On 8nd of April, 2015, TV5 monde, an international French channel boasting 32 million viewers every week, was suddenly cut off air, with its websites eventually displaying banners advertising a so-called “Cyber Caliphate.” The channel had been the victim of a sophisticated cyber attack, stoking anxiety exactly four months after the Charlie Hebdo terrorist attacks. It turned out that the plot was a false flag sabotage operation conducted by APT28, a Russian group of hackers that would later get involved in the Democratic National Committee hack.
The attack was an embarrassment, but not a surprise. A sought-after target for foreign spies and cyber terrorists, France had long anticipated that cyber security would emerge as a strategic domain, but struggled to meet the challenge. The birth and rise of France’s cyber security culture has been slow and painful, since the country lacked resources and knowledge, especially in military cyber capabilities. Civilian, military, and intelligence agencies competed for responsibilities, which led to scattered budgets and duplicated efforts.
It took a dramatic increase in cyber attacks for France to fully accomplish its digital revolution. In 2009, France created a National Cybersecurity Agency (ANSSI) to better distribute roles between various institutions. The 2011 National Cybersecurity Strategy confirmed the aim of creating a centralized cyber model, under which the government would help protect key private actors. The 2013 White Paper on Defense outlined France’s cyber ambitions and its intent to treat major cyber attacks as “acts of war”. The country slowly started to acknowledge that it was developing offensive cyber capabilities. At the end of 2016, M. Le Drian, then the French minister of defense, assembled the disparate elements of cyber doctrine into a seminal speech, in which he announced the creation of a French cyber command.
The Strategic Review on Cyberdefense that the General Secretariat of National Defense and Security released on Feb. 13 completes this evolution. The document, complementary to the International Digital Strategy, which came out in December 2017, is a decisive leap forward in defining a full-fledged cyber defense doctrine, after a partial attempt in 2015. Officials describe the new review, which comes in at 167 pages, as nothing less than a “White Book on cybersecurity”, providing an excellent overview of France’s civilian and military ambitions in the cyber domain.
The document is the cornerstone of France’s efforts to become a world-class cyber actor. It sets in stone the French distinction between offensive and defensive cyber missions, reasserts France’s resolve to aggressively defend against and respond to large-scale attacks, including by using force in legitimate self-defense, and pleads for a collective effort to regulate private and public behaviors in a cyber domain described as a new “Wild West.” The review strikes a balance between France’s realization of its limited influence on international trends in cyber space and its determination to promote its unique vision, using the European Union as a vehicle to voice its concerns.
Chasing sovereignty: Preventing the rise of a digital golem
France was once a pioneer in digital networks with its moderately open Minitel environment, only to see the U.S.-created Internet surpass it in the 1990s. It stands to reason that today, while in the US thriving private companies like Facebook worry that an overregulated cyber space may become business-hostile, the French review, citing a Berkeley study as a source, is concerned that the internet might be evolving into a “cyber Wild West.” The review goes as far as to suggest that absent consensual rules of behavior in cyber space, rogue initiatives, reckless state actions, disruptive technologies, loosely controlled malwares, and complacency could lead to the rise of a “digital golem” a powerful unformed mass without a soul, with adverse effects on international security.
If cyber space resembles the “Wild West”, digital sovereignty is an asset one must seek out rather than a natural right owed to all countries. Apart from the US, where powerful private companies act as guarantors of digital sovereignty, other countries generally have a set of tools, infrastructures, and regulation to secure it - and few governments fully master the concept. France and the European Union lack any world-class private sector champions the size of Amazon, Huawei, or Google. France therefore seeks EU cooperation to shift the balance of power. It transposes onto the cyber domain its quest for “EU strategic autonomy” (a concept that has raised eyebrows in the US). The cyber defense review heralds the European Union as the main vehicle for capability development, whereas NATO is lauded primarily as a framework to promote best practices and incentivize national capacity-building efforts (via the alliance’s cyber defense pledge).
The french cyber defense model
The French model is based on a clear compartmentalization between defensive and offensive missions. The ANSSI, a civilian body, serves as a liaison with public and private operators of vital importance, while intelligence agencies supply the agency with a broad picture of global cyber threat patterns. Finally, the ANSSI delegates authority to the Ministry of Defense for the protection of military networks only. The “military action” chain of command is entitled to conduct offensive operations under the authority of the French president.
The review posits the French model as an alternative to the U.S. vision, in which, as the French see it, most defensive cyber capabilities are concentrated in the intelligence community. In France, the ANSSI has no organic link to the Ministry of Defense or the intelligence agencies, yet it retains the authority and tools to provide defensive assistance to and advise third parties on cyber protection. France believes this division of labor builds trust with private entities. Under this thinking, private companies will be more willing to tolerate governmental assistance - and direct intervention - if they don’t fear such collaboration could incidentally help the intelligence community pursue its own goals (likestarting an unrelated legal investigation or collecting more data than necessary).
However, there is a more prosaic explanation for this setup. The French model was built incrementally out of loosely coordinated institutions that gained cyber skills gradually. As threats became more sophisticated and the number of governmental bodies grew, generating a risk of bureaucratic traffic jams, so did the need to establish clear rules and repartition of roles between civilian, military, and intelligence institutions. The new review does exactly that.
Cyber attacks and potential responses
The review establishes cyber defense as a strategic priority, confirming that a conflict that starts in the cyber domain could have broader diplomatic, political and military consequences. It displays a five-grade scale of potential response to cyber incidents based on the US Cyber Incident Severity Schema. Although less precise than its US equivalent, the French chart signals that a predefined set of responses would be available to leadership in case of a crisis, across the spectrum of non-military and military capabilities.
Cyber Incident Severity Schema
Factors determining the nature and scale of a response include the adversary’s intent to cause extensive physical damages, especially to human life. Still, the chart makes a subtler distinction between vital infrastructure (transportation, the health system, and so forth) and “supercritical infrastructure” (energy and communication). This distinction will help assess the intent of the adversary, as an attempt to destroy or disable supercritical infrastructures would probably foreshadow an imminent large-scale attack, and trigger a much stronger response.
The chart echoes the logic of France’s broader defense posture. Le Drian said in 2016 that “deterrence” doesn’t apply to cyber space, an unsurprising remark since in France deterrence (“dissuasion”) is limited to the nuclear domain. Still, the fifth level of the chart shows that, just like dissuasion nucléaire protects France’s intérêts vitaux, France hopes to deter the gravest cyber attacks against its vital infrastructure by threatening to escalate to the next level - overt conventional conflict.
Self-defense and reprisals under international law
France pledges to use force only in legitimate self-defense, that is, in response to a cyber attack that would cross the UN Charter’s Article 51 threshold. This rules out the possibility of a “preventive cyber attack” against a hostile third party (along the lines of one option the administration envisaged for disrupting Iranian installations.) By contrast, strictly preemptive action (to contain an attack or prevent an imminent aggression) could in certain circumstances be legal under international law, depending on the scale and effects of the attack.
The decision to abide by international law in times of conflict constrains the range of possible responses to cyber attacks with more ambiguous consequences. For example, although the document claims democratic life is an asset of vital importance just like a power grid, even a large hack aimed at disrupting an election would be less likely to trigger a conventional military response than an attack against a key power grid would be. If the threshold for offensive action is not met, France claims it would act under the UN Charter’s Chapter VI, taking economic or political reprisal measures, a stance consistent with America’s response to Russia’s electoral interference in 2016. Judicial cooperation with allies and partners to sue state-sponsored as well as lone cyber criminals will also be increased.
Finally, the very nature of cyber space (which permits relative anonymity and lacks a central authority) complicates efforts to identify the attacker. The attribution dilemma draws states into lengthy investigations to demonstrate the lawfulness of a response. France presents an innovative solution to this well-known problem by declaring the attribution dilemma irrelevant, as any country through which a cyber attack occurs must in “due diligence” provide assistance to the victim, regardless of the identity of the attacker. This would allow France to request help from allies (through the EU Treaty’s article 42.7 or NATO’s article 5) early in a crisis. But it could also portray inaction on the part of a suspect entity as an admittance of guilt, opening the door to coercive responses.
Building a digital space of trust behind thick walls
Because they anticipate large-scale cyber attacks, French authorities aim to build up national resilience and create “a digital space of trust in partnership” between governmental agencies and private actors. In such a system, large private actors are of strategic importance and authorities expect them to actively contribute to enhance systemic stability. However, they are not responsible for defining how to achieve this goal.
From a French standpoint, the state is the primary body responsible for national cyber security (in contrast to the US, where experts vocally support private sector empowerment). A series of scandals involving private cyber security players corroborated this view: the Kaspersky products might have contained an (intentional or not) backdoor for Russian intelligence, while the review states that Hacking Team, an Italian company, trapped its own clients’ data-collection tools. France therefore advocates a global initiative to ban private actors from using offensive cyber weapons and techniques, such as through “hacking back”.
Private digital actors are liable for the products they distribute, especially if they fail to patch identified vulnerabilities. All operators deemed “of vital importance” must strengthen their cyber security standards, while ANSSI will be entitled to make sure that new sensitive or significant public digital projects meet specific cyber security standards. The measures proposed in the review will allow electronic communications operators to implement detection systems in their networks to detect cyber attacks. In a situation of absolute emergency, the ANSSI will be entitled to intervene directly on a web host’s server or on the equipment of an electronic communications operator.
The French cyber defense review preaches stability in cyber space, but ultimately prepares for war. The document emerges just before discussion begins on the next Military Planning Act (2019-2025). The choice to present elements of doctrine and the creation of the incident classification scheme with a toolbox of potential responses indicate a desire to warn and, at the higher end of the spectrum, deter, potential adversaries. It is noteworthy that while the review promotes strategic bilateral dialogues with the US, China, and Brazil to enhance cooperation, what it primarily describes is a need to clarify norms of behavior, thresholds and breaking points for non-cooperative state activities in cyber space. France seems dubious about prospects for multilateral cooperation in cyber space in the short run.
France sets a high-level of ambition, but it is unclear whether it has the industrial and economic potential to close the cyber gap with leading competitors. Lacking capabilities to symmetrically respond to China or Russia, the country will have to bridge the gap by cleverly using public and private diplomacy to manage tensions. To circumvent rigidities inherent to the international system, France intends to use - once again - the European Union as an echo chamber to propagate its vision of an international cyber order. If Europe succeeds in establishing international standards and helps the French vision take off, France will use its own clout to promote them further in other multilateral formats, such as the G7.
France’s insistence on the European dimension of its cyber security environment will certainly raise eyebrows, especially in the US. Particularly, the document’s call to consider the creation of a “EU Rapid Reaction Team,” that would assist EU member states in responding to a severe cyber attack, will inevitably generate criticism. It might even be dismissed as yet another French attempt to create an EU (digital) army, a mantra for commentators on European security. However, such criticism would be a misrepresentation of the proposal, which comes with a lot of guarantees (voluntary basis, collective decision-making process, political endorsement) and would strengthen the effectiveness of the E.U. treaty’s article 42.7 mutual defense clause.
Yet the French president was clearly infuriated by the “Macron Leaks” during the 2017 election, so much so that he announced a bill aimed at fighting propaganda. The absence of any proposal in the cyber defense review only means this issue will be dealt with separately - France will be holding a dedicated international conference on 4.4., which could set the stage for next steps.
The French cyber defense review provides a long-awaited overview of France’s vision of cooperation, cohabitation, and conflict in cyber space. The document voices noticeable concerns about respecting international law and using existing multilateral frameworks to impose norms of behavior in cyber space, remaining conscious that some of its orientations could raise important debates, even in the US. The review, as it plans for potential conflict, is not native about the fact that cyber space will remain.