertion that the legal qualification of a cyberattack, i.e. the determination of the norm of international law affected by it, depends on the gravity of the incident with regard to its effects or degree of intrusion. In consequence, a cyberattack may violate either the sovereignty of another State (which forms a baseline norm and is breached through the penetration of a computer system), the principle of non-intervention or, if it reaches a certain threshold of gravity with respect to a State’s territorial integrity or political independence, it may be classified as a violation of the obligation to refrain from the threat or use of force under Art. 2(4) UN Charter. In this part, I will further describe France’s views on the use of force in cyberspace, the right to self-defense and questions of attribution and State responsibility.
Use of Force and Self-defense
In France’s view, the classification of a cyber operation as a use of force does not depend on the cyber means used, but on the effects produced by the operation. Accordingly, France joins States like Australia, Germany, the United Kingdom or the United States in holding that whether a cyber operation constitutes a use of force depends on the similarity of the effects produced to those which result from the use of conventional weapons.
However, in France’s view physical effects are not necessary for a cyber operation to reach the threshold of force. Rather, the qualification of a cyber operation as a use of force should depend on several criteria including (but not limited to):
- the overall circumstances surrounding the operation,
- the origin of the operation and the nature of the attacker (i.e. the military character of the operation),
- the degree of intrusion,
- the effects intended or achieved by the operation and
- the nature of the target.
By way of example, the French document states that penetrating military systems in order to attack French defensive capabilities or financing and even training individuals to carry out cyberattacks against France could be classified as a use of force.
The document goes on to say that not every use of force constitutes an armed attack within the meaning of Art. 51 UN Charter. Only those operations which are comparable to an armed attack by conventional means would fall under Art. 51 UN Charter. This, in turn, depends on the gravity of the effects caused by the cyber operation, their reach and reversibility. In particular, the document suggests the following criteria to assess whether a cyber operation is comparable to a conventional armed attack:
- substantial loss of life,
- considerable physical or economic damage,
- impact on critical infrastructure, in particular when resulting in
  - paralysis of large parts of the country’s activities,
  - technological or ecological catastrophes or
  - a significant number of victims.
Furthermore, France supports the “accumulation of events” theory. The doctrine states that cyberattacks which, viewed separately, would not reach the threshold of an armed attack, may nevertheless be classified as such if their accumulated effects are either sufficiently grave or if they occur in a coordinated fashion with other actions which may be classified as an armed attack and emanate from the same entity or different entities acting in concert. To justify its position France points out that the “accumulation of events” theory has not been ruled out by the ICJ in the Oil Platforms case (para. 64).
In accordance with Art. 51 UN Charter, a State which has been a victim of an armed attack through cyberspace has the right to individual or collective self-defense. Legitimate self-defense can be conducted with conventional or cyber means and has to respect the principles of necessity and proportionality. Furthermore, legitimate self-defense includes preemptive action to respond to a (cyber) armed attack which has “not yet begun, but is imminent and certain, provided that the potential impact of this aggression is sufficiently grave”. At the same time, France rejects the right to use force in preventive self-defense, i.e. when the armed attack is not imminent, but may only potentially occur in the future.
Moreover, France does not recognise the right to self-defense against non-State actors if the act is not attributable, directly or indirectly, to a State. It specifically rejects the view held by a majority of the Tallinn Manual 2.0 experts whereby State practice has established such a right in circumstances where use of force against non-State actors “complies with the principle of necessity (…), is the only effective means of defence against the armed attack, and the territorial State is unable (…) or unwilling to take effective actions” to repress the cyberattack (see Tallinn Manual 2.0, rule 71, para. 25). However, where the non-State actor shows characteristics of a quasi-State, such as ISIS in Syria, France views the use of force as justified, but is at pains to stress the exceptional character of this case, which cannot be regarded as a definitive recognition of the concept of self-defense against acts perpetrated by non-State actors. Nevertheless, France admits that State practice may evolve to accept the use of force against armed attacks perpetrated by non-State actors, but stresses that such an evolution should take into account the spirit of the Statute of the International Criminal Court (ICC) in view of the inclusion of the crime of aggression and the jurisprudence of the ICC which may develop from this inclusion.
Attribution and State Responsibility
France reaffirms that the rules on State responsibility are applicable to State action in cyberspace. Accordingly, a State is responsible only for those cyber operations which violate an international obligation and are attributable to it. France admits that the particular circumstances of cyberspace, including the fact that States use proxies to conduct cyberattacks, make the identification of the perpetrators or sponsors of such attacks for the purposes of attribution particularly challenging. The identification of the attacker rests mainly, if not exclusively, on a technical analysis of the cyberattack. Helpfully, France offers a non-exhaustive list of factors which may be taken into account when making such an identification and determining the existence of a link between the attacker and a State. These factors are:
- the determination of the cyber infrastructure from which the cyberattack originated and through which it transited and their geographical locations,
- the identification of the modes of operation of the adversary,
- the general chronology of the activities of the perpetrator,
- the scale and severity of the incident,
- the compromised area and
- the effects sought by the attacker.
Once the attacker is identified, the cyberattack is attributable to a State either through the conduct of that State’s organs (see Art. 4 ILC Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA)), the conduct of persons or entities exercising elements of governmental authority (Art. 5 ARSIWA) or through conduct directed or controlled by the State (Art. 8 ARSIWA).
However, France stresses that the identification of a particular State as responsible for a cyberattack does not oblige the injured State to make a public attribution. The decision to publicly attribute a cyberattack depends on a series of factors and remains the sovereign right of a State. Accordingly, France reserves the right to decide if it attributes a cyberattack publicly or not and whether and when it shares the information with its population, third States or the international community. The competence to publicly attribute remains exclusively with the State so far as it does not preclude close coordination with France’s allies, the EU or NATO. If a public attribution is made, France asserts that international law does not oblige a State to disclose evidence upon which the attribution has been made. Nevertheless, the voluntary disclosure of evidence may help to establish the validity of the attribution. In any case, the lack of a public attribution does not diminish a State’s right to react to a cyberattack in accordance with international law.
Countermeasures and necessity
In response to a cyberattack which constitutes a violation of an international obligation (including the use of force), France reserves the right to adopt countermeasures in order to protect its interests and to induce the responsible State to comply with its international obligations. According to the French document, this right rests solely with the injured State. As in the “Paris Call for Trust and Security in Cyberspace”, France firmly opposes the idea of hack backs by private companies, mainly due to the systemic insecurity such hack backs would introduce into the international system. Moreover, France rejects the adoption of countermeasures by States other than the injured State as currently not authorised by international law. This is a strong rebuke of Estonia’s view, presented by President Kersti Kaljulaid at the opening of this year’s CyCon conference in Tallinn, whereby States should be able to “respond collectively to unlawful cyber operations where diplomatic action is insufficient, but no lawful recourse to use of force exists”. France does not elaborate, however, whether it rejects collective countermeasures in general, that is against all violations of international obligations, or whether it allows an exception for violations of erga omnes norms, which finds support in State practice (as argued by Federica Paddeu here and Martin Dawidowicz here).
France reiterates that countermeasures have to be executed in accordance with international law as laid down in the ILC Articles on State Responsibility. In particular, they have to be of a peaceful nature and may last only until the cessation of the injuring act. The response to a cyber operation may be undertaken by cyber or conventional means, provided that it is proportional to the harm suffered, taking into account the seriousness of the initial violation and the rights at issue. The victim State may, in certain circumstances, derogate from the obligation to notify the State responsible for the cyber operation in advance, where there is a need to protect its rights. According to France, this possibility of adopting urgent countermeasures is all the more appropriate in cyberspace, given the prevalence of concealment and the difficulties of traceability. In this, France sides with the United States, which previously argued that the requirement to give the responsible State notice and call upon it to comply with its international obligations before a countermeasure may be taken “should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement”.
Apart from countermeasures, France does not exclude the possibility of invoking the state of distress or the state of necessity to protect its essential interests against a cyberattack below the threshold of an armed attack, yet constituting a serious and imminent danger. In that case, the measures adopted have to remain peaceful in nature and must not seriously undermine an essential interest of the State concerned.
Lastly, in the most serious cases constituting a threat to international peace and security, France may also refer the situation to the UN Security Council under Chapter VI of the United Nations Charter, or even under Chapter VII in the event of a threat to the peace or a breach of the peace (Art. 39 UN Charter).
Overall, it has to be said that the French declaration of “International Law Applicable to Operations in Cyberspace” is an impressive document which lays out a detailed and coherent interpretation of international law as applicable to cyberspace. While it does not treat all issues with the same depth and omits certain questions altogether, it is nevertheless an important and much needed voice in the ongoing discussion, which will undoubtedly generate a lively debate (for instance on the issue of sovereignty) and hopefully will serve as a model for other States on how to lay out their views on the international law applicable to cyber operations.