France’s National Cybersecurity Policy: Both Defend & Attack

France has recently defined its cybersecurity policy, pledging to use its capabilities in this sphere in an offensive capacity if it should be required. Late last year, it also set out a series of standards that it believes should be adopted internationally for the digital space.

At a global conference in Lille earlier in 2019, the French Defence Secretary, Florence Parly (pictured), said the country would “use its cyber arms as with all other traditional weapons ...to respond and attack”.  

Her comments at the Forum International de la Cybersécurité (FIC), are particularly resonant, when viewed through the prism of the stance most commonly adopted by EU nations in this area; which is one of reactive defence – with overhauls happening in the wake of major cyber incidents. 

Parly said that the “cyber-weapon is not only for our enemies” to deploy, and added that the country’s doctrine in relation to cyber warfare encompassed public and private partnerships, with the nation’s defence establishment working with SME’s in the tech sector, to help bolster the country’s cyber-defence and security capabilities. 

In addition, she called for pan-European cooperation in relation to cyber security threats, a crisis which she said “has no border”.

The French stance on cybersecurity was crystallised at the November 2018 Paris Call announcement, at which Parly unveiled the country’s doctrine for offensive cyber operations. The basis for these developments goes back to the country’s Defence and National Security Review in 2017 and, which identified cyber as an area of priority, leading to the establishment of a Cyber Defence Command, to head the development of a doctrine in this area. 

The French strategy has been financed to the tune of six billion euros up to 2025, and the country’s defence ministry aims to have 4,000 operatives specialising in cyber-security by 2025.

The Paris Call is a non-binding international document. It does not set out specific measures, but rather, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace. It came about as a result of an impasse at a UN level, when it came to adapting standards and norms that should be expected across the digital space. 

The Paris Call sets out nine objectives that are intended to represent a compromise of priorities between national governments, business and civil society. To date, over 57 nations have signed up to this accord, from across the globe.
Unveiling its new cyber-doctrine in January of this year, the Defence Secretary referred to three specific cyber incidents over recent years. The first is related to Turla, a Russian speaking cyber espionage group, who experts believe are responsible for multiple cyber incidents. 

Parly said that Turla had targeted two dozen high-ranking French officials for several months in 2017 and 2018, with the reported objective of uncovering details of the French Navy’s oil supply chain. On the eve of the 2017 French election, a coordinated leak of documents from the Macron campaign, raised suspicions of foreign interference in French domestic politics.

In 2015, the 12 stations of TV5Monde were attacked, and taken off the air, in a particularly malevolent assault. The attackers carried out reconnaissance of TV5Monde, to understand the way in which it broadcast its signals. They then developed custom-made malicious software to specifically corrupt and destroy the internet-connected hardware that controlled the TV station’s operations.

This was an attack not aimed at espionage, but at destruction; something that could have real global consequences. 

The attack was initially claimed by a group called the Islamic Caliphate, but investigators warned against early judgements that it was related to the terror group ISIS, who were at the peak of their infamy in 2015. Indeed, subsequent investigations pointed to a Russian organisation, known as APT 28.

One of the most notable aspects of France’s cybersecurity and cyber-defence model, is that it has taken shape in a relatively short period of time, in under three years. On a civilian level, it provides a well-funded and state supported national resource, the National Cyber Security Agency

This Agency delivers an expertly led asset, to both the French business community and the French state itself, including the intelligence community and the military. The fact that the Defence Secretary identified the explicit cyber events that triggered the development of this new position, is a deviation in French policy, which had previously been reluctant to ‘name and shame’ those suspected of cyber incursions.

Going forward, if French policy is to dictate the tempo of cyber operations at a European level, it will need to balance advocating for a set of ‘cyber standards’ as set out in the Paris Call; with a growing need to develop, and if necessary to use, cyber operations, both as a deterrent and a defence.

SouthEUSummit:

You Might Also Read:

Hackers Came, But the French Were Prepared

Neither US, Russia Or China Will Sign Macron's Cyber Pact:

 

 

« Attacks On Business Are Intensifying
The IoT Is A Big Headache For Software Developers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CloudEndure

CloudEndure

CloudEndure offers Disaster Recovery and Continuous Replication for the Cloud.

Kore Telematics

Kore Telematics

Kore is a leading managed service provider for IoT and M2M applications.

ODVA

ODVA

ODVA is a global trade and standards development organization whose members comprise the world’s leading industrial automation companies.

Galvanize

Galvanize

Galvanize is a leading provider of award-winning, cloud-based security, risk management, compliance, and audit software for some of the world’s largest organizations.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

ComCERT

ComCERT

ComCERT SA is an independent, private consulting company focusing in the assistance of its customers facing the dangers of cyber threats and security incidents.

Information and Communication Technology Authority (ICT Authority) - Kenya

Information and Communication Technology Authority (ICT Authority) - Kenya

The ICT Authority is responsible for enforcing ICT standards in Government and ensuring information security.

Tech-Recycle

Tech-Recycle

Tech-Recycle was formed to help companies and individuals securely, ethically and easily recycle their IT and office equipment. We destroy all data passed to us safely and securely.

Griffeshield

Griffeshield

Griffeshield is a company specialised in new information technologies used to protect Intellectual Property.

Tokio Marine HCC

Tokio Marine HCC

Tokio Marine HCC is a leading specialty insurance group with a Financial and Professional product line including Tech and Cyber.

Cyber Security Canada

Cyber Security Canada

Cyber Security Canada is an accredited Certification Body for government-backed Cyber Security Certification Programs, designed specifically for small and medium-sized Canadian businesses.

HEROIC Cybersecurity

HEROIC Cybersecurity

HEROIC’s enterprise cybersecurity services help improve overall organizational security with industry best practices and advanced technology solutions.

Bluefin Payment Systems

Bluefin Payment Systems

Bluefin is the recognized integrated payments leader in encryption and tokenization technologies that protect payments and sensitive data.

MAUSHIELD

MAUSHIELD

MAUSHIELD is the national platform for sharing cyber threat information and intelligence that can help organisations to improve their cybersecurity posture, minimize risks and prevent cyber-attacks.

Custom Computer Specialist (CCS)

Custom Computer Specialist (CCS)

CCS offers an extensive range of services including cybersecurity solutions, consulting, implementation, and support to help our clients maximize the value derived from IT investments.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.