New destructive practices are developing in cyber space, including criminal use of the Internet (cyber crime), espionage for political or economic ends, and attacks on critical infrastructure (transport, energy, communication, etc.) for the purposes of sabotage.
Coming from governmental or non-governmental players, these cyber attacks:
- know no border or distance;
- are anonymous, and it is very difficult to formally identify the true culprit, who is often acting under the cover of unwitting relays (botnets) or intermediaries (proxies);
- can be carried out with relative ease, with little cost or risk for the attacker.
They aim to jeopardise the smooth functioning of communication and information systems (CIS) used by citizens, businesses and administrations, and even the physical integrity of infrastructure that is crucial to national security.
Cyber security covers all the security measures that can be taken to defend against these attacks. The spectacular increase in the sophistication and intensity of cyber attacks has, in recent years, led most developed countries to strengthen their resilience and adopt national cyber security strategies.
The strategic stances taken in recent years at the highest political level have enshrined cyber security as a priority for government action. France conducted a profound overhaul of its defence and national security policy in the 2008 and 2013 White Papers, and new priorities were defined and validated by the then President of the French Republic. These include cyber attack prevention and response, which have been identified as a major priority in the organization of national security.
- The French Network and Information Security Agency (ANSSI, Agence nationale de sécurité des systèmes d’information) was created in July 2009 to address the increasing challenge of cyber attacks, in line with the recommendations of the White Paper on Defence and National Security. It is an interministerial agency attached to the Prime Minister’s office. ANSSI’s importance was raised in early 2011 when the Agency became the national authority for information systems defence.
Following the creation of the Agency, France published a national Strategy for the defence and security of information systems in 2011. The 2013 White Paper confirmed the cyber threat and specifically identified the threat of sabotage against critical infrastructure.
- As part of the Ministry of Defence’s efforts to strengthen its cyber defence capacities, a position of General Officer responsible for cyber defence was created in 2011 to coordinate the Ministry’s action in this area and provide a primary interface in the event of a cyber crisis. In February 2014, a Cyber Defence Pact was produced to lay down the Ministry of Defence’s ambitions through to 2019.
- For its part, the Ministry of the Interior (Police and Gendarmerie) is responsible for fighting cyber crime. A position of Prefect responsible for the fight against cyber threats was created in 2014.
- Lastly, the Ministry of Foreign Affairs and International Development ensures the coherence of France’s positions internationally as regards cyber security. Indeed, one of the major focuses of the national cyber security strategy adopted in 2011 is the development of our international cooperation: in addition to the establishment of bilateral relationships in the area of cyber security, France contributes actively to the design of cyber security policies within international organizations. In this respect, we are particularly attentive to the work underway within NATO and the European Union on cyber security, as well as at the UN and the OSCE.
Like other countries, including the United States, the United Kingdom, Germany, Russia and Japan, which have created cyber issues coordinator positions within their Foreign Ministries, the French Ministry of Foreign Affairs and International Development entrusted these matters to the Deputy Secretary-General in 2011, later creating a specific cyber security coordinator position in October 2014. That position is currently occupied by Ambassador Florence Mangin.
Within the European Union, a cyber security strategy was presented in February 2013 by the European Commission and the European External Action Service (EEAS). France contributes actively to the implementation of its five pillars:
- overall resilience of the EU (including EU bodies);
- combating cyber crime;
- cyber defence issues in the framework of the Common Security and Defence Policy;
- industrial issues;
- EU international cyber space policy.
At NATO, cyber defence is a major aspect of the Alliance’s renovation and its adaptation to new threats. Following the adoption of the new strategic concept during the Lisbon Summit in November 2010, a NATO Policy on Cyber Defence was approved by the 28 members in June 2011 and “enhanced” during the Newport (Wales) Summit in September 2014.
At the G8, the Deauville Summit, organized by the French Presidency in 2011, acknowledged the importance of exchanges between major global players on cyber security issues and highlighted the need to adopt common principles for the activities of governments in cyber space.
At the UN, talks are underway within the Group of Governmental Experts (GGE) on international security in cyber space, meeting from June 2014 to June 2015. France is represented there by the cyber security coordinator, Florence Mangin.
At the OSCE, a working group on cyber security was launched in 2012, aimed at developing confidence-building and transparency measures in cyber space between States. A first list of transparency measures was adopted in December 2013.