Alex Grigsby is the assistant director of the Digital and Cyberspace Policy program at the Council on Foreign Relations.
Earlier this month, French Digital Economy Minister Mounir Mahjoubi released a strategic review of France's approach to cybersecurity. The review is a wholesale reassessment of the cyber threats France faces but recommends a number of policies that will be familiar to anyone who has read a national cybersecurity strategy document in the last decade: delineate clear roles and responsibilities for government organizations; protect government systems and critical infrastructure providers; and modernize cybercrime laws and investigative techniques.
And coming in at 186 pages, it is far too lengthy to provide a faithful overview of the whole thing in a blogpost. Instead, here are three takeaways that provide insight into France's approach to responding to cyberattacks, promoting cyber norms, and regulating private sector action online.
First, the white paper recommends France adopt a classification mechanism for cyberattacks that will allow policymakers to assess the effect and impact of an operation directed at France, and recommends a model loosely based on the Department of Homeland Security's Cyber Incident Scoring System. The classification mechanism ranges from 0 (an insignificant event) to 5 (an urgent and extreme crisis, and the only type of incident that could trigger the threshold of an armed attack within the meaning of the UN Charter). Cyberattacks would be classified based on the effects that they cause, their severity (e.g. intent, nature of the target, the nature of the attacker, the relative severity of an incident compared to others, and the odds of recurrence), as well as how damaging they are to French sovereignty, public safety, quality of life (e.g. attacks on critical infrastructure), and the economy.
None of these criteria are particularly revolutionary, but simply outlining the thought process French decision-makers will consider to craft a response acts as a signal to international audiences. It gives potential adversaries insight into the considerations French leaders will consider as they develop a response, improving decision-making transparency and reducing the odds of misperceptions that can lead to escalation (more on why that matters here). The white paper also makes clear that the classification mechanism is meant to guide French policymakers, and that a response should always be a political decision based on the facts of a case—it is not intended to telegraph an automatic "if this, then that" response.
Second, the review argues that France should continue to support the development of cyber norms, despite the stalemate of the 2016-17 UN Group of Governmental Experts. France should encourage the widespread implementation of the cyber norms contained in the 2013 and 2015 GGE reports through an intergovernmental peer review mechanism. No details are given on what a mechanism would look like but it wouldn't be surprising if the Financial Action Task Force, which monitors compliance with money laundering and terrorism financing rules based in Paris, was used as a model. The United States has sought to hold states accountable for non-compliance for cyber norms but has not yet called for a new international organization, instead relying on ad hoc actions like calling out Russia over NotPetya.
The white paper further argues that states victim of a cyberattack should be able to exercise three rights. First, states should have the ability to petition the UN Security Council if the cyberattack they suffered amounted to a threat to international peace and security. Second, states have a right to respond to a cyberattack, and though they have a duty to respond peacefully, they can also resort to "necessary and proportionate measures to neutralize the effects of an attack." The third is a state's right to consider a cyber operation as tantamount to an armed attack as defined in international law. That last one may not sound controversial, but it is worth recalling that China and a few others have yet to publicly agree that a cyber operation can trigger the right to self defence.
The third takeaway is that France should encourage the adoption of new norms that regulate the actions of private sector actors in cyberspace to ensure that states "maintain a monopoly on the legitimate use of violence in cyberspace." The white paper proposes three actions:
- Ban non-state actors from undertaking offensive cyber activity in pursuit of their own interests or on behalf of other non-state actors. In other words, France views policies of allowing private companies to "hack back" as a non-starter. Having a state hire a contractor to conduct cyber operations on its behalf, however, is OK.
- Strengthen the export control regime that limits the spread of intrusion tools, software, and techniques that contributes to the proliferation of the vulnerability and exploit market.
- Promote a norm that private sector actors have a responsibility to incorporate security through the development lifecycle of their products, and release the source code and documentation to the public once a product reaches its end of life. That would allow those who still use the discontinued product to support it.
The white paper notes that the first two were endorsed by UN GGE members during the 2016-17 negotiations. That might make them less controversial with states and the document hints France might raise them at future G20 meetings, but private companies, particularly in the United States might take issue. There are a few think tanks in Washington, DC that will tell you that hacking back is a good idea (it's not). And there are more than a few that will tell you that their experience with creating cyber export controls through the Wassenaar arrangement does not bode well for future efforts.
If you are within the Venn diagram of cyber policy nerds who can read French, you should take the time to read the whole document. There are sections that address the use of industrial policy to encourage national champions (none of the Cellebrites or Crowdstrikes of the world are French) and the need to develop a mechanism to put a price on cyber risk. There's also a recommendation to have the government launch a think tank that could be used to promote French positions on cyber issues. Living in Paris to ponder the great cyber questions of our time sounds nice doesn't it? No? Just me?