Since 2013, States have repeatedly reaffirmed in multilateral institutions that the principle of sovereignty applies in cyberspace, and in particular that “in their use of ICTs, States must observe, among other principles of international law, State sovereignty, sovereign equality” (A/70/174). As more and more states publish their views on the application of international law in cyberspace, the principle of sovereignty is one of the most debated. This is due in part to the fact that cyberspace takes both the characteristics of an intelligence competition and of military domain where international law is being interpreted to adapt to this new environment. On sovereignty, the debate is structured around two questions. Firstly, there is a question of whether a general obligation to respect the sovereignty of other States exists, the violation of which could in itself constitute an intranational wrongful act. Secondly, States are resorting to different criteria for a cyberoperation to be qualified as unlawful and a violation of sovereignty. In this context, the French position is often framed as being clear on both aspects of the debate. However, a document published in 2022 questions both assumptions and leads to an alternative reading of the French position.
The majority view: France endorsed the sovereignty-as-rule and pure sovereignty approaches
In 2019, the French Ministry of the Armed Forces published a white paper on the application of international law to operations in cyberspace. The document aimed to define France’s views on the subject. It was transmitted by the Ministry of Foreign Affairs to the OEWG Secretariat in December 2021. On the subject of sovereignty, the document states that “any cyberattack against French digital systems or any effects produced on French territory by digital means […] constitutes a breach of sovereignty.”
It has been interpreted as France belonging to the “sovereignty-as-rule” camp. This means that France believes that there is a general obligation to respect sovereignty in cyberspace, as opposed to the “sovereignty-as-principle” camp, where sovereignty is only a principle of international law. In the first case, an international wrongful act could result from a breach of sovereignty itself, an obligation distinct from the principle of non-intervention or the prohibition of the use of force, while in the second case, the violation of a State’s sovereignty in cyberspace would be the consequence of a breach of a specific obligation. This debate was triggered by the publication of the Tallinn Manual on the International Law Applicable to Cyber Operations and was taken up by academics and States. In contrast to the Tallinn Manual‘s approach, the United Kingdom Attorney General claimed in 2018 that sovereignty was a mere principle of international law from which no “specific rule or additional prohibition for cyber activity beyond that of a prohibited intervention” could be extrapolated. This view was repeated in 2021 and 2022 and has led to the United Kingdom being designated as the only State explicitly rejecting the “sovereignty-as-rule” approach, although the United States’ approach has also been described as ambiguous. On the other hand, many States have begun to affirm that sovereignty is indeed a rule of international law in cyberspace (see notably Austria, Czech Republic, Costa Rica, Denmark, or Sweden), or have spoken out, like France, on what they see as a violation of their sovereignty as a result of cyberoperations. They have all been categorised in the “sovereignty-as-rule” camp.
The second point of disagreement on the application of the principle of sovereignty in cyberspace concerns the conditions under which an act constitutes a violation of a State’s sovereignty and is thus unlawful. The French statement has been interpreted as advocating a “pure sovereignty” approach in which no specific thresholds or criteria need to be met for an act to constitute a violation of sovereignty. While many States have adopted an effects-based (see notably Canada, Finland, Germany, Ireland) and a functional approach (see notably Canada, Costa Rica, Denmark or Norway), a smaller group of countries (Iran, China) do not seem to make the violation dependent on an effects threshold and align themselves with France. The African Union’s position would also fall into this category, while Switzerland‘s position could also be categorized as such, although it is very ambiguous.
The existence of clues for an alternative reading of the French position of 2019
Although I would largely agree with most commentators on the 2019 French position on sovereignty, some elements already cast doubt on France’s endorsement of the “sovereignty-as-rule” and “pure sovereignty” approaches. For one thing, unlike many other countries, France did not explicitly state that sovereignty was a rule of international law. On the contrary, it was silent on the primary norm underlying the violation of the principle of sovereignty and focused on the conditions of the violation themselves. Such an approach is shared by other States which identify the hypotheses in which the violation is constituted while being silent on the status of sovereignty itself (see notably Estonia, Japan, Poland or Switzerland). One might say that France’s silence could be explained by the date of release of the document, a time when States were maybe less sharing their views on the existence of a specific obligation distinction from the one to respect the territorial integrity of another State. This might be true. However, the fact that documents published more recently do not touch upon the existence of this specific obligation should be taken into account. I am not taking any position on whether, as a matter of lex lata, there is a rule of sovereignty, in general, or in cyberspace. But these differences in statements are useful to highlight to help understand the French position on this issue and why it might have been misconstrued.
Furthermore, already in the 2019 document, something might have suggested that the “pure sovereignty” view was perhaps not as absolute as it seemed. Indeed, in both the French and English versions of the document, the “pure sovereignty” view was affirmed in the body of the document. But in a sidebar and one of the document’s subheadings, it was indicated that a cyberattack “may constitute a breach of sovereignty.” This opened up room for various interpretations, including the requirement of a certain threshold for it to be a violation. The fact that it was not in the body of the document calls this interpretation into question, but what can at least be said with certainty is that there was a layer of ambiguity alongside a very clear statement.
2022: A new position on sovereignty?
In 2022, the Ministry of the Armed Forces published its Manuel de droit des opérations militaires (Military Law of War Manual). In the chapter dedicated to cyberoperations, small but substantial changes were introduced, in particular on sovereignty. The Manual states: “Toute cyberattaque à l’encontre des systèmes d’information ou toute production d’effets hostiles via des moyens cybernétiques par un organe étatique […] est susceptible de constituer une violation de souveraineté. Ceci au titre du droit à l’intégrité et à l’inviolabilité qu’expriment les obligations de respect de l’intégrité territoriale d’un État, ou encore de non recours à la menace ou à l’emploi de la force” (I emphasize, p. 302). This can be translated as “Any cyber attack against information systems or any production of hostile effects via cyber means by a state organ […] could possibly constitute a violation of sovereignty. This [obligation is derived from] the right to integrity and inviolability expressed in the obligations to respect the territorial integrity of a State [and to not] resort to the threat or use of force” (I emphasize).
This paragraph calls into question the two assumptions that France belongs to the “sovereignty as-rule” and “pure sovereignty” camps.
France and the “sovereignty-as-principle” camp
In this paragraph, the violation of sovereignty is identified here not as arising from the violation of a rule of sovereignty, but as a consequence of the violation of an obligation arising from the principle of sovereignty, here the rule of territorial integrity, distinct from lex specialis obligations that might exist in specific domains. This reinforces the argument that France does not consider that there is a general obligation to respect sovereignty and that it is not in the “sovereignty-as-rule camp.” This reading tends to be confirmed by the subtitle under which this paragraph appears, since the listed obligations are described as flowing from the principle of sovereignty.
One may argue that the statement confirms that France is in the “sovereignty-as-rule” camp because the so-called “sovereignty rule” would encompass an obligation to respect territorial integrity and that, when talking about the sovereignty rule, authors most of the time refer to territorial integrity. But the proposed reading suggests that the rights associated with the principle of sovereignty and the means to protect those rights through specific obligations should be distinguished, even if, from a practical perspective, one might consider that it doesn’t have much impact. The distinction and overlaps between the two have been an object of debate for decades, as shown by the work of the International Law Commission on general principles of international, and the principle of sovereignty is no exception, especially due to its polysemic nature.
The proposed reading also has a consequence that could be described as unexpected. It leads to a new reading of the supposed dichotomy between the UK and the other States on this topic. By focusing on the obligations deriving from the principle of sovereignty, the French position seems closer to that of the UK. Both States would indeed reject the existence of a general rule of sovereignty. There is, however, one notable difference. Unlike the UK, France recognizes that there are prohibitions for cyber activities beyond that of prohibited interventions due to the existence of obligations such as the respect for territorial integrity.
France and the “relativist sovereignty” camp
On the second aspect of the debate on sovereignty, it should first be recalled that France’s behavior has been described as incompatible with its statement on the application of international law in cyberspace. This applies in particular to the dismantling of botnets such as Redatup and Emotet, or more recently with the PlugX malware, three police operations in which the French law enforcement authorities were particularly active. In all three cases, the control and command servers were seized and disinfection methods were pushed to neutralize the original malware, producing effects on the territory of numerous States. Unless consent or another circumstance precluding wrongfulness can be claimed, which seems partly unlikely, these operations would certainly constitute breaches of sovereignty based on the 2019 document. France is also known for developing intelligence capabilities and conducting espionage operations. The 2019 document explicitly states in footnote 2 that it “does not contain any specific analysis or treatment of cyberespionage, which is not illegal in international law, though it may infringe such law when linked with an internationally wrongful act” (I emphasize). A contrario, this means that the following developments could in a general manner apply to such acts. In conjunction with the statement on sovereignty, this could be interpreted as not excluding the possibility that activities simply breaching the confidentiality of data could constitute a violation of sovereignty. This is reinforced by the definition of the term “cyberattack” used in the paragraph dedicated to sovereignty, a definition that defines damage “in terms of availability, integrity or confidentiality to data or the systems that threat them.” This means, again, that unless circumstances precluding wrongfulness can be mobilized, the lawfulness of some of France’s acts could be difficult to reconcile with its statement on sovereignty.
All of this might explain why, in the 2022 document, the wording has been changed to introduce an important nuance: the fact that “any cyberattack […] could possibly constitute a violation of sovereignty.” I should however say that the “could possibly” might not be the best translation depending on the intensity behind the word used in French. In that regard, it will be interesting to see how it will be translated into the forthcoming English version of the Manual. What can be said for now is that the evolution in the formulation is very clear in French. It closes the door to a kind of automatic violation, outside the cases in which circumstances precluding wrongfulness or consent could be invoked.
This has important practical consequences. It opens the door to considering as lawful cyberoperations that would have been unlawful under the 2019 reading. Cyberoperations with a de minimis impact could be affected, although the concept of “de minimis impact” is neither used in the Manual nor generally defined. The situation is difficult to assess when it comes to cyber operations aimed at gathering information. The sentence on espionage activities had already been deleted from the document submitted by the MFA in December 2021. The Manual is also silent on this topic. All of this could be interpreted as signalling a change in how France views the lawfulness of acts of espionage. It should be noted, however, that the Manual does not refer to any of the specific thresholds that States normally use in their statements on the application of international law in cyberspace. There is also nothing to suggest that physical or functional effects of a certain intensity are now required for a cyberoperation to violate state sovereignty. Moreover, and this applies to all 2022 amendments, the Manual still refers to the 2019 document. We should also underline that we are dealing here with an extract from a military manual. We could, therefore, question the scope of the document and its ability to define the French position as such, particularly in view of the debates on the 2019 Ministry of the Armed Forces document. Without deciding the question, it should be pointed out that the Manual, unlike, for example, the American and British manuals on the law of armed conflict, does not contain the usual caveat to the effect that it cannot be seen as authoritative in terms of the State’s interpretation of the law of armed conflict.
Conclusion
To conclude, France’s views on sovereignty are not without ambiguity, and different readings can be made of the various documents. Whether it concerns its approach to the primary obligations that support breaches of sovereignty or the thresholds for these breaches to happen, the publication of the 2022 document clearly questions what has been said so far about France’s views on sovereignty. In my view, it is difficult not to see an evolution, even though doubts remain about the scope of the changes. One might wonder why no clarification has been made. No clear answer can be given to that. But clarification would be welcome for at least three reasons. Firstly, clarifying whether or not there is an amendment to the 2019 position, and if so, what its scope is, would benefit international relations and prevent escalation of the conflict by informing other States of how France could potentially respond when targeted with cyber operations. Secondly, sharing the evolution of the French position in this area would at least deflect certain criticisms, particularly in the area of countering cybercrime. Finally, this would further align with the GGE and OEWG recommendations that States should share their views on the application of international law in cyberspace. Clarifying the French position would help to implement this commitment by showing that France intends to be fully engaged in this area, even if it has already published on the subject.
