France Outlines Its Approach to Cyberwar

In a document published earlier this month (in French), France described the legal framework in which it will conduct cyberwar operations. Lukasz Olejnik explains what it means, and it's worth reading.

Posted on September 23, 2019 at 5:59 AM • 18 Comments

Comments

Clive RobinsonSeptember 23, 2019 8:21 AM

@ All,

Whilst the author is well thought of for technical input into privacy and web standards (he now works for W3C). I see no indication that he has legal training.

Further the blog post is partly lost in translation, so care should be taken in reading it (germanic and romance based languages differ quite a lot thus the way people produce a sentance from thinking in a romance language such as French to a mixed old germanic and courtly romance language such as English can cause issues).

That said the same caution should be applied to the Tallinn Manual which was developed mainly by those of English language and law backgrounds which in the past has caused me concern concern.

The original manual was a child of it's times and looked mainly at server or as some portrayed them "existential" threats. The second manual has attempted to fill in with lower level threats.

My viewpoint which conflicts with the premise of the Tallinn manual is that what are often called Cyber-warfare attacks are anything but, they are in the main Cyber-Crime and should be dealt with in that light.

For instance "Ransomware" has been predominantly cyber-crime though some from Five-Eye and WASP nations have repeatedly tryed to promote a cyber-warfare view point, which I find quite escalatory, and a sign of actually being incapable of dealing rationaly with any kind of major cyber-event. If you like it's "the Chicken little" point of view. In part because those nations are overly reliant on what is quite deliberatly defficient in security products and infrastructure. Thus they are in effect maximally vulnerable, thus easily pray to asymetric attacks of all types be they a teenager in some vilage in South America or Africa using a PC that is a decade or more old, or students in nations that WASP nations have tried to starve into some humanitarian hell through politically inspired sanctions.

The problem with asymetric attacks is as I keep noting "attribution is hard" and the fact you are being attacked by traffic from country A does not mean it has not come through a number of other countries from country G.

Whilst international law says that nation A should take attempts to stop attacks, in the real world that is at best an ideal with limited applicability. That is if even the most Internet sophisticated country America can not stop malware and other cyber-crime code, how the heck do we expect any other nation to do so?

Whilst "shiny kit" might look good in military parades, the military mentality is not suited in most cases to what is police investigatory work where questions answere are rather more important than target strikes.

International law is also not always applicable, much of it is to do with "the law of the sea" which is mainly irrelevant when it comes to land based borders that are more often regulated by treaties specific to the two abutting Sovereign Nations. International law for land is mainly based not on criminal law but acts of war. For obvious reasons that is not a good place to start dealing with what is mainly cyber-crime.

Thus my first take on the article is that in general it appears to be a move all be it small in the right direction.

But what we realy need is a proper translation of the French document and for it to be discussed by those of the legal proffession who deal with international crime rather than acts of war.

[1] https://en.wikipedia.org/wiki/Germanic_languages

[2] https://en.wikipedia.org/wiki/Romance_languages

[3] https://en.m.wikipedia.org/wiki/Tallinn_Manual

[4] https://ccdcoe.org/research/tallinn-manual/

lukaszSeptember 23, 2019 8:38 AM

Hi Cleve,

Original author here.

Perhaps consider looking at the other links I point to, for example in the linked article.
Not sure what made you conclude I work for the W3C :)

ATNSeptember 23, 2019 8:58 AM

> Thus my first take on the article is that in general it appears to be a move all be it small in the right direction.

Not precluding nuclear retaliation against a state cyber attack is a small move...
One can read anything on Internet these days.

Clive RobinsonSeptember 23, 2019 9:25 AM

@ lukasz,

Not sure what made you conclude I work for the W3C

From your "about" page,

    I'm a W3C Invited Expert, in 2018 I was elected to the W3C's Technical Architecture Group.

Do you prefer "working with" rather than "working for"?

Impossibly StupidSeptember 23, 2019 10:42 AM

@Clive Robinson

The problem with asymetric attacks is as I keep noting "attribution is hard" and the fact you are being attacked by traffic from country A does not mean it has not come through a number of other countries from country G.

Doesn't matter. I'm not paid to police A's network, nor any connection leading back to G. If I can cut off A at the firewall without serious collateral damage (i.e., nobody there is buying our stuff and we're not buying theirs), I'm going to do that to stop the attacks. The onus is on A to get their security in order if they want a seat on the world stage.

That is if even the most Internet sophisticated country America can not stop malware and other cyber-crime code, how the heck do we expect any other nation to do so?

Are you joking? The US is nowhere near implementing best practices when it comes to these matters. Look no further than the cloud providers who will sell their services to anyone with a couple of bucks. When a "customer" pays Amazon for the use of a server, Amazon doesn't do jack to vet them, or monitor their traffic. If they attack me, Amazon doesn't reward me for reporting them or compensate me for any damage done. The profit motive here makes America one of the least Internet sophisticated countries when it comes to dealing with abuse.

France is no better, of course. They are on my list of countries that, when attacked by a single server there, the firewall gets an entry for not just that server or the providers network, but the largest CIDR managed within the country. If they want people to take their stance on cyberwarfare seriously, they need to do a better job of stopping the attacks already being launched from their own territories.

loSeptember 23, 2019 12:07 PM

@Clive

Why yes indeed, it's among the other things I did in 2018. I don't see why some of the things I do/did makes the above analysis problematic.
Cheers

Who?September 23, 2019 12:10 PM

Sometimes I ask myself about the difference between cyberwar and cybercrime. It is not clear, in the same way traditional war and criminal assassination are the same to me. Only the context changes, the methods are the same.

Are we talking about destroying the adversary assets? Ramsonware (or ransomware-like malware that blocks or kills an adversary computer system without asking for a ransom) seems a valid method.

Are we talking about spying the adversary to obtain intelligence? Not very different to what does a cybercriminal or, for the case, a nation state against its citizens.

There is nothing honorable on war, either cyber or not.

Casquenoir de la JemenfoutisteSeptember 23, 2019 1:45 PM

Well, I get all my French intel from the TV series Le Bureau des Légendes.

DroneSeptember 24, 2019 1:58 PM

"Whilst "shiny kit" might look good in military parades, the military mentality is not suited in most cases to what is police investigatory work where questions answere [sic] are rather more important than target strikes [sic]."

Do your "police investigatory work" as much as you can - it is a good thing. But remember; that military "Shiny Kit" you speak of is the big dangerous club that your adversaries fear so much that they leave you alone. Peace through strength... Unilateral disarmament is an invitation to War!

Clive RobinsonSeptember 24, 2019 3:14 PM

@ Drone,

But remember; that military "Shiny Kit" you speak of is the big dangerous club that your adversaries fear so much that they leave you alone.

That is only true of other nations with their own "big dangerous club" supplying shiny kit. In asymetric warfare that does not impress or scare those "army of one" types. It's never scared insurgents, or patriots or terrorists.

Militaries have never stopped such people, but their methods have sure created tens of thousands of them. The people that stop the dangerous "army of one", insurgents / patriots, or terrorists are those who investigate methodically and carefully.

It's a lesson that those in that "big dangerous club" have been pretending does not need to be learnt.

As the Chinese political leadership pointed out to the US politicians in the Korean war it was a numbers game. Even though the US forces had killed something like a third of the population in the North they were going to keep on fighting because they sufficiently out numbered the number of US troops and with China backing them all the way there would always be more North Korean's and Chinese fighting than the US could ever hope to match.

The rules of asymetric warfare are vastly different to anything conventional troops can hope to deal with. Foreign troops especially need the civilian population to survive, if they can not subdue the population no matter how many drums are banged, flags waved or sabres rattled, they will lose. The history of Afghanistan is proof of that any atttempt to gain victory by military strengtb has always been pyric.

The thing about Cyber-Crime is it realy realy favours the "army of one" approach and it easily hides them from view such that that shiny kit has no targets to be pointed at. Worse the more dependent a nation is on technology the more susceptible that nation is to it's technology being used against it.

It's the single biggest lesson of 9/11 that people realy should get to understand. Whilst 3000 people died that day how many have died since because of it and the actions of US Guard Labour effectively against US Citizens before you even factor in "lost opportunity cost" into the equation.

AndersSeptember 24, 2019 3:17 PM

Hi lukasz

Although this document is important, you should also
take into consideration that with very carefully executed
plan it's nearly impossible to ID the adversary. So attribution
is hard and therefore most certainly legal part will be omitted
in the end. It's nice to talk that we have rules for this and
that but in the end this doesn't matter at all.

Expect more one/off guerilla type warfare. Hostile code is
a new Molotov Cocktail.

name.withheld.for.obvious.reasonsSeptember 24, 2019 4:42 PM

I believe we have to call into question the U.S. Policy as it and the positions, rationale, and OLC opinions are largely absent. Several classified presidential orders, memos, and directives remain inaccessible to public and congressional scrutiny.

From available information the U.S. DoD and the IC's have treated the policy as procedural in nature when it appears it is not. Again, from what is available, authorities and directives are scarcely out of bounds constitutionally.

The need for clear and established boundaries respecting law and precedent must be made obvious. There is a great deal of danger as I and others, including scientists involved in the problem space, can attest to.

marc OlanieSeptember 25, 2019 1:34 PM

Hi
@ Mr Robinson

As French native and (a little bit) involved in the digital security field, I can assure you that mr Lukasz Olejnik gave a very close explanation of the new "doctrine" enacted by the current government.

You are definitely right when you mentionned the difficulties translators could face when dealing with such "touchy" subjects. But this time, the made comments do not betray the spirit of the text. Kuddos to you, Lukasz. And thank your for your neutrality.

From a more general point of view, these statements mark a radical move of the general European posture (not only the French one). During these last 20 years, the political posture concerning cyberthreats where…. how should I say…. very cautious, and the moto was "we only protect ourself".

so far, the political position here in Europe is still far from the "best defense is sometimes a good offense" we heard so many times during many US InfoSec conférences -at least each of the last 5 BlackHat conf.

@Casquenoir : that's probably the best reference, you can consider it as reliable (but the exact English translation of the series is "the bureau")

cheers


vas pupSeptember 25, 2019 3:14 PM

With cyber war as all respected bloggers agree upon attribution is key, and without proper attribution you may retaliate to 'innocent bystander'.

Same kind to mind when satellite become harmed, but you do not have 100% clear attribution for the cause.

In IC history (and in criminal activity) evidence were planted n the crime scene pointing to those who did have anything whatsoever with the act/crime committed.

What is good in French approach is that cyber activity should bring some harm to be considered the act of war. But, e.g. planted code should have dual features: collecting the information and sending it back to perpetrator and active leg which could be activated in a critical time and disrupt IT system was planted on.

Sancho_PSeptember 25, 2019 5:28 PM

So we are talking about “cyberwar”, but what does the term mean?
Let’s strip the “cyber” part, because “war” is the basis:

War: https://en.wikipedia.org/wiki/War

Declaration of war is dead:
”Since 1945, developments in international law such as the United Nations Charter, which prohibits both the threat and the use of force in international conflicts, have made declarations of war largely obsolete in international relations.”
( https://en.wikipedia.org/wiki/Declaration_of_war )

Declaration of war is dead - war is dead, too (?).

It seems (not only) the French are a couple of decades back in time.
Strategic papers and international laws require partners / cooperation to work.
There are rules (Hague, Geneva), but they don’t apply - See Iraq.
International law is (always was) the right of might.

"cyberwar":
Attribution is nearly impossible.
To stop malware is nearly impossible.
Vulnerability is built in and kept in place by intention.
Aggression is the preferred defense strategy.
International cooperation is zero (nazzionalism).

Until possible targets of cyberwarfare (from gov over industry down to individuals) are deliberately kept vulnerable by the IC we are vulnerable.

Wesley ParishSeptember 29, 2019 3:57 AM

@Sancho_P

Declarations of war are a mediaeval European tradition, and are based in part on the idea that war need not be total, absolute.

I would say that the Gulf of Tonkin Incident showed that if the nation-state that goes on so much about the Rule of Law couldn't be bothered to abide by it itself, then that tradition has been discarded. And war has "de-escalated" from "total" war to proxy conflict, with the world-wide communications systems playing host to that conflict.

Welcome to the jungle, we got fun and games ...

The irony is that because surveillance has now become total, there is very little difference between one state actor surveilling one set of people, and another state actor surveilling that self-same set of people. I suppose you could make the argument that the border separating the two state actors makes a difference, but not if both sets are equally hostile to the set of people concerned. To give an example, what difference does it make for a group of French people if one state actor surveilling them is Russian and another is French? Their security has been compromised in either case. One cannot assume that one state actor's surveillance is acceptable because you pay it taxes versus the other's unacceptability because you don't pay it taxes ...

Distinguishing between civilians and combatants, including objects/targets; attacks may not be directed against systems used by schools, medical facilities, any other exclusively civilian).
Good in theory, different in practice. I expect the United States to actively target an opponent's medical facilities, using the excuse that "it will shorten the conflict" and "their medical facilities are dual-use whereas ours are sacrosanctimonious".

I could go on ...

Sancho_PSeptember 30, 2019 5:44 PM

@Wesley Parish

So I think “war” in context with “cyber” gives a completely wrong idea about the hostilities and is misleading. (Cyber)security will never improve until we dismiss the term “war” here.
War is is a hardware game of the top brass, against international conventions but still played to gain influence, by twisting or ignoring international law, simply because they can.
However, MSM like to use ”war” because it relates to blood, death and heroes.

“Cyber” is intangible, completely different from war. The aggression is best described by the term sabotage, well known by several countries (but not in the USA?).
So the term we should use would be something like “Cybersabotage”.

Exploiting weaknesses is usually done, as @Clive Robinson mentioned, by the “army of one” (or a couple of people), technically based in any territory that seems to fit their needs, likely not affiliated with the government. They do it either for money (e.g. ), political (business) motives or simply for fun, but not for blood.

This kind of attacker is not a target for people thinking in war (aggression) tactics.
The best remedy would be improving defense, resilience and proper international relations / cooperation.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.