28 April 2019

The French doctrine of offensive cyber operations


Many countries are developing cyber capabilities, including for their military forces. The details are usually secret, so public discussions are always refreshing, and there is a good opportunity now: France has just made public elements of its offensive cyber operations doctrine.

This is a good move. It helps inform public opinion (national and international) about the state and direction of cyber security (here: the offensive side). The announcement can also be seen as having a dual nature: transparency (supporting the public debate by giving data to public opinion), but also deterrence (providing context to potential adversaries).

I analyze the doctrine (along with providing comments and context), a matter familiar to me. In the past, France has acknowledged the option of recognizing specific cyber attacks as armed aggression (I wrote about it here: highlights of the French cybersecurity strategy). Furthermore, France is in the process of expanding its COMCYBER, the cyber command created in 2017 (I wrote about it here: Recent developments in cyber - France). 1.6 billion euros is allocated to this project. There is a clear political will to move forward (fast). Resources are allocated and plans are made. We are speaking not only about execution but about operations now.


The doctrine begins with the “motivations”: the DDoS attacks against Estonia (2007), the power cuts in Ukraine (2015), the WannaCry ransomware campaign and the NotPetya wiper (both in 2017). The specifically French example mentioned is the attack targeting TV5Monde (2015), which almost destroyed the TV channel. All of these activities are believed to have been carried out by actors linked to states.

We are speaking about the military component, which is less about chasing individual petty cyber crime and more about activity in the context of armed conflict, not necessarily a purely cyber conflict.

Details of the doctrine

The doctrine describes how the French military forces act in cyberspace, specifically how offensive (and defensive) cyber operations are conducted. This capability is framed as a matter of national sovereignty.

Military cyber operations

Cyber operations can be conducted on their own or in conjunction with other (non-cyber, i.e. kinetic) activities, that is, in support of other operations. We are speaking about activities in the context of armed conflict.

In the French doctrine, the aim of cyber operations is to achieve effects against “enemy systems”. The effects may target availability or confidentiality. Attacks on integrity are apparently not included in the definition, although tampering with data, for example destructive activity, may of course lead to a loss of availability (“produire des effets à l’encontre d’un système adverse pour en altérer la disponibilité ou la confidentialité des données”, i.e. “to produce effects against an adversary system in order to alter the availability or confidentiality of its data”). Attacks on integrity (data alteration) are in fact mentioned later in the doctrine, too. This might give the impression that the definition of a cyber operation in the doctrine is not coherent with how such operations are actually conducted or understood. Or that the doctrine was not proofread. How reassuring that is, is for you to decide, but let’s move on.

In the French doctrine, cyberspace is defined by three layers: physical (network equipment or hardware: routers, satellite links, etc.), logical (protocols, software, applications, etc.) and social (the information exchanged between endpoints or users, which includes addresses and e-mails, but also blogs!). Cyber operations manipulate these layers to achieve their goals.

The three objectives

Cyber operations offer discrete means of action against an adversary, complementing the more traditional non-cyber means. The primary objectives may be:

- reconnaissance of enemy capabilities or plans (data collection and/or exfiltration)
- reducing or neutralizing enemy capabilities, temporarily or for a prolonged period (e.g. by destructive action)
- targeting perception or analytical capacity: altering data, exploiting stolen information

Cyber operations for tactical and strategic advantage

The doctrine lists examples of applying cyber operations at the strategic and tactical levels, such as:

- reconnaissance of targets for immediate action (tactical); general reconnaissance, e.g. in a preparatory stage (strategic)
- neutralizing systems or a command post (tactical); neutralizing capacity, such as sources of propaganda (strategic)
- tampering with the data of command systems (tactical); disorganisation of propaganda centers (strategic) [see also the remark above that “tampering” was not included in the definition]

This shows how cyber operations are placed in the broader picture, and it indicates the internal ways of thinking.

Assessing the risk of cyber operations

Operational risk assessments must always be made. There are, for example, mission-specific aspects such as cost/benefit analyses, foreseeing the political risks, etc. So it is not exactly like what you see in the movies.

Perhaps more importantly, the doctrine speaks of identifying the risks of conducting offensive cyber operations (including, for example, collateral damage). This is a standard requirement in any military activity, in any domain, and it is well grounded in the laws of armed conflict (i.e. the Geneva Conventions). This holds even though, for “cyber”, such assessment frameworks are still not mature. The fact that the doctrine mentions these points should be seen as an advantage. Sooner or later, the points will need to be debated (these points were among the priorities of my recent role; a fraction about it here).

A few challenges of conducting cyber operations

The doctrine correctly stipulates that making risk assessments is often a challenge. Among the challenges are the dual nature of the internet (hosting both military and civilian systems, even though the internet is in its vast majority civilian), and the related great number of connections between networks (just think how insanely NotPetya spread in 2017!). Furthermore, there is a risk that military (cyber) tools might be stolen and reused for different or malicious purposes. We have already seen this happen (again, think of the vulnerability NotPetya and WannaCry used).

In cyber, not all countries are equal!

The doctrine correctly recognizes that while some adversaries might be less vulnerable to cyber attacks than others, both can still possess offensive cyber capabilities. This means that the attack and defense surfaces are asymmetrical: assuming that both sides can essentially do the same in offence, one has a greater potential to be damaged, and the other to inflict the damage. For France specifically, a modern and advanced economy, the risks are definitely above average. The country depends on digital infrastructure.

Cyber operations are secret… Until they are not

The doctrine stipulates that the details of all offensive cyber operations are secret. This is not surprising.

But the doctrine also says that, depending on political will and motivations, details may be disclosed at some point. This is very interesting. Is the French doctrine effectively laying the groundwork for claiming responsibility for certain cyber operations?

France subjects cyber operations to international rules

The doctrine mentions an intention to follow the rules of responsible behavior and international codes of conduct to prevent cyber conflict. France considers that international humanitarian law applies to cyber operations. In these respects, France also appears to aspire to become “the reference” for such applications of international rules.

These announcements may sound like boilerplate, but they in fact aren’t. There is still no consensus on the details of how international law applies to cyberspace. I will also translate these points into accessible language: France appears to say that “they know how to do this”, and that they are open to sharing and to influencing the general debate. We can be certain at least about the second point.

More cyber tools

In closing, France wants to accelerate the “production” of offensive tools (“cyber weapons”?). Perhaps in connection with this, a need to amend the existing human-resources policies (in the military) to attract the right talent is also expressed. Good thinking?

Summary

This is an interesting document. Although the details of the entire doctrine are not public, the public elements are interesting. They provide clarity on a number of points, such as when and how (military) cyber operations are conducted, and which (international) rules are identified as applying. Even though no details of the specific rules are listed (for example, which specific elements of international law allow targeting disinformation centers?), it is a step in the right direction.

It is also an important step in the international policy (to some extent also technical) debate on cyber security. We should expect more interesting developments of the kind.

Find the full doctrine (in French) here.
