September 2010. In the basements of the hypersecure nuclear power station of Natanz, the turbines stop working. Iranian officials suspect an attack – but no one entered the compound, nor was they bombed. The truth came to light a few weeks later. This is the result of a cyberattack, dubbed Stuxnet. Since then, no less than 200 cyber attacks between sovereign states have been recorded (Financial Times – “Top general lifts lid on Britain’s cyber attack capability”, September 25, 2020).Degraded military infrastructures, electricity networks put out of service, theft of state secrets … their recurrence feeds fears and fantasies of a war which does not speak its name, but which nevertheless seems well underway.
Cyber attacks are not just the act of states, and can meet various objectives: ransom, industrial espionage, political activism. They range from anecdotal to acts that endanger national security, and sometimes both. In 2017, the ransomware (“ransomware”) WannaCry infected hundreds of thousands of systems across nearly 150 countries (The world, “Massive Cyber Attack Blocks Computers in Dozens of Countries,” May 19, 2017), ranging from SMEs to the Russian Home Office, to UK hospitals. Equally disturbing, the speed of evolution of these techniques is very great, adapting each day in a game of cat and mouse permanent between defenders and attackers.
And the number of attacks explodes: SonicWall reported a 20% increase in attacks ransomware in 2020 compared to the previous year (sonicwall.com/2020-cyber-threat-report). Hence a race against time for sovereign states to arm themselves against this threat.
To meet these challenges, staffs and governments are thus developing their cyber capabilities, as recalled by Florence Parly in Rennes on September 7 (Speech by Florence Parly, Cyberdefense Command in Rennes, September 7, 2020).
Cyberspace: the fifth area of war
In his book The Perfect Weapon, David Sanger notes that no less than 30 states have developed offensive cyber capabilities. The NCPI 2020 report ranks the United States, China, the United Kingdom and Russia first in military capabilities, with France in sixth position. The first question for States is that of responsibilities in the event of an attack.
In the United States, the Department of Defense is responsible for the security of its own systems and attacks against foreign targets, through the National Security Agency, while the powerful DHS (Department of Homeland Security, a sort of ministry of Interior) is responsible for the security of all other government networks. Israelis and British have a close organization.
In France, a certain confusion remains around the prerogatives of cyber defense, which concern three ministries: The Prime Minister has under his supervision the National Agency for the Security of Computer Systems (ANSSI), created in 2009, which has an information mission , supervision and is in charge of the response in the event of an attack on the State systems. The Ministry of Defense protects its own networks and undertakes offensive operations. Finally, the Ministry of the Interior is focusing on the fight against cybercrime, via the police and the gendarmerie.
There are also a large number of coordination bodies: the Cyber Steering Committee, the Cyber Steering Committee, the Cyber Crisis Coordination Center, itself split into 4 distinct branches … However, faced with a threat too large, any state entity operating alone takes the risk, as Sun Tzu wants it, that“by wanting to defend everywhere we do not win anywhere”.
In addition, a good defense is not always enough: France thus detailed in 2018 the concept of “offensive computer warfare”. But this cannot be enough to define a doctrine.
Towards a French cyber deterrence?
Reflections on nuclear weapons in the mid-twentieth century resulted in a central idea: deterrence. This aims to discourage the opponent from hitting by letting him know that his attack will be followed by a counterattack that is at least as devastating. A French-style “cyber-deterrence”, explicit and vigorous, without being aggressive, could force potential attackers to think twice.
This cyber-deterrence would benefit from relying on European synergies. As such, the Cyber Defense Pledge signed in 2016 by NATO members opens up promising prospects, but would benefit from being supplemented by the emergence of European groups fighting offensive IT.
Deterrence will not stop all attackers, however. As General Sanders of the British Army reminded us, in an interview on September 25, 2020, the British armed forces are attacked … more than 60 times a day (“Top general lifts lid on Britain’s cyber attack capability”, Financial Times)! If it is indeed an all-out war that we are facing, we must also ensure mobilization at the rear.
Mobilize the rear
A defense system is only as strong as the weakest of its links. The pirates know this well. This is why they take advantage of the lack of cyber culture of ordinary citizens to threaten national sovereignty.
In recent months, research centers against Covid in the United Kingdom (., Le Parisien, “Vaccine against the coronavirus: Russian hackers accused of targeting British research”, July 16, 2020)and in Spain were thus the object of computer attacks, which were respectively carried out by Russian and Chinese hackers (El Pais, “Hackers chinos robaron informacion de la vacuna espanola para la Covid”, September 18, 2020). It appears that the boundaries between state cyber defense and civil society are often blurred, and that it is important to protect this one in order to defend that one.
In this context, the best prevention is informing citizens. In the same way that it is necessary to wear a coat in very cold weather to avoid getting sick, it is now essential to adopt good reflexes on the Net in order to protect individuals and organizations. ANSSI has already initiated several actions that go in this direction through its publications and recommendations, providing solid support for information. The GDPR now requires companies to notify their customers of the theft of their data, allowing them to be aware of the threat and react accordingly.
It’s a very good start, but there is still a long way to go before civil society understands the Internet as a living space in its own right, with its own risks. It is only by guaranteeing this transparency, and by amplifying the educational work on these subjects, that mentalities will be able to change and good reflexes be perpetuated.
From this perspective, three cardinal objectives could be pursued:
- Establish a cyber-deterrence policy. First of all, to make known the extent of French cyber-capacities with attacks against indisputable targets (“rogue states”, criminal or terrorist groups). Then, make public the doctrine of deterrence, specifying the perimeter subject to French cyber-deterrence, as well as a gradation of the country’s responses according to the targets and the severity of the attack. This could include all the entities of the French State, as well as certain large strategic industrial and energy companies.
- Help companies adapt to the new paradigm. Large groups such as VSEs / SMEs must all tackle cyber issues head on, and the public authorities must help them. Beyond the prevention campaigns, the “Diag Cyber”, the device to help cyber securing SMEs and midcaps in the defense industry, is an initiative to be extended. Targeted tax credits could facilitate the upgrade.
- Create a cutting-edge ecosystem around the cyber campus. We could regret the lack of cooperation between the world of research, companies and public actors. However, only the pooling of skills within an ecosystem, inspired by the Israeli Technion model, will make it possible to resolve the challenges of tomorrow. In this perspective, the inauguration of the cyber campus is a unique (and not to be missed) opportunity for France to take the lead and assert its influence.
The double priority is therefore to train and inform: educate students from middle school on cybersecurity professions; repeat over and over again the conclusion steps that basic protection. Maybe in the long run these little mantras will come into our habits, like the thought of looking before crossing. But until then, there will never be too many of us speaking out.