Cyber security

France and cyber security issues

New destructive practices are developing in cyber space, including criminal use of the Internet (cyber crime), including for terrorist purposes; large-scale propagation of false information; espionage for political or economic ends; and attacks on critical infrastructure (transport, energy, communication, etc.) for the purposes of sabotage.

Coming from State or non-State groups, these cyber attacks:

  • know no border or distance;
  • are difficult to attribute: it is very hard to formally identify the true culprits, who are often acting under the cover of unwitting relays (botnets) or intermediaries (proxies);
  • can be carried out with relative ease, with little cost or risk for the attacker. They aim to jeopardize the smooth functioning of communication and information systems (CIS) used by citizens, businesses and administrations, and even the physical integrity of infrastructure that is crucial to national security.

Cyber security covers the entirety of security measures that could be taken to defend against these attacks. The spectacular increase in the sophistication and intensity of cyber attacks has, in recent years, led most developed countries to toughen their resilience and adopt national cyber security strategies.

A robust national initiative which continues to ramp up.

France’s national cyber security policy is based on two essential texts: The 2013 White Paper on national security and defence and the 2015 National Strategy for Digital Security.

This Strategy is designed to accompany French society’s digital transition and meets new challenges brought about by changing uses of digital technology and the associated threats with five objectives:

  • Guaranteeing national sovereignty,
  • Providing a strong response to acts of cybercrime,
  • Informing the public at large,
  • Making digital security a competitive advantage for French businesses,
  • Enhancing France’s voice on the international stage.

With the National Cyber Security Strategy, the French State is working to ensure the security of IT systems to move towards a collective response, towards the digital trust required for the stability of the State, economic development and the protection of citizens.

Many players contribute to the efficacy of this strategy from technical and operational standpoints.

  • Created in 2009, the French Network and Information Security Agency (ANSSI) is the French national authority on cyber security. The authority is a genuine “firefighter” of French cyberspace, it is responsible for preventing (including from a normative perspective) and reacting to IT incidents regarding sensitive institutions. It also organizes crisis management exercises on a national level. ANSSI currently has over 500 staff members and continues to grow.
  • The French Ministry of Defence has a dual mission to ensure the protection of the networks which underpin its action and to integrate digital warfare into military operations. In order to consolidate the Ministry’s work in this field, a cyber defence operational chain of command (COMCYBER), placed under the orders of the Armed Forces Chief of Staff, was created in early 2017.
  • The French Ministry of the Interior aims to fight against all forms of cybercrime, aimed at national institutions and interests, economic stakeholders and government authorities, and individuals. It therefore involves specialised central services and the territorial networks of the general directorates of the national police, French gendarmerie and national security. They are responsible for leading investigations aimed at identifying those responsible for acts of cyber crime and handing them over to the authorities. These services also help to carry out prevention and awareness-raising activities with the relevant audiences.

Guaranteeing the digital autonomy of the European Union

Within the European Union, France defends an ambitious vision and the concept of the “EU’s digital single market”. This vision is based on three pillars:

  • An operational and capability pillar: the Network and Information Security (NIS) directive of July 2016 represents an important step forward in enhancing the cybersecurity of each Member State. France also supports the Commission’s proposal to bolster the European Union Agency for Network and Information Security (ENISA) which is destined to become a genuine European Agency for Cyber Security and enhance operational cooperation between Member States.
  • An industrial pillar: The ambitious public-private partnership contract on cyber security launched by the Commission in July 2016 should help to promote R&D in the field of cyber security across Europe. In addition, the EU’s digital single market will also be achieved by its ability to put the next technological revolutions at the forefront in the field of digital technology. This is why the President of the French Republic called for the creation of a European “DARPA”, an agency for the financing of disruptive technology.
  • A normative pillar: France must ensure that the EU adopts standards in the cyber field which are compatible with a high level of expectation and security, both from a political and technical standpoint. This is particularly true regarding the certification of products for digital security or the localisation of sensitive data.

Ensuring the strategic stability and international security in cyber space

Enhancing strategic stability and international security in cyber space is one of France’s key objectives. It therefore plays an active role in promoting a safe, stable and open cyber space. The Ministry for Europe and Foreign Affairs coordinates France’s work on “cyber diplomacy”.

France is particularly active within the UN where the rules of responsible behaviours in cyber space are discussed. It has participated in the UN’s last five group of governmental experts (GGE) on cyber security whose work has helped to place cyber space in the international system created by the United Nations Charter and to guide States towards prevention, cooperation and non-proliferation in cyber space (recognition in 2013 of the applicability of international law, especially the United Nations Charter, in cyber space, consolidation in 2015 of core voluntary commitments for good behaviour (“behaviour standards”) for States in cyber space.

France is also involved in other international fora where cyber security issues are tackled, including:

  • Within the Atlantic Alliance, France instigated the adoption by the 28 Nations of a Cyberdefence Plege during the Warsaw Summit in June 2016. The recognition during this summit of cyber space as a field of operations now commits NATO to defending itself as it does in the land, air and maritime fields.
  • At the G7, where the Ise-Shima Cyber Group, created in 2016, helped to reach the adoption by the G7 Ministers of Foreign Affairs in 2017 of an ambitious declaration regarding standards for responsible behaviour for States in cyber space.
  • At the OECD, which has come to the fore as a key regional forum for defining and implementing trust-worthy measures regarding cyber space with the adoption of two groups of trust measures in 2013 and 2016.

Lastly, France now wishes to review, with its State partners but also the private sector and civil society, the role and specific responsibilities of private stakeholders in strengthening the stability and international security of cyber space. The Ministry for Europe and Foreign Affairs therefore held an event on this issue on 18 September 2017 on the sidelines of the 72nd UN General Assembly.

European Cyber Security Month (October 2017)

It is within the context of European Cyber Security Month that David Martinon, ambassador for cyber diplomacy and the digital economy, agreed to an interview during which he spoke about the global nature of this new type of conflict, France’s level of preparedness in the field as well as the state of the European strategy or global cooperation in tackling these threats.

Updated: 04.10.17