National position of France (2019)

Introduction
This is the position of France on international law applicable to cyber operations. The position, which has been prepared by the French Ministry of Defense, has been published on 9 September 2019.

Applicability of international law
"For France, compliance with international law is a precondition for the emergence of an appropriate regulation of cyberspace. Faced with an increasingly prevalent and abiding cyber threat, and systems made increasingly vulnerable by digitisation and interconnectivity, the regulation of cyberspace between States and private- and public-sector actors must become a priority in order to re-establish a collective and multilateral order capable of preserving international peace and security".

"France reaffirms the obligation for States to respect international law in cyberspace, including the United Nations Charter, and in particular the principles of the sovereign equality of States, the settlement of international disputes by peaceful means and the requirement for States to refrain in their international relations from the threat or use of force against the integrity or political independence of another State or in any other manner inconsistent with the purposes of the United Nations."

Sovereignty
 "Cyberattacks may constitute a violation of sovereignty. The international norms and principles that flow from State sovereignty apply to the use of ICT by States and to their territorial jurisdiction over ICT infrastructure. France exercises its sovereignty over the information systems located on its territory".

"Any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ, a person or an entity exercising elements of governmental authority or by a person or persons acting on the instructions of or under the direction or control of a State constitutes a breach of sovereignty."

"The principle of sovereignty applies to cyberspace. France exercises its sovereignty over the information systems located on its territory. The gravity of a breach of sovereignty will be assessed on a case-by-case basis in accordance with French cyberdefence governance arrangements in order to determine possible responses in compliance with international law". 

State responsibility
 "A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State." 

Attribution
 "The attribution of a cyberattack having its origin in another State is a national political decision. When a cyberattack is detected, France takes the necessary steps to categorise it, which may include neutralising its effects.

Identification of the instigator is based mainly, though not solely, on technical information gathered during investigations of the cyberattack, especially identification of the attack and transit infrastructure for the cyberoperation and its location, identification of the adversary methods of operation (AMO), the overall chronology of the perpetrator’s activities, the scale and gravity of the incident and the compromised perimeter, or the effects sought by the attacker. This information can help to determine whether or not a link exists between the instigators and a State.

A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State.

The identification of a State as being responsible for a cyberattack that is an internationally unlawful act does not in any way oblige the victim State to make a public attribution. Such attribution is a discretionary choice made, inter alia, according to the nature and origin of the operation, the specific circumstances and the international context. It is a sovereign decision insofar as France reserves the right to attribute publicly, or not, a cyberattack against it and to bring that information to the attention of its population, other States or the international community. This policy does not rule out close coordination with France’s allies and partner States, including international or regional organisations, in particular the European Union (EU) and the North Atlantic Treaty Organisation (NATO). However, while the decision may go as far as collective attribution of a cyberattack, it lies solely with France. In addition, international law does not require States to provide the evidence on which the public attribution of a cyberattack is based, though such information helps to legitimise the validity of such attribution. In all events, a decision not to publicly attribute a cyberattack is not a final barrier to the application of international law, and in particular to assertion of the right of response available to States.

The capabilities of the Armed Forces Ministry contribute to the process of characterising cyber-attacks against the French State. The public attribution of a cyberattack against France is a national political decision. Although this power may be exercised in coordination with other States or international organisations, it is prima facie a sovereign prerogative." 

Countermeasures
 "In general, France can respond to cyberattacks by taking counter-measures. In response to a cyberattack that infringes international law (including use of force), France may take counter-measures designed to (i) protect its interests and ensure they are respected and (ii) induce the State responsible to comply with its obligations.

Under international law, such counter-measures must be taken by France in its capacity as victim. Collective counter-measures are not authorised, which rules out the possibility of France taking such measures in response to an infringement of another State’s rights.

Counter-measures must also be taken in compliance with international law, in particular the prohibition of the threat or use of force. Consequently, they form part of a peaceful response, their sole purpose being to end the initial violation, including in reaction to a cyberoperation that constitutes a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter. The response to a cyberoperation may involve digital means or not, provided that it is commensurate with the injury suffered, taking into account the gravity of the initial violation and the rights in question.

Lastly, the use of counter-measures requires the State responsible for the cyberattack to comply with its obligations.The victim State may, in certain circumstances, derogate from the obligation to inform the State responsible for the cyberoperation beforehand, where there is a need to protect its rights. The possibility of taking urgent counter-measures is particularly relevant in cyberspace, given the widespread use of concealment procedures and the difficulties of traceability." 

Prohibition of intervention
 "Many States are acquiring the capacity to prepare and conduct operations in cyberspace. When carried out to the detriment of the rights of other States, such operations may breach international law. Depending on the extent of their intrusion or their effects, they may violate the principles of sovereignty, non-intervention or even the prohibition of the threat or use of force. States targeted by such cyberattacks are entitled to respond to them within the framework of the options offered by international law. In response to a cyberattack, France may consider diplomatic responses to certain incidents, counter-measures, or even coercive action by the armed forces if an attack constitutes armed aggression."

Interference by digital means in the internal or external affairs of France, i.e. interference which causes or may cause harm to France’s political, economic, social and cultural system, may constitute a violation of the principle of non-intervention. 

Due diligence
 "France exercises its sovereignty over the information systems located on its territory. In compliance with the due diligence requirement, it ensures that its territory is not used for internationally wrongful acts using ICTs. This is a customary obligation for States, which must (i) use cyberspace in compliance with international law, and in particular not use proxies to commit acts which, using ICTs, infringe the rights of other States, and (ii) ensure that their territory is not used for such purposes, including by non-state actors."

"The failure by another State to comply with its due diligence requirement is not a sufficient ground for the use of force against it in the context of cyberattacks carried out from its territory.

In accordance with the due diligence principle, “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs”, including acts that infringe the territorial integrity or sovereignty of another State. In addition, States must ensure that non-state actors do not use their territory to carry on such activities, and not use proxies to commit internationally wrongful acts using ICTs. The fact that a State fails to comply with its due diligence obligation can justify the taking of political and diplomatic measures that may include counter-measures or a referral to the UNSC. The fact that a State does not take all reasonable measures to stop wrongful acts against other States perpetrated from its territory by non-state actors, or is incapable of preventing them, cannot constitute an exception to the prohibition of the use of force.

Under these conditions, France does not recognise the extensive approach to self-defence expressed by a majority of the Tallinn Manual Group of Experts which allows a State that is victim of a large-scale cyberattack perpetrated by non-state actors from the territory of another State to use self-defence against that State, including if such a response is carried out in compliance with the principle of necessity, is the only means to counter the armed attack, and the territorial State is unwilling or unable to prevent the perpetration of such acts." 

Distress and necessity
 "France also does not rule out the option of invoking a state of distress or necessity in order to protect a vital interest against a cyberattack which is below the threshold of armed attack but constitutes a serious and imminent danger. In such cases, the measures taken remain peaceful and do not seriously harm a vital interest of the State concerned. Such measures in response to a cyberattack against France in breach of international law are not taken systematically, but according to a discretionary political decision." 

Self-defence, armed attack and use of force
<section begin=FR_2019 self-defence, armed attack and use of force /> "Some cyberoperations may violate the prohibition of the threat or use of force. The most serious violations of sovereignty, especially those that infringe France’s territorial integrity or political independence, may violate the prohibition of the threat or use of force, which applies to any use of force, regardless of the weapons employed. In digital space, crossing the threshold of the use of force depends not on the digital means employed but on the effects of the cyberoperation. A cyberoperation carried out by one State against another State violates the prohibition of the use of force if its effects are similar to those that result from the use of conventional weapons. However, France does not rule out the possibility that a cyberoperation without physical effects may also be characterised as a use of force. In the absence of physical damage, a cyberoperation may be deemed a use of force against the yardstick of several criteria, including the circumstances prevailing at the time of the operation, such as the origin of the operation and the nature of the instigator (military or not), the extent of intrusion, the actual or intended effects of the operation or the nature of the intended target. This is of course not an exhaustive list. For example, penetrating military systems in order to compromise French defence capabilities, or financing or even training individuals to carry out cyberattacks against France, could also be deemed uses of force.

However, not every use of force is an armed attack within the meaning of Article 51 of the United Nations Charter, especially if its effects are limited or reversible or do not attain a certain level of gravity.

'''The prohibition of the use of force enshrined in the United Nations Charter applies to cyberspace. Certain cyberoperations may constitute a use of armed force within the meaning of Article 2, para. 4 of the United Nations Charter."'''

"In accordance with the case law of the International Court of Justice (ICJ), France distinguishes the gravest forms of the use of force, which constitute an armed attack to which the victim State may respond by individual or collective self-defence, from other less grave forms. Cyberattacks may constitute a grave form of the use of force to which France could respond by self-defence."

"France reaffirms that a cyberattack may constitute an armed attack within the meaning of Article 51 of the United Nations Charter, if it is of a scale and severity comparable to those resulting from the use of physical force. In the light of these criteria, the question of whether a cyberattack constitutes armed aggression will be examined on a case-by-case basis having regard to the specific circumstances. A cyberattack could be categorised as an armed attack if it caused substantial loss of life or considerable physical or economic damage. That would be the case of an operation in cyberspace that caused a failure of critical infrastructure with significant consequences or consequences liable to paralyse whole swathes of the country’s activity, trigger technological or ecological disasters and claim numerous victims. In such an event, the effects of the operation would be similar to those that would result from the use of conventional weapons.

To be categorised as an armed attack, a cyberattack must also have been perpetrated, directly or indirectly, by a State. Leaving aside acts perpetrated by persons belonging to State organs or exercising elements of governmental authority, a State is responsible for acts perpetrated by non-state actors only if they act de facto on its instructions or orders or under its control in accordance with the rules on State responsibility for internationally wrongful acts and ICJ case law. To date, no State has categorised a cyberattack against it as an armed attack. In accordance with ICJ case law, France does not recognise the extension of the right to self-defence to acts perpetrated by non-state actors whose actions are not attributable, directly or indirectly, to a State. France has, in exceptional cases, invoked self-defence against an armed attack perpetrated by an actor having the characteristics of a “quasi-State”, as with its intervention in Syria against the terrorist group Daesh (ISIS/ISIL). However, this exceptional case cannot constitute the definitive expression of recognition of the extension of the concept of self-defence to acts perpetrated by non-state actors acting without the direct or indirect support of a State.

Nonetheless, it cannot be ruled out that general practice may shift towards an interpretation of the law of self-defence as being authorised in response to an armed attack by non-state actors whose acts are not attributable to a State. However, any such development will have to be made bearing in mind the Rome Statute of the International Criminal Court (ICC) as amended in 2010 to add the crime of aggression, and the case law of the ICC that may emerge in this sphere."

"Under Article 51 of the United Nations Charter, a State that suffers an armed attack is entitled to use individual or collective self-defence. Self-defence in response to an armed attack carried out in cyberspace may involve digital or conventional means in compliance with the principles of necessity and proportionality. On a decision by the President of the Republic to commit the French armed forces, the Armed Forces Ministry may carry out cyberoperations for military purposes in cyberspace.

Cyberattacks which do not reach the threshold of an armed attack when taken in isolation could be categorised as such if the accumulation of their effects reaches a sufficient threshold of gravity, or if they are carried out concurrently with operations in the physical sphere which constitute an armed attack, where such attacks are coordinated and stem from the same entity or from different entities acting in concert. In exceptional circumstances, France allows itself to use pre-emptive self-defence in response to a cyberattack that “has not yet been triggered but is about to be, in an imminent and certain manner, provided that the potential impact of such an attack is sufficiently serious”. However, it does not recognise the legality of the use of force on the grounds of preventive self-defence.

States which, in the conduct of a cyberoperation or in their response to a cyberattack, decide to use non-state actors, such as companies providing offensive cyber services or groups of hackers, are responsible for those actors’ actions. In view of the risk of systemic instability arising from the private-sector use of offensive capabilities, France, following on from the Paris Call, is in favour of regulating them strictly and prohibiting such non-state actors from carrying out offensive activities in cyberspace for themselves or on behalf of other non-state actors.

Lastly, any response on the grounds of self-defence remains provisional and subordinate. It must be promptly reported to the UNSC and suspended as soon as the Security Council takes the matter in hand, replacing unilateral action with collective measures or, failing that, as soon as it has achieved its purpose, namely to repel or end the armed attack. Other measures, such as counter-measures or referral to the UNSC, may be preferred if they are deemed more appropriate." <section end=FR_2019 self-defence, armed attack and use of force />

International humanitarian law (jus in bello)
<section begin=FR_2019 IHL /> In an armed conflict situation, cyberspace is an area of confrontation in its own right linked to other areas of confrontation. The offensive cyber capability implemented in the theatres of engagement of the French armed forces is controlled by means of a doctrine and a framework for use in accordance with which it is required to comply with international humanitarian law (IHL). <section end=FR_2019 IHL />

Conflict qualification (IAC/NIAC)
<section begin=FR_2019 conflict qualification/><section begin=FR_2019 IAC /><section begin=FR_2019 NIAC /> Cyberoperations that constitute hostilities between two or more States may characterise the existence of international armed conflict (IAC). Likewise, prolonged cyberoperations by government armed forces against one or more armed groups or by several armed groups between themselves may constitute a non-international armed conflict (NIAC), where such groups show a minimum level of organisation and the effects of such operations reach a sufficient threshold of violence. They are generally military operations concurrent with conventional military operations: that is why it is not difficult to categorise an armed conflict situation. While an armed conflict consisting exclusively of digital activities cannot be ruled out in principle, it is based on the capacity of autonomous cyberoperations to reach the threshold of violence required to be categorised as such. Although virtual, cyberoperations still fall within the geographical scope of IHL, insofar as their effects must arise on the territory of the States party to the IAC and on the territory where the NIAC hostilities occur. <section begin=FR conflict qualification/><section end=FR IAC /><section end=FR NIAC />

Conduct of hostilities
<section begin=FR_2019 conduct of hostilities /> "The use of a cyber weapon in an armed conflict situation obeys the principles governing the conduct of hostilities. A cyber weapon, which is governed by IHL, may be used in combination with conventional military resources or in isolation. In support of conventional means, it produces the same intelligence, neutralisation and deception effects as those conventional means, which have long been subject to the targeting procedures used by the French armed forces in compliance with IHL.

The specific nature and complexity of offensive cyber warfare resources demand risk control arrangements just as robust as those applied to conventional operations, taking into account the inherent features of the conduct of operations in cyberspace. In practice, the risks linked to the use of a cyber weapon, especially the immediacy of the action, the duality of targets and the hyperconnectivity of networks, demand a specific digital targeting process spanning all phases of the cyberoperation in order to ensure compliance with the principles of distinction, precaution and proportionality, inter alia in order to minimise potential civilian damage and loss of life. The process involves long and specific planning carried out in close coordination with the planning of operations in the physical sphere." <section end=FR_2019 conduct of hostilities />

Military objectives
<section begin=FR_2019 military objectives /> "In order to ensure application of the rules governing the conduct of hostilities (distinction, proportionality and precaution, prohibition of superfluous injury and unnecessary suffering), a specific digital targeting process is used for cyberoperations, under the responsibility of the commander-in-chief of the armed forces, with the input, inter alia, of operational staff and specialist operational legal advisers. It cannot be ruled out that a serious breach of these principles arising from a cyberoperation could constitute a war crime within the meaning of the Rome Statute.

The principle of distinction

Under the principle of distinction, the parties to an armed conflict must at all times distinguish between the civilian population and combatants, and between civilian objects and military objectives. In this regard, cyber-attacks carried out in an armed conflict situation which are not directed against a specific military objective or whose effects cannot be contained are prohibited. If there is doubt as to whether an individual is a combatant, he or she must be considered a civilian61. Likewise, an object normally used for civilian purposes is presumed not to be used to make an effective contribution to military action. On this point France does not follow the Tallinn Manual, which considers that if there is doubt over the use of a civilian object for military purposes, a determination as to such use should be made only following a careful assessment.

From this standpoint and under the authority of the commander-in-chief of the armed forces, offensive cyber warfare operations are planned and coordinated taking all measures possible in practice to ensure that the targeted objectives are not civilians or civilian objects. Commanders are thus careful to gather the necessary intelligence to identify the objective and choose the most suitable means in order to apply the principle of distinction. Even if cyber weapons can have immediate effects, their integration into the operational manoeuvre is based on often long and specific planning designed to gather the information necessary to identify the nature of the targeted system (such as a map of the enemy network) in order to ensure compliance with IHL. A cyberoperation will be cancelled if the target under consideration proves not to be a military objective.

The distinction between military objectives and civilian objects.

In cyberspace, ICT equipment or systems and the data, processes or flows which constitute a service may be a military objective if (i) they contribute to military action by their nature (armed forces computer workstations, military command, localisation or surveillance networks, etc.), their location (places from which the cyber-attacks are carried out), their purpose (foreseeable use of ICT networks for military purposes) or their use (use of part of the network for military purposes), and (ii) their total or partial destruction, capture or neutralisation confers a definite military advantage. Under these circumstances, a propaganda centre may be a lawful military objective and the target of a cyberattack if it disseminates instructions linked to the conduct of hostilities.

Conversely, all objects which are not military objectives are deemed to be civilian objects. An attack carried out in cyberspace may not be directed against ICT systems used by schools, medical institutions or any other exclusively civilian service, or against systems whose destruction would only entail tangible effects on civilian objects, unless those objects are used for military purposes. Given the current state of digital dependence, content data (such as civilian, bank or medical data, etc.) are protected under the principle of distinction.

Cyberoperations must also take into account the special protection of certain objects, such as medical units, cultural property, the natural environment, objects indispensable to the survival of the civilian population and installations that contain dangerous forces. This protection extends to ICT equipment and services and to the data needed to operate them, such as medical data linked to the operation of a hospital.

ICT infrastructure or a system used for both civilian and military purposes may, after detailed analysis on a case-by-case basis, be deemed a military objective. They may be targeted provided that the principles of proportionality and precaution are respected. Given the hyperconnectivity of systems, commanders exercise vigilance over the action as a whole in order to avoid effects on civilians and civilian objects, or at least keep them to a minimum, in compliance with the principles of precaution and proportionality." <section end=FR_2019 military objectives />

Direct participation in hostilities
<section begin=FR_2019 direct participation in hostilities /> "Cyber-combatants, especially military personnel assigned to a cyberspace operations command, a group of hackers under State command or members of organised armed groups perpetrating cyberoperations against the adversary may be attacked, unless they are hors de combat.

Any other person is considered to be a civilian and enjoys general protection against the dangers arising from military operations, unless and for such time as they take a direct part in hostilities. A cyberoperation which is carried out to adversely affect the military operations or military capacity of a party to an armed conflict to the detriment of that party and to the advantage of an adversary, or which is likely to cause loss of human life, injury and civilian damage may be deemed a direct participation in hostilities.

For example, the penetration of a military system by a party to an armed conflict with a view to gathering tactical intelligence for the benefit of an adversary for the purposes of an attack constitutes direct participation in hostilities. The same applies to installing malicious code, preparing a botnet in order to launch an attack by denial of service, or developing software specifically intended for the perpetration of a hostile act."

"Cyber-combatants integrated into or affiliated with the armed forces or members of organised armed groups may be targeted by conventional means, in the same way as civilians conducting offensive activities that constitute direct participation in hostilities. Given the difficulties of identifying the perpetrators of a cyberattack, the targeting of such individuals remains marginal." <section end=FR_2019 direct participation in hostilities />

The principle of precaution
<section begin=FR_2019 principle of precaution /> "When cyberoperations are conducted, constant care should be taken to spare the civilian population, civilians and civilian objects.

Even though the necessary precautions may be taken, if the neutralisation or destruction of a military objective by digital means nevertheless risks causing civilian damage, it must not exceed the concrete and direct military advantage anticipated. The risks inherent in cyberspace (immediacy of effects, intrinsic duality of military objectives, hyperconnectivity, difficulty of tracing operations, vulnerability of systems) must therefore be taken into account in order to determine the modes of action and means to be implemented in cyber warfare in order to ensure compliance with the principle of proportionality.

Even though the anticipated effect of a cyber weapon may be difficult to measure, given the interconnectivity of information systems, especially on account of the risk of propagation beyond the target, these risks may be contained by the development of specific cyber weapons whose use is decided according to the desired effects, determined beforehand (activation of malware only in the presence of a specific network previously identified by a penetration of the system, existence of a deactivation time, etc.).

The use of malware which deliberately reproduces and propagates with no possible control or reversibility, and is hence likely to cause significant damage to critical civilian systems or infrastructure, is contrary to IHL, in the same way as the temporary interruption without military advantage of an adversary system followed by physical damage to civilian infrastructure.

The assessment of the effects of a cyberoperation takes into account all the foreseeable damage caused by the cyber weapon, whether direct (such as damage to the ICT equipment directly targeted or interruption of the system) or indirect (such as the effects on the infrastructure controlled by the targeted system, or on persons affected by the malfunction or destruction of the targeted systems or infrastructure, or by the alteration and corruption of content data).

In order for offensive cyber warfare operations to be conducted in compliance with the principle of precaution, the Armed Forces Ministry consults operational experts in military cyberdefence under the responsibility of the cyberdefence commander (COMCYBER). They possess the necessary technical knowledge, are able to exploit the available information (intelligence, strict identification of targets, correlation between the weapon and the desired effects, etc.) and have been given specific training in the complexity of cyber weapons.

These precautionary measures in attack are backed up by precautionary measures against the effects of an attack which a State should take in order to protect the civilian population and civilian objects against the dangers resulting from cyberoperations." <section end=FR_2019 principle of precaution />

Means and methods of warfare
<section begin=FR_2019 means and methods of warfare /> "Despite the complexity of cyberspace, the framework for cyberoperations carried out in an armed conflict situation is still determined by compliance with the principles of precaution and proportionality. As such, the digital targeting process takes account of a cyber weapon’s direct and indirect effects.

Despite the interconnectivity of military and civilian systems, the fact of being able to configure a cyber weapon according to the specifically desired effects of an operation helps to avoid excessive damage in relation to the concrete and direct military advantage anticipated. The non-lethal nature of cyber weapons and the possibility of limiting their effects to a previously identified system contribute to the obligation to choose the means and methods of attack most likely to avoid, or at least reduce to a minimum, any incidental loss of civilian lives, injury to civilians or damage to civilian objects." <section end=FR_2019 means and methods of warfare />

Neutrality
<section begin=FR_2019 neutrality /> "Cyberoperations carried out in the context of an international armed conflict, or which trigger such a conflict, are subject to the law of neutrality. As such, the States party to an IAC may neither carry out cyberoperations linked to the conflict from installations situated on the territory of a neutral State or under the exclusive control of a neutral State, nor take control of computer systems of the neutral State in order to carry out such operations. The neutral State must prevent any use by belligerent States of ICT infrastructure situated on its territory or under its exclusive control. However, it is not required to prevent belligerent States from using its ICT networks for communication purposes.

Routing a cyberattack via the systems of a neutral State without any effect on that State does not breach the law of neutrality, which prohibits only the physical transit of troops or convoys."

"The law of neutrality applies to cyberoperations. Belligerents must refrain from causing harmful effects to digital infrastructure situated on the territory of a neutral State or from launching a cyberattack from such infrastructure." <section end=FR_2019 neutrality />