France’s National Cybersecurity Policy: Both Defend & Attack

Uploaded on 2019-04-29 in GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW

France has recently defined its cybersecurity policy, pledging to use its capabilities in this sphere in an offensive capacity if it should be required. Late last year, it also set out a series of standards that it believes should be adopted internationally for the digital space.

At a global conference in Lille earlier in 2019, the French Defence Secretary, Florence Parly (pictured), said the country would “use its cyber arms as with all other traditional weapons ...to respond and attack”.  

Her comments at the Forum International de la Cybersécurité (FIC), are particularly resonant, when viewed through the prism of the stance most commonly adopted by EU nations in this area; which is one of reactive defence – with overhauls happening in the wake of major cyber incidents. 

Parly said that the “cyber-weapon is not only for our enemies” to deploy, and added that the country’s doctrine in relation to cyber warfare encompassed public and private partnerships, with the nation’s defence establishment working with SME’s in the tech sector, to help bolster the country’s cyber-defence and security capabilities. 

In addition, she called for pan-European cooperation in relation to cyber security threats, a crisis which she said “has no border”.

The French stance on cybersecurity was crystallised at the November 2018 Paris Call announcement, at which Parly unveiled the country’s doctrine for offensive cyber operations. The basis for these developments goes back to the country’s Defence and National Security Review in 2017 and, which identified cyber as an area of priority, leading to the establishment of a Cyber Defence Command, to head the development of a doctrine in this area. 

The French strategy has been financed to the tune of six billion euros up to 2025, and the country’s defence ministry aims to have 4,000 operatives specialising in cyber-security by 2025.

The Paris Call is a non-binding international document. It does not set out specific measures, but rather, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace. It came about as a result of an impasse at a UN level, when it came to adapting standards and norms that should be expected across the digital space. 

The Paris Call sets out nine objectives that are intended to represent a compromise of priorities between national governments, business and civil society. To date, over 57 nations have signed up to this accord, from across the globe.
Unveiling its new cyber-doctrine in January of this year, the Defence Secretary referred to three specific cyber incidents over recent years. The first is related to Turla, a Russian speaking cyber espionage group, who experts believe are responsible for multiple cyber incidents. 

Parly said that Turla had targeted two dozen high-ranking French officials for several months in 2017 and 2018, with the reported objective of uncovering details of the French Navy’s oil supply chain. On the eve of the 2017 French election, a coordinated leak of documents from the Macron campaign, raised suspicions of foreign interference in French domestic politics.

In 2015, the 12 stations of TV5Monde were attacked, and taken off the air, in a particularly malevolent assault. The attackers carried out reconnaissance of TV5Monde, to understand the way in which it broadcast its signals. They then developed custom-made malicious software to specifically corrupt and destroy the internet-connected hardware that controlled the TV station’s operations.

This was an attack not aimed at espionage, but at destruction; something that could have real global consequences. 

The attack was initially claimed by a group called the Islamic Caliphate, but investigators warned against early judgements that it was related to the terror group ISIS, who were at the peak of their infamy in 2015. Indeed, subsequent investigations pointed to a Russian organisation, known as APT 28.

One of the most notable aspects of France’s cybersecurity and cyber-defence model, is that it has taken shape in a relatively short period of time, in under three years. On a civilian level, it provides a well-funded and state supported national resource, the National Cyber Security Agency

This Agency delivers an expertly led asset, to both the French business community and the French state itself, including the intelligence community and the military. The fact that the Defence Secretary identified the explicit cyber events that triggered the development of this new position, is a deviation in French policy, which had previously been reluctant to ‘name and shame’ those suspected of cyber incursions.

Going forward, if French policy is to dictate the tempo of cyber operations at a European level, it will need to balance advocating for a set of ‘cyber standards’ as set out in the Paris Call; with a growing need to develop, and if necessary to use, cyber operations, both as a deterrent and a defence.

SouthEUSummit:

You Might Also Read:

Hackers Came, But the French Were Prepared

Neither US, Russia Or China Will Sign Macron's Cyber Pact:

 

 

« Attacks On Business Are Intensifying
The IoT Is A Big Headache For Software Developers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CERT-UG/CC

CERT-UG/CC

CERT-UG/CC is the national Computer Emergency Response Team for Uganda, operating under the National Information Technology Authority (NITA-U)

Cryptovision

Cryptovision

cv cryptovision GmbH is one of the leading specialists for modern, user-friendly cryptography and solutions for secure electronic identities.

Spire Solutions

Spire Solutions

Spire Solutions is the Middle East & Africa region’s leading cybersecurity solution provider and value-added distributor (VAD).

Search Guard

Search Guard

Search Guard® is an Open Source security suite for #Elasticsearch and the entire #ELK stack that offers encryption, authentication, authorization, audit logging and multi tenancy.

Industrial Cybersecurity Center (CCI)

Industrial Cybersecurity Center (CCI)

CCI is the first center of its kind that comes from industry without subsidies, independent and non-profit, to promote and contribute to the improvement of Industrial Cybersecurity.

Paladin Capital Group

Paladin Capital Group

Paladin is a leading global investor that supports and grows the world’s most innovative cyber companies.

Delfigo Security

Delfigo Security

Delfigo Security, a pioneer in intelligent authentication, provides a strong, multi-factor authentication solution to prevent identity theft and reduce fraud.

Purism

Purism

Purism works with hardware component manufactures and the free software community to build high quality hardware that respects your digital life.

Appdetex

Appdetex

Appdetex is a global leader in securing your brand’s digital footprint. We are a full-service brand protection company in the online and mobile brand protection space.

Oivan

Oivan

Oivan harnesses the strengths of the web, mobile, cloud, cybersecurity, and blockchain technologies to help our clients to launch transformative digital services.

Veriti

Veriti

Veriti is a unified security posture management platform that integrates with your security solutions and proactively identifies and remediates potential risks and misconfigurations.

Guardsman Cyber Intelligence (GCI)

Guardsman Cyber Intelligence (GCI)

GCI provides proven cyber intelligence solutions to protect your business against ever present physical and digital threats shadowing your online business.

SecureChain AI

SecureChain AI

SecureChain are combining blockchain and AI technology to create a smarter blockchain platform especially in terms of security.

VENZA

VENZA

VENZA is a data protection company that can help organisations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches.

IEC Cyber Ltd

IEC Cyber Ltd

IEC Cyber provides Cyber security consulting services for OT systems, with emphasis on process systems aligned to IEC 61508 and IEC 61511. We are a preferred consulting firm for IEC 62443 services.

Wired Assurance

Wired Assurance

Wired Assurance is a testing and assurance company, specialized in software applications and blockchain smart contracts.