A Close Look at France’s New Military Cyber Strategy
“Cyber warfare has begun and France must be ready to fight it,” Florence Parly, the French minister for the armed forces, declared on Jan. 18. Parly was introducing the new French Military Cyber Strategy, which consists of two separate documents: the Ministerial Policy for Defensive Cyber Warfare (hereafter the Ministerial Policy) and the Public Elements for the Military Cyber Warfare Doctrine (hereafter the Public Elements). Together, these documents outline the French Ministry of Defense’s (ministère des Armées) doctrine on lutte informatique défensive et offensive, or defensive and offensive cyber warfare.
This marks the first time France has disclosed elements of its military cyber strategy, most importantly the offensive aspects of that strategy. As Parly noted, this new strategy is part of a broader effort she is leading to adapt the French army to 21st-century threats.
This article will analyze the main elements of France’s military cyber defense strategy and doctrine and examine how they relate to France’s overall cyber defense strategy as outlined in the 2018 Strategic Review of Cyberdefense. The content of the newly released documents is not so surprising, as it reflects the long evolution of military cyber defense in France over the past decade and illustrates France’s global approach to this emerging domain, outlined in War on the Rocks last year by Boris Toucas. But the choice to publicly release the doctrine — especially its offensive dimension — both affirms France as a cyber power and sets a precedent for future national cyber strategies.
Going Public: France Reaffirms Its Status as a Cyber Power
In France, “cyber defense” refers to the national framework that aims to ensure the protection of the state’s networks, including — but not limited to — the Ministry of Defense’s networks. Therefore, cyber defense in general is the responsibility of the director general of the ANSSI, or National Cybersecurity Agency of France, while the commander of cyber defense (COMCYBER) is exclusively in charge of the Ministry of Defense’s cyber defense. The new documents deal with military cyber strategy, and thus apply only to the ministry’s efforts to protect itself against attacks. Thus, it appears the doctrine does not apply to cyber operations led by intelligence services.
The public acknowledgement that French military cyber strategy is both defensive and offensive is not new. This was first noted in the 2008 White Paper on Defense and National Security and has since been reaffirmed in every strategic document that mentions cyber defense capabilities. Two years ago, then-Minister of Defense Jean-Yves Le Drian declared that military superiority could not be achieved without superiority in cyber space and that cyber weapons were now part of France’s military capabilities alongside conventional and nuclear weapons. However, the new strategy offers an unprecedented level of detail about both defensive and offensive military cyber warfare.
Why is this notable? By publicly outlining its doctrine, France assumes the posture of a cyber power, sending a message to allies and partners, as well as to potential attackers. In her remarks, Parly repeatedly affirmed that France has the capacity to identify perpetrators. As such, it is not afraid of using its cyber capabilities and has the power to retaliate if need be, seemingly an effort to discourage those who would consider attacking the Ministry of Defense.
Publicly exposing elements of the offensive doctrine can also be seen as a way to show strength without publicly attributing cyber attacks. Unlike its Western allies, the French government does not go public with its assessments of who committed an attack, preferring to use diplomatic channels to discuss the issue with the allegedly responsible actor. It must be noted, however, that France seems to be slowly moving toward public attribution. In October 2018, the Ministry of Foreign Affairs reacted to the hack of the Organization for the Prohibition of Chemical Weapons — which other countries attributed to Russia — by saying that France stands alongside its allies. Just a few months later, Parly indirectly attributed a cyber operation targeting the Ministry of Defense to the Turla hacking group.
The fact that the French government rarely speaks publicly about cyber operations, whether offensive or defensive, makes it difficult to point to specific examples of the country’s cyber warfare doctrine in action. But this is also why the release of these documents is interesting. By publishing an offensive cyber warfare doctrine, France has raised expectations about its future response to cyber attacks. The Public Elements anticipates these expectations by noting that France’s military cyber operations are subject to secrecy, thus avoiding some of the risks associated with charged political statements.
The Offensive Military Cyber Warfare Doctrine
The first of the two documents comprising France’s strategy is the Public Elements for the Military Cyber Warfare Doctrine. The Public Elements document defines military offensive cyber warfare as “all military actions undertaken in cyberspace, in support or not of other military capabilities. Cyber weapons aim, in accordance with international law, at producing effects against an adversarial computer system to alter availability or data confidentiality.” Thus, the document asserts that France can operate at both the defensive and offensive levels, as well as counter information manipulation by “discreetly” altering data.
The Public Elements exposes how the French Ministry of Defense thinks about the way it actually uses cyber capabilities. According to the document, cyber capabilities have a tremendous “multiplier effect” that can bolster conventional capabilities. As cyber operations become an integral part of military operations, cyber weapons are becoming part of the capabilities at the disposal of the French military. Offensive cyber capabilities have three operational goals: intelligence gathering, neutralization of adversarial capabilities, and deception of adversaries. According to France’s doctrine, the commander of cyber defense can also decide to use offensive capabilities in support of defensive cyber warfare if an attack targeted operational military capabilities or the Ministry of Defense chains of command.
Significantly, the Public Elements dedicates one of its 12 pages to the risks of offensive cyber capabilities, which “require an absolute control of political, judicial, and military risks at all stages of the operation.” The document emphasizes the need for political leaders to have in mind all the risks associated with offensive capabilities when deciding to use them. Thus, the doctrine emphasizes “end-to-end strict control over the use of cyberweapons, notably to avoid any risk of diversion, of tools being compromised or of collateral damages.” It notes the risks of escalation as well as of public disclosure, which includes but is not limited to the question of attribution.
The document also reiterates France’s position on international cooperation. Following up on the Cyber Defense Pledge that NATO members adopted in 2016, France says it will cooperate on some aspects of offensive cyber warfare but will always maintain full control over its operations and capabilities, which “remain within the scope of its strict sovereignty.” In this way, France reaffirms its position on military cooperation in cyber space, a posture characterized by both cooperation and independence – as is the case in other areas of its defense and foreign policy.
Both the Public Elements and Parly’s remarks put great emphasis on the legal framework surrounding the use of cyber capabilities. They remind us that any cyber operation undertaken would be subjected to strict prior legal review and that the targeting processes are very stringent. There is nevertheless some ambiguity around the legal framework regulating the use of these capabilities. Somewhat surprisingly, France’s strategy emphasizes the role of international humanitarian law, which only applies to armed conflict. Other branches of international law seem more applicable to cyber operations, particularly the law of state responsibility and the principles of territorial sovereignty and non-intervention.
The document’s focus on international humanitarian law thus raises interesting questions about the most appropriate legal framework to regulate military conduct in cyber space. It also highlights the urgent need for the international community to reach consensus on how international law applies to cyber operations, including outside of an armed conflict. Ultimately, the Public Elements state that when offensive capabilities are used in support of offensive cyber warfare, the applicable legal framework is set by article L. 2321-2 of the Defense Code, which defines when French authorities can resort to offensive cyber capabilities to characterize or neutralize a cyber operation.
Defensive Military Cyber Warfare Doctrine
The second document is the Ministerial Policy for Defensive Cyber Warfare. Based on an acknowledgment that cyber defense is a shared responsibility, the Ministerial Policy aims to better define the enterprise and the division of labor among the Ministry of Defense, its various components, and its industrial partners outside of government.
Defensive cyber warfare is defined as any action, technical or not, undertaken to counter a cyber attack (or a threat or risk thereof) to maintain the Ministry of Defense’s freedom of action. The doctrine of defensive cyber warfare is rooted in the idea of an end-to-end chain of cyber defense. First, it implies a certain organizational hierarchy. The chief of the defense staff is responsible for defending the Ministry of Defense from cyber threats, and the COMCYBER is in charge of its implementation. The individual chiefs of staff of each component of the armed forces, as well as each directorate or component of the ministry, are responsible for cyber defense within their perimeters. The CALID, or defensive cyber warfare analysis center, now under the authority of the COMCYBER, is in charge of overseeing the technical aspects of cyber defense within the ministry.
The strategy goes beyond just defining the organization and missions of the Ministry of Defense. As Parly stated, some previous cyberattacks directly targeted the ministry’s networks, while some were directed at the defense industry or the ministry’s partners but impacted or could have impacted the ministry’s security. This is why, a few days after rolling out the strategy, she proposed a convention between the defense industry, the COMCYBER. and the Defense Procurement and Technology Agency (Direction générale de l’armement) which is in charge of building the ministry’s capacities. This proposal is a smart idea, as it takes into account how attackers can get to the Ministry of Defense. In the same vein, last year the Ministry of Defense created the Agency of Defense Innovation, aiming at developing the new technologies essential to the efficient exercise of sovereignty. This followed up on the recommendation of the Strategic Review of Cyberdefense to rely on secure capabilities (relating to the issues of security by design and autonomous strategy).
The Military Cyber Strategy — both its offensive and defensive components — demonstrates a comprehensive approach to cyber defense by involving the entire French military industrial complex in addition to the Ministry of Defense itself. More broadly, the documents follow naturally from the 2018 Strategic Review of Cyberdefense and are part of the French government’s effort to adopt a global approach on these issues.
A Long Evolution in French Thinking
The Military Cyber Strategy is the result of a long evolution of the French cyber defense framework. Over the last decade, at least 10 landmark documents have contributed to this evolution: white papers on defense and national security, military planning laws, cyber defense strategies. The recently unveiled strategy ought to be read in light of this ongoing shift and in the context of France’s global effort to strengthen its cyber defense.
Recent changes in the Ministry of Defense’s organization for cyber defense are also important context for the new documents. The COMCYBER was created in January 2017 and placed directly under the authority of the chief of the defense staff. In France, cyber space has been considered a military field since 2008. Before the creation of the commander of cyber defense, the “officier général cyberdéfense” was involved in military operations – reflecting that France already had an operational vision of cyber space – but with fewer prerogatives. Moreover, the French Military Programming Act 2019-2025 of July 2018 allocates significant resources for military cyber defense (1.6 billion euros and the hiring of 1,000 new cyber combatants), stressing the need to continue investing in the field. The publication of a military doctrine is only the latest step in the ongoing growth of military cyber defense in France.
The Military Cyber Strategy strikes a balance between power, strength, and responsibility. In addition to applying a strict legal framework, the minister insisted on a strong French role in maintaining security and stability in cyber space, including through the adoption of norms of responsible behavior. This approach appears to be a direct outgrowth of what was outlined in the Strategic Review of Cyberdefense. Indeed, that document emphasized France’s commitment to the U.N. Group of Governmental Experts process and its outcomes, highlighting the applicability of international law and the development of norms.
Even as France stresses cooperation, it is also a clear message to allies and other actors who may seek to do harm to the Ministry of Defense. As Parly declared:
In case of an attack against our military forces, we reserve to ourselves the right to retaliate, in accordance with the law, by the means and at the time of our choice. We also reserve to ourselves, whoever the attacker is, the right to neutralize the effects and the digital means used.
Thus, the new cyber defense strategy reflects France’s posture at both the national and international level. At the national level, the strategy is consistent with French defense policy since World War II, which is based on strong national military capabilities, so as to be able to decide when and how to operate in cyberspace.
At the same time, France will take care in cyber defense to act multilaterally as much as possible and to meet its international commitments and obligations. Ultimately, the new document reflects France’s longstanding proclivity toward international cooperation, but at the same time, more than any other French cyber document, it highlights the country’s efforts to forge its own way as a cyber power.
François Delerue is a research fellow on cyber defense and international law at the Institute for Strategic Research (IRSEM – Institut de Recherche stratégique de l’École militaire) and rapporteur on international law of EU Cyber Direct. In 2016, he defended his PhD on the international law applicable to cyber operations at the European University Institute (EUI). You can follow him on Twitter: @francoisdelerue
Alix Desforges is a postdoctoral researcher at the center GEODE (Geopolitics of the datasphere) at Université Paris 8. From 2013 to 2018, she was a researcher at the Castex Chair of Cyberstrategy at the Institute of Higher National Defense Studies (IHEDN). Her PhD research is based on a geopolitical approach to cyber space and analyzes the stakes for French defense and security strategy.
ude Géry is a PhD candidate in international law. Her thesis focuses on cyber weapons proliferation and international law. More generally, she works on national legal and diplomatic strategies on the regulation of cyber space. She is an associate researcher at the center GEODE. You can follow her on Twitter: @AudeGery
The authors were not associated with the redaction process of the Military Cyber Strategy. This article represents the authors’ own opinions and cannot be attributed to any other persons or institutions. The quotes drawn from the strategy were translated by the authors and do not represent an official translation.