France today published its views on how international law applies in cyberspace. It is a substantial document, containing many important points (and some disagreements with the #TallinnManual 2.0). Below a short thread abt France's view on peacetime int'l law in cyberspace.
/2 France subscribes to the view that sovereignty is a rule (rather than a mere principle) and cyberattacks can violate a State's sovereignty.
/3 Every (!) cyberattack against French computer systems as well as any production of effects on French territory constitute a violation of sovereignty. Note that physical effects are not required. Any penetration of French networks is automatically a violation of sovereignty.
/4 Contrast this with the UK Attorney General's view that sovereignty is a principle rather than a rule.
/5 Contrast this also with the #TallinnManual 2.0's view that there has to be an infringement upon the target's territorial integrity (physical damage or loss of functionality) or a usurpation of inherently governmental functions.
/6 Cyberattacks may violate the principle of non-intervention. Nothing controversial here.
/7 Cyberattacks can constitute use of force if effects are similar to those employed by conventional weapons. Comparability criteria:
➡️physical damage
➡️origin of attack & military character
➡️degree of intrusion
➡️effects
➡️nature of target
/8 Cyberattacks can constitute an armed attack if effects reach a certain gravity and are comparable to the use of physical force.
/9 In particular, an armed attack exists when there is substantial loss of life or considerable physical or economic damage. Examples:
➡️attacks against critical infrastructure with significant effects
➡️paralysis of parts of the country
➡️ecological disasters with many victims
/10 Self-defence is legitimate only against States, not against non-State actors with the exception of non-State actors which have State-like characteristics like ISIS.
/11 Consequently, France rejects the unable-or-unwilling justification for self-defence against cyberattacks from the territory of States to which the attack cannot be attributed.
/12 Compare this to the majority opinion in #TallinnManual Rule 71 para. 25.
/13 Interestingly, France subscribes to the accumulation-of-events theory on armed attack, i.e. that a series of attacks which individually do not amount to an armed attack, but cumulatively produce sufficiently grave effects, may constitute an armed attack.
/14 Measures in self-defence can only be employed by States. No private sector hack-backs, as this would increase systemic instability.
/15 States may employ countermeasures against cyberattacks which constitute internationally wrongful acts, including a violation of sovereignty. France reiterates the general requirements stated in the ILC Articles on State responsibility.
/16 There is one caveat: in certain situations a State employing countermeasures may derogate from the obligation to notify the responsible State.
/17 France will not participate in collective countermeasures as it says that they are not authorised [by international law] at present! (Sorry #Estonia and @KerstiKaljulaid)
/18 This, of course, is a response to Estonia's view, presented at this year's @ccdcoe #CyCon conference, that States which are not directly injured may apply countermeasures.
/19 Due diligence: France essentially repeats Corfu Channel, i.e. that States should not knowingly allow their territory to be used for cyberattacks. Violation of due diligence obligations may lead to countermeasures.
/20 BUT: failure to prevent cyberattacks undertaken from one's territory does not authorise use of force in self-defence (see also /11).
/21 Finally, attribution. In general, France reaffirms ILC Articles on State Responsibility Artt. 4, 5, 8.
/22 BUT important criteria for identification of attacker:
➡️location of attack- and transit-infrastructure
➡️modes of operation of the adversary
➡️chronology of activities
➡️magnitude and gravity of the incident and the perimeter
➡️effects sought by attacker
/23 Lastly: a State may, but is not obliged to, attribute publicly & to give reasons for attribution. A failure to attribute publicly does not diminish the rights to react under international law.

Link to full document here: defense.gouv.fr/salle-de-press…