AFOE reads French cybersecurity policy so you don’t have to

I have finally read the French government cybersecurity paper from here! (Direct link to the reference document.)

The thing that stands out to me, first of all, is that an important difference has emerged between France and the UK (and its allies) quite recently. The authors of the French paper consider a hard institutional distinction between the defensive, infosec/information-assurance mission and the offensive, SIGINT/cyberwarfare one to be not just advisable but a matter of principle. They see this as important for the security mission's credibility and as a check and balance on the power of the offensive mission. In this they set themselves apart from the UK and the USA. Since the early 2000s, the UK has rolled both missions into one at GCHQ. The USA took longer to do this and only finished it after the Snowden affair.

The irony here is that the UK practised a strict separation of information security and intelligence-gathering through the Second World War and the Cold War, with the divide between the agency known variously as LCSA, LCSG, and CESG on the one hand and GCHQ on the other. I had the impression that we hadn't done so badly? But the French have ended up creating a distinct security-focused agency, ANSSI, replicating in part the structure we abandoned.

An interesting point the paper raises, though, is that separating the missions requires that they be coordinated within a broader strategy, which must be set at the political level. In fact, a strong argument for the separation is precisely that the politicians need to control the spooks.

Separation of powers is a theme throughout the document. The authors define four missions: protection, military operations, intelligence-gathering, and judicial investigation. These are entrusted to different institutions. ANSSI, which belongs to the prime minister's defence and national security secretariat (SGDSN) and therefore ultimately answers to the National Assembly, is in charge of protection, including recovery. It also supports the intelligence services, which answer to the president, in their task, which is defined as being mostly about attack attribution. Investigation with a view to prosecution belongs to the judges and the police. Military operations are the armed forces' business and therefore the president's responsibility.

As for coordination, the paper also describes a command structure: a top-level committee with both the presidency and the ministries, responsible for setting policy, and a permanent operational command staffed by ANSSI and supported by its operations centre. Interestingly, the civilian, prime-ministerial side seems to have gained considerable influence compared to either the military and intelligence side or the presidency, especially as ANSSI is also responsible for technical advice to the military cyber command, even on the military's own systems.

On international issues, the paper is keen on offering security assistance as a form of diplomatic soft power, probably another reason to keep the defensive and offensive missions separate. It is also very keen to internationalise the whole issue. The paper is quite clear that a bad enough attack could be an act of war, but it aims to fit this within the UN Charter. Three levels of provocation are defined: below the threshold of a use of force prohibited by Article 2(4), above it, and severe enough to count as an armed attack that justifies self-defence under Article 51.

It's worth pointing out that the paper is very, very much opposed to any kind of "hack back". In fact it explicitly compares anyone doing so to mercenaries from a legal point of view.

On specific proposals, the paper likes product liability for software. It wants to force end-of-life products and abandonware to be released as open source. It is also very keen on open source as a matter of sovereignty, if you will.

I find very little here to disagree with.