Threat Intelligence / OSINT / NETSEC / NATSEC

France and its doctrine of cyber operations - offensive actions

The state's approach to activities in cyberspace is a vast topic and a subject of discussion at both the political and the academic level. It is all the more interesting to see how different countries develop their doctrines and face, for example, the problem of how to react to incidents: how to treat those whose source is criminal activity, and how to treat those resulting from the activities of groups sponsored by other countries. Among European countries, one of the most interesting examples of an attempt at a comprehensive approach to the subject and a formalization of doctrine is France. In January 2019, the doctrine of offensive and defensive cyber operations was announced, and in October 2021, the doctrine of cyber influence operations. So we will look at how these documents shape the approach to activities in cyberspace and how they affect the functioning of individual agencies.

So let's start with the documents from 2019, i.e. Public Elements for the Military Cyber Warfare Doctrine. This document formalized cyber operations as part of the activities of the French Armed Forces, stating that the Ministry of Armed Forces had the capabilities and doctrine to use offensive cyber operations related to the tasks of the armed forces. Starting with the preamble, we can look at the policy's motivation. The document places these capabilities on an equal footing with other elements of the defense system, listing them alongside conventional and nuclear forces. It further points to the need for France to fulfill its obligations in the field of international order and to the role of the Ministry of Armed Forces in a geopolitical situation in which crises and terrorist, conventional and hybrid threats are more and more frequent. As concrete examples of threats, the document cites the cyber attacks against Estonia in 2007, attacks on Ukrainian energy networks, the attack on TV5 Monde and the effects of WannaCry and NotPetya. The role of cyber operations as an increasingly frequent tool of impact in conflicts and crises, and the related growing importance of hybrid and asymmetric activities, is further emphasized. It is also worth going back for a moment to 2017, when COMCYBER, the cyber defense command, was created. In the preamble to the doctrine, we find a statement that this component is responsible for offensive and defensive activities in cyberspace, ensuring the proper operation of the ministry and the effectiveness of the armed forces.

Moving on to the content of the document, the very beginning indicates the position of cyber capabilities among other military possibilities. The doctrine states that the ability to conduct defensive and offensive operations in cyberspace is part of the guarantee of state sovereignty by providing operational advantage in the areas of operations of the armed forces and providing them with IT protection. The doctrine indicates the three most important assumptions of cyber operations:

First, offensive operations in cyberspace include all activities, both those carried out exclusively in the cyber dimension and those carried out in conjunction with conventional forces. Importantly, the doctrine also defines here what a "cyber weapon" (l'arme cyber) is meant to be: it is intended, in a manner consistent with international law, to have effects against hostile systems in terms of data availability and confidentiality. The three dimensions of cyber operations are further described:

  1. Physical layer - including computer and network equipment, physically existing and in the electromagnetic spectrum - such as computers, routers, cables, satellite links.
  2. Logical layer - consisting of data stored in digital form, processes and tools for their management and exchange and providing specific functionality. Examples are files, protocols, applications.
  3. Semantic and social layer - information that is exchanged in cyberspace and the identity of people operating there. The creators here point to the digital dimension of existence as a person on information exchange services and provide nicknames, email addresses, IP addresses, blogs as examples of this layer.

The doctrine also draws attention to the temporal aspect of operations, noting that while the effects can be produced instantly, the preparation and integration of operations with other forms of activity may take a long time due to the need for long and precise planning. In terms of the effects of an operation, two points are underlined. On the one hand, there is the possibility of causing both material effects (such as the neutralization of weapons systems) and immaterial ones (intelligence gathering). On the other hand, there is the role of cyber elements in comprehensively enhancing the effectiveness of the armed forces as a whole, making the widest possible use of the extent to which military systems are networked.

As you can see, France treats cyber operations in a very comprehensive way, also pointing to the layer of information exchange and even specific identities of people on the Internet. Additionally, emphasizing the role of the effectiveness of the armed forces as a whole demonstrates the will to deeply integrate and limit the "siloing" of operations separating conventional forces and cyber units. This, moreover, is discussed in more detail in the second of the main points.

The second point is devoted to the purpose of cyber operations as a means of ensuring military advantage in cyberspace. Here we find an indication of the role that cyber activities can play: from supporting the assessment of capabilities and situational awareness, through limiting and neutralizing enemy military capabilities, to misleading enemy forces by modifying the data available to them. The doctrine also mentions the role of cyber assets both as independent activities and as a complement to the operations of other branches of the armed forces. It is emphasized here that the goals can be achieved by connecting to the Internet or some other network, so physical contact is not necessary. It is further stated that operations can support defense when enemy operations are directed against the armed forces' systems, by stopping an attack or, notably, by directing it against targets without value. France therefore considers the range of actions available, from deceiving the attacker to actively disrupting their operations, to be on a par. As we can see, the emphasis on the effects of the operation and their role in supporting the entire armed forces runs through the document.

Finally, the third point concerns the organization of units responsible for cyber operations and the chain of command in this area. The doctrine speaks of the already mentioned COMCYBER as responsible for planning and coordinating activities under the office of the President of the Republic and the decision of the Chief of Staff of the Armed Forces. This role is to ensure efficient cooperation in planning and conducting operations with individual units and types of armed forces, as well as with intelligence agencies. Additionally, COMCYBER is to establish and develop cooperation with allied forces. Then, the goals of the cyber operation are indicated in the tactical and strategic dimensions. Examples of activities at the tactical level are:

  1. Providing information of direct and immediate relevance to the operations of the armed forces.
  2. Neutralization of weapons systems or the command center.
  3. Change of data in the enemy command system.

And the counterparts of these activities at the strategic level:

  1. Obtaining information for the preparation of operations or capacity development.
  2. Neutralization of enemy abilities such as propaganda activities or neutralization of the command system at the strategic level.
  3. Disrupting the operation of hostile propaganda centers.

Finally, the doctrine emphasizes the need for operations to be conducted by specialized units whose skills ensure the success of highly complex operations.

The next part of the document describes the methods of risk management related to cyber activities. These operations are equated here with conventional ones, which translates into the need to assess proportionality, jus in bello, efficiency and the political context. In particular, according to the authors, the threats related to cyber operations result from their immediate effects, the dual nature of targets and the degree of computerization of modern infrastructure. The last two points are particularly emphasized: the doctrine requires careful monitoring of the effects of an operation and avoidance of collateral damage, since an operation may produce effects beyond its intended goals. This is due to the need to take into account unknown variables in the configuration of the targeted systems and their connections to other systems. Likewise, the document indicates the possibility of leakage of the tools used for offensive activities, which, being software, can be copied or recreated on the basis of captured artifacts. It also draws attention to the asymmetric dimension of actions and the proportionately greater vulnerability of large countries with a highly computerized economy. Therefore, the risk of escalation by an entity with a smaller attack surface, and therefore bearing a lower risk, should be taken into account. Finally, a very important point ends this part of the doctrine: a reservation as to the confidential nature of operations. As a rule, all cyber operations are to be secret in order to ensure their effectiveness and limit the risk of escalation. The decision to make an action public is of a political nature and can be taken by political and military bodies on the basis of an assessment of the pros and cons in the circumstances.

Further, the doctrine speaks of the necessity to operate within a legal regime encompassing national and international law, including the law of armed conflicts. The document indicates, in particular, the defense activities undertaken under the responsibility of the Chief of Staff of the Armed Forces, which are subject to the code de la defense and the prime minister's orders in the scope of their application. France also undertakes to support responsible cyberspace practices to ensure stability and conflict prevention, as well as building international law practice in this area.

In the next section, the document mentions the role of France in NATO and the partnership in Europe related to ensuring cyberspace security, in which it refers to 2016 NATO member states' commitments to strengthen capabilities for defense against cyber attacks. The development of French capabilities in the field of operations in cyberspace is therefore also intended to strengthen collective defense, subject to national control over the final shape of the operation.

The last point of the doctrine is to indicate the further course of action. Five major challenges are identified here:

  1. Increasing the pace of developing the defense capabilities of the armed forces in combating cyber operations,
  2. shaping a human resources policy enabling the recruitment of personnel with appropriate qualifications to create and implement new opportunities,
  3. conducting exercises on the use of cyber operations in the context of military operations and combined operations of military force,
  4. adapting the possibility of acquiring abilities to the pace of information technology development,
  5. cooperation with partners, with an emphasis on Europe, in the field of allied activities.

As we can see, France places cyber operations as an integrated part of the armed forces, emphasizing both their supportive role and the possibility of achieving goals independently. In the context of the organization of units responsible for conducting operations, it is worth noting a clear division into offensive and defensive parts. While COMCYBER also conducts defense operations to ensure the security of the armed forces, we will not find here an agency that, like the American NSA or the British GCHQ, would have departments responsible both for offensive operations and for supporting defense at the level of the civil infrastructure of the state. ANSSI, i.e. the national entity responsible for cybersecurity, is not part of the French intelligence community, keeping the scope of its tasks strictly focused on defense activities. The emphasis on the discretion and secrecy of operations is also visible in the preference for a model of attribution different from the one characteristic of, for example, the USA, which directly identifies the perpetrators. France avoids public attribution, but this approach is not absolute. ANSSI did not indicate specific military or intelligence units responsible for the attacks, but assigned activities to activity groups, which, given the attributions by other entities, could be read as an element of signaling that France is aware of who is behind the attacks. On the other hand, we will find no public admission of carrying out offensive operations such as we saw in June, for example, from the US in connection with the war in Ukraine. And in the context of sending signals, it is also impossible not to mention the public declaration by Florence Parly, who until recently headed the Ministry of the Armed Forces and who said that France was able to identify the perpetrators of the attacks and was not afraid to use offensive means to retaliate. This position clearly fits into the scope of the use of cyber operations defined in the doctrine, taking into account both supportive and independent activities.

Cooperation, efficiency, responsibility. These three words perhaps best describe the doctrine of cyber operations adopted by France. The constantly emphasized place of such activities as part of the armed forces' arsenal, the emphasis on cooperation in the international arena and the division of responsibility for individual elements of the cybersecurity system are the pillars that define the approach to the functioning and future of the country's cyber components. However, as I mentioned in the introduction, France has also defined its doctrines in the field of defense and information operations, which will probably be discussed soon on
