Many countries currently discuss cybersecurity on multiple levels. France is not an exception. The new REVUE STRATÉGIQUE DE CYBERDÉFENSE (Strategic Review of Cyberdefence) is a complex, coherent and strategic document listing the many actions that France has already taken, as well as those ahead.
I will not analyze this document (166 pages) in detail, and I invite you to read it yourself. I will merely focus on a selection of points. The document itself is very interesting, and aside from discussing the technical, organizational, and strategic aspects, it also provides a specific agenda.
First, the document explains that in France cyberdefence and cyberoffence are kept separate. This is directly opposed to the model employed in Anglo-Saxon countries, but it is presented as an asset. The key argument: it respects freedoms and civil liberties.
The document then lists the six general objectives of cyberdefence, namely: prevention, anticipation, protection, detection, attribution, and reaction (remediation). The strategy itself is complete: it covers the civil, military, domestic, external, and international levels. Let’s say that is a rarity among strategic cybersecurity documents.
Now on to specific items.
International level regulation
Following the failure of the GGE negotiations, France intends to take an active role in the international regulation of cyberspace, including cyberwarfare.
No Hack-Back for private companies
France strongly opposes giving private companies the right to retaliate following a cyberattack. In the French view, such actions would constitute a source of instability in cyberspace, especially when the retaliation targets actors located in a different state. France wants to raise the issue of hack-back at the international level.
A notable point: the fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US (1, 2), where certain proposals considered giving companies the power to hack back.
France apparently signals a desire to place security liability in the hands of product suppliers. In other words, companies would be made responsible for the security of the products they put on the market, for as long as those products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after the end-of-support date. The strategy itself mentions taking this discussion to the international level. This will be interesting. It might be somewhat related to other attempts at the European Union level (I describe them here).
France has identified the key players in cyberspace: the UK, China, Russia, and the USA. The idea is to establish communication channels as a precaution, to limit the risk of destabilizing actions following certain unspecified events. Well, you know.
Hack-back, the French way?
Annex 7 considers retaliatory actions following a cyberattack. Although the text states that such actions should only be considered once all other approaches (prevention, cooperation, negotiation) have failed, it acknowledges that a response may use cyber or non-cyber means. The strategy also highlights that a major cyberattack can be interpreted as an armed aggression, in line with Article 51 of the Charter of the United Nations.
The whole document can be found here.