Cyber-defense policies in France undergo major changes

Major reform of cybersecurity policies in France



As the European Union readies itself for GDPR on May 25, the French government presented some major changes to its cyber-defense policies in February.

Louis Gautier, Secretary General of Defense and National Security, along with Secretary of State for Digital Affairs, Mounir Mahjoubi, tabled a Strategic Cyber Defense Review. This document, which is publicly accessible (partially classified) here, marks the beginning of a new French cyber-defense strategy.

This document, which is described by its authors as a “real white paper on cyber-defense”, is divided into three parts, followed by approximately 20 priority recommendations summarizing the central elements of the document.

The first part of this Strategic Review provides a portrait of the cyber-dangers that government institutions, businesses and the public could face. These include possible vulnerabilities, various types of cyberattacks (including incidents such as WannaCryptor and NotPetya, which can often pose a bigger immediate risk compared to cyberespionage), as well as limitations related to international regulation.

The second part details the measures that the government has taken or needs to take, in order to ensure the protection of national interests. It details the characteristics of the French cyber-defense model, the importance of protecting sensitive activities – including the activities of vital operators (VIOs) and essential activities – and the establishment of the most effective measures to combat cybercrime. In particular, it recommends a gradual harmonization of security rules within the European Union, but also an increase in the role of electronic communication operators in protecting cybersecurity.

Finally, the report presents the importance of cybersecurity for private actors and institutions, as well as the responsibilities of the state and the general population. These include public awareness issues, the importance of the cybersecurity economy and digital sovereignty issues.


In parallel with the tabling of this review, and in response to some of the recommendations contained therein, the French government has also tabled a review of its Military Programming Act (MPA).

The announcement was made in early February by Guillaume Poupard, director of the Agence nationale de la sécurité des systèmes d’information (ANSSI).

The new powers granted to electronic communications operators are among the most significant measures of the new MPA.

These operators, as indicated in the Strategic Review of Cyber Defense, will now be called upon to play a significantly greater role in protecting against and detecting computer threats.

Telecommunication companies will have the power to scan their networks for technical clues of an ongoing or possible future attack. Depending on the situation, if these indicators suggest a potential attack, it will be provided to operators by ANSSI or, for more serious threats, to the Electronic Communications and Postal Regulatory Authority (Arcep).

If operators detect an attack, these companies will have to provide ANSSI with any computer traces left by cybercriminals. On the other hand, they will not have to assume responsibility for ending the attack. In some cases, operators will be required to notify their customers.

According to Louis Gautier, Secretary General of Defense and National Security, the objective is not to force operators to act proactively: “Our reasoning is that no operator has an interest in having its customers targeted by computer attacks. We rely heavily on the incentive effect of the measure, operators have a commercial interest in offering this type of service to their customers.”

While these policies are fundamental elements of cybersecurity in France, the government stresses that they are not an end point, but rather an important step in “the construction of a digital space of trust in partnership and for the benefit of citizens, institutions and all those involved in the economic, industrial, social and cultural dynamism of our country”.
