To arms, cyber citizens! Form your battalions!
This is how the words of the Marseillaise could be changed if France were to experience an armed aggression similar to the one committed by Vladimir Putin (never accuse “the Russians,” because many of them suffer from this crime against humanity and will be our allies tomorrow).
This mobilisation is not surprising, as we know that the cyber weapon has become part of the panoply of weapons, since the Kosovo war, but especially on the occasion of the attack on Georgia by Russia in 2008. Cyber warfare is now a reality. “The cyber war has begun. We will not be naïve or blind, and we will prepare for it.” So said Florence Parly in January 2019 at the FIC.
Today, no military operation takes place without being preceded, accompanied, and followed by cyber operations. The use of this weapon complies with the law of armed conflict and must respect the general principles that derive from it: humanity, discrimination, proportionality, neutrality, and absence of perfidy. When hackers act directly under the authority of the belligerent, they have the status of combatants and are thus protected by the laws of Geneva and The Hague, subject to compliance with the above principles. In practice, it will be admitted that some of these principles are difficult to apply: for example, what does discrimination mean when civilian and military systems are connected to the same network?
As soon as the operations in Ukraine began, Yegor Aushev, co-founder of Cyber Unit Technologies, launched an appeal to the Ukrainian hacker community. He was responding to a request from the Kyiv government, which needed assistance in protecting vital systems and, if necessary, in attacking Russian automated data processing systems. The mass mobilisation of cyber volunteers arouses understanding and support, as the circumstances fully justify such a mobilisation of skills. It is in this context that the Conti ransomware group was attacked by one of its members, a Ukrainian national, because of the group’s support for Russia.
The question of volunteers operating from a base outside the conflict zone is quite different. First of all, if the operation originates from a territory that is not in conflict with Russia, in the sense of Geneva law, the hacker puts the state from which they are operating in difficulty, because the state must respect the international law principle of “due diligence”. This principle obliges the state to do everything possible (obligation of means) to prohibit hostile actions against a third country. This means that dispersed actions—albeit justified by good intentions—can have perverse effects if they are not controlled.
One must also be wary of “false friends”. When Anonymous attacks official Russian websites, such as the Ministry of Defence or TV stations, some people applaud, forgetting that this community of circumstance does not fail to attack our own interests as soon as the wind changes.
As the law currently stands, a hacker who acts outside the rules of international law cannot invoke the status of cyber combatant, protected by Article L.4123-12 of the French Defence Code. Criminal non-liability is only granted if the soldier’s digital actions comply with the rules of international law and remain within the framework of an operation mobilising military capabilities and taking place outside French territory or territorial waters—regardless of its purpose, duration, or scope. Here, the hacker cannot invoke this article, since they are not enrolled in the French forces, which are not currently in armed conflict with Russia. Therefore, legally speaking, a hacker who would answer the call from the French territory would be a delinquent (from Ukraine, the problem is different). They would thus be committing one of the offences punishable and repressed by the Godfrain law (Art. 323-1 et seq. of the French penal code). This law is neutral with regard to the motive. The offence is qualified by its materiality, even though the motive is noble—which is the case here. Admitting derogations would weaken a body of law by introducing subjectivity where the objectivity of the facts is already complex to demonstrate. And all “noble causes” would be invoked to justify cyber attacks, besides the conflict in Ukraine.
We must not open Pandora’s Box! Tolerating actions contrary to the law would have perverse effects. Cyber volunteers who are more enthusiastic than competent would be easily identified—even if they use a VPN—and would be subject to hack back actions. Who knows if these would be confined to their own computer systems? This context could give rise to a cyber confrontation—or even a cyberwar—not wanted by France. Our country must be able to fully master the cyber weapon, in both its defensive and offensive functions. It is not desirable to support initiatives—however generous they may be—that would impede the government’s freedom of action. The heart has its reasons, but realism dictates.
- Digital Sovereignty
- Cyber industrial safety
- Security and Stability in Cyberspace
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital transition