,
24 tweets,
11 min read
Read on Twitter
France today published its views on how international law applies in cyberspace. It is a substantial document, containing many important points (and some disagreements with the #TallinnManual 2.0). Below a short thread abt France's view on peacetime int'l law in cyberspace.
/2 France subscribes to the view that sovereigtny is a rule (rather than a mere principle) cyberattacks can violate a State's sovereignty. 
/3 Every (!) cyberattack against French computer systems as well as any production of effects on French territory constitute a violation of sovereignty. Note that physical effects are not required. Any penetration of French networks is automatically a violation of sovereignty.
/4 Contrast this with UK Attorney Generals view that sovereignty is a principle rather than a rule.
/5 Contrast this also with the #TallinnManual 2.0's view that there has to be an infringement upon the target's territorial integrity (physical damage or loss of functionality) or an usurpation of inherently governmental functions.
/6 Cyberattacks may violate the principle of non-intervention. Nothing controversial here.
/7 Cyberattacks can constitute use of force if effects are similar to those employed by conventional weapons. Comparability criteria:
➡️physical damage
➡️origin of attack & military character
➡️degree of intrusion
➡️effects
➡️nature of target
➡️physical damage
➡️origin of attack & military character
➡️degree of intrusion
➡️effects
➡️nature of target
/8 Cyberattacks can constitute an armed attack if effects reach a certain gravity and are comparable to the use of physical force.
/9 In particular, an armed attack exists when there is substantial loss of life or considerable physical or economic damage. Examples:
➡️attacks against critical infrastructure with significant effects
➡️paralysis of parts of the country
➡️ecological disasters with many victims
➡️attacks against critical infrastructure with significant effects
➡️paralysis of parts of the country
➡️ecological disasters with many victims
/10 Self-defence is legitimate only against States, not against non-State actors with the exception of non-State actors which have State-like characteristics like ISIS.
/11 Consequently, France rejects the unable-or-unwilling justification for self-defence against cyberattacks from the territory of States to which the attack cannot be attributed.
/12 Compare this to the majority opinion in #TallinnManual Rule 71 para. 25.
/13 Interestingly, France subscribes to the accumulation-of-events theory on armed attack, i.e. that a series of attacks which individually do not amount to an armed attack, but produce cumulatively produce sufficiently grave effects, may constitute an armed attack.
/14 Measures in self-defence can only be employed by States. No private sector hack-backs, as this would increase systemic instability.
/15 States may employ countermeasures against cyberattacks which constitute an internationally wrongful acts, including a violation of sovereignty. France reiterates the general requirements stated in the ILC Articles on State responsibility.
/16 There is one caveat: in certain situations a State employing countermeasures may derogate from the obligation to notify the responsible State.
/17 France will not participate in collective countermeasures as it says that they are not authorised [by international law] at present! (Sorry #Estonia and @KerstiKaljulaid)
/19 Due diligence: France essentially repeats Corfu Channel, i.e. that States should not knowingly allow their territory to be used for cyberattacks. Violation of due diligence obligations may lead to countermeasures.
/20 BUT: failure to prevent cyberattacks undertaken from one's territory does not authorise use of force in self-defence (see also /11).
/21 Finally, attribution. In general, France reaffirms ILC Articles on State Responsibility Artt. 4, 5, 8.
/22 BUT important criteria for identification of attacker:
➡️location of attack- and transit-infrastructure
➡️modes of operation of the adversary
➡️chronology of activities
➡️magnitude and gravity of the incident and the perimeter
➡️effects sought by attacker
➡️location of attack- and transit-infrastructure
➡️modes of operation of the adversary
➡️chronology of activities
➡️magnitude and gravity of the incident and the perimeter
➡️effects sought by attacker
/23 Lastly: a State may, but is not obliged to attribute publicly & to give reasons for attribution. A faliure to attribute publicly does not diminish the rights to react under international law.
Link to full document here: defense.gouv.fr/salle-de-press…
Link to full document here: defense.gouv.fr/salle-de-press…
