At a global conference in Lille earlier in 2019, the French Defence Secretary, Florence Parly, said the country would “use its cyber arms as (with) all other traditional weapons (…) to respond and attack”. Her comments at the Forum International de la Cybersécurité (FIC), are particularly resonant, when viewed through the prism of the stance most commonly adopted by EU nations in this area; which is one of reactive defence – with overhauls happening in the wake of major cyber incidents. Parly said that the “cyberweapon is not only for our enemies” to deploy, and added that the country’s doctrine in relation to cyber warfare encompassed public and private partnerships, with the nation’s defence establishment working with SME’s in the tech sector, to help bolster the country’s cyber-defence and security capabilities. In addition, she called for pan-European cooperation in relation to cyber security threats, a crisis which she said “has no border”.
The French stance on cyber-security was crystallised at the November 2018 Paris Call announcement, at which Parly unveiled the country’s doctrine for offensive cyber operations. The basis for these developments goes back to the country’s Defence and National Security Review in 2017 and, which identified cyber as an area of priority, leading to the establishment of a Cyber Defence Command, to head the development of a doctrine in this area. All in all, the French strategy has been financed to the tune of six billion euros up to 2025, and the country’s defence ministry aims to have 4,000 operatives specialising in cyber-security by 2025.
The Paris Call is a non-binding international document. It does not set out specific measures, but rather, it aims to promote existing institutional mechanisms to “limit hacking and destabilising activities” in cyberspace. It came about as a result of an impasse at a UN level, when it came to adapting standards and norms that should be expected across the digital space. The Paris Call sets out nine objectives that are intended to represent a compromise of priorities between national governments, business and civil society. To date, over 57 nations have signed up to this accord, from across the globe.
Unveiling its new cyber-doctrine in January of this year, the Defence Secretary referred to three specific cyber incidents over recent years. The first is related to Turla, a Russian speaking cyber espionage group, who experts believe are responsible for multiple cyber incidents. Parly said that Turla had targetted two dozen high-ranking French officials for several months in 2017 and 2018, with the reported objective of uncovering details of the French Navy’s oil supply chain. On the eve of the 2017 French election, a coordinated leak of documents from the Macron campaign, raised suspicions of foreign interference in French domestic politics.
In 2015, the 12 stations of TV5Monde were attacked, and taken off the air, in a particularly malevolent assault. The attackers carried out reconnaissance of TV5Monde, to understand the way in which it broadcast its signals. They then developed custom-made malicious software to specifically corrupt and destroy the internet-connected hardware that controlled the TV station’s operations. This was an attack not aimed at espionage, but at destruction; something that could have real global consequences. The attack was initially claimed by a group called the Islamic Caliphate, but investigators warned against early judgements that it was related to the terror group ISIS, who were at the peak of their infamy in 2015. Indeed, subsequent investigations pointed to a Russian organisation, known as APT 28.
One of the most notable aspects of France’s cyber-security and cyber-defence model, is that it has taken shape in a relatively short period of time – in under three years. On a civilian level, it provides a well-funded and state supported national resource, the National Cyber Security Agency. This Agency delivers an expertly led asset, to both the French business community and the French state itself, including the intelligence community and the military. The fact that the Defence Secretary identified the explicit cyber events that triggered the development of this new position, is a deviation in French policy, which had previously been reluctant to ‘name and shame’ those suspected of cyber incursions.
Going forward, if French policy is to dictate the tempo of cyber operations at a European level, it will need to balance advocating for a set of ‘cyber standards’ as set out in the Paris Call; with a growing need to develop, and if necessary to use, cyber operations – both as a deterrent and a defence.