France Says 'No' To Company Hack-Backs Following Online Attacks -- But Wants To Keep The Option Open For Itself

from the French-have-a-word-for-it dept

Ten years ago, Techdirt was warning about the hype surrounding the concept of "cyberattacks", and after that "cyberwar", both of which were routinely presented in apocalyptic terms. As we now know, the real online battles are being fought much more subtly, in the form of low-profile foreign organizations subverting nations in sophisticated ways. Unlike the predicted take-downs of an entire electricity grid, these kinds of attacks by foreign states and their proxies have already happened, and with troubling effects.

Governments have a responsibility to consider all possible attacks that may be conducted via the Internet, which means that drawing up policy documents in the field is important. The French government has just published its "Revue stratégique de cyberdéfense (pdf)" -- that is, a Strategic Review of Cyberdefense. It was written by the General Secretariat for Defense and National Security, which operates under the authority of the French Prime Minister, and assists the head of government in designing and implementing security and defense policies. It's extremely thorough and well worth reading, but it's also rather long (and in French). Fortunately, Lukasz Olejnik has put together a post discussing some of the main highlights of the document, which is much shorter -- and in English. As he notes, in France, cyberdefense and cyberoffense are two separate domains, and the strategy document lays out six main approaches to the former: prevention, anticipation, protection, detection, attribution, and reaction (remediation). On the offense side:

France strongly opposes giving private companies the rights to retaliate following a cyberattack. In the French view, such actions would constitute a point of instability in cyberspace. Especially when considering retaliation against actors located in a different state. France wants to put forward the issue of hack-back on the international level.

Notable thing. The fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US, where certain proposals considered giving companies the powers to hack-back.

As far as offensive actions are concerned, the review may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities:

Annex 7 considers retaliatory actions following a cyberattack. Although the text points out that such actions should be considered provided that all the other approaches (prevention, cooperation, negotiation) fail, it acknowledges that a response can be made using cyber or non-cyber means. The strategy also highlights that a major cyberattack can be interpreted as an armed aggression, in line with Article 51 of the Charter of the United Nations.

Olejnik points out the following interesting idea from the document:

France apparently suggested a desire to put the security liability in the hands of product suppliers. In other words, making companies responsible for the security of products they put on the market -- as long as the products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after an end-of-support date. The strategy itself mentions taking this discussion to the international level.

France's Strategic Review offers a good starting point for thinking about these issues. It would be great if somebody could translate it into English for even wider appreciation.

Follow me @glynmoody on Twitter or +glynmoody on Google+

Filed Under: cybersecurity, france, hack backs

Reader Comments


  1. ECA (profile), 21 Feb 2018 @ 12:55pm

    Re: mistaken hackbacks

    I FIND IT INTERESTING THAT the Old ways have not pervaded Current computer system protections.
    Mis-labeled files that are traps.
    Making a system look SIMPLE, but isn't..
    Honey traps, that isolate hackers, make it SEEM they are inside. But then Ping, locate their system from multiple locations.
    ALWAYS split files, that are important, and hide them in different locations. And have 1 Main program that could/would combine them Properly.
    1 remote system that is backing up the data, ALL day long..and has multiple copies, 2 weeks worth, and 1 ORIGINAL BACKUP..
    OS, separate from DATA, and never written to.
    MULTIPLE sections and password requirements..
    Only specific systems allowed, and they have CODES that allow access, to the system, TO Sections of the system, To Data sections.

    PHYSICAL PERSONS monitoring Client connections. It's called a SYSOP/ADMIN.. Seeing incoming persons, and What they are doing, and HOW LONG THEY HAVE BEEN ONLINE...(sending/receiving TB of data is NOT a fast thing. Jumping section to section, means someone has Passwords, ...
    EVERY SYSTEM SHOULD be Unique..They should NOT be Copycats/Specific designs based on 1 FORM...it's stupid, and makes it easy for anyone to get into, and find what they want. As well as the Same failures are the Same for each server system.
