Cybersecurity and Deterrence

France’s New Offensive Cyber Doctrine

By Arthur P.B. Laudrain
Tuesday, February 26, 2019, 9:00 AM

Since its November 2018 announcement of the Paris Call, a code of conduct for cyberspace, France has turned to the offensive. On Jan. 18, French armed forces minister Florence Parly unveiled the country’s first doctrine for offensive cyber operations. This announcement is the latest in a series of deep and fast-paced measures aimed at organizing and clarifying the defense of French interests in cyberspace.

The Strategic Review for Defense and National Security, released in 2017, recognized digital sovereignty and cybersecurity as top priorities. Immediately afterward, a Cyber Defense Command was established to coordinate cyber defense within the armed forces, with the exception of the foreign intelligence agency, DGSE, which retained some level of autonomy. In parallel, the foreign affairs ministry unveiled France’s International Digital Strategy, from which emerged the Paris Call, which I summarized and analyzed on Lawfare last year.

The Military Programming Law for 2019–2025, enacted in the summer of 2018, reinforces the armed forces ministry’s efforts by dedicating an additional 1.6 billion euros for cyber operations along with 1,500 additional personnel for a total of 4,000 cyber combatants by 2025. In February 2018, the country’s first National Strategy for Cyber Defense clarified both the organization and integration of cyber operations among all government entities as well as the legal framework surrounding their use.

The French Approach to Cybersecurity and Defense

The French approach to cybersecurity and defense contrasts with that embraced by the United States or the United Kingdom. Most notably, France assumes a clear separation between military and civilian cyber defense. This means that, contrary to the National Security Agency or the U.K.’s Government Communications Headquarters, France’s leading agency for cybersecurity is civilian and not part of the intelligence community. This is a defining element of the Cyber Strategy Review and infuses the whole structure of French cyber defense. The rationale is that having a distinct civilian agency separate from offense-oriented military intelligence agencies “facilitates the acceptance of State intervention […] whether in public administration or the economic sphere.”

The National Cyber Security Agency, abbreviated in French as ANSSI and established in 2009 under the Prime Minister’s General Secretariat for Defense and National Security, has responsibility for coordination of the state’s cyber security, hosts the national computer emergency response team and acts as a regulatory body for the private sector, primarily for critical infrastructure operators.

ANSSI has six missions—cyber threat prevention, anticipation, protection, detection, attribution and reaction. Because of the number of involved actors and their overlap in each mission, the National Strategy for Cyber Defense established four “operational chains” to centralize and streamline public action in the field. They are referred to as the protection, intelligence, judicial investigations and military-action chains. Two committees, one under the prime minister and the other under the president, coordinate state policies, while a center is dedicated to the coordination of its actions in times of crises.

Peculiarities of the French cyber model are not limited to its structure for handling domestic cyber issues. On the diplomatic stage, France has also adopted a different stance than most of its counterparts. Most NATO allies are increasingly inclined to “name and shame” states involved in cyber attacks. The latest example can be found in October 2018, when the U.S., U.K., Canada and the Netherlands denounced Russian attempts at disrupting the Organization for the Prohibition of Chemical Weapons. Paris added its voice but fell short of directly blaming Moscow. Instead, it prefers forthright bilateral dialogues with Russia and other cyber powers such as the U.S., China, India, Brazil and Japan. In other words, France favors red phones over the megaphone.

“We Are Not Afraid”

This preference for discreet diplomacy over public attribution may have changed slightly, however. At the unveiling of the new offensive cyber doctrine in January, Minister Parly first revealed that threat actor Turla targeted two dozen high-ranking officials for several months between 2017 and 2018 with the objective of uncovering details on the navy’s oil supply chain. State-sponsored attacks are not new to France. The shutdown of TV5 Monde in early 2015 represented a moment of reckoning for the country, while the leaking of documents stolen from the Macron campaign on the eve of the 2017 election sounded alarm bells at the possibility of foreign meddling in domestic politics. But the Turla announcement is different, as it represents one of the first recorded instances of public attribution of a cyber attack by French authorities. Though the minister stopped short of explicitly recognizing the group’s affiliation with the Russian state, she attributed the attacker’s mode of operation to a specific group for the first time.

In response to these and other threats, France is “not afraid” of using cyber weapons, said Parly, confirming a change of tone. France did not wait until now to use such weapons, or even to admit publicly to doing so. Offensive operations were first mentioned in the 2008 National Defense White Paper and then again with more details in 2013. The case for proportional reprisals in response to a major attack was later made by then-Defense Minister Jean-Yves Le Drian: “In times of war, cyber weapons may be the response, or part of our response, to an armed attack [aggression armée], being of a cyber nature or otherwise.”

But so far, offensive cyber operations for purposes other than self-defense have been absent from public sight. Such clandestine undertakings have been the prerogative of the Directorate General for External Security, or DGSE, the country’s foreign intelligence service. Unsurprisingly, the cyber command chief happens to have served in DGSE previously. The new offensive cyber doctrine expands and details the scope of offensive cyber operations. It assumes their preparation and conduct, not only in a clandestine context but also as an integral part of or substitute for conventional military operations.

Integrating the Cyber Domain in Conventional and Influence Operations

The armed forces ministry first unveiled a summary of existing defensive operations policies.

The defensive cyber doctrine entails the prevention, anticipation and detection of and protection against cyber attacks. The scope of the doctrine is limited to reacting to and attributing the attack—limited to defensive and nonmilitary measures. To perform these tasks, the doctrine sets up an adaptive Permanent Cyber Security Posture, orienting France’s military cyber units to be prepared for what the summary describes as a “peace-crisis-war” continuum. The document thus seems to acknowledge what has been described as a state of unpeace, a state of hostility that falls short of full conflict.

Meanwhile, the document provides the first framework for offensive operations. Until the release of this document, the armed forces had focused on defending their own systems—although with an understood element of active defense—while DGSE was in charge of the most sensitive operations, namely, espionage and disruption of adverse systems.

What is new in the offensive doctrine is the integration of cyber activity in conventional military operations. The offensive approach is described as stealthy actions aimed at denying the availability or confidentiality of adverse systems. Implicitly, the doctrine seems to exclude operations with destructive kinetic effects. It mentions the neutralization of enemy systems, but the concept is ambiguous. Offensive operations can prepare or complement conventional operations—acting as a force multiplier—or substitute for them entirely where appropriate.

The offensive doctrine also includes counterinfluence operations, aimed at protecting conventional action in cyberspace. Such operations are already performed in the conventional domain through the CIAE, or Joint Centre for Environmental Action, the military influence and civil-military cooperation branch of the French armed forces that was created in 2012.

The offensive doctrine places great emphasis on the consideration and mitigation of political, legal and military risks. It introduces the principle of risk balancing in the preparation and conduct of offensive operations: balancing against the risk of escalation in an asymmetric environment, or against the risk of collateral damage or unforeseen indirect impacts on civilian infrastructures. This balancing exercise may be the reason the doctrine does not clearly mention operations against the integrity of information or weapon systems. The doctrine reaffirms the applicability of public international law and international humanitarian law in cyber operations, a topic addressed at great length by the National Strategy for Cyber Defense, and reminds us that France is actively seeking the adoption of norms of good conduct, which it gathered in the Paris Call. Finally, public acknowledgement of offensive operations, as decided by political leadership, must take into account the risk of retorsion.

Challenges Ahead: Alliances, Procurement and Human Resources

The January announcement reaffirms the imperative for strong partnerships—and their formalization through NATO’s Cyber Defense Pledge and the European Intervention Initiative, an ad hoc structure outside of the European Union. To be effective, such partnerships must be founded on mutual trust, added Minister Parly at the announcement. Trust is also necessary between the government and the private sector, which is why the new Defense Innovation Agency will be in charge of developing a framework for the emergence of a “trusted digital sector.”

The research and development of cyber weapons is the responsibility of the Defense Procurement Agency (DGA), in close cooperation with operational needs expressed by France’s cyber command. The offensive doctrine indicates the DGA will adapt its procurement processes to take into account the tempo of operations and nature of these weapons. Indeed, current processes designed to procure tanks or submarines, or even major software programs, would be ill-suited. This may hint at the creation of an ad hoc procurement process designed from the ground up to research vulnerabilities and develop exploits and payloads. Contrary to the U.S. or, more recently, the U.K., France has no vulnerability equities process, at least publicly. The reform of the DGA’s processes is a major challenge, the first of several mentioned by Minister Parly during her speech. Another one is human resources, for which the cyber command will scale up its efforts to attract talented individuals.

Conclusion

France has, in only three years, conceptualized and adopted a comprehensive cybersecurity and cyber defense model. The recently released offensive doctrine is the culmination of this deep transformation. It particularly represents a turning point for the armed forces, breaking offensive operations from their intelligence silo. The wording of the document and of the accompanying speech by Minister Parly is also a clear signal to Russia, a message France had previously been reluctant to send in such stark terms. France aims to promote international rules and stability in the cyber domain to prevent escalation of crises, yet seeks room to maneuver to support conventional operations, deterrence and retorsion. Such balance is, and will remain, delicate.