France’s National Cybersecurity Policy: Both Defend & Attack

Uploaded on 2019-04-29 in GOVERNMENT-National, GOVERNMENT-Defence, FREE TO VIEW

France has recently defined its cybersecurity policy, pledging to use its capabilities in this sphere in an offensive capacity if it should be required. Late last year, it also set out a series of standards that it believes should be adopted internationally for the digital space.

At a global conference in Lille earlier in 2019, the French Defence Secretary, Florence Parly (pictured), said the country would “use its cyber arms as with all other traditional weapons ...to respond and attack”.  

Her comments at the Forum International de la Cybersécurité (FIC), are particularly resonant, when viewed through the prism of the stance most commonly adopted by EU nations in this area; which is one of reactive defence – with overhauls happening in the wake of major cyber incidents. 

Parly said that the “cyber-weapon is not only for our enemies” to deploy, and added that the country’s doctrine in relation to cyber warfare encompassed public and private partnerships, with the nation’s defence establishment working with SME’s in the tech sector, to help bolster the country’s cyber-defence and security capabilities. 

In addition, she called for pan-European cooperation in relation to cyber security threats, a crisis which she said “has no border”.

The French stance on cybersecurity was crystallised at the November 2018 Paris Call announcement, at which Parly unveiled the country’s doctrine for offensive cyber operations. The basis for these developments goes back to the country’s Defence and National Security Review in 2017 and, which identified cyber as an area of priority, leading to the establishment of a Cyber Defence Command, to head the development of a doctrine in this area. 

The French strategy has been financed to the tune of six billion euros up to 2025, and the country’s defence ministry aims to have 4,000 operatives specialising in cyber-security by 2025.

The Paris Call is a non-binding international document. It does not set out specific measures, but rather, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace. It came about as a result of an impasse at a UN level, when it came to adapting standards and norms that should be expected across the digital space. 

The Paris Call sets out nine objectives that are intended to represent a compromise of priorities between national governments, business and civil society. To date, over 57 nations have signed up to this accord, from across the globe.
Unveiling its new cyber-doctrine in January of this year, the Defence Secretary referred to three specific cyber incidents over recent years. The first is related to Turla, a Russian speaking cyber espionage group, who experts believe are responsible for multiple cyber incidents. 

Parly said that Turla had targeted two dozen high-ranking French officials for several months in 2017 and 2018, with the reported objective of uncovering details of the French Navy’s oil supply chain. On the eve of the 2017 French election, a coordinated leak of documents from the Macron campaign, raised suspicions of foreign interference in French domestic politics.

In 2015, the 12 stations of TV5Monde were attacked, and taken off the air, in a particularly malevolent assault. The attackers carried out reconnaissance of TV5Monde, to understand the way in which it broadcast its signals. They then developed custom-made malicious software to specifically corrupt and destroy the internet-connected hardware that controlled the TV station’s operations.

This was an attack not aimed at espionage, but at destruction; something that could have real global consequences. 

The attack was initially claimed by a group called the Islamic Caliphate, but investigators warned against early judgements that it was related to the terror group ISIS, who were at the peak of their infamy in 2015. Indeed, subsequent investigations pointed to a Russian organisation, known as APT 28.

One of the most notable aspects of France’s cybersecurity and cyber-defence model, is that it has taken shape in a relatively short period of time, in under three years. On a civilian level, it provides a well-funded and state supported national resource, the National Cyber Security Agency

This Agency delivers an expertly led asset, to both the French business community and the French state itself, including the intelligence community and the military. The fact that the Defence Secretary identified the explicit cyber events that triggered the development of this new position, is a deviation in French policy, which had previously been reluctant to ‘name and shame’ those suspected of cyber incursions.

Going forward, if French policy is to dictate the tempo of cyber operations at a European level, it will need to balance advocating for a set of ‘cyber standards’ as set out in the Paris Call; with a growing need to develop, and if necessary to use, cyber operations, both as a deterrent and a defence.

SouthEUSummit:

You Might Also Read:

Hackers Came, But the French Were Prepared

Neither US, Russia Or China Will Sign Macron's Cyber Pact:

 

 

« Attacks On Business Are Intensifying
The IoT Is A Big Headache For Software Developers »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Nmap Project

Nmap Project

Nmap Project is a Free and open source tool for network discovery, administration, and security auditing.

Secure Identity Alliance (SIA)

Secure Identity Alliance (SIA)

The Secure Identity Alliance is dedicated to supporting sustainable worldwide economic growth and prosperity through the development of trusted digital identities and the adoption of secure eServices.

Advanced Systems International SAC

Advanced Systems International SAC

Advanced Systems international is a global company dedicated to data security software design, development, support, and licensing.

AVeS Cyber Security

AVeS Cyber Security

AVeS combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions.

Cybersecurity Competence Center (C3)

Cybersecurity Competence Center (C3)

The Cybersecurity Competence Center was created to further strengthen the Luxembourg economy in the field of cybersecurity.

IoTsploit

IoTsploit

IoTsploit provides 20/20 visibility of network connections, protecting critical infrastructure assets from IoT vulnerabilities.

Asvin

Asvin

Asvin provides secure update management and delivery for Internet of Things - IoT Edge devices.

RUSCADASEC

RUSCADASEC

RUSCADASEC is an independent non-profit initiative on developing the open Russian-speaking international community of industrial cyber security/ICS/SCADA cyber security professionals.

689cloud

689cloud

689Cloud is a cloud content collaboration platform that allows users to protect, track, and control files AFTER they have been shared.

VectorUSA

VectorUSA

VectorUSA is a premier technology solution provider. We design, build and maintain cybersecurity, data center, wireless and managed solutions – transforming business needs into technology solutions.

Cipher

Cipher

Founded in 2000, Cipher is a global cybersecurity company that delivers a wide range of Managed Security Services.

StrataCore

StrataCore

StrataCore is a single-source technology lifecycle advocate that works behind IT teams as a strategic partner to help them achieve peak enterprise outcomes.

Raman Power Technologies

Raman Power Technologies

Raman Power Technologies focus on bringing value and solving business challenges through the delivery of modern IT services and solutions including cybersecurity.

Istari

Istari

ISTARI is a new kind of cyber risk management company. We’re an agile collective of best-in-class capabilities and experts, who build ongoing partnerships with clients.

HashiCorp

HashiCorp

At HashiCorp, we believe infrastructure enables innovation, and we are helping organizations to operate that infrastructure in the cloud.

Black Alps

Black Alps

Black Alp's mission is to promote cybersecurity through the organization of dedicated events.