France Says 'No' To Company Hack-Backs Following Online Attacks — But Wants To Keep The Option Open For Itself
from the French-have-a-word-for-it dept
Ten years ago, Techdirt was warning about the hype surrounding the concept of “cyberattacks“, and after that “cyberwar“, both of which were routinely presented in apocalyptic terms. As we now know, the real online battles are being fought much more subtly in the form of low-profile foreign organizations subverting nations in sophisticated ways. Unlike the predicted take-downs of an entire electricity grid, these kind of attacks by foreign states and their proxies have already happened, and with troubling effects.
Governments have a responsibility to consider all possible attacks that may be conducted via the Internet, which means that drawing up policy documents in the field is important. The French government has just published its “Revue stratégique de cyberdéfense (pdf)” — that is, a Strategic Review of Cyberdefense. It was written by the General Secretariat for Defense and National Security, which operates under the authority of the French Prime Minister, and assists the head of government in designing and implementing security and defense policies. It’s extremely thorough and well worth reading, but it’s also rather long (and in French). Fortunately, Lukasz Olejnik has put together a post discussing some of the main highlights of the document, which is much shorter — and in English. As he notes, in France, cyberdefense and cyberoffense are two separate domains, and the strategy document lays out six main approaches to the former: prevention, anticipation, protection, detection, attribution, and reaction (remediation). On the offense side:
France strongly opposes giving private companies the rights to retaliate following a cyberattack. In the French view, such actions would constitute a point of instability in cyberspace. Especially when considering retaliation against actors located in a different state. France wants to put forward the issue of hack-back on the international level.
Notable thing. The fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US, where certain proposals considered giving companies the powers to hack-back.
As far as offensive actions are concerned, the review may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities:
Annex 7 considers retaliatory actions following a cyberattack. Although the text points out that such actions should be considered provided that all the other approaches (prevention, cooperation, negotiation) fail, it acknowledges that a response can be made using cyber or non-cyber means. The strategy also highlights that major cyberattack can be interpreted as an armed aggression, in line with the Article 51 of Charter of United Nations.
Olejnik points out the following interesting idea from the document:
France apparently suggested a desire to put the security liability in hands of product suppliers. In other words, making companies responsible for the security of products they put on the market — as long as the products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date. The strategy itself mentions taking this discussion to the international level.
France’s Strategic Review offers a good starting point for thinking about these issues. It would be great if somebody could translate it into English for even wider appreciation.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: cybersecurity, france, hack backs
Comments on “France Says 'No' To Company Hack-Backs Following Online Attacks — But Wants To Keep The Option Open For Itself”
mistaken hackbacks
It isn’t hard to make it look like someone else hacked you, so hackbacks are a bad idea in every sense, as one mistaken hackback could cause a cascade of damage.
But leaving a batch file or simple virus that deletes the user’s C drive labled “Company President Passwords” or such in a root folder on your server would be fair game if you ask me.
Re: mistaken hackbacks
Yeeesss, theoretically. That does seem a bit much, though.
Re: mistaken hackbacks
i FIND IT INTERESTING THAT the Old ways have not pervaded Current computer system protections.
Mis- labeled files that are traps.
Making a system look SIMPLE, but isnt..
Honey traps, that isolate hackers, make it SEEM they are inside. But them Ping, locate their system with From multiple locations.
ALWAYS split files, that are important, and hide them in diff locations. And have 1 Main program that could/would combine them Properly.
1 remote system that is backing up the data, ALL day long..and has multiple copies, 2 weeks worth, and 1 ORIGINAL BACKUP..
OS, separate from DATA, and never written to.
MULTIPLE sections and password requirements..
Only specific systems allowed, and they have CODES that allow access, to the system, TO Sections of the system, To Data sections.
PHYSICAL PERSONS monitoring Client connections. its called a SYSOP/ADMIN.. Seeing incoming persons, and What they are doing, and HOW LONG THEY HAVE BEEN ONLINE…(sending/receiving TB of data is NOT a fast thing. Jumping section to section, means someone has Passwords, …
EVERY SYSTEM SHOULD be Unique..They should NOT be Copycats/Specific designs based on 1 FORM…its stupid, and makes it easy for anyone to get into, and find what they want. as well as the Same failures are the Same for each server system.
Re: mistaken hackbacks
This, exactly. Or claimed mistaken hackbacks. Or claims there were hacks to hack back against.
Having the concept so formed, it makes it easier to think of doing it, and doing it faster than actual evidence can be produced.
They were stockpiling weaponized hacks, and moving them around so no one could find them, i swear.
but aren't corporations above the law?
Look up DreckTV and “Black Sunday”.
Look up DiSH Net and “America’s Top One”.
Look up “sony rootkit”.
There is a long history of this sort of thing, with seeming impunity. Only in America?
Re: but aren't corporations above the law?
But of course they are.
"subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.
“low-profile” — FOUR-THOUSANDTHS OF ONE PERCENT TOPS!
“foreign” — You only think bad when Russia or other designated ginned-up enemies.
“organizations” — Just like thousands of public-relations and corporate-funded lawyers and “think-tanks” (such as “Copia”, to be explicit) in US and Europe.
“subverting nations” — Again: HA, HA! Ever heard of the Cold War, sonny? Tens of thousands of ACTUAL commies in the US actively trying to influence, variously “Fifth columnists” and “hidden persuaders”, all easily spotted because promoting “gun control”.
“in sophisticated ways” — HA, HA! With rather wacky posts on Facebook? We’d better shut down that weapons systems entirely!
Re: "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.
At least wait for them to post something on the topic before having your mental breakdown….
Re: "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.
Yeah it was just those thirteen, and yeah, they totally swayed the election. @@
God, i hope there are communists somewhere, that would be great for all sorts of reasons.