France and cyber security
New destructive practices are developing in cyber space, including criminal use of the Internet (cyber crime), including for terrorist purposes; large-scale propagation of false information and manipulation; espionage for political or economic ends; and attacks on critical infrastructure (transport, energy, communication, etc.) for the purposes of sabotage.
Coming from State or non-State groups, these cyber attacks:
- Know no border or distance;
- Are difficult to trace: it is very hard to formally identify the true culprits, who are often acting under the cover of unwitting relays (botnets) or proxies;
- Can be carried out with relative ease, with little cost or risk for the attacker. They aim to jeopardize the smooth functioning of communication and information systems (CIS) used by citizens, businesses and administrations, and even the physical integrity of infrastructure that is crucial to national security.
Cyber security covers the entirety of security measures that could be taken to defend against these attacks. The constant increase in the sophistication and intensity of cyber attacks in recent years has led most developed countries to toughen their resilience and adopt national cyber security strategies.
A robust national initiative being ramped up
France adopted a national cyber security strategy in 2015. This Strategy aims to accompany French society’s digital transition and address the new challenges of changing uses of digital technology and the associated threats: It focuses on five goals:
- Guaranteeing national sovereignty,
- Providing a strong response to acts of cyber crime,
- Informing the public,
- Making digital security a competitive advantage for French businesses,
- Enhancing France’s voice on the international stage.
This strategy has since been supplemented by:
- France’s international digital strategy
The strategy was presented by the Minister for Europe and Foreign Affairs in December 2017. It compiles all the strategic goals France promotes in the digital field around the three pillars of governance, the economy and security. - Strategic Review of Cyber Defence (in French)
The Strategic Review of Cyber Defence was entrusted to the General Secretariat for Defence and National Security (SGDSN) by the Prime Minister and presented in February 2018. It sets out a doctrine to manage cyber crises. This review clarifies the goals of a national cyber defence strategy and confirms the relevance of the French model and the primary responsibility of the government in this field.
Many players contribute to the efficacy of this French approach from technical and operational standpoints.
- The French Network and Information Security Agency (ANSSI) was created in 2009 and is the national cyber security authority. Acting as a genuine “first responder” in French cyber space, ANSSI is responsible for preventing (including from a normative perspective) and reacting to IT incidents affecting sensitive institutions. It also organizes crisis exercises on a national level. ANSSI currently employs 600 people and continues to grow.
Lien vers l’ANSSI - The French Ministry for the Armed Forces has a two-fold mission to ensure the protection of the networks underpinning its action and integrating digital warfare into military operations. In order to consolidate the Ministry’s work in this field, a cyber defence operational chain of command (COMCYBER), under the orders of the Armed Forces Chief of Staff, was created in early 2017.
- The role of France’s Ministry of the Interior is to combat all forms of cyber crime against national institutions and interests, economic stakeholders and government authorities, and individuals. It draws on specialized central services and the local networks of the national police, national gendarmerie and internal security forces. These forces are responsible for investigations aimed at identifying and prosecuting cyber criminals. They also contribute to prevention and outreach work with relevant audiences.
Stability and international security in cyber space
Enhancing strategic stability and international security in cyber space is a French priority. The Ministry for Europe and Foreign Affairs coordinates France’s work on “cyber diplomacy”. This work is carried out in a European and international framework.
Guaranteeing European strategic digital autonomy
Within the European Union, France defends an ambitious vision and the concept of the “EU’s digital single market”, a key aspect of our collective capacity for initiative and action. This mission is three-fold:
- Technological aspect
The European Union’s industrial policy supports cutting-edge research and development in order to foster the deployment of secure digital technologies and services. It must be possible to assess the reliability of these services. Ensuring the security of all digital components will also help give a competitive advantage to European products and services.
- Regulatory aspect
The European Union’s external policy needs to set down regulations taking into account the competitiveness needs and potential of digital technology while continuing to protect citizens, businesses and Member States in accordance with our common values such as the right to privacy and protection of personal data, and the protection of critical infrastructure.
- Capacity aspect
The European Union has an essential role to play in promoting and supporting the development of the cyber defence capabilities of public and private entities within the Member States and EU institutions themselves, drawing on European expertise. It can also provide support in the fields of training and instruction, creating synergies and avoiding duplication of capabilities.
Above and beyond these dimensions, operational cooperation needs to be stepped up between EU Member States. The aim is to establish pan-European tools to share technical information on threats, supporting preparation and rapid response in the event of cyber attacks. The creation in 2017 of the EU Cyber Diplomacy Toolbox (CDT) to combat cyber attacks is a full-fledged aspect of this cooperation.
Mobilizing the international community through the Paris Call
The Paris Call for Trust and Security in Cyberspace demonstrates France’s active role in promoting a safe, stable and open cyber space. This high-level political declaration marks renewed commitment to the fundamental issue of stability in cyber space. The Paris Call was presented at the Paris Peace Forum on 12 November 2018 and was promoted by the French President at UNESCO before the Internet Governance Forum. It shows France’s ability to widely support its vision for cyber space regulation.
The text was supported by more than 500 entities including States and businesses. It recalls fundamental principles, such as the applicability of international law and human rights to cyber space, and mentions a number of principles such as responsible behaviour of States, the State monopoly on legitimate violence, and acknowledgement of the specific responsibilities of private stakeholders, that are part of France’s vision for a safe cyber space.
The inclusive approach of the Paris Call highlights the need for a multi-stakeholder approach to drawing up standards and best practices in order to reliably and securely enjoy the opportunities offered by the digital revolution. France intends to review, with its foreign government partners but also the private sector and civil society, the role and specific responsibilities of private stakeholders in strengthening the stability and international security of cyber space.
Promoting the stability of cyber space in international forums
Within the United Nations, building on the last five meetings of the Group of Governmental Experts (GGE) on international cyber security issues in which France actively participated, the United Nations General Assembly adopted two resolutions in late 2018 aiming to relaunch international negotiations on these issues in two different forums: the Open-ended Working Group (OEWG) open to all Member States and sixth Group of Governmental Experts with 25 members. France will participate in the two discussion processes in order to defend its vision of the international cyber space regulation, particularly the principles in the Paris Call for Trust and Security in Cyber Space. Negotiations will begin in September 2019 for one year in the OEWG and in December 2019 for two years in the EGG.
For more information on the resumption of UN negotiations on cyber space, visit the website of UNODA.
In mid-May 2019, France put forward its contribution to the United Nations presenting the key points of France’s position on global cyber space issues. It set out:
- The actions undertaken by France to strengthen its cyber defence apparatus and its policy of transparency regarding its international and national strategy;
- The ways it intends to prevent crises by strengthening cooperation, building international capabilities and developing norms regulating actors’ behaviour in cyber space;
- The concepts and principles it advocates at the United Nations and the measures that would make it possible to bolster international security in the cyber space.
France is active in other international forums where cyber security issues are tackled, including :
- Within NATO, France instigated the adoption by the 28 Nations of a Cyber Defence Pledge during the Warsaw Summit in June 2016. This pledge recognized cyber space as a field of operations and now commits NATO to defending itself in cyber space as it does in the land, air and maritime fields. In May 2018, France hosted the first ever Cyber Defence Pledge Conference.
- On 6 April 2019, G7 Foreign Ministers met in Dinard, France, and launched a Cyber Norm Initiative dedicated to sharing best practices and lessons learned on the implementation of previously recognized voluntary, non-binding norms of responsible State behaviour. The norms that are presented in this document have notably emerged during the previous sessions of the United Nations Group of Governmental Experts (GGE) and are a subset of the international cyber stability framework. G7 countries are committed to continuing this work and to sharing views on the full range of important recommendations that have been underlined in GGE reports.
- At the OSCE, which has established itself as a key regional forum for defining and implementing confidence-building measures for cyber space, France continues to promote an ambitious agenda for the effectiveness of these measures to enhance transparency, cooperation and confidence between the Organization’s member countries.
Updated: May 2019