France today published its views on how international law applies in cyberspace. It is a substantial document, containing many important points (and some disagreements with the #TallinnManual 2.0). Below a short thread abt France's view on peacetime int'l law in cyberspace.

/2 France subscribes to the view that sovereigtny is a rule (rather than a mere principle) cyberattacks can violate a State's sovereignty.

/3 Every (!) cyberattack against French computer systems as well as any production of effects on French territory constitute a violation of sovereignty. Note that physical effects are not required. Any penetration of French networks is automatically a violation of sovereignty.

/4 Contrast this with UK Attorney Generals view that sovereignty is a principle rather than a rule.

/5 Contrast this also with the #TallinnManual 2.0's view that there has to be an infringement upon the target's territorial integrity (physical damage or loss of functionality) or an usurpation of inherently governmental functions.

/6 Cyberattacks may violate the principle of non-intervention. Nothing controversial here.

/7 Cyberattacks can constitute use of force if effects are similar to those employed by conventional weapons. Comparability criteria:
➡️physical damage
➡️origin of attack & military character
➡️degree of intrusion
➡️effects
➡️nature of target

/8 Cyberattacks can constitute an armed attack if effects reach a certain gravity and are comparable to the use of physical force.

/9 In particular, an armed attack exists when there is substantial loss of life or considerable physical or economic damage. Examples:
➡️attacks against critical infrastructure with significant effects
➡️paralysis of parts of the country
➡️ecological disasters with many victims

/10 Self-defence is legitimate only against States, not against non-State actors with the exception of non-State actors which have State-like characteristics like ISIS.

/11 Consequently, France rejects the unable-or-unwilling justification for self-defence against cyberattacks from the territory of States to which the attack cannot be attributed.

/12 Compare this to the majority opinion in #TallinnManual Rule 71 para. 25.

/13 Interestingly, France subscribes to the accumulation-of-events theory on armed attack, i.e. that a series of attacks which individually do not amount to an armed attack, but produce cumulatively produce sufficiently grave effects, may constitute an armed attack.

/14 Measures in self-defence can only be employed by States. No private sector hack-backs, as this would increase systemic instability.

/15 States may employ countermeasures against cyberattacks which constitute an internationally wrongful acts, including a violation of sovereignty. France reiterates the general requirements stated in the ILC Articles on State responsibility.

/16 There is one caveat: in certain situations a State employing countermeasures may derogate from the obligation to notify the responsible State.

/17 France will not participate in collective countermeasures as it says that they are not authorised [by international law] at present! (Sorry #Estonia and @KerstiKaljulaid)

/18 This, of course, is a response to Estonia's view, presented at this year's @ccdcoe #CyCon conference, that States which are not directly injured may apply countermeasures.

/19 Due diligence: France essentially repeats Corfu Channel, i.e. that States should not knowingly allow their territory to be used for cyberattacks. Violation of due diligence obligations may lead to countermeasures.

/20 BUT: failure to prevent cyberattacks undertaken from one's territory does not authorise use of force in self-defence (see also /11).

/21 Finally, attribution. In general, France reaffirms ILC Articles on State Responsibility Artt. 4, 5, 8.

/22 BUT important criteria for identification of attacker:
➡️location of attack- and transit-infrastructure
➡️modes of operation of the adversary
➡️chronology of activities
➡️magnitude and gravity of the incident and the perimeter
➡️effects sought by attacker

/23 Lastly: a State may, but is not obliged to attribute publicly & to give reasons for attribution. A faliure to attribute publicly does not diminish the rights to react under international law.

Link to full document here: defense.gouv.fr/salle-de-press…

cc @Schmitt_ILaw @KuboMacak @liisvihul @zetelegraph @IKosciuszki @j_swiatkowska @Barrie_Sander @ccdcoe @HagueCyberNorms @CyberDefence24 @CYBER_MIL_PL @patrykpawlak @nbozhkoff @SmeetsMWE