France, Cyber Operations and Sovereignty: The ‘Purist’ Approach to Sovereignty and Contradictory State Practice

In the context of cyber operations, there is a debate between those who consider sovereignty to be an underlying principle of international law from which other primary rules emanate, and those who consider it to be a primary rule of customary international law that can be violated by cyber operations resulting in an internationally wrongful act. The application of rights inherent in sovereignty are particularly important in the cyber domain because the vast majority of cyber operations occur below the threshold of a prohibited use of force. The nonbinding 2013 and 2015 reports of the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security determined that, in principle, existing international law—in particular the U.N. Charter—applies to cyber operations and that states must observe the principle of state sovereignty (also recognized in the Revised Pre-Draft Report of the U.N. Open-ended Working Group). 

France is among a growing number of states that assert cyber operations can violate the sovereignty of a state as a rule of international law. Other states that recognize the application of “sovereignty as a rule” to cyber operations include Austria, the Czech Republic, Finland, Germany, Iran, the Netherlands and New Zealand, although there are significant differences in the positions of these states on how a rule of sovereignty applies. The threshold at which cyber operations may violate the sovereignty of a state remains unclear, though proponents consider the rule to apply below the threshold of a prohibited intervention as it lacks the demanding element of coercion. States that recognize a rule of sovereignty applies to cyber operations may do so with a view to the rule serving as a “normative firewall” that offers protection against low-level cyber operations by finding them to constitute internationally wrongful acts. States would then be able to invoke responsibility for a breach of international law, including the resort to countermeasures, with their exercise governed by general international law, to put an end to the responsible state’s unlawful conduct. 

The French position exemplifies a “purist” approach to sovereignty as it recognizes an extremely broad “catch-all” rule under which virtually any nonconsensual cyber operation carried out under the direction or control of a state against systems on the territory of another state constitutes a violation of the sovereignty of that target state, regardless of effects caused. However, despite taking this position, France continues to engage in cyber operations that appear to be incompatible with this rule of sovereignty. For example, according to the rule recognized by France, the recent Emotet operation and two other cyber operations conducted by France, the EncroChat and Retadup operations, violate the sovereignty of the large number of states on whose territory systems were targeted. The purist approach to a rule of sovereignty for cyber operations, as exemplified by the French position, is currently at odds with the practice of cyber-capable states. Instead, states must balance certain interests to develop a de minimis threshold at which a violation of sovereignty takes place.

The French Position on Sovereignty and Cyber OperationsBecome a supporter of IT Security News and help us remove the ads.