Is silence strategic when your adversary barely hides? For years, France maintained a policy of quiet restraint, generally refusing to publicly name foreign governments behind cyber attacks, disinformation campaigns, or covert interference — even when evidence pointed squarely at Moscow. But on May 13, 2025, President Emmanuel Macron announced that France would now systematically attribute hostile acts in response to the growing Russian threat. This policy shift was backed by a 16-page report from French domestic and foreign intelligence services disclosed to L’Express, detailing 13 acts of aggressions by Russian President Vladimir Putin against France. These announcements mark the end of France’s long-standing policy of avoiding public attribution to state actors — especially in cyber attacks — and mark a clear break from a policy that once defined its approach.

The move marks a cautious but deliberate shift in France’s approach to public attribution — preserving elements of past restraint while probing the strategic and domestic value of greater transparency and specificity in disclosing intelligence, especially amid rising threats from Russia.

Why Attribution Matters

Public attribution by states involves the communication of internal analytical judgments that identify perpetrators of specific activities. Typically based in part or in whole on national and partner intelligence assessments, these attributions belong to a broader practice of disclosing sensitive information to external audiences. Public attribution can be an operational or policy decision communicated by technical, legal, or political authorities. As former director general of France’s cyber security agency Guillaume Poupard has explained, when it involves identifying state responsibility, “attribution is ultimately a very high-level political decision” for most governments, given the diplomatic ramifications.

Public attribution has several rationales. Some governments view exposure as a disruptor of and deterrent to covert influence operations and hostile acts. The logic is that exposure denies state and non-state actors the secrecy they need to conduct their operations, forcing them to adapt or reconsider their plans. Israel has used this tactic extensively against Hizballah. Naming and shaming is also seen as a way to help set and enforce international norms and promote stability on issues like cyber security and nuclear proliferation by imposing audience and reputational costs on the offending party.

Governments also use intelligence disclosure to justify their policies, actions, and capabilities, and to build support by achieving narrative superiority. Ukraine’s military intelligence service, for example, has used disclosure to create a coherent wartime narrative and rally international backing. Some governments also use attributions to warn domestic audiences and build their resilience against hostile foreign interference.

A Cautious Shift

French governments have unattributably disclosed intelligence on cyber espionage and sabotage targeting France since at least 2012. In 2019, French authorities made their first direct public attributions of cyber threat actors — linked by other partners and private sector organizations to Russia and North Korea. Unlike allies such as the United States (since 2014), United Kingdom (2017), Germany (2018) and the Netherlands (2018), France avoided publicly attributing cyber intrusions to state sponsors. As the French cyber security agency explained, “attribution of a cyber attack to a threat actor is a complex exercise and is not the goal of this document nor [our] mission.”

One significant difference between France and its anglophone partners is that it does not have the same breadth of resources and intelligence coverage as the “Five Eyes” intelligence network of the United States, United Kingdom, Canada, Australia, and New Zealand. This limits French services’ access to corroborating intelligence and their level of confidence in making attributions. Still, as Germany and the Netherlands show, non-anglophone states can attribute with enough certainty to support disclosure.

Political considerations also shaped France’s restraint. For years, France’s cyber security agency and political leaders prioritized disclosing technical descriptions of adversaries’ tactics, techniques, and procedures to strengthen domestic resilience. Senior security officials have pointed to diplomatic risks of naming a state and the danger that doing so narrows policy options, shifting from dialogue to forceful responses. They have viewed private, bilateral signals as more effective.

As these concerns highlight, public attribution and disclosure are not risk-free. The chief risk for most intelligence and security services is the possibility that this enables adversaries to identify the discloser’s sources and methods and adapt to make future collection harder. As the British and American disclosure of intelligence to gain support for invading Iraq in 2003 underscored, using intelligence in this manner can erode audience trust if the claims prove politicized and misleading.

France’s first public attribution of cyber operations to Russia and disclosure of thirteen hostile acts linked to Russian President Vladimir Putin seem to represent a major policy shift. In reality, France has been moving incrementally in this direction. In 2021, France’s cyber security agency publicly identified intrusion sets linked to advanced persistent threat actors APT44 (“Sandworm”) and APT31 (“Zirconium”), while officials offered ambiguous remarks referencing partners’ and open source reports linking the groups to Russia and China, respectively. France’s cyber security agency moved from a technical disclosure in 2021 about APT29’s (“Cozy Bear”) targeting of French diplomatic entities to a more explicit public assessment in 2024, linking the group to global cyber espionage activities that had “been publicly linked to the Russian [foreign intelligence service] by different sources.” The leap this spring was small, but meaningful.

France has also used intelligence-led attribution outside of cyberspace. Under Presidents Hollande and Macron, French authorities blamed the Bashar al Assad regime for chemical attacks on Syrian civilians in 2013, 2017, and 2018 through intelligence disclosures. In 2022, they used intelligence to expose a Russian disinformation campaign in Mali, revealing that operatives from the Wagner Group — a Russian state proxy — planted corpses near a military base to frame French troops and stoke anti-French sentiment.

France’s agency for countering information manipulation has contributed to this gradual shift. It issued reports in 2023 and 2024 linking Russian actors to influence operations. Its May 2025 assessment of Storm-1516, released between France’s cyber security agency’s public attribution and Macron’s announcement last month, described the group as operating from Russia, with ties to the Kremlin. France’s Ministry of Foreign Affairs condemned Russia’s “destabilizing activities” alongside this disclosure.

Still, France’s approach remains cautious. The newly released attributions involve Russian activities dating back to 2017, and were already widely reported by allies, the private sector, and French and international media. France’s cyber security agency, for example, privately briefed candidate Macron in 2017 on a Russian hack-and-leak operation targeting his presidential campaign, but France withheld public attribution even as other European governments disclosed suspected Russian involvement in European election interference that year more publicly. The United States even publicly attributed the election interference targeting Macron to Russia’s military intelligence service in 2020 without public confirmation by France until this May. Similarly, France’s April 2025 attribution of APT28 (“Fancy Bear”) to Russian military intelligence built on France’s cyber security agency’s 2023 technical assessment and echoed public statements by allies and the private sector since 2018.

Most past French disclosures have focused on Russia. Macron’s policy announcement explicitly scopes the shift to Russian threats — an important caveat that underscores continuity. Other hostile states, such as China, have received different treatment. This underscores the political nature of attribution and reflects a broader strategic continuity. While France’s ends remain stable, its ways have shifted cautiously in response to deteriorating ties with Moscow. As relations worsen, the diplomatic costs of attribution have declined, especially as France’s support for Ukraine has grown more resolute.

This is not a wholesale turn to intelligence disclosure as a tool of statecraft. The practice remains debated. As recently as March 2025, Gen. Jacques Langlade de Montgros, France’s director of military intelligence, cautioned against excessive declassification, criticizing the U.S. approach to intelligence disclosure in the lead-up to and during Russia’s invasion of Ukraine. But breaking with the long-standing norm against public attribution to states could lead to broader adoption if seen as useful. It also enhances France’s flexibility to join coordinated international attributions, such as one this past May on APT28. In doing so, France can more visibly align its intelligence and diplomacy with allies and reinforce President Macron’s push to strengthen Europe’s strategic response to Russian aggression.

Strategic Utility Meets Domestic Politics

Such signaling also targets domestic audiences. Political considerations at home shape disclosure decisions. President François Hollande and his national intelligence coordinator Alain Zabulon cited the need to prepare the French public for a possible intervention in Syria as a key reason for disclosing Assad’s crimes. In May 2025, L’Express opened its article with a quote from Macron expressing frustration that the French public was more concerned with “veiled women” — a likely nod to domestic debates about political Islam — than with Russia. Macron’s decision may therefore reflect a perceived need to communicate more authoritatively to the French public about the Russian threat. These domestic motives — often overlooked in studies of intelligence disclosures — are crucial. Yet, domestic and foreign security are part of a strategic continuum, with attribution policies serving not only to manage external threats but also to shape internal consensus.

Implications

France’s decision to systematically attribute hostile acts by Russia marks a shift but not a rupture. It reflects a recalibration in response to a geopolitical environment where ambiguity is increasingly used as a tool of influence and disruption. It also represents a personal reckoning for President Macron, dating back to Moscow’s effort to undermine his election in 2017. Whether this approach will expand beyond Russia remains to be seen. Much depends on how the public responds and whether other adversaries escalate in kind.

The impact of intelligence disclosures on target audiences remains hard to assess. Academic research on public cyber attribution suggests it has failed to deter attackers. Further empirical study is needed to clarify what objectives disclosures can realistically achieve.

Still, the signal is clear. Macron has bet that transparency, when carefully managed, can serve deterrence. He is wagering that France can impose reputational costs without undermining its intelligence capabilities. And he is trying to educate a distracted public about the nature of 21st century threats. In that sense, monitoring the effect of attribution and intelligence disclosure on the French public will likely play an important role in the evolution of France’s attribution policy.

Much remains to be learned from France’s shift on attribution, as information about the decision-making process and the ways in which opportunity analysis and risk mitigation are handled are currently absent from public debates. On this, the processes developed by other countries could support reflection on the organizational implications of France’s new policy. In the United Kingdom, for instance, the disclosure process has been centralized around the Joint Intelligence Organisation and National Security Council. The Dutch military intelligence agency has developed its own internal process with the establishment of a disclosure board. In the context of renewed debates on the perceived need to transform France’s defense council into a national security council, similar to what exists in the United States, this new policy could also add to the workload and institutional pressure weighing on specialized agencies.

Beyond the internal dynamics of the French state, the increasing use of attribution will also affect France’s international cooperation, both in securing permissions from partners with intelligence equities and in coordinating joint attributions. France’s cautious embrace of attribution additionally raises the question of a unified trans-Atlantic approach.

Quentin Jalabert is a Ph.D. candidate working on French intelligence disclosures at Leiden University

Damien Van Puyvelde is associate professor and head of the Intelligence and Security Research Group at Leiden University. He is the author of the forthcoming book The DGSE: A concise history of France’s foreign intelligence service (Georgetown University Press, 2027).

Thomas Maguire is an assistant professor of intelligence and security at Leiden University, where he leads a project on intelligence disclosures.

Image: École polytechnique via Wikimedia Commons