war on the rocks

Signaling, Victory, and Strategy in France’s Military Cyber Doctrine

May 8, 2019

On Jan. 18, French Minister for the Armed Forces Florence Parly and Chief of the Joint Staff Gen. François Lecointre unveiled part of France’s new military cyber strategy. Both officials released a defensive policy (Politique ministérielle de lutte informatique défensive) and a partially unclassified offensive doctrine (éléments publics de doctrine militaire de lutte informatique offensive). On Apr. 23, François Delerue, Alix Desforges, and Aude Gery published an essay giving a first and closer look at these announcements. They focused on the strategic significance of both documents in the broader context of France’s posture toward cyberspace. My aim in the following essay is to explore the operational and organizational implications of the military cyber strategy for the French armed forces.

As François, Alix, and Aude show, while some elements are new for the broad domestic and international audiences, both doctrines result from a process which started in 2009 with the creation of ANSSI (Agence Nationale de Sécurité des Systèmes d’Information) as an inter-ministerial body. Additionally, it is credited to the progressive emergence of an organization tasked with operationalizing cyber capabilities inside the armed forces, first as an individual position in the Joint Staff – the general officer commanding cyberdéfense – and then as a proper Cyber Command under the auspices of the Joint Staff in 2017. Writing an offensive doctrine was part of the first missions given to Cyber Command by then-minister of Defense Jean-Yves Le Drian when he announced its creation in Dec. 2016.

In sum, these developments may be interpreted as the completion of the first phase of operational preparation for Cyber Command and the Ministry of Armed Forces. First, they confirmed the structuration of military cyberdéfense in two major operational dimensions under Cyber Command: lutte informatique défensive and lutte informatique offensive, thus consolidating the organizational distinction between offense and defense. Second, they must be put in perspective with the effort made by both French policymakers and the armed forces since 2014 to produce organizations, capabilities, and doctrines consistent with the overall strategic and political goals stated from 2006 to 2009 and with the corollary imperative to integrate armed forces with the inter-ministerial level.

Analyzing these documents and both speeches is an important task to help explain and understand the French cyber strategy in three important ways. First, the declaratory dimension of doctrines and official speeches cannot be overlooked. As such, a careful analysis of the doctrine reveals a framework for employing offensive cyber operations, thus signaling motives and red lines. Second, doctrines impact the planning and conduct of operations through a theory of victory. A detailed and analytical look at it tells us how the French military represents cyberspace as an operational domain and what uses of offensive operations it envisions for both gaining or maintaining operational initiative in cyberspace and supporting conventional operations in overseas theaters. Third, a doctrine is a starting point for recruiting and training, maintaining and developing capabilities, and socializing members of the armed forces to the threats, challenges, and opportunities borne by offensive and defensive cyber operations.

Framing the Context of Use: The Declaratory Side of Cyber Doctrines

For French strategist Hervé Coutau-Bégarie, declaratory strategy aims to “[orient] the adversary’s behavior and prevent its miscalculations.” Doctrines and official or semi-official speeches are thus integral to any strategy in that they complement – and in the case of deterrence, they precede – the operational aspects and the use of force. Although most of the doctrine remains classified, its public elements make it possible to identify the employment framework for cyber offensive operations.

The legal aspects are clearly outlined: On the one hand, offensive operations are governed by France’s commitments to international humanitarian law and its promotion of responsible standards of behavior. On the other, it is ruled by compliance with the Defense Code in accordance with the exemptions provided for in Article L2321-2, which authorizes state security services “to carry out the technical operations necessary to characterize the attack and neutralize its effects by accessing the information systems that caused the attack.”

 

Operations are also closely supervised at the decision-making level since they are carried out by Cyber Command under the supervision of the Joint Chiefs of Staff and under the authority of the prime minister. This clearly indicates a desire for restraint in order to avoid escalation. But this also points to the seriousness of the French government in initiating offensive cyber operations if necessary.

 

Nevertheless, as pointed out by François, Alix, and Aude, there remains an ambiguity regarding the applicable legal framework when resorting to offensive operations. This situation results partly from the absence of consensus among governments to deal with cyber operations, including outside armed conflict, and the regulation of military conduct in cyberspace. But it may also result from the distinction made between lutte informatique défensive and lutte informatique offensive as operational constructs.

Importantly, the publications provide a better understanding of the operational – and therefore organizational – distinction between offensive and defensive operations. Defensive operations partially relate to neutral and enemy networks and systems, indicating that the distinction is more functional than spatial. The doctrine states that lutte informatique défensive mainly covers anticipation, detection, and reaction, which are oriented towards the outside of the networks to be defended. Meanwhile, lutte informatique offensive occurs alongside a spectrum of military functions encompassing intelligence (attribution, characterization, surveillance), defense (identification, intervention, neutralization), and action (counter-influence, counter command and control). In short, offensive operations are meant to generate effects against an adversary system, while defensive operations are meant to preserve freedom of action facing a threat. This is thus an operational and not a tactical distinction. In a conventional way, the offensive doctrine recalls the importance of operational secrecy, while stressing that any claim to offensive actions is a political decision. It thus recognizes the necessary balance between military and political imperatives when dealing with offensive operations, especially absent a state of war and/or when pursuing coercive goals. This approach is consistent with the empirical and theoretical research conducted on this subject.

Strategically, the general framework for offensive operations seems clearly delineated. In the doctrinal publication as well as in the press release, offensive cyber operations are aimed at the engagement of the armed forces, more particularly in overseas operations. In this area, it is mainly a question of publicly confirming an operational use. Nevertheless, offensive operations are likely not to be limited to this framework. In her speech, Parly emphasized the role offensive cyber operations could play in response to an attack, as well as in contributing to deterrence alongside conventional means. This indicates that a significant part of offensive cyber operations is the responsibility of the Direction Générale de la Sécurité Extérieure (External Intelligence Service, which belongs to the Ministry of Armed Forces) and lies outside the lutte informatique défensive/lutte informatique offensive framework. This remaining ambiguity is partly a deliberate move, but it also brings to light the resulting loopholes when attempting to draw organizational boundaries in a new context of operations. Lutte informatique défensive and lutte informatique offensive are dimensions of the military actions in cyberspace. To sum up, this signals the advancement of cyber capabilities without unveiling the means used at the national and strategic levels by other agencies.

Which Theory of Victory? Offensive Cyber Operations as an Effects Amplifier

Doctrines also reveal a lot about how military and political leaders envision the use of force to achieve their goals. They encapsulate a “theory of victory”; concepts about the environment, threat, critical tasks, and mechanisms through which threats are dealt with or goals are achieved. In that matter, both lutte informatique défensive and lutte informatique offensive doctrinal documents provide numerous statements.

Lutte informatique offensive

First and foremost, offensive cyber operations contribute to traditional military functions (intelligence, defense, action) as effects amplifiers. These modes of action are combined with, or replace, conventional military capabilities to produce effects at the tactical and strategic levels. They are implemented by specialized units integrated into a global maneuver in order to control their effects and limit the risk of collateral damage. In particular, offensive cyber operations contribute to the assessment of enemy capabilities, the reduction or neutralization of those capacities, and the alteration of the enemy’s ability to assess the situation.

Second and more broadly, offensive operations are conceived to ensure the ability to operate in cyberspace as well as in other domains dependent on digital networks and systems. Thus, offensive cyber operations are seen as a critical tool to achieve operational superiority in the theater of operations. This denotes a representation according to which cyberspace is both an operational domain in its own right and an enabler of military operations in all other domains.

Lutte informatique défensive

Lutte informatique défensive is responsible for the defense of the networks of the ministry of Armed Forces. To this end, it is tasked with anticipating, detecting, and responding to a certain level of threat or to an attack. Lutte informatique défensive relies on cyber means but also on kinetic or even civilian means, such as diplomatic pressures, economic sanctions, or legal actions. Lutte informatique défensive is thus an operational task, concerned both with the networks to be defended and with potential threats or risks from outside. It also implies the necessary integration with partners at the national (other agencies and ministries), private and regional levels (in the case of NATO and the European Union), and the pursuit of multilateral as well as bilateral cooperation.

To ensure the armed forces’ freedom of action, the Ministry of Armed Forces established a permanent cyber security posture, which reveals an understanding of cyberspace as an environment of permanent confrontation, including in peacetime. This representation, in converging with the “persistent engagement” vision of the United States Cyber Command, also conceives of risks and threats according to the severity of the impact and the threshold of an attack.

In addition, lutte informatique défensive and lutte informatique offensive are part of a full-spectrum of operations alongside intelligence operations, influence operations, resilience and strictly defensive tasks (cyber protection). This denotes an understanding of cyber operations as a continuum. Nevertheless, the boundaries between lutte informatique défensive and lutte informatique offensive on the one hand, and other offensive operations on the other hand remains a bureaucratic and operational challenge to be managed on a case-by-case basis.

The Strategy of Means: Achievements and Challenges Ahead

The January announcements mark an important step for the development of capabilities in the ministry of Armed Forces. With nearly 3,400 cyber combatants – and the recruitment of an additional 1,000 personnel – Cyber Command is nearing full operational capability, in accordance with the Pacte Défense Cyber launched by Le Drian in February 2014. The purpose of this approach was to operationalize the ministry by focusing on six topics: organizational and technical capabilities, academic and industrial research, human resources and career paths, international partnerships, fostering a cyber national community, and creating a “Pôle d’excellence cyber” in Brittany.

The announcements are also consistent with the reorganization promoted by the Strategic Review on Cyberdéfense released in February 2018. This document stressed the importance of clearly delineating the areas of responsibility of ANSSI – the defense of national networks – and of the Ministry of Armed Forces – ensuring the ability to operate by defending the ministry’s networks. Cyber Command was therefore entrusted first with defending the ministry’s networks and information systems in conjunction with ANSSI and secondly with participating in the “military action” operational chain under the authority of the president. By organically separating the protection of critical infrastructure (ANSSI) and offensive and intelligence operations (Ministry of Armed Forces), the reorganization allows for greater efficiency. The ministry of Armed Forces has achieved horizontal integration at the inter-ministerial level, allowing for the release of public or partially public doctrines on military cyber operations.

The integration of Cyber Command inside the ministry, particularly in relation with other directorates and services, remains a challenge. Following the release of the documents at the end of January, Cyber Command attained full operational control of two important components charged with lutte informatique défensive: the CALID (Centre d’Analyse en Lutte Informatique Défensive), which is the operational center tasked with defending the Ministry of Armed Forces’ networks, and the CASSI (Centre d’Audits de la Sécurité des Systèmes d’Information) tasked with penetration testing of systems inside the ministry. Thus, placed directly under the authority of the Joint Chiefs, Cyber Command has achieved full operational control of both lutte informatique défensive and lutte informatique offensive. That said, its role in the overall recruitment, training, and careers of cyber combatants is limited since it must rely on the various services’ human resources policies. Hence  it is critical that members of the armed forces are educated on the lutte informatique offensive and lutte informatique défensive.

Conclusion

The release of the doctrinal papers on military cyber operations is an important step for the affirmation of France’s stance in cyberspace. By acknowledging it will resort to offensive operations if necessary, the only ministry of defense to have done so, along with the United States, France has made itself a top-tier cyber power while breaking an entrenched taboo. At the same time, the articulation of a military doctrine allows French policymakers to carefully limit and frame its use. Thus, it is consistent with France’s posture as a stability-seeker and as norm entrepreneur in cyberspace.

Beyond these declaratory goals, challenges and questions remain. First on implementing this approach; the integration of cyber capabilities in a whole-of-government approach is still a work in progress. Doctrinal consistency doesn’t necessarily translate into unity of effort both inside and outside the ministry. Organizational integration depends upon the incentives to embrace change and to overcome bureaucratic silos. There are also geopolitical issues. As shown by the French and American publications of offensive cyber doctrines, in trying to balance between national security and strategic stability, governments must consider the competing systemic and geopolitical risks. Building stability in an interdependent field requires the promotion of collective security and advancing norms. Ensuring national security requires the development of military means and postures that can deter threats. These two security models are only partially reconcilable. As such, the French military doctrine strikes a pragmatic approach to deal with this dilemma.

 

Stéphane Taillat is an associate professor of War and Strategic Studies in the Department of International Relations at St Cyr French Army Academy, and a researcher at Centre GEODE. He is deputy director of the master’s degree specialized in the conduct of operations and crisis management in cyberdéfense at St Cyr. He co-edited La cyberdéfense, politique de l’espace numérique [Cybersecurity: Politics in the Digital Domain] (Paris : Armand Colin, 2018) with Amaël Cattaruzza and Didier Danet. He recently authored “Disrupt and Restraint: the evolution of cyber conflict and the implications for collective security” for Contemporary Security Policy. Opinions expressed herein are his own. You can find him on Twitter @staillat.

The author would like to thank Arthur Laudrain and Aude Géry for their helpful feedback.

Image: War on the Rocks