You may have heard of the cliché “there are no rules in cyberwar". It is false. There are rules. The trick is how those apply. Countries rarely speak clearly how they see or would see things. Most countries accept that international law applies to cyberspace, including to cyber operations (“cyberattacks”). What does it actually mean is another story. This changes today.
Some people encouraged me to compile this post. I assess cyber strategies. I was and am also involved in some works which allowed me to get familiar with the rules, from many sides. Previously also, I looked at the French cyber plans (the initial position, the cyber military programmation, and the doctrine of offensive cyber operations).
The document is interesting as it defines the context for when cyberattacks may be interpreted as really serious, warranting State response; or how the situation looks like in existing conflict. How ransomware affects some interpretation, etc.
The document is important not only because it’s a first. It is authored by the permanent member of United Nations Security Council. It goes against some common beliefs held by some. What will be noticed by many experts - the position contradicts many previously held beliefs. For example, it contradicts the points present in the eminent work, the Tallinn Manual. In that the French position sends the following message about Tallinn Manual: it is a very influential, useful, important work, and just a book (disclaimer: I hold great respect for the book editor; this work is seminal and has big value).
It’s title “international law applied to operations in cyberspace” makes the content clear. This is also about the practice of cyberwarfare. Let’s have a hot look at the key messages.
Note, in many cases “attack” below is the attack as understood in the context of international law, where common cyberattacks are not attacks; hence why it is sometimes better to use the name “offensive cyber operation”, and not “cyberattack”
Time of peace
Most cyberattacks happen in times of peace.
France says that unauthorized state-run operations violate country sovereignty.
France reserves its right to respond to cyberattacks, as well as to attribute cyberattacks to the responsible threat actors, specifically in this case: the countries responsible. Such attribution is always a political decision.
Cyberattacks warrant a diplomatic response. The best response is countermeasures. But cyberattacks with sufficient impact can amount to armed aggression in the sense of United Nations Charter, triggering Article 51:
“Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations (...).”
...and result in a military response. As you might imagine, it is a carefully weighed political decision. Do not expect that executing a port scan would trigger aerial bombardment in response. On the other hand, crippling hospital systems may be a different matter.
The response is always a function of the character of the effects. The methods of cyberattack (DDoS, ransomware, mass exploitation of whatever, in whatever way) are not important.
“au regard du droit international, une cyber-opération n’est pas illicite en soi, mais peut le devenir dès lors qu’elle ou les effets produits entraînent des violations du droit international”.
It essentially means that although cyber operations may not be illegal on their own, its effects may amount to a violation of international law. That's the key. What matters are the effects, for example, are there are casualties or physical effects (destruction)? Other sensitive regions like impacting defense capabilities, country finance, critical infrastructure, etc. are also relevant. This includes causing considerable economical costs or causing environmental catastrophes.
These not always need to be the “necessary conditions”. The criteria to perceive a cyberattack as use of force include the attack circumstances, the character, the operation origin, the level of intrusion, the intended effects. Also, the nature of the attacker - for example, if it was a military unit (more and more countries have them, escalations follow). If the effects are low impact or otherwise minuscule, this normally does not warrant a strong response.
Interestingly, cyber attacks activity can also stack up - meaning the collective effects of multiple cyber operations can also reach a significance threshold. This applies to single actors and multiple threat actors acting in cooperation. Furthermore, France does not exclude preemptive action.
France contradicts Tallinn Manual also in acknowledging that while States are required to stop unlawful cyberattacks originating from their territory, failure to do so does not give the right to alleviate the prohibition of non-recourse to force. In other words, France is skeptical about attacking another country, which was unable to stop cyberattacks on France. And maybe this provides more stability?
In armed conflict
When a country is already in conflict (more or less: at war) specific body of rules apply - international humanitarian law (IHL; so here Geneva Conventions and its additional protocols). In this place, France speaks about cyberattacks accompanying existing, conventional conflict. In cyber domain there are no front lines, in the French view, pure-cyber conflict (cyberwar, i.e. conflict only via digital means) is a hypothesis. But in some cases, cyber operations could even amount to war crimes.
French view is most cyber operations would not constitute attacks (like for example intelligence gathering). But France acknowledges that cyber-attacks and the use of “cyber weapons” may amount to the definition of attack, in line with the Additional Protocol I to Geneva Conventions. In general, all the IHL principles apply.
Distinguishing between civilians and combatants, including objects/targets; attacks may not be directed against systems used by schools, medical facilities, any other exclusively civilian).
The following example of combatants involved in a conflict are specifically listed as constituting legitimate targets of military engagement:
- hacking of a military system of a party to armed conflict for intelligence purpose,
- directly useful in the conflict,
- installing malicious code,
- building a botnet to launch a denial of service attacks,
- developing software for the specific use in later hostile acts (cyberattacks).
Proportionality and precaution
Effects and actions must be carefully considered. That said predicting in advance some effects of some cyber operations may be difficult (consider what WannaCry accidentally led to). The specific case considered here is also the need for avoidance of propagation of dangerous payloads, and triggering them only on legitimately targeted systems to limit collateral damage.
France says that resorting to the use of indiscriminate malware, like worms, used in the context of armed conflict is illegal (as any interruption of systems not taking part in military activities is).
Cyberattacks can amount to hostilities between States involved in a conflict. These attacks can target, in general, confidentiality, integrity and availability of information systems, temporary or prolonged, reversible or not, They, of course, can also amount to visible, physical effects, even if more rare. When an intervention is needed (fixing, system reinstallation, etc) it checks the box of formal attack definition. French interpretation somewhat contradicts Tallinn Manual here too. To be considered an attack, there may be no exclusive need for casualties, injurious effects, or physical destruction as a result of the cyber operation. This is also the case when cyberattack render systems inoperable or useless. While most experts agree that temporary or easily reversible effects do not amount to attacks, France includes an important caveat:
“... ont été mis en place, ceci y compris de manière temporaire et réversible, dès lors qu’une intervention de l’adversaire est nécessaire pour rendre l’infrastructure ou le système de nouveau opérant”.
Which here means more or less that temporary or reversible effects may amount to attack if effects are reversible when subject to adversary intervention.
When may such a need for adversary intervention arise? For example, if the attacker encrypted the system to render it useless. It is technically reversible. Perhaps the attacker has the decryption key. But to make the system usable again, adversary intervention is needed. In this case, France considers it an attack. This might also relate to distributed denial of service, but perhaps less so as powerful DDoS usually have, well, less permanent effects (although technically it could still apply to DDoS).
This may effectively mean that France identified the potential, and the risk, of offensive use of ransomware in cyber conflict. The interpretation of international law follows accordingly.
You should have absolutely no doubts about the importance of this document. States speaking on the record about how international law applies is rare. While there are still gaps in details, and we should expect more in the future - this is a great start.
Furthermore, France fully acknowledged the application of international law to cyber operations, which is good because it is the key body of rules that can provide restraint.
There are also other technical takeaway from the document, like contradicting to beliefs popularised by Tallinn Manual (the sole event of contradicting should already be illuminating), and also visible proofs of strategic thinking. Evidenced by the thinly veiled attempts at reconciling what is known about the law, and what is known about the past cyberattacks, namely ransomware.
Ps. Did you like my work? Have comments or are you perhaps interested in another type of analysis? firstname.lastname@example.org.