In the last decade, cyber-attacks have increased considerably in France. In order to limit the occurrence at a national level, numerous initiatives have been carried out to regulate lawful actions that can be carried out in cyberspace, but with limited results due to differences in cyberspace use, especially by state actors such as Russia and China.
At the beginning of 2018, Prime Minister Edouard Philippe entrusted the General Secretariat of Defence and National Security to draft a strategy to combat cyber threats. According to the French strategy, cyber deterrence presents two main problems. The first relates to the impossibility of following a transparent and credible public position, that is of explaining the methods and systems through which cyber deterrence should be carried out. This difficulty is generated because, unlike conventional or nuclear deterrence, knowing the response methods implies an evolution of the attack methods and a consequent ineffectiveness of the deterrence itself. The second limit is related to a cyberattack’s consequences, which do not necessarily cause destructive effects as nuclear weapons.
In cyber deterrence, it is not possible to ensure international stability in the proliferation of computer systems that can be used for offensive purposes, on the one hand, because they can also be used for non-malicious uses. On the other hand, non-malicious actors can also hold the technology developed by States, with the consequent impossibility of imposing a specific limit on their proliferation.
From an operational point of view, the French government laid the foundations for establishing the National Agency for the management of cyberattacks and the protection of the State Information System. The agency’s creation with an inter-ministerial character also marked the separation between offensive capabilities – information gathering and attack operations – and defensive capabilities – protection and defence of assets. This division allows a faster reaction to cyber-attacks and better cyber coordination, which brings together the various ministries concerned and allows the implementation of the most appropriate response concerning the extent of the attack. In the event of a hostile cybernetic event of national significance or directed towards the armed forces, the Ministry of Defence will intervene. The agency cooperates with the Cyber Defence Command, established in 2017 and responsible for the security and cyber defence of systems, infrastructures, and operations of the Ministry of Defence, which helps to acquire a complete picture of the threat.
About NATO, the 2018 strategy had underlined the importance of carrying out the work to strengthen the allies’ cyber capabilities through a more outstanding commitment within the Cyber Defence Pledge and a better integration of defence capabilities in operational scenarios and NATO missions. The latter concept reiterated that France would not hesitate to use the cyber weapon in military operations, and those sector operators carrying out their functions will benefit from the same protections as soldiers employed in operations abroad.
Furthermore, with regards to the international framework, France is a part of the so-called Fourteen Eyes Agreement, known as Sigint Seniors Europe. This interstate intelligence sharing agreement unites France with 13 other countries on three continents. It is an alliance of states that have agreed to share information. Its origin dates back to 1943, when an agreement was reached between the British and the United States on a ten-page communication agreement. It initially started with just five countries and was known as the BRUSA agreement. The program has since grown to 9 countries and now includes 14 countries in total.
From an industrial point of view, France paid much attention to the industry’s national and European development in the cyber domain. Much of the 2018 strategy was dedicated to the partnership between government agencies and companies in the sector. In November 2019, a cyber agreement was signed between the Ministry and the eight major industries supplying weapons systems in France, which provides for creating specific working groups to better respond to the French cyber defence needs.
The constant technological evolution in the cyber field, as well as the high number of attacks suffered by the Ministry of Defence, have led to the inclusion in the military planning law 2019-2025 of investment of 1.6 billion euros in the fight in the cyber domain and an increase in personnel equal to 1,000 “cyber fighters” to be distributed between the Comcyber, the Direction générale de la sécurité extérieure (Dgse) and the Direction générale de l’armement (Dga) to reach 2025 with a total of 4,500 units. Of these, about half will be dedicated to the protection of information systems, a quarter to cyber defence, and the remainder to offensive cyber operations.
Paris has a clear understanding of the possibilities arising from the active use of cyber defence. For the European capital, cyber defence and deterrence are equivalent to ensuring not only the ability to react in the event of a cyberattack, but also the possibility of preventive action against potential adversaries, whether state-owned or not. It is according to this logic that France is structuring cyberattacks against Advanced Persistent Threat attributable to Daesh.
Written by Emilio Lo Giudice and Cosimo Melella.