Last week, the French Ministry of the Armies (formerly the Ministry of Defense) released the most significant statement to date by any State regarding the application of international law in cyberspace. Droit International Appliqué aux Opérations dans le Cyberspace (International Law Applicable to Operations in Cyberspace) follows on the heels of an important speech by the United Kingdom’s then Attorney General, Jeremy Wright, on international cyber law last year at Chatham House. Estonia’s President has also spoken out on certain key international law rules as applied to cyberspace, which I discussed previously at Just Security. So too did the United States in speeches by the State Department’s Legal Advisers Harold Koh and Brian Egan. While other States have also proffered various comments on the subject, the UK and France are noteworthy for having staked out positions on a number of key unsettled issues.
This post will highlight the key points made in the French position paper and, where useful, compare and contrast them to statements by representatives of other governments, as well as Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, which was repeatedly cited in the French paper. A forthcoming analysis at Just Security will examine the international humanitarian law aspects of the document, which are thus excluded from my analysis below.
The most contentious debate regarding the applicability of international law in cyberspace surrounds the principle of sovereignty. The Tallinn Manual 2.0 International Group of Experts (IGE) was unanimous in the view that sovereignty constitutes both an international law principle from which various rules derive (such as the prohibitions on coercive intervention and the use of force) and a primary rule in its own right capable of being violated. For the Experts, remote cyber operations may violate sovereignty territorially, as in remotely causing effects on another State’s territory, or through usurpation of, or interference with, an inherently governmental function, as in conducting remote law enforcement searches in cyber infrastructure located on another State’s territory without its consent. The open questions were: 1) what type of effects qualified as a violation, a point on which consensus could not be reached beyond physical damage, relatively permanent loss of functionality of systems, or injury; and 2) under what circumstances are inherently governmental functions usurped or interfered with.
In his Chatham House speech, Wright challenged the characterization of sovereignty as a primary rule capable of being breached in the cyber context. The UK’s position is that no such rule can be “extrapolated” from the general principle of sovereignty. Instead, the prohibitive work of the sovereignty principle commences only when the prohibition on coercive intervention, which stems from the principle of sovereignty, is breached. This position caused many in scholarly and other governments’ circles angst, for they rightly wondered if it unnecessarily forfeited the protective value of the sovereignty rule. Indeed, when in 2018 the UK government accused Russia of having violated international law through a number of its hostile cyber operations, commentators (including myself) were left wondering how Russia had done so if there is no sovereignty rule, as the UK claimed.
France has come down firmly, and in this author’s view correctly as a matter of law and policy, on the side of sovereignty as a rule. In doing so, it has staked out a powerful position on the correct question – the nature of remote cyber operations that violate sovereignty. France contends that a hostile cyber operation against French cyber infrastructure or one causing “effects” on French territory violates French sovereignty if it has been launched by another State’s organs, persons or entities exercising elements of government authority, or by persons or entities operating under the instruction or direction or control of another State. These standards of attribution draw directly on Articles 4, 5, and 8 of the Articles on State Responsibility.
While unambiguously spurning the view that only cyber operations causing physical effects qualify as violations of sovereignty, the precise “effects” that would so qualify by the French approach are somewhat unclear. For instance, would an operation causing a system to slow down or a short-term distributed denial of service (DDoS) attack violate the target State’s sovereignty? Wherever the line is to be drawn, France’s position will spark a much-needed discussion among States on the matter.
Intervention requires, according to the ICJ, coercive acts affecting the State’s domaine réservé (areas of activity left to the State by international law), the paradigmatic example being manipulation of election results or election machinery. The French position paper, in text drawn from the International Court of Justice’s Nicaragua judgment, sets forth France’s view that digital interference in its internal or external affairs constitutes prohibited intervention if it is likely to affect the French political, economic or social system. Of particular note, it highlights military and economic security as protected by the prohibition.
Although no mention of coercion appears in the position paper, France would presumably require coercive effect since the paper draws so directly on the Nicaragua judgement, which is typically cited as authority for the requirement. No State objects to application of the prohibition of intervention in the cyber context, as evidenced in part by its inclusion in the 2015 report of the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, bolstered by the report’s subsequent endorsement by the General Assembly.
However, further State comment and practice is needed to identify where the threshold of breach lies. The UK places particular emphasis on the issue and will presumably proffer a relatively low threshold for what constitutes coercion, as it must to compensate for its dismissal of sovereignty as a primary rule of international law. Whether the French will likewise support a broad interpretation of the rule remains to be seen, although its embrace of a stringent rule of sovereignty gives it more maneuvering room in this regard than the British enjoy.
The obligation of due diligence was recognized by the International Court of Justice in the 1949 Corfu Channel judgment. As set forth in Tallinn Manual 2.0, the due diligence rule requires States to ensure their territory is not used as a base for State or non-State hostile cyber operations against another State that cause serious adverse consequences with regard to a right of the target State. The obligation extends to cyber operations conducted remotely from outside the State using cyber infrastructure in the State that the attacker controls. Imagine a hacking group in State X that uses the cyber infrastructure in State Y to conduct a malicious operation in State Z; in this case, State Y has a due diligence obligation to stop that use of its cyber infrastructure.
By the prevailing view, the due diligence rule is limited to situations in which the hostile operations are ongoing; there is no duty to take preventive measures such as monitoring systems for misuse. Additionally, the due diligence obligation only attaches when it is feasible for the territorial State to take measures to end the hostile cyber operations from or through its territory. Finally, breach requires actual or constructive knowledge of the misuse of the State’s territory.
Presently, the international community is split as to whether due diligence is a binding obligation in cyberspace. France, and a number of other key States in the norms discourse – such as the Netherlands, Estonia, and Finland – endorse its status as a legal rule. There is a firm basis in international law for their position. Moreover, the view is sensible, for it offers normative protection: should another State fail to put an end to harmful operations, the door opens to the taking of countermeasures (see below) on the basis of that breach, which may take the form of cyber actions against the cyber infrastructure being used to conduct the attack.
France is crystal clear on this issue, and commendably so. It asserts that failure to comply with the obligation of due diligence, including failure to terminate operations by States or non-State actors that would violate the sovereignty of another State if conducted by the territorial State, is an internationally wrongful act that may be responded to with countermeasures (discussed below).
The French position paper, however, misreads Tallinn Manual 2.0 on the relationship between due diligence and self-defense. It cites the IGE majority as taking the position that a breach of due diligence entitles a victim State to take measures in self-defense against a hostile actor conducting a cyber armed attack from a territorial State to which the attack may not be attributed. This confuses due diligence with the “unwilling or unable” test of self-defense described below. The difference is significant because due diligence envisages a response only if the territorial State is “unwilling,” since feasibility is a condition for breach. The unwilling or unable test derives, instead, from a balancing of competing rights – sovereignty and self-defense. So where exactly the unwilling or unable doctrine draws the line in that careful jus ad bellum balance may not be the same as the line drawn by due diligence. Moreover, breach of the due diligence obligation might open the door to countermeasures and other remedies provided for in the law of State responsibility, but not the use of force since resort to force by a State requires an armed attack or authorization by the UN Security Council.
Use of Force
That the prohibition on the use of force in Article 2(4) of the UN Charter and customary international law applies in cyberspace can hardly be doubted. Indeed, the UN GGE expressly confirmed the applicability of the prohibition to cyberspace in its 2015 report. The remaining question is when does a cyber operation not causing meaningful physical damage or injury (which would clearly qualify) amount to a use of force?
States generally have not addressed this issue with any precision, instead merely opting to confirm the prohibition’s applicability (e.g., see here for UK statement). The one important exception to this trend came in an important speech by the Dutch Minister of Defence, Ank Bijleveld, in which she suggested that if “a cyber-attack targets the entire Dutch financial system…or if it prevents the government from carrying out essential tasks such as policing or taxation… it would qualify as an armed attack.” As all armed attacks are also uses of force, a severe non-destructive attack on the Dutch economy or government could qualify as a wrongful use of force if conducted by, or attributable to, another state.
The Tallinn Manual 2.0 IGE was unable to definitively resolve the issue. Instead of setting out a threshold, therefore, it offered factors that State decision-makers are likely to consider when determining whether to characterize cyber operations as a use of force. These non-exclusive factors included severity, directness, immediacy, invasiveness, measurability of effects, military character of the operation, degree of State involvement, presumptive legality, prevailing political environment, identity of the attacker, and nature of the target.
France has adopted the Tallinn Manual 2.0 approach fully by rejecting the requirement of damage, highlighting factors that should be considered when determining if a non-destructive cyber operation crosses the use of force threshold, and emphasizing that the factors are not exhaustive. The report singles out the prevailing circumstances at the time of the hostile operation, its origin, the effects caused or sought, the degree of intrusion, and the nature of the target. It offers as examples of a use of force: (1) operations that penetrate military systems to weaken French defensive capabilities; and (2) the financing and training of groups to conduct cyber attacks against France (the latter example drawn from the Nicaragua judgment’s holding that arming and training armed groups is a use of force).
Notably, the U.S. in 2012 also used a factors-based approach in assessing what cyber operations would amount to a use of force, as expressed in a speech by then-State Department Legal Adviser Harold Hongju Koh: “In assessing whether an event constituted a use of force in or through cyberspace, we must evaluate factors: including the context of the event, the actor perpetrating the action (recognizing challenging issues of attribution in cyberspace), the target and location, effects and intent, among other possible issues.”
That the right of self-defense exists in cyberspace pursuant to Article 51 of the UN Charter and customary international law, subject to the requirements of necessity and proportionality, likewise cannot be doubted. This is so despite an unfortunate unwillingness by Russia, China and a number of other States to include reference to self-defense in the aborted 2017 GGE Report. However, many unsettled legal issues surround the exercise of self-defense and France boldly has taken a position on most of them in the cyber context.
The most noteworthy position taken by France deals with the threshold at which a cyber use of force qualifies as an armed attack, thereby affording the victim State a right of self-defense. By the French interpretation, an armed attack includes cyber operations that cause substantial loss of life or significant physical or economic damage. Cyber attacks on critical infrastructure with substantial consequences, cyber operations that paralyze whole sectors of the nation’s activities, and ones that cause technological or ecological disasters are offered as examples. The fact that France does not require physical damage or injury is especially significant and likely signals a trend on the part of States to focus on the severity of consequences in addition to their character (damaging or not). In this regard, the French position appears to go well beyond that set forth for the UK in the Attorney General’s speech, which cited “imminent threat of, death and destruction on an equivalent scale to an armed attack.” The UK position and that of other countries will likely, in the author’s opinion, move in the general direction of the French stance over time.
France rejects the US position that all uses of force are armed attacks that allow forceful responses in self-defense. Rather it adopts the position set forth in the Nicaragua judgement that armed attacks are the “most grave” forms of the use of force, a characterization adopted by the large majority of States and scholars. As examples below the armed attack threshold, the position paper cites cyber operations that are limited, reversible and have not reached the requisite level of gravity.
Likewise, and also contrary to the US view and that adopted by the majority of the Tallinn Manual 2.0 IGE, France rejects the premise that cyber armed attacks can be perpetrated by non-State actors unless attributable to another State because they were conducted pursuant to the instructions or direction or control of that State. Interestingly, this standard derives from the law of State responsibility instead of the Nicaragua judgement’s “by or on behalf of a State…or its substantial involvement therein” threshold.
In rejecting the extension of the right of self-defense to non-State actors, France adopts a position suggested by the International Court of Justice in the Armed Activities judgement and the Wall advisory opinion. The position paper does caution that in “exceptional” cases self-defense is available against armed attacks conducted by a so-called “quasi-State” like Daesh (ISIS). It hastens to add that this should not be read as endorsing a general right of self-defense against non-State actors, but then fairly acknowledges a trend in the opposite direction.
Additionally, France adopts the “accumulation of effects” approach to armed attacks, by which individual attacks that do not reach the threshold of armed attack may nevertheless be combined to do so as long as they are launched by the same actor or by different attackers acting in concert. This is the precise approach adopted by the IGE in Tallinn Manual 2.0. France also accepts the right of anticipatory self-defense in the face of an imminent armed attack but rejects the notion of preventive self-defense. The latter can be described as a situation in which the State against which defensive action is to be taken lacks the capability to mount an attack, does not intend to attack, or attack is not “imminent” because other options to preclude it have not been exhausted.
Finally, France rejects the “unwilling or unable” approach to self-defense, which allows an injured State to conduct military operations in another State even when the attack cannot be attributed to the territorial State. The “unwilling or unable” doctrine has been championed by the United States and was accepted by the majority of the Tallinn Manual 2.0 IGE in the cyber context. It is interesting in this regard that the position paper highlights its disagreement with Tallinn Manual 2.0 rather than with other States that frequently engage in counter-terrorist operations in other countries on this basis.
Other Noteworthy Positions
The position paper repeatedly refers to the right to take countermeasures in the face of a hostile cyber operation that violates international law. Countermeasures are acts (actions or omissions) that would violate international law but for the fact that their wrongfulness is precluded because they proportionally respond to another State’s unlawful action and are designed to compel that State to desist (or to secure reparations for harm caused). The classic example is the hackback that would otherwise violate sovereignty.
Somewhat surprisingly in light of its central place in the NATO alliance and its key role in European security affairs, France rejects the position recently set forth by Estonian President Kersti Kaljulaid that collective countermeasures – that is, countermeasures taken by one State on behalf of another State that is entitled to take countermeasures by virtue of being the target of an unlawful cyber operation – are permissible. While France has substantial capabilities to respond to unlawful cyber operations, other States, including many in the NATO Alliance, do not. As a practical matter, they would need to look to friends and allies to assist them in responding to hostile cyber operations or to act on their behalf; such States are likely to, and should, follow the Estonian lead in advocating for collective countermeasures.
France also took the position that forceful countermeasures are impermissible. This view is consistent with that set forth in the Articles on State Responsibility and adopted by the majority of the Tallinn Manual 2.0 IGE in the cyber context, but disputed most famously by Judge Simma in his Oil Platforms case separate opinion. The approach would permit countermeasures crossing the use of force level, but not that of armed attack, in response to unlawful cyber operations of the same severity. Most States have remained silent on the issue, but it remains a contentious one among States that accept the “gap” discussed above between the use of force and armed attack thresholds.
Finally, France rejected an absolute duty to notify the State against which countermeasures are to be taken before mounting them. That purported obligation is found in the Articles on State Responsibility but was rejected by the Tallinn Manual 2.0 IGE on the basis that a notification requirement could deprive a countermeasure of its effectiveness. In the Attorney General’s speech, the UK also rejected the strict notification requirement as impractical if applied to cyber countermeasures. This represents a trend likely to be followed by other States.
In addition to the possibility of responding to a hostile cyber operation not reaching the level of armed attack with a countermeasure, France accepts the “plea of necessity” as the basis for responding to hostile cyber operations by means that would otherwise be unlawful under international law. Set forth in Article 25 of the Articles on State Responsibility and found applicable to cyber operations by the Tallinn Manual 2.0 IGE, the plea allows a state facing “grave and imminent peril” to one of its “essential interests” to take those measures that are necessary to end the peril. This is so even if those measures violate the rights of other States (such as sovereignty). However, the right to act based on the plea of necessity does not arise if the responsive measures, such as hacking back, would place the essential interests of other States that are not responsible for the situation at risk, or when the State concerned is responsible for bringing about the conditions that give rise to the “necessity.”
Lastly, France rejects suggestions that it is required to publicly set forth the evidence on which it bases attribution of a cyber operation to another State, a purported requirement that was likewise rejected in Tallinn Manual 2.0. However, France did support a voluntary non-binding norm in the 2015 GGE report to the effect that when possible States should generally do so.
France is to be congratulated for providing its views with such comprehensiveness and clarity. Doing so will enhance deterrence by setting forth red lines that cannot be crossed without consequences and prevent escalation due to normative misunderstanding. Hopefully, other States will soon follow the lead of the UK and France in articulating their legal positions regarding cyber operations because normative transparency contributes to international peace and security in cyberspace. Ambiguity regarding the rules of the game in cyberspace is a dangerous, destabilizing, and self-defeating strategy.