Published by The Lawfare Institute
In the context of cyber operations, there is a debate between those who consider sovereignty to be an underlying principle of international law from which other primary rules emanate, and those who consider it to be a primary rule of customary international law that can be violated by cyber operations, resulting in an internationally wrongful act. The application of rights inherent in sovereignty is particularly important in the cyber domain because the vast majority of cyber operations occur below the threshold of a prohibited use of force. The nonbinding 2013 and 2015 reports of the U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security determined that, in principle, existing international law—in particular the U.N. Charter—applies to cyber operations and that states must observe the principle of state sovereignty (also recognized in the Revised Pre-Draft Report of the U.N. Open-ended Working Group).
France is among a growing number of states that assert cyber operations can violate the sovereignty of a state as a rule of international law. Other states that recognize the application of “sovereignty as a rule” to cyber operations include Austria, the Czech Republic, Finland, Germany, Iran, the Netherlands and New Zealand, although there are significant differences in the positions of these states on how a rule of sovereignty applies. The threshold at which cyber operations may violate the sovereignty of a state remains unclear, though proponents consider the rule to apply below the threshold of a prohibited intervention as it lacks the demanding element of coercion. States that recognize a rule of sovereignty applies to cyber operations may do so with a view to the rule serving as a “normative firewall” that offers protection against low-level cyber operations by finding them to constitute internationally wrongful acts. States would then be able to invoke responsibility for a breach of international law, including the resort to countermeasures, with their exercise governed by general international law, to put an end to the responsible state’s unlawful conduct.
The French position exemplifies a “purist” approach to sovereignty as it recognizes an extremely broad “catch-all” rule under which virtually any nonconsensual cyber operation carried out under the direction or control of a state against systems on the territory of another state constitutes a violation of the sovereignty of that target state, regardless of effects caused. However, despite taking this position, France continues to engage in cyber operations that appear to be incompatible with this rule of sovereignty. For example, according to the rule recognized by France, the recent Emotet operation and two other cyber operations conducted by France, the EncroChat and Retadup operations, violate the sovereignty of the large number of states on whose territory systems were targeted. The purist approach to a rule of sovereignty for cyber operations, as exemplified by the French position, is currently at odds with the practice of cyber-capable states. Instead, states must balance certain interests to develop a de minimis threshold at which a violation of sovereignty takes place.
The French Position on Sovereignty and Cyber Operations
In 2019 the French Ministry of Armed Forces published a document outlining the French position on how international law applies to cyber operations. It asserts that “any cyberattack against French digital systems or any effects produced on French territory by digital means by a State organ … constitutes a breach of sovereignty” (emphasis added).
Russell Buchan’s analysis highlights the importance of the disjunctive “or” in the phrasing of the French position. The text provides two distinct bases under which cyber operations violate the sovereignty of a state:
Under the first base, “any cyberattack against French digital systems … constitutes a breach of sovereignty.” The French document defines a “cyberattack” as “[a] deliberate offensive or malicious action carried out via cyberspace and intended to cause damage (in terms of availability, integrity or confidentiality) to data or the systems that treat them, which may consequently harm the activities for which they are the medium” (emphasis added).
The operation must be deliberate or malicious and have intended to affect at least one of the CIA Triad principles of cybersecurity, that is, the confidentiality, integrity or availability of targeted data or systems. It does not appear to be necessary for these effects to actually manifest. This base is not limited to the conduct of state organs described in Article 4 of the Articles on State Responsibility and may therefore include operations carried out by non-state actors acting under the direction or control of a state, as set out in Article 8.
Under the second base, “any effects produced on French territory by digital means by a State organ … constitutes a breach of sovereignty” (emphasis added). The document generally discusses effects in relation to the CIA Triad principles outlined above. The operation must manifest “any [effect]” on the confidentiality, integrity or availability of data or systems. This base is limited to the conduct of state organs.
The first base is arguably the broader of the two, only requiring an operation to be carried out with the mere intent of affecting the confidentiality, integrity or availability of data or systems, while also encompassing the conduct of non-state actors under the direction or control of a state. There is not necessarily any significant difference in the broad scope of targets covered by the two bases, which appear to encompass both state and private infrastructure on the territory of a state, unless “French digital systems” is understood to refer exclusively to state infrastructure.
The Emotet (2021), EncroChat (2020) and Retadup (2019) Operations
Three case studies of operations conducted by France appear to be incompatible with the state’s position on sovereignty. The first is the recent Emotet operation, a coordinated cyber operation by law enforcement authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine to disrupt the Emotet malware. State authorities seized a number of command-and-control servers on their own territory before placing a malicious software update on three primary command-and-control servers, two of which were located in the Netherlands, under the direction and control of state authorities. State authorities, working with a number of private-sector professionals, appear to have used these compromised primary servers to spread the update to attack and assume control of at least 700 further Emotet command-and-control servers located on the territory of more than 90 different states. Computer systems around the world that are infected by Emotet retrieved this update, which altered their behavior and effectively quarantined the Emotet infection. Statements by participating state authorities suggest that systems infected by the malware update will no longer request new instructions from the command-and-control server infrastructure. In addition, the update contains a “time-bomb-like code” that will remove the Emotet software from the infected computers on April 25. This will affect as many as 1 million botnet computers worldwide (the Dutch statement claims that the Emotet infection is no longer active on the computers of more than 1 million victims worldwide as a result of the operation).
The second case study is the 2020 EncroChat operation carried out by the Center for Combating Digital Crime (C3N) of the French National Gendarmerie. The operation dismantled and shut down the servers of EncroChat, a private company that provided users with an encrypted phone network for secure communications. The operation covertly attacked a server in France belonging to EncroChat. After penetrating the server, C3N subsequently used it to send a malicious update to attack more than 60,000 user devices in at least 120 states (this number was confirmed to the author by a relevant authority in an email). In normal use, end-to-end encryption makes the message contents unreadable in transit. However, the malicious update bypassed this encryption by retrieving data directly from the user’s devices. The data obtained from the compromised devices was subsequently shared with several partner states that were involved in examining the data containing messages from users of the service to conduct criminal investigations in their domestic jurisdictions. On March 10, state authorities from Belgium, France and the Netherlands announced a similar operation had been conducted against Sky ECC, an encrypted communication service that EncroChat users reportedly migrated to after it was shut down. Statements by states are less clear on exactly how the operation was carried out, though the Belgian press release appears to acknowledge two stages that bear some resemblance to the EncroChat operation.
The third case study is the 2019 Retadup operation. On Aug. 28, 2019, shortly before the French Ministry of Armed Forces published its position on how international law applies in cyberspace, the National Gendarmerie announced that C3N had conducted a cyber operation with the private-sector cybersecurity firm Avast to combat the malicious Retadup worm. The operation gained access to a hosting provider to copy or image the operating system of a genuine command-and-control server used by the malware. The operation then set up a fake or imitation command-and-control server on French territory, and requests from computers infected with the Retadup malware to the genuine server were redirected to it. The imitation command-and-control server sent a modified version of the malware to 850,000 infected computers in 140 states that connected to it to alter the functioning of the malicious element of the infected computer system and disable the malware.
These operations appear to have been conducted without the consent of any of the states on whose territory systems were affected (at least 90, 120 and 140 states, respectively). In relation to the first base of a violation of sovereignty outlined in the French position, these were deliberate offensive operations by state organs that intended to affect the confidentiality or integrity of systems on the territory of multiple states or, for the Emotet and Retadup operations, the availability of such systems. Under the second base, these intended effects manifested as described, affecting the CIA Triad principles of systems on the territory of target states. It may additionally be argued that the EncroChat operation affected the availability of systems, though indirectly, as it caused EncroChat to shut down its systems. As such, all three operations violated the sovereignty of the states on whose territory the systems were located under each of the separate bases outlined in the French position.
Purist Approach to Sovereignty at Odds With Current Practice of Cyber-Capable States
The purist approach to a rule of sovereignty for cyber operations, as exemplified by the French position, is clearly incompatible with the operations outlined above. The Netherlands and Germany, which were also involved in the Emotet operation, likewise take the position that cyber operations may violate the sovereignty of a state, but they do so generally, without identifying a specific threshold at which a violation takes place. The position of the Netherlands acknowledges that, in relation to a violation of sovereignty, “the precise boundaries of what is and is not permissible have yet to fully crystallise.” The German position, updated on March 5, largely endorses the rule of sovereignty formulated by the international group of experts in the Tallinn Manual 2.0, pushing back somewhat against a purist approach to sovereignty, stating that “negligible physical effects and functional impairments below a certain impact threshold cannot—taken by themselves—be deemed to constitute a violation of territorial sovereignty.” Nonetheless, those who recognize that cyber operations are capable of violating the sovereignty of a state would likely consider these operations to be incompatible with such a rule. For example, the Tallinn Manual 2.0 considers law enforcement operations by a state attacking command-and-control servers located in another state (without the consent of that state) to constitute a violation of that state’s sovereignty, as the operation usurps an inherently governmental function reserved exclusively to the territorial state.
Outside of law enforcement operations, there are further considerations for cyber-capable states in endorsing an interpretation of a purist or catch-all rule of sovereignty for cyber operations. The Digital Watch Observatory identifies evidence of offensive cyber capabilities for 23 states. Under a purist approach, persistent engagement operations—the widespread practice among cyber-capable states of penetrating networks of foreign states to maintain a presence on those networks to gather intelligence—would effectively render cyber-capable states in continuous and permanent violation of each other’s sovereignty. Consider, for example, policies of the U.S. (“defend forward”), the U.K. (“active defense”), Canada (“active cyber”), New Zealand (“internationally active” engagement), and Australia (“deter and respond”), as well as attributions of offensive cyber operations to actors in Russia, China, Iran, North Korea and the like. In Nicaragua the International Court of Justice found that frequent violations of a rule do not necessarily detract from its status as a rule of customary international law. However, the value of states recognizing such a rule would surely be seriously undermined by these operations unless there is a significant change in the practice of cyber-capable states.
This explains the more cautious and pragmatic position adopted by the U.K., which expressly rules out the existence of a “cyber specific rule of a ‘violation of territorial sovereignty’” and would not limit its ability to conduct such operations. However, a state that chooses not to recognize such a rule is not able to rely on it as a “normative firewall”: Jeffrey Biller and Michael Schmitt highlight the “dilemma” of the U.K. position with respect to its 2018 attribution of multiple campaigns of cyberattacks to Russia’s GRU (Russia’s military intelligence service) as being “conducted in flagrant violation of international law.” If not a violation of sovereignty, which the U.K. has expressly ruled out, then what rule exactly has been violated? Similarly, in 2020, the U.K.’s National Cyber Security Center (NCSC) assessed with “almost certainty” that the GRU conducted attacks against Georgian web hosting providers “to undermine Georgia’s sovereignty” and expressed “[unwavering] support for Georgia’s sovereignty and territorial integrity,” challenging the Russian government to “become a responsible partner which respects international law.” Ciaran Martin, formerly chief executive of the U.K.’s NCSC, warns against classifying Russian operations as unacceptable without facing up to the consequences of that conclusion for the activities of Five Eyes states (Australia, Canada, New Zealand, the U.K. and the U.S.). For this reason, some states, like the U.S. and Israel, have refrained from making their positions clear, adopting a “wait and see” approach to maintain operational flexibility.
The purist approach to a rule of sovereignty for cyber operations, as exemplified by the French position, is at odds with the current practice of cyber-capable states that conduct persistent engagement strategies and low-level cyber operations for reasons of national security and to achieve policy goals. States that choose not to recognize that a rule of sovereignty applies to cyber operations, such as the U.K., maintain operational flexibility but leave their infrastructure open to attacks that would not be prohibited by a rule of international law below a prohibited intervention.
It is not possible for states to enjoy both the protection of a rule of sovereignty as a catch-all “normative firewall” and the unfettered operational flexibility to conduct low-level offensive cyber operations. For France, on ne peut pas avoir le beurre et l'argent du beurre, and for the U.K., you cannot have your cake and eat it too.
It is clear that for states to develop an understanding of how the rights inherent in sovereignty apply to cyber operations, they must balance the interests of operational freedom with the protection of critical national infrastructure on a state’s territory to identify a “half-way house” de minimis threshold at which a violation of sovereignty takes place. Over time, in the absence of a treaty, statements by states on how they interpret the rights inherent in sovereignty to apply with specificity to cyber operations may contribute to the formation of specific customary international law that may focus or clarify the application of such rules.