New destructive practices are happening in cyberspace: criminal Internet use (cybercrime), including for terrorist purposes, propagation of false news on a large scale, espionage for political or economic purposes, attacks on critical infrastructures (transport, energy, communication...) through sabotage, and so on. Originated by state or non-state groups, cyberattacks occur at over borders and at a distance, making it hard to attribute them, and it is quite difficult to formally identify the true attacker (often acting the under cover of botnets or proxies) and can be carried out relatively easily, at low cost and with a quite low risk for the attacker.
Their objective is to jeopardize the proper functioning of information and communication systems (CIS) used by the general public, businesses and public administrations, including the physical integrity of essential infrastructures and national security.
Cybersecurity covers the entire range of security measures that can be implemented to defend against these attacks. The dramatic increase in the level of sophistication and intensity of cyberattacks has led most developed countries to strengthen their resilience and to adopt national cybersecurity strategies in recent years.
France's national cybersecurity device is based on two essential texts: the White Paper on Security and National Defence 2013 on one hand, and the National Strategy for Digital Security 2015 on the other.
This strategy, designed to accompany the digital transition of French society, responds to the new realities derived from the evolution of digital uses and the threats that this entails, and comprises five objectives:
Ensure national sovereignty
Provide a strong response to cybercrime
Inform the general public
Making digital security a competitive advantage for French companies
Strengthening France's voice internationally
With the national strategy for digital security, the State is committed to the security of computer systems to ensure, through a collective response, a level of digital trust commensurate with stability of the State, economic development and protection of the general public.
At technical and operational levels, different agents contribute to the effectiveness of this device.
Created in 2009, the National Information Systems Agency (ANSII) is the national authority on cybersecurity. The true "fireman" of French cyberspace, it is responsible for prevention (including regulatory aspects) and for dealing with computer incidents involving sensitive institutions.
It also organizes national crisis management drills. ANSSI currently employs more than 500 people and continues to grow.
The Ministry of Defence has the dual mission of ensuring the protection of networks that support its activity and of integrating the digital battle into military operations.
To consolidate the ministry's activity in this area, a cyberdefence chief (COMCYBER), under the command of the Chief of Defence Staff, was established in early 2017. The Ministry of the Interior's mission is to fight against all forms of cybercrime, including national institutions and interests, economic agents, public authorities and individuals. To this end, it mobilizes specialized central services and territorial networks of the national police, the national gendarmerie and internal security. These are the ones in charge of the actions aimed at identifying the perpetrators of cybercrime and bringing them to justice. Additionally, these services contribute to the prevention and sensitization of the public concerned.
THE EU'S DIGITAL AUTONOMY
Within the European Union (EU), France defends an ambitious vision and the concept of "the EU's strategic digital autonomy".
This vision is based on three pillars:
The operational and capacity pillar. The Network and Information Security (NIS) directive of July 2016 was an significant step forward in strengthening cybersecurity in each Member State. France also supports the Commission's proposal to strengthen INISA to become a genuine European cybersecurity agency and to strengthen operational cooperation between Member States.
The industrial pillar. The ambitious public-private contractual agreement on cybersecurity launched by the Commission in July 2016 should make it possible to promote R&D in cybersecurity at European level. Beyond that, the strategic autonomy of the EU will also depend on its ability to be at the forefront of the next technological revolutions in the digital domain. This is the response of the President of the Republic's call for the development of a "DARPA" at European level; that is to say, an innovation funding agency.
The legislative pillar. At both the political and technical level, France has to contribute to the EU's supply of cybersecurity in forms that are compatible with a high level of existence and security. Specifically, this would be in the areas of certification of computer security products and in sensitive data storage.
The strengthening of strategic stability and international security in cyberspace is one of the priority objectives of France. The country thus plays an active role in promoting a secure, stable and open cyberspace. The Ministry of Europe and Foreign Affairs coordinates the work of France on "cyberdiplomacy".
PARTICULARLY ACTIVE AT THE UN
France is particularly active within the UN, where rules of responsible behaviour in cyberspace are debated. Specifically, it has participated in the UN's previous five groups of governmental experts (GGE) on cybersecurity, whose work has allowed to anchor cyberspace in the international system derived from the Charter of the United Nations and to orient the States in a dynamic of prevention, cooperation and non-proliferation in cyberspace (recognition, in 2013, of the applicability of international law and specifically of the Charter of the United Nations to cyberspace).
France is also engaged in other international areas where cybersecurity issues are addressed. Specifically, in the Atlantic Alliance, France has participated in the initiative to adopt a commitment to cyberdefence (Cyberdefence Pledge) by the 28 nations at the summit in Warsaw in June 2016. The recognition, in the course of this summit, of cyberspace as a domain of operations, means that NATO needs to defend itself the same as it does in the terrestrial, air and maritime domains.
In the G-7, where the Ise-Shima group, set up in 2016 and dedicated to cyber issues, in the spring of 2017, made it possible to adopt an ambitious declaration on the rules of States' responsible behaviour in cyberspace.
In the OSCE, which is a regional reference environment for the definition and implementation of confidence measures applied to cyberspace, with the adoption of two confidence packs in 2013 and 2016.
Finally, France is now seeking to reflect on its role and the specific responsibilities of private agents in strengthening the stability and international security of cyberspace with its state members as well as in the private sector and civil society.