
Cyber weapon challenges and strategy – Part 2: Offensive cyber warfare


June 24, 2019

By Franck Cecile - TheExpert Cybersecurity Squad

On January 18, 2019, Florence PARLY, Minister of the Armed Forces, unveiled France's doctrine on Offensive Cyber Operations (LIO). This set of activities, already mentioned three years earlier by Jean-Yves LE DRIAN, then Minister of Defense, embodies the very use of cyber weapons by a state. The establishment of this doctrine officially opens up a new field of operation for the armed forces, on a par with land, sea, air, and space. Its purpose is to contribute to French military superiority in cyberspace.

Why LIO?

While the need to lead and coordinate cyber protection and cyber defense actions is no longer a novelty in France (creation of the DCSSI in 2001, which became ANSSI in 2009, the 2013 Military Programming Law, the strategic review of cyberdefense by the SGDN in 2018, etc.), the need to develop offensive capabilities echoes the growing number of cyberattacks targeting the state.

Operating methods have evolved, and it is no longer just isolated hackers who are behind them, but rather "states that are, to say the least, intrusive and uninhibited," according to our Minister. While in its 2018 annual report, ANSSI cites online fraud and cryptocurrency generation as growing threats, it also fears the exfiltration of strategic data, indirect attacks, and destabilization or influence operations. In other words, the concern is no longer just about attackers with a simple profit motive, but rather structured organizations with substantial, even virtually unlimited, resources. These include states, organized crime, but also terrorists and activists. This fear is reinforced by the growing number of attacks aimed not at directly impacting us, but at testing our detection and response capabilities, particularly within our critical infrastructure. These methods can be illustrated by the increasingly frequent aerial patrols along our borders, which come ever closer without ever crossing the line.

While the creation of a cyber strike force is primarily intended as a deterrent, "France reserves the right to retaliate" and "will be prepared to use cyber weapons in external operations for offensive purposes, either alone or in support of our conventional capabilities, in order to multiply their effects." 

Furthermore, the number of countries with cyber armies and cyber warriors is growing. The United States (approximately 7,000), Russia, North Korea (6,000), China, Great Britain, and Germany, to name a few, already officially have cyber military forces. The figures are uncertain, as this type of information is rarely made public. But one thing is certain: more and more military personnel are operating in cyberspace to prepare for the wars of the future. Hence the need to establish an LIO doctrine for France, which already has around 3,000 cyber warriors, and whose ranks are set to grow further with the 2019 Military Planning Law (4,000 in 2025).

What is LIO?

The LIO doctrine establishes France's military strategy in the context of cyberwarfare. In its public section (available online), it specifies in concrete terms the types of operational objectives it enables:

  • Intelligence: the extraction of information enabling the assessment of enemy military capabilities or situations (geographical location of forces, number of men or equipment deployed in the field, troop transport, etc.).
  • Neutralization: reducing enemy offensive capabilities (unavailability of a combat system, vehicle, etc.).
  • Deception: modification of enemy information or analytical capabilities (discreet alteration of information or combat system operating modes, etc.).

It is important to remember that the impacts are very real; the consequences of cyberwarfare are not limited to cyberspace. This does not involve using one computer to render another unavailable, but rather seeking to corrupt digital systems in order to extract information, alter the functioning of a weapon or military system (aircraft, ship, combat system, detection equipment, etc.), or mislead an adversary (more commonly referred to as manipulation).

LIO, but for what target audience?

A public section also means a confidential section. This is quite logical given the strategic importance of such a document. However, this raises questions about its content.

While it is easy to imagine the scale of the impact of a cyberattack on a military target, the impact would be no less significant if the target were civilian. In fact, it would certainly be much worse. In addition, the visibility or invisibility of a cyberattack must also be taken into account. While the neutralization of communications, energy production, or banking institutions would have a considerable—and visible—impact, it would ultimately be measurable. However, a cyberattack aimed at deceiving the nation—i.e., destabilizing or manipulating the masses (through the internet and social media, for example)—would have consequences that are extremely complex to analyze and measure.

It can therefore be widely assumed that the confidential part of the doctrine focuses on the possibilities of conducting cyber attacks against civilian institutions, either directly or indirectly. Extracting strategic information in the context of a multi-billion euro contract with a foreign supplier, neutralizing vital infrastructure in order to destabilize the economy of an adversary country at an inopportune moment (a global sporting event, for example), or manipulating public opinion to give power to the candidate one wishes to see in office... Always with the aim of tipping the balance in their favor. Does that remind you of anything?

Obviously, France has implemented this strategy primarily to align itself with other major cyber powers, whether enemies or allies! Russia, China, Israel... But also the United Kingdom, Germany, the United States... All these countries have recently developed their own cyber defense strategies and defined cyberattack doctrines. Let's not forget North Korea's recognized offensive capabilities in this area either. Generally speaking, the conclusion is clear: we are witnessing a cyber arms race, similar to the one that took place during the Cold War between the United States and the USSR, which involved more traditional weapons. With a few differences.

Who are our allies and enemies in cyberspace?

Whereas it was easy to see that the world was divided in two during the Cold War, with communist society, as desired by the USSR, on one side and capitalist society, supported by the United States and its allies, on the other, there is no clear separation between the major powers in cyberspace.

Firstly, because there are no clear geographical boundaries. Cyberspace blurs the traditional boundaries between states, actors, and sectors. What's more, the major powers that make up cyberspace are not only states, but also criminal organizations, companies, hacktivists, etc., all acting in their own interests. But above all, while until the end of the 20th century, in the context of a conventional conflict, it was easy to attribute an attack with certainty to the party that carried it out (physical identification of the attacker, technical sophistication of the attack, means and methods used, victims affected, possible underlying geopolitical reasons, etc.), the ability to attribute a cyberattack is considerably reduced in cyberspace. Malicious actions are very rarely claimed by identified actors, even more so if it is a state. Tracing the source of a cyberattack to identify its perpetrator is technically very complicated. What's more, even if the original attacker can be formally identified, they are rarely the instigator of the action. Attacks carried out in cyberspace are rarely direct. The absence of borders in this environment and the multiple interconnections that comprise it favor the anonymity of attackers.

States or companies that are victims of cyberattacks regularly direct their suspicions (or even point the finger directly) at the major cyber powers. Sometimes it is China, sometimes the United States, often Russia... Each accuses the other, and vice versa. The technical difficulties encountered mean that these statements remain officially at the stage of (strongly supported) suspicions. But these are impossible to verify with absolute certainty. We can see a kind of parallel with terrorism and the wars of the 21st century, which have broken the codes of traditional confrontation, where two sides in battle formation wage war on open terrain. Attacks are now brief, stealthy, difficult to predict and assess, and require few resources to carry out. The attackers are more or less known, and it is not always possible to formally identify them or locate them, making it extremely difficult to develop a direct response. As a result, while major historical enemies such as the United States and Russia regularly play cat and mouse by attacking each other indirectly and accusing each other of cybermaliciousness (whether justified or not), it is also becoming increasingly apparent that powers considered to be allies (France, Germany, the United Kingdom, etc.) are spying on each other, or even disrupting each other's activities... But we can never be really sure.

More than ever before in the real world, implementing means of detecting and responding to incidents (Defensive Cyber Warfare – Cyber Defense) is crucial if we want to be able to counterattack and, in a way, defend ourselves (by having the necessary means of pressure at our disposal).

What limits?

All these suspicions and assumptions—which are far from fanciful—raise further questions. What limits does France set for itself in terms of cyberwarfare? And if France sets these limits, what about our allies, or our enemies? Is the risk of a large-scale cyberwar or cyberattack really real?

After all, a growing number of studies regularly cite cyber risk as the most feared of all, both in business and more broadly. Many experts across all fields believe that the consequences of a large-scale cyberattack would be more devastating than a natural/ecological disaster, an unstable geopolitical context, or an unfavorable market trend. This is due to the diversity of scenarios and possible consequences of a cyberattack.

For many years, and even today (although a clear shift has begun in this area), experts in the field have played on fear to raise awareness of cyber risk. While today we are more interested in the business benefits of digital security than the concerns it raises, a Cyber-Pearl Harbor is increasingly feared. But what would it actually look like? A sudden and brutal shutdown of society? Simply the unavailability of an online service? War against machines? Numerous scenarios, some more fantastical than others, such as the TV series Mr. Robot, have been imagined in an attempt to outline the contours of a large-scale cyberattack. It is therefore legitimate, as an individual, to wonder how far a cyberattack could go in terms of impact.


See also on the same topic:

https://theexpert.squad.fr/theexpert/security/enjeux-et-strategie-de-larme-cyber/