The keys to understanding French cyber-strategy and its risks
Cyberspace has become the new chessboard of war and more and more states are preparing to fight, investing in developing cyber weapons. France is one of the European countries that is investing most in cybernetic capabilities, which are commonly used in military operations, whether in response, initiation or support of an operation.
Last year the French defence minister, Florence Parly, and the CEMA (Chef d'État-Major des Armées) announced a new strategy and doctrine to guide cyber defence and cyber offensive operations. The ministry published a strategic document entitled 'Public Elements for the Military Cyber Warfare Doctrine' which provides the first clear guidelines on how France will use cyber defence and cyber offensive capabilities in the military sphere.
This CEMA document explains the importance of using cyber-offensive capabilities to guarantee national security and to address new cyber-threats. Cyber-offensive capabilities allow countries to carry out discreet operations against digitised systems, replacing, preparing or complementing other conventional methods of action.
At the operational level, this type of cyber-offence is used above all to assess the military capability of the adversary, particularly with regard to its ability to gather and extract information. Lastly, this offensive capability is used to alter the perceptions or analytical capabilities of the adversary by discreetly modifying the data to which they have access. Furthermore, through different types of cyber-attacks, it is possible to turn the enemy's hacking attempts against themselves, by inserting, for example, malware into one of the internal documents known to be extracted.
These cyber weapons are different from conventional weapons and pose very particular risks and challenges in their use. Some examples of the major challenges facing French cyber-attacks are the immediacy of cyber-actions and hyper-connectivity. Furthermore, cyber-offence technology is so sophisticated that it requires great precision in use, and can have unexpected collateral damage, which is not the case of most conventional weapons.
Another risk linked to their sophistication is the difficulty of recruiting and training in these capabilities for military commanders who have to integrate cyber-offensive capabilities into their conventional strategies. Adapting the usual processes to take account of cyber weapons is complex at the national level, and becomes more complicated when other partner actors such as the European Union and NATO have to be added. These challenges are briefly mentioned in the aforementioned strategic document, but there are other doctrinal and operational challenges that need to be taken into account for French cyberstrategy.
As for the doctrinal challenges related to the use of cyber-offensive capabilities, the first gap that needs to be addressed is the difference between the use of offensive means in times of peace and in times of war. Under public international law, cyber-offensive action that causes serious damage may constitute an armed attack by giving the attacked country the right to use self-defence. For example, the Israeli Armed Forces launched an air strike against Hamas after unsuccessfully attempting to hack into Israeli targets. Had they succeeded in hacking into any Israeli life-support system, the confrontation could have escalated into war.
A greater international effort must be made to ensure that the cyber-attacks used in times of peace and war are proportionate and measured. As mentioned above, any action in cyberspace has unimaginable collateral risks. For now, the only international effort to promote good practice is through the "Declaration on Responsible States Behavior", signed by some but not all countries, which is not sufficient as a legal framework.
Related to the aforementioned issue, another unique risk of cyber-offensive capabilities is the problem of traceability and the use of self-defence. Regardless of the type of cyber-attack, no government would announce it had conducted an operation to nullify an enemy's capabilities. It is precisely this secrecy that can lead to international conflict if the attack can be traced back to French territory.
Indeed, France considers that cyber-attacks against systems located in its territory that cause major damage may constitute an armed attack that entitles the use of legitimate defence. Therefore, if the country suffering the cyber-attack succeeds in identifying France as the perpetrator, it could suffer reprisals. This risk is exponentially increased when it is considered that, as the attack comes from French territory, the government is automatically involved, when this might not be the case. This problem is shared with other cyber powers.
With regard to operational challenges, in the case of cyber defence, problems of data storage and the use of private networks and servers are always a security risk. With 5G, for example, if Huawei were the provider of the cloud in which the government stores data relating to cyber-attack, Huawei, and therefore the Chinese government, would have access to this data when transferred from one location to another. Strategic autonomy in the physical servers, the network system and the cloud are becoming most important challenges for France and more difficult to solve due to the cost of a public server of its own with the amount of data stored daily.
Lastly, the development of offensive cyber-attacks, particularly those aimed at obtaining information from the enemy, already has a high component of artificial intelligence and the trend towards investment in autonomous cyber-weapons is increasing every day. As it is the case with almost all technological development, private companies are well ahead of the state, especially in everything related to artificial intelligence. If France is not to become obsolete as a cybernetic power, it is essential for the French government to rely on the development of private companies while maintaining strategic autonomy. The latter will pose a major challenge, particularly when most private defence companies begin to have private investors who are not always nationals.