France has this week unveiled a new cyber-warfare unit aimed at increasing its cyber-defence and offence capabilities.
Cybercom will employ 2600 cyber-security experts by 2019 and receive an initial commitment of €2.1 billion (£1.77bn) in funding.
France's defence minister Jean-Yves Le Drian in announcing Cybercom said that it was the country's response to the realities of a new style of warfare, on a par with the use of aircraft in the early 20th century.
"The emergence of a new area, a new cyber-battlefield, must make us rethink profoundly our way of approaching the art of war," Le Drian said.
Under the new doctrine of war, a cyberattack could constitute an act of war, necessitating an “appropriate response” from Cybercom. France might hold states responsible for any hacking activity that came out of their country if it was found that they hadn't taken steps to stop them.
He said that cyber offence would be an option. "Our offensive cyber-capabilities must allow us to breach the systems and networks of our enemies to cause damage, service suspensions or temporary or definitive neutralisations," he added.
The French initiative comes at a time of heightened political cyber-security tensions, as US President Obama vows to take action against Russia over alleged interference in the US presidential election campaign and the US Central Intelligence Agency (CIA) links Russian President Vladimir Putin directly to the attacks.
The French government is also concerned about the threat of Russian interference in its elections, and the National Cybersecurity Agency of France (ANSSI) is working closely with parts of the electoral system to raise awareness of the threats.
However, it would be wrong to assume that Cybercom has been created solely as a response to that, said Frédérick Douzet, professor at the French Institute of Geopolitics at Paris 8 University and chairwoman of the Castex Chair of Cyber Strategy.
Cybercom is the natural development of France's developing cyber-security strategy. In October last year, the prime minister Manuel Valls unveiled a national cyber-security strategy at a conference organised by ANSSI.
The new cyber command will be under the command of the chief of staff of the armed forces and is a follow up to a 2011 initiative to build a cyber-defence unit within the Joint Chief of Staff, Douzet told SC Media UK in an email.
“Making it official increases transparency over cyber-defence activities which is important in terms of predictability of state behaviour in a context of great cyber instability and increased offensive activities by a multiplicity of actors,” she said.
“This new organisation will allow [the government] to bring cyber issues at the top strategic level for better integration in strategic thinking and planning and strong reactivity. It is also an opportunity to reorganise the team and build up forces, with the goal to integrate cyber operations into all military operations.
“I think the idea of having a small centralised team handling offensive operations is a way to make sure offensive operations are conducted under the highest degree of scrutiny and control, to avoid miscalculations and potential conflict escalation and encourage restraint.
“But the emphasis will be mostly on defence operations. The challenge with a centralised command is to create a strong incentive across all armed forces to strengthen their cyber defence while not being directly in control of cyber operations.”
The investment in Cybercom follows the creation by the UK government of the National Cyber Security Centre (NCSC) and the investment over five years of £1.9 billion in national cyber-security capabilities.
Douzet said that the French approach will differ from the UK, the US and other countries in several respects.
“The new French organisation is different from the United States or the UK because the activities of the intelligence services are not under the same commandment as the cyber military operations,” she said. “Germany has set up a new cyber army but it's much broader as it integrates not only cyber but also all geo-information, information technologies, intelligence and operative communications. Whereas France is creating a dedicated cyber defence unit under a small command at the top strategic level. This shows how much of a priority cyber has become for the French Ministry of Defence.”
Melissa Hathaway, president at Hathaway Global Strategies and creator of the Potomac Institute's Cyber-Readiness Index (CRI), told SC that the creation of Cybercom is an important step for France in becoming more cyber ready. “In 2011, France declared that it would become a world cyber power and has been making investments to achieve that goal ever since,” she said.“This includes strengthening the authorities of ANSSI and establishing a Cyber Defence General Officer with associated operational units (the beginning of Cyber Command).”
France's White Paper on National Defence in 2013 highlighted the need for full spectrum cyber defence capacity, which is generally taken to mean offence as well as defence, and it was funded in the 2014 budget.
“The Cyber Defence Pact of 2014-2016 continued to invest and expand these capabilities. This new announcement is consistent with their plan and outwardly acknowledges their development of offensive capabilities – and increases its spending,” Hathaway said. “France is increasing its cyber readiness — and its ability to defend and manage a cyber crisis.”
Gerome Billois, cyber security senior manager at Wavestone, told SC that France's cyber capabilities are now focused more strongly on offensive capabilities than before but added that it would take years for this to come to be completed.
France's strategy is based on a similar analysis to the UK of the importance of the digital economy and a plethora of threats including nation-states, criminals and hacktivists. “Clearly both countries are quite aligned and their approach is not dissimilar to the one being developed in the US”, he said.
“To achieve this goal both countries have a similar approach based on securing critical assets, using cyber capability to improve intelligence and being able to respond to cyberattacks with an offensive approach,” Billois said. “This response could be either in the cyberspace or in the physical world.”
He expects both countries will work closely with the commercial sector to develop and improve technical solutions.
“The shortage of skills is also a problem on both side of the Channel,” he said. “Both strategies also put international coordination at EU and UN level at the core of their plans.* Melissa Hathaway will join SC Media UK for the annual SC Congress in London on 23 February 2017, to take part in a panel discussion on the law in cyberspace.