Cybersecurity and Deterrence

France's Cyberdefense Strategic Review and International Law

By François Delerue, Aude Géry
Friday, March 23, 2018, 8:00 AM

French Louis Gautier presented the French Cyberdefense Strategic Review on Feb. 12 at . Gautier compared the Cyberdefense Strategic Review to the which established the nuclear doctrine of France, thus framing it as a seminal work on French cyber policy. The Cyberdefense Strategic Review, like other French white papers and strategic reviews, is , aimed at framing the discussions and prospective considerations leading to the adoption of the Military Planning Acts, which establish multi-year programming of the expenses that the French State devotes to its armed forces.

The French approach to cyber defense in 2017 and 2018 has been pivotal. After the creation of the Cyber Defense Command (COMCYBER) within the Ministry of the Armed Forces on Jan. 1, 2017, several key strategy documents have been published: the on Oct. 11, 2017; the on Dec. 15, 2017; the on Feb. 12; and the , which will be published this coming summer and will contain provisions relating to French cyberdefense strategy.

The Cyberdefense Strategic Review (the Review) reaffirms and develops the French position, already expressed in:

The Cyberdefense Strategic Review is made up of three parts. The first part, devoted to the “[d]angers of the cyber world,” assesses the threats, their evolution and the actors involved. It also reaffirms the French rejection of the concept of “cyber deterrence,” explaining that deterrence is reserved for nuclear matters. The second part, entitled “The State, responsible for the cyberdefense of the nation,” details the French approach to cyberdefense. It reaffirms the principle of separation between defensive and offensive capabilities and missions, which implies that the institution in charge of ensuring France’s cybersecurity does not conduct any offensive missions and operates strictly on a defensive level. Conversely, other institutions are in charge of offensive cyber operations and intelligence gathering. It also details France’s international strategy on cyberdefense issues, including its positions on international law. The third part, entitled “The state, responsible for the cybersecurity of society,” defines the concept of digital sovereignty as distinguished in legal terms from “sovereignty.”

We don’t intend to outline the entirety of the review. Rather, this post focuses on the main points on international law developed in the Cyberdefense Strategic Review. It states that “France has a clear, specific and precise vision of the application of international law in cyberspace.” Specifically, section 2.5, “France’s international action in the cyber domain,” and appendix 7 focus on international law. Several other segments of the Review also integrate, directly or indirectly, aspects related to international law.

International Law Applies to State Behavior in Cyberspace

The review holds true to the French policy position that “[t]he principles and rules of international law apply to the conduct of States in cyberspace.”

In this section, the review repeatedly recalls France’s commitment to the work of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (GGE), including recognition of the applicability of international law and, in particular, of the U.N. Charter, affirmed in the and reports. The review also recalls the , stating that the result signaled “a fundamental divergence of perception, among the different countries, of the international security architecture with which to govern relations between states in the digital age.” It says that although the failure of the last U.N. GGE halted negotiations at the U.N., it “does not in any way call into question the norms and principles agreed upon in previous years,” thus reaffirming France’s commitment to the adopted recommendations.

Finally, the text restates the French position on the points of contention in the last GGE:

France also had the opportunity, with several of its partners, to affirm its position in favor of a clear and unequivocal recognition of the lawfulness of the means of response to a cyber attack, whether they involve the use of force (self-defense) or do not (countermeasures, retaliation, etc.), as well as of the applicability of international humanitarian law to cyber operations taking place during armed conflicts.

But, the review goes further than simply recognizing the applicability of international law to cyberspace. It details specific international obligations and possible reactions to internationally wrongful acts.

States’ International Obligations in Cyberspace

Given that the breach of an international obligation by a state, by act or omission, constitutes an internationally wrongful act, the review reminds readers that a state is responsible for acts undertaken by its organs or by “non-state actors ... in the event that the State exercises a form of control over the authors of the attack.” Given the significant role played by proxies in cyberspace and the challenging questions of attribution, it would have been interesting if the review had clarified exactly what level of control would have to be exercised in order for the acts of a non-state actor to be attributable to a state. The review, however, does not go into such detail.

The review states that:

[T]he principle of sovereignty applies to cyberspace. In this respect, France reaffirms its sovereignty over information and communication technologies (ICT) infrastructure [systèmes d’information], persons and cyber activities located within its territory, subject to its international legal obligations.

It then affirms that cyber operations could constitute violations of state sovereignty, the principle of non-intervention, the prohibition of the use of force and the obligation of due diligence.

In addition, it refers to the duty of due diligence. In other words, the state has the “obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States” (paraphrasing the International Court of Justice’s formula in the Judgment), and it bears an obligation of conduct, whereby the state may be held responsible even if it is not the sponsor of the act. Indeed, in such a case, the state will be held responsible because it did not implement a certain precaution. That is to say, the state should be held responsible because it failed to take all the necessary and feasible measures to prevent or stop an act from occurring, not because the act occurred. It also stresses that “the State must first be notified that its infrastructures are being used for malicious purposes (knowledge criterion) and it must be verified that the State has not fulfilled its obligation (of conduct) to stop the attack.”

One may have expected the review to refer to the elements on due diligence present in the , considering its reinforcement of the GGE’s work. The 2015 GGE report implicitly mentions due diligence twice: “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs” and “States must not use proxies to commit internationally wrongful acts using ICTs, and should seek to ensure that their territory is not used by non-State actors to commit such acts.” The absence of an explicit reference is surprising considering the initial framing of the French position as aligned with GGE reports.

On the implementation of due diligence, the review notes that “from this perspective, France must, in particular, work to reach an agreement at the international level on the obligations faced by a State whose infrastructure would be used for malicious purposes.” This assertion is not further elaborated and raises several questions: Is the proposal referring to a potential legally binding agreement, such as an international treaty, or more simply a call to continue developing norms of behavior on that matter? Similarly, are these responsibilities legally binding obligations or soft law?

The paragraph that follows incorporates the GGE’s recommendations and proposes to extend them to other fora and frameworks, for example the G20, G7, and OSCE. Therefore, it seems likely that this portion of the report refers to a non-binding agreement on norms of behavior and does not advocate for the creation of a cyber due diligence treaty. Moreover, the review seems to specify the content of one of these obligations by proposing the “establishment of a chain of responsibility allowing the victim State to benefit from the assistance of those States through which the attack passes.” According to the review, this proposal is derived from the 2015 GGE’s norm which specifies that:

[A] State should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. A State should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from its territory, taking into account due regard for sovereignty.

One might have expected more detail on a proposal as interesting as this, but the Report leaves its description at a high level of generality.

Available Responses under International Law

The review also outlines possible responses to cyber attacks. First, the report states that “France must first endeavor to resort to mechanisms of international cooperation and the peaceful settlement of disputes.” The review goes on to point out that:

[I]f the situation so requires, it would then be possible to adopt measures of retorsion, to recourse to exceptional self-help mechanisms [mécanismes exceptionnels d’autoprotection], and/or to take peaceful countermeasures. The gravest circumstances may require a response involving the use of force.

The notion of “exceptional self-help mechanisms [mécanismes exceptionnels d’autoprotection]” may be referring to the above-mentioned possible responses or, alternatively, to other circumstances precluding wrongfulness that may be contemplated (most likely the plea of necessity). More specifically, the review details the three forms of unilateral self-help measures that France could adopt in response to a cyber operation in accordance with international law: measures of retorsion, countermeasures and self-defense. These possible responses were, however, at the core of the failure of the last GGE in June 2017.

Some states (namely China, Cuba and Russia) rejected the applicability of countermeasures, self-defense and international humanitarian law to cyberspace.

This approach to the responses is in line with the recent evolution of domestic law, particularly since the adoption of , codified in , which states:

in responding to a computer attack targeting ICT systems that affects the defense or economic potential of the State, or the security or the survival capacity of the State, the security services of that State can, under conditions determined by the Prime Minister, carry out the technical operations necessary to characterize the attack and to neutralize its effects by accessing the ICT systems at the origin of the attack.

The review seems to repeat the content of Article 21, while specifying that its implementation must fall within the limits of international law. It recalls

the possibility for the victim State, that has had its critical infrastructure affected by a cyberattack, to take necessary and proportionate technical measures in order to neutralize the effects of this attack, in compliance with its obligations under international law.

The review also discusses the conditions and modalities for the invocation of self-defense. It refers to Article 51 of the U.N. Charter (but without any reference to customary international law). It emphasizes that an armed attack is defined by its scale and effects, implicitly taking up the two cumulative criteria defined by the ICJ in the judgment. It further states that a cyber attack could be characterized as an armed attack “because of substantial human casualties” (“pertes en vies humaines substantielles”) or “considerable physical damage to objects” (“dommages physiques aux biens considérables”). In such a case, the state would be the victim of a cyber attack causing damage and/or casualties similar to those that would result from the use of conventional weapons.

The review defines armed attack further by referring to the theory of the accumulation of events, and thus recognizes that an armed attack may consist of a series of acts which, on their own, do not reach the threshold of an armed attack. This clarification seems to be a general statement on the French position on “armed attacks” in international law and thus not exclusive to the evaluation of cyber attacks. In addition, it states that “a second hypothesis could be that of a computer attack targeting a State, which would appear to be the first step in a more conventional mass military intervention.”

The review confirms the French position in favor of preemptive self-defense:

given the specificities of the cyber vector (an attack can be prepared clandestinely and be conducted very quickly; damage may be considerable at multiple levels, human, financial, organizational), France cannot exclude the use of self-defense, in exceptional circumstances, against an armed attack that has not yet been unleashed but is about to be, that is imminent and certain, provided that the potential impact of this attack is sufficiently serious/severe.

This position is not new and had already been introduced in : “the possibility of preemptive action could be considered, provided that an explicit and proven threat situation is identified.” Nevertheless, it is the first time that this stance has been expressed so explicitly.

With preemptive self-defense and the theory of the accumulation of events, the French approach is similar to that of a number of other states (notably the U.S.), although it diverges from a literal reading of Article 51 of the U.N. Charter.

The modalities of self-defense in response to a cyber operation may also be analyzed in light of points developed elsewhere in the document. First, the review proposes the creation of a new category of critical infrastructure that, in playing the role of service provider to other critical infrastructures, can be described as “supercritical.” The qualification of an armed attack generally depends on its scale and effects, as prescribed by the ICJ in the judgment. However, the nature of the target may also be taken into account as an aggravating factor, since it may lead the consequences to be regarded as more severe, as they would affect an interest particularly essential to the functioning of society or the economy.

Second, the review proposes a classification scheme for cyber attacks, paralleling the adopted by the United States, which “cannot be directly transposed” to the French context; the classification scheme is based on the effects of the incident. It is likely that this scheme will be used to determine whether a cyber operation constitutes an armed attack and, more broadly, to evaluate possible responses to any form of cyber operation. That said, the report does not elaborate on how the scheme will be implemented.

Third, while recalling its opposition to hack-backs (offensive actions taken by a non-state actor to respond to a cyber operation) by the private sector, the review indicates that “the matter of a potential exception to the general prohibition of recourse to cyber offensive measures by private companies in the case of legitimate self-defense will have to be debated at the international level.”

The review restates that it is not possible to invoke self-defense if an operation does not constitute an armed attack, even if it amounts to a use of force; in that case only retorsion and countermeasures would be available, under certain conditions. Countermeasures can only be taken in response to an internationally wrongful act, and must be necessary, proportionate and peaceful. While these rules are generally accepted, the review states the French view with unique clarity. It then proceeds to define the measures of retorsion for the purposes of response to cyber operations.

The review places particular emphasis on the importance of international cooperation and potential multilateral responses, mentioning the possibility of referring a situation to the United Nations Security Council and implicitly suggesting that nations may draw on the recently adopted by the European Union to coordinate responses in case of a cyber operation against one of the member states.

Finally, the review restates that jus in bello is applicable and that its “main principles […] are necessity, proportionality, distinction and humanity.” It adds that “cyber weapons must be able to be used in a discriminating manner.” Lastly, when dealing with the law of neutrality, the review distinguishes the mere transit of a cyber operation through a cyber infrastructure from the use of that infrastructure to launch a cyber operation, the first being tolerable and the second intolerable.

The review is a landmark document outlining France’s cyber defense strategy as well as the French approach to international law; it is likely the most comprehensive document on France’s use of international law ever published by the government. In its deference to international norms, France reaffirms its commitment to the international order as the pillar of international peace and stability.

The review also devotes much attention to soft law measures, including standards of responsible behavior and confidence-building measures relating to state and non-state actors, as well as to the international fora where discussions are taking place and could take place in the future. These points are, however, outside the scope of this post.

With the publication of such a comprehensive document on cyber defense, France is positioning itself as a leading force on these issues at both the European and global levels. In troubled times for international cyber law following the failure of the last U.N. GGE and, more generally, for the international legal order, France asserts its vision of and commitment to an open, secure and peaceful Internet.

Disclaimer: The authors were not associated with the redaction process of the Revue stratégique de cyberdéfense, and this blog post represents the authors’ own opinions and cannot be attributed to any other persons or institutions. The quotes drawn from the Revue stratégique de cyberdéfense were translated by the authors, and do not represent an official translation.