France’s National Cybersecurity Policy: Both Defend & Attack

France has recently defined its cybersecurity policy, pledging to use its capabilities in this sphere in an offensive capacity if it should be required. Late last year, it also set out a series of standards that it believes should be adopted internationally for the digital space.

At a global conference in Lille earlier in 2019, the French Defence Secretary, Florence Parly (pictured), said the country would “use its cyber arms as with all other traditional weapons ...to respond and attack”.  

Her comments at the Forum International de la Cybersécurité (FIC), are particularly resonant, when viewed through the prism of the stance most commonly adopted by EU nations in this area; which is one of reactive defence – with overhauls happening in the wake of major cyber incidents. 

Parly said that the “cyber-weapon is not only for our enemies” to deploy, and added that the country’s doctrine in relation to cyber warfare encompassed public and private partnerships, with the nation’s defence establishment working with SME’s in the tech sector, to help bolster the country’s cyber-defence and security capabilities. 

In addition, she called for pan-European cooperation in relation to cyber security threats, a crisis which she said “has no border”.

The French stance on cybersecurity was crystallised at the November 2018 Paris Call announcement, at which Parly unveiled the country’s doctrine for offensive cyber operations. The basis for these developments goes back to the country’s Defence and National Security Review in 2017 and, which identified cyber as an area of priority, leading to the establishment of a Cyber Defence Command, to head the development of a doctrine in this area. 

The French strategy has been financed to the tune of six billion euros up to 2025, and the country’s defence ministry aims to have 4,000 operatives specialising in cyber-security by 2025.

The Paris Call is a non-binding international document. It does not set out specific measures, but rather, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace. It came about as a result of an impasse at a UN level, when it came to adapting standards and norms that should be expected across the digital space. 

The Paris Call sets out nine objectives that are intended to represent a compromise of priorities between national governments, business and civil society. To date, over 57 nations have signed up to this accord, from across the globe.
Unveiling its new cyber-doctrine in January of this year, the Defence Secretary referred to three specific cyber incidents over recent years. The first is related to Turla, a Russian speaking cyber espionage group, who experts believe are responsible for multiple cyber incidents. 

Parly said that Turla had targeted two dozen high-ranking French officials for several months in 2017 and 2018, with the reported objective of uncovering details of the French Navy’s oil supply chain. On the eve of the 2017 French election, a coordinated leak of documents from the Macron campaign, raised suspicions of foreign interference in French domestic politics.

In 2015, the 12 stations of TV5Monde were attacked, and taken off the air, in a particularly malevolent assault. The attackers carried out reconnaissance of TV5Monde, to understand the way in which it broadcast its signals. They then developed custom-made malicious software to specifically corrupt and destroy the internet-connected hardware that controlled the TV station’s operations.

This was an attack not aimed at espionage, but at destruction; something that could have real global consequences. 

The attack was initially claimed by a group called the Islamic Caliphate, but investigators warned against early judgements that it was related to the terror group ISIS, who were at the peak of their infamy in 2015. Indeed, subsequent investigations pointed to a Russian organisation, known as APT 28.

One of the most notable aspects of France’s cybersecurity and cyber-defence model, is that it has taken shape in a relatively short period of time, in under three years. On a civilian level, it provides a well-funded and state supported national resource, the National Cyber Security Agency

This Agency delivers an expertly led asset, to both the French business community and the French state itself, including the intelligence community and the military. The fact that the Defence Secretary identified the explicit cyber events that triggered the development of this new position, is a deviation in French policy, which had previously been reluctant to ‘name and shame’ those suspected of cyber incursions.

Going forward, if French policy is to dictate the tempo of cyber operations at a European level, it will need to balance advocating for a set of ‘cyber standards’ as set out in the Paris Call; with a growing need to develop, and if necessary to use, cyber operations, both as a deterrent and a defence.

SouthEUSummit:

You Might Also Read:

Hackers Came, But the French Were Prepared

Neither US, Russia Or China Will Sign Macron's Cyber Pact:

 

 

« Attacks On Business Are Intensifying
The IoT Is A Big Headache For Software Developers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Security Agency of Singapore (CSA)

Cyber Security Agency of Singapore (CSA)

The CSA is the national agency overseeing cybersecurity strategy, operation, education, outreach, and ecosystem development.

National Cyber Security Centre (NCSC) - New Zealand

National Cyber Security Centre (NCSC) - New Zealand

The role of the NCSC is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.

Sternum

Sternum

Sternum provides reliable and effective endpoint security for any IoT device, using robust technology and seamless integration.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

Securis

Securis

Securis provides organizations and agencies with the highest level of professional, ultra-secure data destruction and IT recycling.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

Alias Robotics

Alias Robotics

Alias Robotics is a robot cyber security company. We deliver cyber security solutions for robots and robot components.

Guidehouse

Guidehouse

Guidehouse is a leading global provider of consulting services to the public and commercial markets with broad capabilities in management, technology, and risk consulting.

Componolit

Componolit

Componolit GmbH is a highly specialized company with a strong emphasis on trustworthy software, component-based systems and formal verification.

Shorebreak Security

Shorebreak Security

Shorebreak Securioty specialize in conducting highly accurate, safe, and reliable Information Security tests to determine the risks posed to your business.

Sencode Cyber Security

Sencode Cyber Security

Sencode provides a range of IT security solutions and services, including penetration testing and cyber awareness training to help mitigate the growing risks to your corporate infrastructure.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

Cyber Ranges

Cyber Ranges

Cyber Ranges is the next-generation cyber range for the development of cyber capabilities and the validation of cyber security skills and organizational cyber resilience.

PyNet Labs

PyNet Labs

PyNet Labs is a Training Company serving corporates as well as individuals across the world with ever-changing IT and technology training.

C/side (cside)

C/side (cside)

At c/side, we're creating the ultimate delivery, performance and detection mechanism for browser-side fetched 3rd party Javascript.

Sacumen

Sacumen

Sacumen is a niche player in the cybersecurity market, solving critical problems for security product companies.