It is always good to observe how countries build their strategic capabilities within the cyber domain. It is truly a fascinating time for technology policy, privacy and cybersecurity, in every sense: technically, strategically, diplomatically and militarily.
Some countries think about doing “something”; others act. Perhaps understandably, most attention to date is devoted to the United States. My focus here is France, which has been working on the topic for a while now. Earlier this year France completed a “cyber assessment” (Highlights of the French cybersecurity strategy), which contained a number of interesting points.
Now the necessary strategic analyses are closer to realisation. France is seriously working towards meaningful planning in the development of “cyber”. The now almost finished bill updating the general armed forces planning for 2019-2025 (“programmation militaire pour les années 2019 à 2025 et portant diverses dispositions intéressant la défense”) is a rather general document. It speaks about the allocation of 2% of GDP to defence in 2025, Leclerc tanks, helicopters, “preparing for future challenges”, creating a strategic European autonomy on the grounds of voluntary cooperation (“construction de l'autonomie stratégique européenne au moyen d'une politique volontariste de coopération avec nos partenaires les plus capables et volontaires”; this might actually be important these days, but it is not my field, so I leave it to others), and so on.
The document also includes a substantial section on “cyber”. As a consequence, this post is admittedly more about that particular (military) sphere, and not what is usually regarded as “cybersecurity” (even in policy). “Cyber” touches a number of dimensions.
I provide a summary of the more interesting points, along with my comments. Rather than focusing on particular articles (e.g. requirements for ISPs to have infrastructure that allows detecting incidents, but also collecting and retaining data), I cover a report included in the annex of this particular bill. Those points are a mixed bag of observations (“diagnosis”) and planned activity (“treatment”). So, a standard strategic analysis process driving action.
1) The report says that continued threats in cyberspace put countries, their people, public services, companies, and businesses at risk of potentially large-scale damage.
2) Cyberspace is a field of rapid evolution, where malicious activity may still be difficult to attribute to particular threats. Additionally, new operational methods couple information operations and cyber with other means of action, executed with ambiguity of intentions, with a view to causing intimidation. At the same time, information operations in digital media and social networks have an impact on democratic institutions, contributing to destabilisation.
This is a longish definition of hybrid threats. Some indeed maintain that future conflicts may have a direct “cyber” component.
3) The document speaks of building attribution facilities that make it possible to gauge offensive capabilities and to react when needed.
4) One of the goals of the new strategy is to strengthen capabilities in the “cyber” domain (cyber defence). In this paragraph the document strongly highlights achieving “strategic autonomy”. It must be interpreted as applying to “cyber” as well.
5) Strategic intelligence («renseignement stratégique») will have the means to work in a federated manner, including combined input from different domains (e.g. SAT, HUM, CYBER).
6) The “cyber” component will be operational, and ready to deploy during missions. This short item is included in a paragraph speaking of tanks, vessels, nuclear submarines, etc. Am I the only one who still finds this curious?
7) Expansion of the “cyber” component. Personnel expansion is foreseen in the years 2009-2025. 1500 additional people will be recruited to cyber defence and “action in cyberspace” (offensive?). This will mean 4000 cyber fighters (“combattants cyber”) in total.
8) France intends to support the building of European strategic autonomy, including in “cyber”, and against “ambiguous” actors.
9) By 2025, cyber defence capabilities are to be developed, including protection from digital influence (operations?). This point also speaks about defending weapons systems from cyber operations, beginning at the design phase and continuing through their use.
There is a certain trend of convergence between information warfare and information security / cybersecurity. That point is another indication. Don’t think of it as firewalls (“cybersecurity”) and Twitter bots (“disinformation”). There’s more to it than that.
10) New uses of the cyber army will be explored, including cyber weapons (l’arme cybernetique)!
Summary
Around 30 countries have or are building/expanding capabilities. The French document analysed here is interesting. It shows clear strategic thinking, and is a nice follow-up to the strategic assessment released earlier this year (Highlights of the French cybersecurity strategy).
From a cybersecurity policy and technology policy perspective, this process looks interesting, and provides insight not found elsewhere.
It is also difficult not to have an odd feeling when such a text overtly describes the emerging challenges to the “international community”, not merely in cyber. But there are better places for that than this post.