Chapter 3

French Perspectives on Cyber-conflict 1


Discoursing on how a State comprehends the cybernetic dimension of a conflict amounts to asking yourself how this entity reconsiders its role and position on the international scene. Through theoretical, political and strategic reflections on cyber-conflict, cyber-war, cyber security, cyber defense, information warfare or information operations, this consists of viewing the power of this State through the lens of relatively new criteria and environments. These are different from those already known and used up until now by nations in order to secure their positions. The cybernetic dimension appeared during the second half of the 20th Century and has forcefully established itself at the beginning of the 21st Century, while greatly influencing political, economic and strategic decisions. Cyberspace is no longer solely the subject of economic growth or cultural development, nor even the target of crime. It has become a potential vehicle of confrontation, crisis and conflict, and a facilitator of revolts.

On the international scene, the balance of power is likely to be modified by the use of cyberspace. There is the commercial use of the space, but also the economic, political, security and military dimensions. States do not position themselves only in relation to one another via economic warfare; there are strategies for influence, soft and hard power. Intelligence is at the heart of the activities conveying this competition and this constant balance of power between States. There are also more violent relations, with more aggressive conflicts in times of crisis and, of course, of open conflict.

Henceforth, governments have to be afraid of the internal as much as the external. Revolts forcing out governments, large-scale protests, etc., all this seems possible thanks to means of telecommunication, networks, the Internet and Web 2.0.

Destabilization movements can come from the inside and be encouraged or supported from the outside. States have very few really efficient means by which to prevent or counter these risks. Part of the information can be filtered and controlled. Not all of it can be controlled, except if we accept complete systemic paralysis.

In this context, all States and governments, including the most democratic ones, can fear for their existence. The United States (US), China and other great powers continue to pursue the mastery of this new dimension. Smaller nations with limited capacities must, however, do everything they can in order to stay in the game and play a significant role in this space.

French reflections on matters as important as the mastering of information and the information space are topical in this context of a changing environment.

France, and all the connected countries on Earth, must face up to several challenges. They must secure their own cyberspace and ensure that spies or novice spies are not hacking into their computers to uncover their secrets, which can sometimes be just a few clicks away. They must ensure that crime does not significantly destabilize their economies and they must ensure the protection of their values within their borders. They must also foresee possible attacks, which would be more open, aggressive, disruptive and sometimes more destructive – attacks that would strike insidiously at the fundamental values (via the exchange of ideas) and attacks against the functioning of the systems themselves, which would disturb companies, critical and sensitive facilities. The worst scenarios we could imagine are the layoff of the armies or the start of large industrial disasters.

The State, administration, the police, the army, security and defense agencies cannot guarantee the control of all these issues by themselves. They cannot control all areas. Internet crime does not necessarily come from inside a country’s borders. Contents are shared nationally and yet they can come from abroad. The most direct attacks, from espionage (which can sometimes be very invasive) to the destabilization of individuals, via attacks against the systems themselves, are often instigated abroad. We thus cannot tackle these problems at the source. International cooperation is, however, not very effective. It is, for example, illusory to counter the effects of cybercrime in a State, when the same activity can immediately be moved onto another area.

The States thus do not know how to think of solutions other than putting restrictive rules and authoritarian laws on their own populations, in the name of the defense of freedoms and their sovereignty. We build digital, physical and legal strongholds; we create new rules that are added to the previous ones and we strengthen the norms, principles, laws, constraints and restrictions. But this is apparently not enough, as we can see every day. Attacks – which we are still hesitant to call acts of war – keep on happening, one after another. Nothing seems to be reversing the rising curve of the global statistics of acts of cybercrime or intrusions for purposes of espionage. Attacks aiming to disturb the functioning of institutions and to question them contribute to the creation of insecurity. Managers, major companies and institutions are targeted. This creates lawlessness, a sense of disorder, specters of chaos, etc.

These fears and constraints are shared by all States. France is no exception. Its authorities maintain a discourse on all the forms of insecurity. Its security and defense forces are structured in order to address new threats and maintain and strengthen the position of France in a constantly evolving international context. Economic crises and the new global balances appearing after the revolutions in North African countries are new challenges in which cyberspace now plays a major role.

As has happened in several nations, awareness increased in France that cyberspace had become a space of conflicts following the cyber attacks on Estonia in 2007. We need to go back further in time, however, to find the sources of this awareness in France.

The first Gulf War, the development of information highways, the start of the Internet era and the end of the Gulf War were major events and founding moments that have led to reflections in France and everywhere else. Such reflections have covered the revolution of military affairs, the computerization of the armies and the importance of cybernetic space – and more broadly the information space – in conflicts, in the field of war and in international competition (economic, political, diplomatic and cultural). Digital information, in the era of the Internet and new telecommunications, (again) became a tool in the service of power.

3.1. Cyberspace

Cyber-conflict is a conflict that is entirely or partially expressed in cyberspace, whether it is carried out in it or whether it uses this space as a vehicle. The mastering of various forms that cyber-conflict can take, then, presupposes a good comprehension of the space in which they will occur: cyberspace.

The online “Trésor de la Langue Française Informatisée”1 thus recalls that from a philosophical point of view, the space designates an “ideal undefined environment in which all our perceptions are located and which contains all the existing or conceivable objects” or else that it is “an imaginary body, as time is a fictive motion”. The “space” can also refer, however, to the idea of a defined area (urban and littoral spaces, etc.) or an undefined one (extra-atmospheric space). It can still refer to the concept of living space and be a synonym of territories. It can be a partition (between two moments, a duration). It can also be measured (a memory space is measurable in bytes, bits, Kbits, Gbits, etc.).

Cyberspace is a compound word (“cyber” + “space”) that was invented by William Gibson in 1982. In France, the philosopher Pierre Lévy defined cyberspace as “a computer whose center is everywhere and whose circumference is nowhere; a hypertext, dispersed, living, proliferating and unfinished computer” [LEV 97].

Even if it is considered as the symbol of the modern world, cyberspace was prefigured in 17th Century literature. This was the case when Francis Bacon [BAC 27], in New Atlantis, described scientists working on the collection of information who had invented a machine transporting sounds through conduits over long distances, without being disturbed by the relief. We can see a machine foreshadowing phone networks here, and maybe even the Internet. The scientists manipulate information and create databases.

Inventions such as telegraphy and then telephony have led to the birth of images from a new world, a technicized world that prefigured our contemporary representations of a high-tech means of communication.

In 1883, Albert Robida2 published Le Vingtième Siècle [ROB 83], a book in which he imagines the future. In Chapter V, called “Les merveilles du téléphonoscope”3, he imagines an advanced phone that would show images of vehicles:

“The former telegraph allowed us to understand at a distance a correspondent or an interlocutor, the phone enabled us to hear them and the ‘téléphonoscope’ enabled us to see them at the same time. What more could you want? When the phone was universally adopted, even for long distance correspondences, everyone could subscribe for a very small price. Each house had its ramified wire, with section, local and regional offices. Therefore, for a small sum, we could communicate at any time, any distance and without any difficulty or having to go to any office. […] The invention of the ‘téléphonoscope’ was very favorably welcomed; by paying a higher fee, the device was adapted to the phone of all of those asking for it. Drama found in the ‘téléphonoscope’ the elements of a great prosperity. […] New and significant source of income […] what would you have said to the dreamer announcing to you that one day fifty thousand people, scattered all over the planet, could, from Paris, Beijing or Timbuktu, follow one of your plays shown in a Parisian theater… The device consists of a simple crystal plate, which is built-in the wall of a flat or put down as a mirror above any chimney. The show devotee sits in front of this plate, chooses the theater, establishes the communication and the show starts instantly […]. While staying home, we are part of the international audience […] and those at home can send applauses as well”.

This text is extraordinary because of its power of anticipation:

– it imagines the economic model of telecommunications and the Internet;

– it imagines personalized, a la carte (the future Web) and real-time services;

– it imagines a computer connected to networks (a crystal plate on which we can see a device that we just need to connect to in order to choose the content);

– it imagines a communication of contents without border;

– it outlines the concept of affiliation to a virtual community, which will be the fundamental principle of the Internet and of telecommunications at the end of the 20th Century;

– it outlines the principle of the group and interactions between members of the group (applause). It then imagines actors with deviant behaviors or with behavior considered deviant, that disturb the good functioning of the communication. “Could we also transmit boos if needed? Ah no, said M. Ponto, this is forbidden. You will understand that if it was allowed to do so, practical jokers could, from their homes, disturb the performances”4. Prohibiting rules are thus written and a form of censorship is implemented. Practical jokers are feared, as hackers pirating the system solely for their own entertainment. Nothing that is not in accordance with the rules should be included. The audience can boo the show, but in their homes, without disturbing the community. Thus, the concept of regulation, of right (the necessity to impose rules for the use of this new media) and of disturbing behaviors is already implicitly present. From simply failing to respect the etiquette that does not require any police control, the behaviors over time will become a failure to respect laws and will thus lead to delinquency and crime; and

– the description also recalls video-on-demand via television by cable or satellite, according to the same diffusion principle and facilitated access to numerous contents.

In 1892, Emile Gautier published Les Étapes de la Science: Chroniques Documentaires [GAU 92]. The chapter on “Téléphoneries” gives us a reflection on the phone.

“In reality, the phone is from yesterday […] However, in less than fifteen years, it has incorporated so intimately our lives and we are so used to it without realizing it and with such a mechanical silliness, that it seems nowadays as a very natural institution or even as something due, something that has always existed. At least, we have some difficulty to remember the ancient time […]. This is nothing less than a revolution […] and we can only imagine with difficulty now, the regular operating of trade, industry, finance, journalism, politics or diplomacy without the help of this small ordinary device […]. We are already starting to find imperfections, disadvantages and vices in the phone… Finally, do we need to add that it has the serious disadvantage of not leaving any traces and of not being able to keep or fix the transmitted speech.”

The themes tackled in these few lines can be found in almost identical words in the Internet era:

– this technology has established itself very quickly;

– it has become essential, vital;

– there is a before and an after: before the appearance of this technology, humanity was living in a “prehistoric” period;

– this implies that going back to what was before is impossible; and

– it is a revolution.

By referring to the 1888 book by Edward Bellamy, Looking Backward5, describing the life of the next century, he takes up the following ideas:

“In this blessed time, where State socialism had definitely triumphed, all the professions will be experimented, the smallest details of life will be scientifically organized and regulated, all the citizens will be unburdened from the concern of their own happiness and will become many passive wheels of the great machine; telephone will naturally play a significant part.”6

The author proceeds with a description of principles that are quite similar to the future Internet:

“I know here indeed a teacher […] who suggests nothing less than to organize […] music lessons – music theory and piano – by phone! […] And Mrs Garnier-Gentilhomme does not intend to limit her ambitions to piano only. She dreams of also teaching everything by electrical wire, including drawing, speech and languages […]. Here is now an inextricable electric wire cast net of human voices promising to wrap the entire world with the tight mesh of its ‘pipes’…”7

We can see here how Internet and more generally cyberspace result from telephony.

In 1923, with Je vous offre la santé, la gaieté, l’économie, le bien être, je suis la fée Electricité, Henri Letorey [LET 23], an electrical engineer, offers an analysis of the contribution of electricity to our society:

“Immediately, the following question comes to mind: what is electricity? The answer is still fleeting. We precisely know what are air, water, fire and earth; their chemical composition is fixed by our scientists. But electricity? Vibrations or waves? No proper material answer has yet been made to this astounding question.”8

These are some ideas that we still use when talking about the Internet:

– All the hopes we have from technology are found in the title of the book. All of society relies on it: its happiness and its economy. Here the promise of a society completely dependent on technology is roughly described. The contemporary leitmotif on the dependence of our societies on communication networks is an idea that is already known. Here we talk about the “nervous system”, but the image is the same. Electricity will be distributed by cabled networks. These cables are bringing happiness and the economy is developing based on them.

– Questions on the nature of the object considered that are similar to the recurrent contemporary questions on the nature of cyberspace or information. What is cyberspace? What is information? The answer is still fleeting. Let us note how paradoxical it was even at this time to pretend that the development of a society relies on a technology, when we do not understand its essence.

– Cyberspace is put into perspective in comparison to the four known dimensions (earth, air, sea and space); in Letorey’s work, electricity was put into perspective in relation to the four elements.

– Electricity seems to escape any description relying on known (chemical) elements. Cyberspace escapes a satisfying description, because we lack some elements to do so.

– The author here is an engineer. He describes electricity and he is the one who can open the doors of knowledge and understanding of the phenomena, as nowadays the computer engineer is the one who has the keys to the knowledge of cyberspace.

– We need to use metaphors to spread a concept. Resorting to metaphors is a mode of description for cyberspace. The latter is no longer personified and we prefer to talk about a machine. But we are still resorting to the world of dreams.

– Here, in the “astounding question” we are even finding a hint of the “hallucination” that William Gibson used to describe cyberspace in 1982.

Beyond words, cyberspace iconography also has an origin in the engravings from the end of the 19th Century and of the beginning of the 20th Century.

In 1883, Le Vingtième Siècle, written and illustrated by Albert Robida, shows representations of the height of cities where buildings are topped by electrical pylons, between which are hundreds of cables forming a tangle of lines. We see communication networks, which are already taking the appearance of a spider’s web. Representations of the Internet often rely on this image, which is that of its basic infrastructure, i.e. the telephone network. It seems to be difficult for the authors of short stories, graphic designers, illustrators or even engineers to move away from this basic structure: the lines are the cables and the points of interconnections are the machines and the users. If such pictures announce the large modern cities under construction at the beginning of the 20th Century, is the height of the cities also prefiguring the contemporary representations of cyberspace, as will be shown in cinema for example? Thus, engravings of cities topped by cables transmitting data are the picture of cities from the 20th Century yet to come, but also the ancestor of the virtual cities that we find in movies such as Hackers and The Matrix.

Cyberspace, as we know and describe it nowadays, is thus broadly borrowed from representations of previous centuries.

Nevertheless, it remains a mysterious and unknown space that is under construction and, above all, a space to explore or conquer.

In 2002, during a speech, the secretary-general of the ITU (International Telecommunication Union), Yoshio Utsumi, declared that “cyberspace is a new land, without borders and for now, without government. Cyberspace is not a parallel universe: it interacts with our own world and raises many new challenges for politicians”9.

Cyberspace is firmly perceived as a space in its own right, which we need to explore (with the help of tools, such as Internet Explorer), as if we were on our way to discover new territories. The conquest of cyberspace recalls the history of the great conquerors of continents and lands unknown to Europeans: but whereas these spaces, often new from an ethnocentric point of view (America was new for Europeans in 1492 but not for those already living there), cyberspace is truly new. At least it was for the first designers.

In 1995, Joël De Rosnay10 wrote that: “Cyberspace is an unlimited ocean, a Terra Incognitae in which we venture with basic maps” [DER 95]. He was referring to the legendary wide-open spaces. Cyberspace is a “digital Wild West” according to him; alluding to the individuals running wild there (pirates and crooks). Cyberspace is a place of adventure but also of danger, where the fittest rules: “cyberspace is still a jungle, rustling of many dangers”. He mentions the geopolitical vision of the world (the world is a jungle for States) and the hostile jungle in which 19th Century colonists were venturing at their own risks.

Jacques Attali11 in an article published in the French newspaper Le Monde on August 7, 1997 [ATT 97], described the Internet (cyberspace?) as a new continent. He was using metaphors: the Internet is a continent, on which we need to land, because it possesses treasures that we should not leave for the others. Cyberspace becomes a living space and we must have a conquering spirit. The Internet is a:

“virtual continent, the seventh continent, where we will soon be able to install everything already existing in the real continents, but without any materiality […] Inside this continent devoid of real inhabitants, a huge trade will be developed between the virtual agents of a pure and perfect market economy, without any intermediary, without taxes, State, payroll, unions, political parties, strikes or social minima. Internet thus becomes nowadays, in the world of imagination, what America was in 1492 for Europeans: a place undamaged by our shortcomings, a space free from our legacies, a haven of free trade, where we could finally build a new and clean man, free from what corrupts and limits him, an insomniac consumer and a tireless worker”.

Then, speaking of the American hegemony on this new territory, he adds that:

“it is urgent and vital to discuss this problem as we would face the discovery of a new continent. Let’s set up a large conquest program! Five centuries after America’s discovery, will Europe have the strength to do it? […] The growth of the seventh continent will be the main drive of growth of the 21st century. We have to seize this opportunity and transform a virtual utopia into a conquering reality. Europe is staking here its survival.”

Behind this conquering will, there is naturally a necessity of confrontation. The Internet is open to all and thus imposes a confliction.

The military domain offers several definitions of “cyberspace”. In Concept d’Emploi des Forces de l’Armée Française, published in January 2010 [PIA 10], cyberspace is designated as:

“[the] global network which virtually connects human activities through the interconnection of the computers, and helps the fast circulation and exchange of information. Cyberspace, as electromagnetic space, supports many civil and military applications which are necessary for entire sections of national activity. It has become a fully-fledged ill-controlled field of activity and thus a potential space of conflict for armed forces. They must protect themselves at any time from an attack aiming to destroy the functioning of the networks, their throughput and their security level, but they must also be able to prevent their misuse by potential opponents, by leading offensive actions.”

From this definition, we retain the following:

– the term cyberspace first designates a network and thus an infrastructure;

– cyberspace is distinct from the cognitive layer, since the field of perceptions is considered separately;

– cyberspace is a network on a planetary scale, but would a local network be part of a global network, even if it is disconnected from it?;

– this network establishes a virtual connection. This concept of “virtuality” is, however, undefined;

– the fast data exchange recalls the American wording, mentioning the propagation of information at the speed of light;

– cyberspace is not electromagnetic space;

– cyberspace is neither civil nor military, but both at the same time. The report does not mention whether soldiers should only take part in the military section of cyberspace and leave to the private/public sector the civilian part of cyberspace;

– cyberspace is ‘ill-controlled’ as it is modeled on territories avoiding State control. The consequences of such poor control will then be the same as for ill-controlled States (‘poor’ does not mean ‘too little’ or ‘too much’);

– the poor quality of the control of cyberspace is in fact a military confrontation space;

– the poor quality of control, understood as a lack of technical security, creates security breaches endangering army networks;

– armies must protect themselves from attacks aiming to disturb the functioning of their networks, and there must be OCW12 operations against their adversaries;

– in this definition, we are not speaking of national, international or transnational spaces; and

– this approach is for the most part negative and does not show the possible advantages of the use of the capacities offered by cyberspace.

As in the American discourse on the nature of the threats and of cyberspace, the French army considers this new dimension as a place of confrontation. The new Concept d’Emploi des Forces de l’Armée Française (PIA-00.100)13 highlights that “other threats are coming to light nowadays in new fields, such as the attacks in cyberspace and in extra-atmospheric space”. Thus, we must know how to position ourselves within this space, in order to remain a world-ranking military power. The document indicates that military forces must “intervene in new confrontation fields, such as the space, cyberspace and information”.

3.2. Assessments, view on the world and awakening

As with most States in the world, France has been aware of the major events of the past 20 years: the first Gulf War; the introduction of the Internet; the development of the information society; the growing dependence of society on cyberspace; the new wave of cyber-attacks; the rise of the feeling of insecurity rapped out in political speeches and media; and terrorism. All these factors have significantly modified the perception of the world and have triggered new defense and security policies, strategies and doctrines, in which cyberspace is playing an increasingly decisive role.

3.2.1. Attacks

During the past decade, many official reports have put the emphasis on modification of the international environment under the influence of cyberspace development and on the stakes involved in terms of security and defense of the nation, which have developed with this new space. These reports have often highlighted the nature of the threats and have taken the cyberattacks that France and industrialized countries have been the victims of as examples.

Among these official reports, we can mention:

– La Sécurité des Systèmes d’Information – un Enjeu Majeur pour la France, a report signed by Deputy Pierre Lasbordes14 that was published in 2005 [LAS 05];

– the Report of Information created for the Committee on Foreign Affairs, Defense and Armed Forces on cyber-defense and published by Senator Roger Romani in 2008 [ROM 08]15; and

– the White paper on security and national defense published in 2008 [LIV 08].

Depending on their release dates, these reports refer to the major incidents that have occurred over the past few years:

– the Estonian affair (spring 2007);

– cyber-attacks on the US since the middle of the 1990s;

– the wave of cyber-attacks in 2007 that affected many countries, such as New Zealand, Germany and the UK; and

– attacks suffered by France: the hijacking of the CEA “Commissariat à l’Energie Atomique” (French Atomic Energy Commission) servers16 in 2006; hacking into the e-mail accounts of French diplomats.

These incidents have “very concretely materialized a threat which was still not well identified on our continent and especially in France” [ROM 08]. Since 2007, France has not ceased to suffer from more or less visible, discreet or publicized attacks. There were notably the impacts of the malware Conficker17 and, more recently, in March 2011, the hacking into the French Ministry of Finance computers.

The report of the deputy (politician) Pierre Lasbordes [LAS 05] specified that cyber-attacks aim to “destroy, alter and access sensible data, in order to modify them or to harm the good operation of the networks”.

French cryptology expert Eric Filiol18, meanwhile, defines a cyber-attack as an attack aiming at the real sphere:

– either directly by going through an information and communication system (ICS). In that case, the computer field is only a tool or a means (attack against people for example); or

– indirectly by attacking an ICS, on which one or more components of the real sphere depend (attack against a network of electronic voting machines)19.

Cyber-attacks can threaten national defense in peacetime.

“We have agreed to call ‘attacking’ any individual or corporate body (State, organization, service, reflection group, etc.) deliberately harming or seeking to harm an information system and whatever their motives” [LAS 05]. This broad definition of the attacker thus includes offenders, cybercriminals, hacktivists, terrorists, mafia networks, military attackers and any State or non-State actor. The decisive character is a priori not the identity of the individual or the group, but rather:

– the action was carried out intentionally; and

– the objectives of the attacker: deliberately misinforming, preventing access to a resource, taking control of the system, fetching information and using the system for “bounce” attacks. The attack can be motivated by ludic, grasping, terrorist and strategic interests (States and groups).

Senator Romani [ROM 08] draws the profile of the attackers. According to him, it would be individuals or groups that are:

– professionals: “evidently the current computer attacks cannot be imputed to simple amateurs” because they are highly targeted and use more sophisticated techniques;

– acting in networks;

– “organized groups or even […] intelligence services”;

– motivated by money, since they would sell back their services to States;

– cyber-terrorists20 resorting to cyber-criminality services, even if “we know […] that terrorist organizations have acquired a significant mastering of computer tools”;

– mastering the use of the computer as a “weapon”;

– well-identified by the international press; and

– located in China21 and Russia.

Each line of this description is debatable.

– Would only “professionals” be able to use “sophisticated technologies”? Should the mark of professionals be the use of sophisticated methods and acting via networks?

– Who has proof showing the States resorting to mercenary networks, showing a connection between governments, terrorist groups and their armed forces? Could the press have some proof, since it has “stated the existence of such groups in Russia” [ROM 08]?

– Do the motivated States not have the means to develop their own devices of aggression and should they resort to a form of criminal subcontracting?

– Why is the concept of the computer as a weapon not defined even if it has serious consequences on how to comprehend the security measures and the means by which to face such threats? When does the computer as a tool become a threat?

– Isn’t the view of the distribution of the threat in the world conditioned by media and American speech, which designate China and Russia as major attacking States? Is the attacker no longer American? Are the large antennas intercepting the communications of satellites turned off? Are the submarines intercepting communications from submarine Internet cables remaining at port? Do the most respectful States not know how to use these technologies, which are “so little detectable as intelligence weapon” [ROM 08]?

There are many types of threats aimed at parts of the State. In Les Nouveaux Visages de la Guerre: vers le Champ de Bataille Virtuel [HOU 08], Colonel Jean-Michel Houbre suggests a classification of actors in four categories: ludic, greedy, strategic or terrorist. A priori, we can subscribe to this rough typology. The first two categories are part of the cyber-criminality field and the last two are more closely connected to the aspect of conflict in cyberspace.

An article published in the French journal Défense Nationale in March 2009 [BUC 09] suggested a classification of the various actors and actions according to the threat they represent for society. Strictly speaking, however, this is not a measurement of the threat level but simply a subjective judgment.

Table 3.1. List of the types and levels of threat that may affect States [BUC 09]

Threat spectrum                                Threat level
Isolated pirate                                Low
Small crime                                    Low to average
Use of the Internet for terrorist purposes     Low to average
Cyber espionage                                Average
Organized crime                                Average to high
Cyber-attack by a State                        High
Invasion of a State after a cyber-attack       Dangerous

These past few years, the two main types of attacker have been the spy (a foreign intelligence services agent) and the terrorist.

Most of the time, the spy is Chinese, on the evidence of the declarations of many victims worldwide. The Chinese spy is quite familiar to us. In 1765, Ange Goudar22 published a book in six volumes called L’Espion Chinois, ou L’Envoyé Secret de la Cour de Pékin, pour Examiner l’État Présent de l’Europe [GOU 65]. This figure is also found in a book by Georges Weulersse, published in 1902, called Chine Ancienne et Nouvelle, Impressions et Réflexions, which contains a few revealing chapter titles such as: “Le problème chinois”23 (the Chinese problem), “Le Péril chinois” (the Chinese danger), “Le nationalisme chinois” (Chinese nationalism), “Les hommes d’Etat de la Chine – La jeune génération – La nouvelle armée chinoise”24 (China’s statesmen – The young generation – The new Chinese army) or “Le péril économique chinois”25 (the Chinese danger to economics).

It is in almost identical terms that we speak nowadays of the “Chinese threat”: the Chinese threat is always a “problem”, a “danger”, notably because of the rise of strong “nationalism” in the “younger generations”, without forgetting the ghost of the threat of the “Chinese army’s growth”, which is really worrying the US, and without forgetting the extent to which the Chinese industrial renewal is a danger for the West26. From one century to the next, we still have the same images, the same themes, the same vocabulary, the same threat, the same victim (the West) and the same denunciation and alert attitude27.

Judging by the official reports, including the report by Europol on terrorism in Europe covering 2004, “no case of cyberterrorism has been listed in the Member States.” We speak of cyber-terrorism but, “we need to highlight the fact that it has never been reported” [LAS 05]. Cyber-terrorism is therefore the subject of scenarios. The Livre Blanc du Gouvernement sur la Sécurité Intérieure face au Terrorisme [LIV 06], a doctrine text in the continuation of the law of January 23, 2006 on the fight against terrorism, proposes a scenario entitled “Attentats diversifiés transfrontaliers” which includes computer attacks in its program: one of the terrorist teams involved in the attacks tries to disrupt rescue operations by attacking the computer systems.

More simply, the terrorist is perceived as an Internet user profiting from its anonymity. To fight against terrorism, “intelligence services must be able to identify and select interesting information from all the available information on the open part of Internet. They also must be able to access information under certain conditions on the closed part of the Internet” [LIV 06].

These measures, which some describe as ‘liberty killers’, perfectly fit within the broader construction of a surveillance system whose purposes are officially justified: authorizing intelligence services access to files from home offices (identification documents, passports, residence cards, car registration papers, driving licenses), airlines, shipping and railway companies. They also authorize the exchange of data between organizations, the capture of biometric data and video surveillance data, and their preservation in a single file for greater efficiency, etc. The war against terrorism encompasses the control of information.

To these two main threatening figures, we must add hackers with unequal skills, from all origins and nationalities, who are able to disturb the economy by their actions. There are actors with projects or political demands, such as hacktivists or networks of anonymous hackers. For the authorities, the threat comes from street protest organized via cyberspace. The threat landscape is evolving.

3.2.2. The feeling of insecurity, the threat

The feeling of insecurity and the fear of attacks and of social destabilization were exacerbated by the cyberattacks against Estonia in 2007. This affair has become the symbol of the threat hanging over cyberspace. Although the threat seems enormous according to the official position, it is not completely new. For about 15 years, cyber-criminality has introduced a feeling of insecurity towards the networks. This threat is used by politicians to justify a more formalized control of the use of networks and was predicted in a visionary text by Anatole France published in 1905:

“Telegraphy and wireless telephony were then used all over Europe and were so easy to use that the poorest man could talk, when and how he wanted to someone anywhere in the world. […] This was the abolition of the borders. A critical hour amongst all! […] The French, German, Swiss and Belgian Republics […], each express by a unanimous vote of their Parliament and in huge meetings, the solemn resolution to defend the national territory and industry against any foreign aggression. Energetic laws were promulgated, […] strictly regulating the use of wireless telegraphs […] Our borders are protected by electricity. There is a lightning area around the federation. A small man with glasses is sitting somewhere in front of a keyboard. He is our only soldier. He just has to put a finger on a key to crush an army of five hundred thousand men.” [FRA 05]

Of course this text is not describing information warfare or cyberspace, but we can already see the formulation of concerns on security that we sometimes think to be modern. The attitude of the government in order to control the information sphere is also described in this text.

Several key ideas can be found in these few lines that also structure the positions of our contemporaries on matters of security or insecurity in relation to cyberspace:

– This is about the dissemination of a technology on all the continents.

– It is about governments worrying when facing a technology that leads them to lose control of people’s opinions and ideas. Individuals who are connected have access to a new freedom of expression, which ignores the borders. This freedom is also made possible thanks to the extreme ease of use of the media.

– Facing this loss of control, which would be a danger for all States, there is only one solution: regulating, supervising, controlling and limiting access to information. This legal prospect was outlined and foreseen in Le Vingtième Siècle by Albert Robida, as we have seen. And what are we doing nowadays besides putting these premonitory thoughts into practice?

– A technology is seen as a national defense tool: electricity protects the borders.

– The small man with glasses is equivalent to our 21st-century hacker: he has become a soldier and he is almighty.

– The asymmetry is presented to the advantage of the solitary individual, who can, from his keyboard, slaughter half a million people. This is the fight of David against Goliath, but a high-tech David, who has swapped the sling for modern weapons resulting from new technologies.

‘Attacks are a reality’ [LAS 05] and the threat hanging over information systems and national security is ‘evident’ [ROM 08]. The daily attacks on information systems will increase and it is highly probable that there will be more ‘major cyber-attacks’ in the 15 years to come against national information systems [ROM 08]. These major cyber-attacks are registered in the six illustrative scenarios proposed by the 2008 White paper [LIV 08]. They are subject to the same consideration (and worries) as the threats that can involve NATO, massive high-lethality pandemics, natural disasters, crises in overseas departments, and the engagement of France in a major regional conflict. The scenario on the threats or conflicts that could involve the Atlantic Alliance28 considers cyber-war as one of the means of attack enabling the classic defenses of the Allies to be circumvented.

On a hierarchical scale of the risks and threats, major cyber-attacks are supposed to be ‘highly probable’ (on the same level as terrorist attacks and organized crime) and of ‘low to high amplitude’ (thus never reaching the ‘critical’ level on this classification, which is usually kept for terrorism, pandemics, natural disasters and ballistic weapons) [LIV 08]. Attacks on information systems can thus be considered acts of aggression and the subject of crises and/or major conflicts.

Do we have to fear the threat of chaos? Chaos, as François Bernard Huyghe29 recalled in his book L’Ennemi à l’Ère Numérique published in 2001 [HUY 01], is:

– the final stage of disinformation or informational aggression;

– the result of infectiousness: an incident causes another and a chain of events could lead to chaos. We can also talk of an avalanche effect [HAS 05]; and

– one of the aims of information warfare and cyber-war30.

In science-fiction literature, chaos is the result of a disaster, and humans are always the cause of it: post-nuclear apocalyptic area and natural disasters that are the consequences of human activity, pandemics caused by biological manipulation, etc.

Chaos can be illustrated in the following terms:

“Accompanied with the airplanes of the Coalition strike force and escorted by a fleet of highly armed destroyers and frigates, the aircraft carrier boat has been sent to demonstrate to China that Great Britain is determined to protect its shipping lines. But before a single shot was being fired, the aircraft carrier and all the other boats were suddenly stopped by a general electricity failure. Motors and computer systems failed to operate […] In only one shot, the British battle group was overpowered by gifted hacker teams working for the Chinese army. At the same time, Chinese cyberwarriors were launching a ‘clickskrieg’ against United Kingdom.”

These few lines are an excerpt from a short article published in 2010. The action takes place in 2025 [COU 10].

The various phases of this scenario can be examined in parallel with the events happening in Ravage, the novel by René Barjavel published in 1943 [BAR 43]. The story unfolds in Paris. “You don’t know what happened yesterday? All the plane motors stopped yesterday at the same time, just when the electric current was giving out everywhere. All the planes which had started their approach fell like hail”. In the disaster scenario, planes are crashing, all the machines cease to operate and the lights are turned off, plunging the city into darkness, because electricity seems to have disappeared from Earth. Electricity is a vital resource for all mankind (mankind in the city, because the countryside seems less affected by the disaster) and there are immediate consequences of its disappearance:

– People are panicking, crowds are fighting and humans act like animals and kill each other.

– Politicians ask themselves who is guilty:

- they do not have an answer;

- soldiers speak about war and affirm that the culprit is France’s arch enemy (this enemy is not identified); and

- scientists say that it is nature, but nobody really knows. They need time to understand. And yet society does not have time: mankind needs to know immediately because their lives are suddenly disrupted. A shock has occurred. The social body is destabilized. Will it survive this ordeal?

– The crowd is wondering: what is happening to us? The crowd is ignorant, murderous and violent.

– There is a return to the age “before electricity”: the army takes out weapons that it manufactured based on the models of those from past centuries. Men are going into the countryside and they must fight, make fire, etc. It is a return to the Stone Age.

– Cascading disasters: the disappearance of electricity has immediate consequences, such as lack of access to cash (the financial system is based on electricity), lack of access to water, etc.

In this picture of a mankind confronting its demons (dependence on technologies, end of the civilization), we find a few similarities with the positions, representations and behaviors of our contemporaries:

– Scientists and engineers are seeking explanations for extensive electricity failures (for example, in Brazil and North America), but cannot give any conclusive answers. The argument of the effect of nature on the system malfunctioning has been put forward (trees falling on electrical wires, human error in maintenance, snowfalls, heat, etc., explaining failures, fires and power outages of electric distribution systems). Others speak about cyber-attacks.

– Observers and other experts in security and defense put forward the argument of attack by hackers (the enemy) in order to explain general power outages. But, like the engineers, they do not provide convincing proof. The army takes up the argument to justify the existence of threats and the necessity of preparation to fight against this unknown enemy (we speak about the Chinese, Russians and other cyber-terrorists without ever precisely identifying this enemy).

– The consequences of attacks on critical infrastructures are found in the same fields as those of the novel: no more computer networks would mean no more financial system and the stoppage of water and electricity distribution systems, transport (airplanes and trains), etc.

“I don’t know yet if we are dealing with sabotage, strikes, acts of war or accidents.” [BAR 43]

These questions raised by a fictional character are the same as those that we hear nowadays when significant cyber-attacks occur. It is always difficult to say who is behind these cyber-attacks: saboteurs, armies, terrorists; or whether it is just technical hitches. The case of electricity failures in Brazil and in North America is a good example: are they due to intervention by hackers, hacktivists or foreign armies? The Stuxnet affair is another example: was it about destroying nuclear power plants (sabotage) or about committing an act of war (against Iran, for example)? It was impossible for the characters in Ravage to narrow down the act to any culprit in an acceptable timeframe; the situation is exactly the same nowadays in the case of cyber-attacks (it is sometimes difficult to distinguish accidents from attacks).

In Barjavel’s book, electricity is a vital resource, on which all facilities (transports, communication, water, etc.), and thus the entire society, depend. Let us replace ‘electricity’ with ‘computer networks’ and we might have a similar scenario, with consequences similar to those of the novel. The best way to paralyze computer networks would still be to cut off electrical distribution circuits. Electricity remains one of the most important resources. It is even more essential than cyberspace because cyberspace cannot exist without electricity. To durably affect the operation of computer networks, the best bet is to target electricity production and distribution systems. Most of the time, the threat is comprehended the other way around: as a cyber-attack against electricity distribution systems.

3.2.3. Potential vulnerabilities of States

According to some, France is in a vulnerable situation in this information space31. There are several reasons for this:

– France would be unprepared to face these threats: France appears to be behind and neighboring countries seem to be better prepared and defended;

– in France the culture of security is supposed to be lacking;

– France does not have a national industry for hardware or software. France thus depends too much on technologies that it does not control;

– these policies, although started early (from 1986)32 with a series of statutory texts organizing the security of information systems, then continued in March 2004 with the adoption of a three-year plan of enhanced security of the State information systems33 and finally with the creation of the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information, the French Agency for Information System Security)34 in 2009, have not until now had the expected efficiency35;

– a lack of means. This was the main argument of the report written by Senator Romani. However, the number of structures, actors, programs and operations dealing with the security of the information systems on various levels is quite large and the national security structure is relayed or coordinated through international initiatives: the works of the UN, the ITU, OECD, G8, NATO, EU, coordination of the CERTs via FIRST (forum of incident response and security teams) or ENISA36.

– a lack of coordination of the existing means. “Ensuring our defense and our security requires perceiving and then understanding dangers and threats”. Yet, despite this plethora of actors, it seems that “France is nowadays devoid of all the necessary tools to comprehend, analyze and deal with everything entailed by the expression ‘global security’” [BAU 08].

The Romani report on Cyber-defense [ROM 08] establishes an inventory of the reasons common to all modern States:

– interconnection of systems;

– their relation to the Internet;

– the contaminant nature of the Internet (everything in contact with the Internet becomes fallible);

– dependence of society on information systems;

– permeability of information space because of mobile equipment (threat to network integrity);

– weaknesses of the Internet protocol;

– use of applications (off-the-shelf software) that add to the complexity and security breaches;

– contamination of the most solid bricks by the weakest ones;

– etc.

3.2.4. Evolution of the international environment

The White Paper on Defense and National Security, published in June 2008 [LIV 08], gives a large place to digital information and information systems37. With a new era comes a new vision of the world, a new context and new constraints. A new world began with globalization that “does not create a better or a more dangerous world” but “a more unstable one” (hence the financial crash of 2008). This world remains controlled by the power of the US, but with a rebalancing to the benefit of Asia. This new period is also characterized by:

– The multiplication of threats (terrorism, ballistic missiles, attacks against information systems, espionage, organized crime networks and natural risks) that has also made the difference between internal and external security disappear and makes a global approach to these phenomena necessary.

– A higher degree of complexity and uncertainty that makes our environment and its threats quite difficult to apprehend.

– The increase in military expenditure.

This new world is also the world of the affirmation of cyberspace as a vital system, as the nervous system of our model of society. In cyberspace, information is more broadly and quickly diffused. The consequences of this are an acceleration of action, an increase in the power of the media38, an uncontrolled flow of ideas (notably ideas of ideological, religious and radical protest), an increased power of private actors and a reduction in the expression of the State’s ability to control things and a reduction in the sovereignty of States. “The sudden increase of the information flow […] weakens the autonomous intervention capacity of States” [LIV 08].

3.3. Reaction, position of France and choice: theories, political strategies and military doctrines

Caught in the turmoil of cyber-attacks over the past five years, France has elevated information system security to a national defense and security issue. Threats, as they are identified and perceived, justify a strategy based on the control of information, the systems and the implementation of computer means. This security strategy contributes to specifying the outlines of a French concept of information warfare.

On the basis of all the aforementioned statements, France thus adapts its reactions, position on the international scene, political strategies in terms of cyber-security and cyber-defense and military doctrines. The dimension of cyberspace relating to conflict is a new challenge for States and France is facing it by maintaining a defensive posture.

3.3.1. Information: a powerful weapon for those controlling it

Those controlling technology can, from their keyboard or their screen, control the opponent and lead to its destruction. The fact that a single individual or a small group can defeat an ‘army’ or a ‘State’, can destabilize or destroy it without seeing it, take it by complete surprise, ignoring the distances and with the sole power of technology, is one of the threat scenarios weighing on States. The major attacks feared against critical systems do not belong to the field of ordinary cyber-criminality but are acts of aggression. The Department of Defense has decided to describe operations to sabotage computers as acts of war and reserves the possibility to retaliate with conventional military force. The control of information space is thus a priority matter, since this control decides the state of the world: whether it is at peace or war.

3.3.2. Media information: beneficial if controlled

The position given to the concept of ‘information’ in the White Paper on Defense in 1994 [LON 94] is quite representative of French thought at the time. Information is indeed:

– placed at the center of the evolution of the world and at the core of the globalization of the exchanges, i.e. perceived as an economic tool;

– a tool at the service of decision processes;

– a tool at the service of republican values: “the position of information has beneficial effects for the transparency in decision-making and in the implementation of these decisions. It is an essential factor in the fight for human rights, in order to prevent conflicts and defuse tensions” [LON 94];

– but it is mainly in its ‘media’ dimension (more accurately, we would say the ‘news’), which is “at the heart of any defense policy”, that information is attacked and is a cause for concern. The predominant information influencing public opinion “is henceforth at the heart of the functioning of our democracies”. Diffused by media, it can have a negative impact on society and the risk of misinformation is quite high. Henceforth, “it seems difficult to strike a balance between total freedom and information restriction” [LON 94].

3.3.3. Economic information as power, if controlled

The Intelligence Économique et Stratégie des Entreprises report39, also published in 1994 [MAR 94], states in its preface that “the strategic managing of economic information has become one of the main drives of the overall performance of the businesses and nations”. This ‘economic’ information will be one of the main elements of the debate from now on (regarding business intelligence and economic warfare). We can find the same concerns for the control of economic information in the Carayon report40 Intelligence Économique, Compétitivité et Cohésion Sociale published in June 2003 [CAR 03]. Business intelligence campaigns for a defense of the economic fabric through better control of information.

3.3.4. Information warfare

The new information society built around computer science, telecommunications and a newly born Internet just after the Cold War was accompanied by an awakening: information, whose diffusion is now global in real-time and whose manipulation is easier than ever, is opening new prospects in terms of conflicts and confrontations. Following the works and reflections carried out on economic conflicts in the information society41, other works were published in 1996 on information warfare at the instigation of the Stratco/Intelco group42 on behalf of the DGA (Délégation Générale à l’Armement, the French General Delegation for Armament). The Cold War had just ended and the First Gulf War had imposed American power. We progressively became aware of the possibilities of the defensive and aggressive use of information, notably in the economic and commercial fields. Information warfare was then defined by a formula that was quite successful in France: this is the war “by, for and against information”43. This expression was taken up again in 2008 in the report on cyber-defense [ROM 08]. The French approach attempts to distance itself from the American approach. French information warfare then focuses on knowledge warfare, attacks on information (for example misinformation operations aiming to destabilize rival companies), in line with the theories developed within the EGE (Ecole de Guerre Economique, the Economic Warfare School) directed by Christian Harbulot, a French business intelligence specialist. This prospect is different from the American one, the latter putting computer piracy at the center of ‘infowar’ [HAR 99]. A conference on the theme of information warfare was organized in March 1999 at UNESCO by the EGE44.

France does not have a reference document in terms of information warfare, which would define the concept, the issues, the tools and the respective roles of the civil and/or military actors at the same time. Therefore, everyone is using it at will. It is sometimes a synonym of economic warfare or business intelligence, information manipulation dealing with the role of the media, information in times of war, cyber-war and cyber-attacks, espionage, information operations, influence operations, or even cyber-criminality.

François Bernard Huyghe defines this concept as follows:

“Information warfare consists of hiding, destroying and corrupting information, from intellectual knowledge to computer data. Its aim is to produce damage or to win hegemony. Its motto: ‘Information, predation, destruction’. It also rallies symbols and affects in order to build a consensus and control passions. Information society would thus be subjected to a double danger: that of the always recurrent archaic violence, tormenting the bodies, and a new violence, ill-treating or altering brains, humans’ or computers’” [HUY 05].

In France, information warfare was for a long time a symbol of economic warfare. Also caught up in the turmoil of cyber-attacks in the past five years, France now more carefully considers the question of the “hacker war” and of the “cybernetic war”. They are two of the seven forms of information warfare, as defined by Martin Libicki [LIB 95].

3.3.5. Information warfare or information control

In January 2000, General Loup Francart proposed an exploration guide of the vast field of information control [FRA 00]. Information control is “a tool of knowledge, governance, influence and action, whose efforts we need to direct and whose activities we need to plan”. “On the strategic level, we can talk of a real information war, which conditions and is at the center of the other aspects of the conduct of conflicts: war for the mastery of the spaces, war of capacities and war for the decision”. This control or mastering is also defined as “the capacity… to access in due course information and to use it operationally and efficiently” [LIV 08]45.

Information control could be the miracle recipe for power: it would guarantee the advantage, superiority, transparency, anticipation, speed, action and knowledge. But the theory is written as if we were alone in the game. Nowadays, some other variables must be taken into account: the actions suffered, the relative inefficiency of the fortress paradigm, the possibilities of bypass, are all obstacles for control. A rule-of-law State does not have the initiative of aggression and thus cannot have the advantage. It can only act in reaction to an aggression. Therefore, maybe it would be better to develop a theory of the mastering of reaction?

From the French point of view, ‘control’ enables us to supply useful information to decision-makers, to “have at our disposal reliable information at the right time and place”46. This control also helps us to protect ourselves from the risk of not seeing, not knowing or not having the reliable information, of taking a decoy for reality, building wrong representations from exact information, etc. This form of control47 does not belong to the dream of absolute domination of information space that the US calls ‘info dominance’: the supremacy over the information space makes the world transparent and guarantees control of the world.

French information control belongs as much to the ‘hard power’ dimension of information warfare (defensive and offensive cyber-war, electronic warfare, physical attacks against the information systems, etc.) as to the ‘soft power’ dimension (war of words, images, political and diplomatic discourse, control of the media, representation of France abroad, etc.).

3.3.6. The ANSSI

The matter of cyber-defense has been quite topical ever since the events that occurred in Estonia in 2007. Evidently, this affair has relaunched debates and raised some questions within the authorities and general staff. Since this time, we have witnessed the implementation of new national strategies, which are also accompanied by the creation of cyber-defense and cyber-security agencies and units. This no longer consists of just having monitoring and warning tools, but of organizations that are able to go further: for example to carry out investigations, be ready for aggressive actions in times of conflict, crisis or even simply of peace.

States are thus developing their capacities; officially from a strictly defensive aspect. For many years, the US has had specialized information warfare units within its armies. Cyber-war, or whatever name we give to the conflict or confrontation in cyberspace, is only a subset of information warfare. It is thus natural that American forces develop capacities in this new field. Americans then prefer to talk about units devoted to cyber-operations rather than cyber-war units.

The US Cyber Command was launched in May 2010. Within the US Cyber Command, the Army Cyber Command (ARCYBER) was created in October 2010. It employs 21,000 soldiers and civilians48. The 24th Air Force was created in August 2009 and has been fully operational since October 2010. It is in charge of protecting the Air Force networks against cyber-attacks49.

Germany created a cyber-defense unit in 2009, which is located in Rheinbach50. In February 2011,51 it introduced a national cyber-security council, which is in charge of the coordination of the operations of a national defense center located in Bonn.

In March 2009, the UK announced the creation of a unit devoted to cyber-war52, the Cyber Security Operations Centre (CSOC) within the GCHQ (Government Communications Headquarters). Less than 20 people were said to be working in this center. In January 2011, General Sir David Richards expressed his wish to create a cyber-command, taking inspiration from the American model, in order to protect the country from cyber-attacks and to be able to launch its own cyber-attacks. This process is in line with the conclusions of the Strategic Defense and Security Review published in the UK in October 2010.53

The Netherlands published a new cyber-security strategy and announced the creation of a National Cybersecurity Center in February 2011.

In 2010, South Korea created a center for cyber-war, in order to counter the possible North Korean and Chinese attacks54. According to South Korean intelligence services, North Korea is reportedly equipped with specialized cyber-attack units.

In 2010, Switzerland was planning the creation of two cyber-war units within the “Centre des Opérations Electroniques de l’Organisation de Soutien au Commandement des Forces Armées” [CAV 10]55.

In January 2011, the Estonian Defense Ministry proposed the creation of cyber-defense units on the basis of the expertise of the country’s computer scientist communities. The activities of these units will be carried out in consultation with the NATO center of excellence in Tallinn56.

Israel is said to be equipped with Unit 8200, based in the Negev desert.

Iran will also be equipping itself with cyber-war capacities.

Australia announced the creation of a specialized unit within its intelligence services in March 201157.

China has reportedly had specialized units in this field for more than 10 years, according to several American reports. In May 2011, China declared that it had created a cyber-defense unit in the Guangzhou province. Beijing has also accused Taiwan of leading cyber-attacks with the help of dedicated military units.

NATO has 15 centers of excellence on this level, including one cooperative cyber-defense center of excellence in Tallinn (Estonia). In this international context – where States are strengthening their cyber-security and cyber-defense capabilities – France created by a decree on July 7, 2009 a national agency for cyber defense: the ANSSI. Its mission has then been strengthened by the decree of February 11, 2011. Some media have not hesitated to wrongfully compare the ANSSI to the US Cyber Command58. Yet, the ANSSI is not a military organization with a mission to carry out acts of aggression. It ensures the security of the country’s information systems and is in charge of protecting them from all sorts of cyber-attacks.

3.3.7. Cyber-security and cyber-defense

The security of the information space is a political, strategic and national defense and security question. According to the Lasbordes report, information system security is “an issue on the scale of the entire Nation […] For the State, this is a national sovereignty issue. Its responsibility is indeed to guarantee the security of its own information systems, the continuity of the functioning of the institutions and facilities vital for the socio-economic activities of the country and the protection of the companies and citizens” [LAS 05]59.

In France, the report by Senator Roger Romani [ROM 08] defined cyber-defense as all the means enabling us to protect ourselves from the attacks on information systems; these attacks are likely to question the security and defense of the country.

For the ANSSI, cyber-security is a “sought after state for an information system, helping it to resist events coming from the cyberspace; these events are likely to compromise the availability, the integrity or the confidentiality of the data, stored, discussed or transmitted and of the connate services that these systems offer or make available. Cybersecurity uses techniques of the information system security and relies on the fight against cybercriminality and on the implementation of a cyberdefense”. The latter is the set of technical and non-technical measures helping a State to defend the information systems that are considered essential in cyberspace [ANS 11].

The achievement of the French policies and strategies is accompanied by a development plan of its capacities. In addition, these projects comply with a system of logic, which is not specific to mainland France.

The research and development group within the prospective and technology subcommission of the Commission Interministérielle de la Sécurité des Systèmes d’Information, itself placed under the SGDN (Secrétariat Général de la Défense Nationale), published the update of a first report from 2006, entitled Orientation des Travaux de Recherche et de Développement en Matière de Sécurité des Systèmes d’Information, on April 10, 200860. From this report, we note the issues that seem essential to the authorities in terms of information system security:

– accountability of the accesses (who is the attacker, how to go back to them);

– nomadism;

– evolution of the fortress security paradigm towards the living paradigm, with a wish to abolish all the borders; and

– the control of all the bricks constituting information systems.

The possibility of a dual use of security techniques for purposes other than strictly defensive ones: “knowing how to detect such steganography devices or conversely how to make them hardly detectable are thus the two complementary aspects of the sword and the armor”.

3.3.8. Army: Information operations, NEB (numérisation de l’espace de bataille/digitization of battlespace), info-development

3.3.8.1. The temple of information operations

If in the French military vocabulary the expression ‘information warfare’ does not appear, this is to the advantage of the expression ‘information operations’ (IOs), following the American model and that of the terminology adopted by NATO. IOs (an inter-army function) are influence operations and are not, in this approach, part of the coercion field, which is strictly exercised in the physical field. The French IOs doctrine strongly relies on the psychological dimension and the power of influence; the objective is always to limit the recourse to force as much as possible, to limit violence by a weakened resistance, to shorten the duration of the conflicts and limit losses.

Doctrinal reflections on IOs began at the end of the 1990s. They consist of transmitting a coherent message and having a better reactivity, i.e. of endowing France with an efficient influence strategy. This focuses more on the ‘soft power’ field than on the ‘hard power’ one.

The Concept Interarmées des OI (PIA 03.152) was published on March 11, 2005 and an inter-army doctrine of the IOs (PIA 03.252) on May 29, 2006. IOs are defined in the text of March 11, 2005 as a “set of actions carried out by armed forces, defined and coordinated on the highest level, aiming to use or defend information, information systems and decision processes, with the constant support of an influence strategy, and contributing in operations to the attack of the EFR61, in the respect of the values”. IOs are thus:

– military operations;

– actions with a purpose: to disturb the adversary’s will to act. This purpose is pursued by aiming at two targets:

- the information collected by the adversary in order to alter their knowledge, and

- the adversary sensors, to alter, modify and disrupt their information acquisition capacities;

– operations fitting into a continuum, in coordination with the use of force and civil-military actions (CIMIC62 and COMOPS63);

– “indirect strategies offering another path or an additional choice to the modes of action founded on the destruction”64.

The components of information operations are generally represented in the form of columns supporting a temple. These components are as follows:

Military influence operations (MIOs), an equivalent of the psychological operations (PSYOPS), are the key function of the IOs:

- they fit in the military continuum: intervention – stabilization – reconstruction. Their relevance increases as kinetic operations decrease;

- they must be carried out in prevention, during and after the conflicts;

- they are exerted on info-targets, which are only adversaries65 and are individuals or groups of individuals whose behaviors, attitudes, perceptions and will we want to modify and influence. The national public opinion is not the target of the MIO, but of the COMOPS;

- they rely on communication methods;

- they are only efficient if they are able to overcome the operations carried out by the adversary, to defeat counter-psyops operations if the conflict has a significant ideological dimension or if the info-targets operate as good receivers and do not oppose any resistance by unpredictable reactions, that could possibly turn the psychological maneuver against its instigator.

Military deception.

Cyber-war is defined in the Glossaire Interarmées of 2004 as “In the computer field, actions carried out in order to paralyze the systems of an adversary, to disturb the data transmission flow and to deform them or take note of these data”. This field was still recently considered as ‘emergent’66 and defined as ‘a guerilla of the information warfare’67. This task is ‘exclusively defensive’68 within the armies. The control of defense should also enable us to counter these attacks, but the aggressive use of cyberspace seems delicate because of the possible collateral effects, which are difficult or impossible to control, but also because of the legal issues. Finally, a new vulnerability appears: that of communication satellites. Eventually, space will probably be fought over. We have to prepare ourselves for this fact. At the Ministry of Defense, the piloting of the information systems is ensured by the DGSIC69 and the defensive cyber-war leans on its actions, while relying on OPVAR (organization of the watch, alert, and response) functions.

Activities of information protection (OPSEC/INFOSEC): security of operations (protection of the force) and information. We need to ensure the good circulation of information within the armed forces, to offer efficient protection from the possibilities of attacks against information systems and to protect ourselves against the risks related to the vulnerability of the systems and personnel.

Attitude and behavior of the forces. By their behavior, soldiers are conveying the representation of France and its determination.

Electronic warfare.

These six pillars are the “dedicated domains” of information operations. We can add to them the CIMIC and COMOPS, which are the ‘associated domains’ and the destruction, which is “the use of force”.

These nine pillars thus support the “temple” of information operations70.

There is no real hierarchy of the tasks between these pillars, which are the foundations of IOs. However, the psychological dimension is essential. IOs and the influence strategy support the six IOs pillars, but also the recourse to force and CIMIC and COMOPS operations.

3.3.8.2. Battlespace digitization

Battlespace digitization is in line with the process of transformation of the French armies. Digitization71 is an efficiency factor: it helps to accelerate the pace of operations and to improve the decision cycle72, to the point where information is controlled (information of quality). Issuing this quality information on all levels of responsibility and in any place relies on the organization of a ‘system of systems’, which is a complex structure that must be interoperable with the systems of allies. This stage is still under development and we mention the impact of this new information structure on the doctrines and organization of general staffs in the future tense73.

Battlespace digitization is organized around the networks, C4ISR systems, and implementation of the famous network-centric warfare and still goes on nowadays with the introduction of futuristic solutions (drones, robots, infantry equipment, etc.). It is not the only aspect of the introduction of new information communication technologies (ICTs) in the army. The Internet, alongside secured networks, is used by the armies and is taken right into the field of confrontation. Soldiers have access in their everyday life to the same technologies and the same communication means as any other member of the public. Soldiers express themselves, communicate with each other and exchange ideas. Soldiers are members of the public but they are exposed to prying eyes. Soldiers can come out of their “reserve” and talk openly online and then there are risks for the institution, army, State and for soldiers themselves, since they are not always aware of the importance of what they are saying and reporting.

The relationship of the soldiers to means of communication must be questioned. If we can find virtues in the freedom of expression of soldiers within the army [BIH 10], data theft, expression on blogs open to the general public, chat rooms or other social networks, are however debatable. The relationship of the military authorities to the freedom of expression of their soldiers, or even of the media, varies from one country to another. The French Code of Defense (Code de la Défense français) stipulates in article 4122-2 that soldiers must be ‘discreet’, which by default forbids any publication on the Internet likely to disclose military information.

3.3.8.3. Info-valorization

Information control and its simultaneous sharing on all levels gave birth to the concept of info-valorization, an equivalent of the American concept of NCW (Network Centric Warfare)74. The model of the info-valorized maneuver is thus presented as the ideal solution, enabling us to integrate everything, deal with everything, see and know everything and to assess knowledge described as “a form of intelligence”, which “covers also the estimation of the strictly necessary lethality level”75.

Info-valorization has been defined as one of the three fundamental concepts structuring the future land forces (info-valorization, operational versatility and synergy of the effects):

“Info-valorization aims at an optimal exploitation of the informational resources enabled by the new information and communication technologies”76.

3.3.8.4. Cyber-war

The French inter-army glossary of operational terminology [MDF 07] (PIA 0.5.5.2.) of 2007 associates ‘cybernetic war’ with ‘cyber-war’. The two concepts are synonyms. Cyber-war corresponds to the set of “actions carried out in order to paralyze the systems of an adversary, to disturb data transmission flows and to deform these data or take note of them” [MDF 07]. The targets are the systems.

The White Paper on Defense and National Security published in June 2008 [LIV 08] introduced two major concepts: defensive cyber-war (DCW)77 and offensive cyber-war (OCW)78. Some States are significant threats because they have strategies of aggressive information warfare. Open or concealed attacks are in the realm of possibility. To face these threats, France is changing its strategy from a passive defense to an active in-depth one, which affects equally civil society and the military domain.

Passive defense consists of implementing automatic protection systems (firewalls, antivirus software). This consists of an essential protection level, which is insufficient because we can go around it. Active defense (DCW) consists of implementing surveillance systems and of adapting to the evolution of threats. For this mission, the White Paper of 2008 [LIV 08] predicts the creation of a detection center (in order to monitor the sensitive networks). The Romani report [ROM 08] notes that this protection level is not sufficient security either: despite this protection, the Pentagon is subjected to incessant attacks.

To this necessary but insufficient layer, the White Paper of 2008 [LIV 08] was thus suggesting to add a new one, “OCW”, which relies on the conviction that “in the computer domain more than in any other one, we will have to know how to attack in order to defend ourselves” [LIV 08]. This layer will probably enable us to contradict the assertion according to which “the defender must imagine everything without being able to respond… because there is no legitimate defense in ISS79, whereas the attacker seems entitled to do everything possible” [LAS 05]. The development of these OCW capacities is not an innovation of the 2008 White Paper, since they were already present in the Law of Military Planning 2003–200880: “The model of the armies 2015 […] also includes the recognition of defensive and offensive cyberwar”.

According to the Doctrine of the Use of the forces of 200381:

“The threats relying on the computer systems are quite unpredictable in their origin, their nature and their aims. The consequences of cyber-aggressions appear simultaneously in numerous places, because the networks are accessible by many points of entrance.

By taking into account the very specific nature of these threats, which are diffused, sometimes clandestine, often undetectable and unpredictable, cyberwar obeys the following principles:

- permanence, reactivity, anticipation: cyberwar consists of “mastering time” by a surveillance function and a significant reactivity to computer events;

- interactions with the other fields: cyberwar is directly related to electronic warfare, of which it is probably only one aspect. The use of weapon systems is related to a computer science of action and research. The computer infrastructure which does not depend on weapon systems notably includes decision support computing, administrative data processing, etc.”

The mastering of the OCW capacities must ensure the superiority of the engagements. The objectives are ambitious: identify the adversaries (and thus have the means of identification), know the operating processes of the adversaries, be equipped with capacities to neutralize the adversary (i.e. to be able to paralyze the opposite operation centers), implement retaliatory measures, develop specialized tools (notably digital network tools), and formulate a doctrine for the use of OCW capacities. The doctrine will notably reflect on the legal framework of the use of these new weapons (whose targets are authorized, which power of destruction can be used), on the threshold of actions of this new external intervention capacity (intelligence services, soldiers), and on the question of the proportionality of the possible retaliatory measures.

This project of offensive capacities is causing some significant problems in terms of feasibility:

– Using these capacities in a legitimate defense context or to apply retaliatory measures, after an act of aggression, implies knowledge of the precise identity of the attackers. Nowadays, the level of the technique does not enable us to do this. On a battlefield, the adversary is identified. When a cyber-attack aims at incapacitating a vital infrastructure, the perpetrators generally forget to sign their action, and assumptions are not proof enough.

– The time taken to carry out the investigation can be quite long. Legitimate defense can only be exerted in a short time. The time constraint in the context of an aggression is the same as in an investigation concerning an act of cyber-criminality.

– Respect of the proportionality principle of retaliation or of the response implies that we have an exact view of the extent of the damages suffered by our own side by an attack. What could the metric of these losses be?

– What will be the consequences of the use of network weapons? How can we control, for example, the collateral effects?

– OCW first assumes that we know about the attack. Detection capacities are not, however, ensuring that we can see everything. Attacks can be very discreet. Some sensitive machines seem to have been pirated for years before we realize it82. A DCW/OCW coordination is thus essential.

– If “the use of violence in war has never any other aim than producing psychological effects”83 (an assertion that generally refers to physical violence), what level of violence will we authorize in cyber-war operations, which would give them the necessary force to convince, terrorize or dissuade the adversary?

3.3.8.5. Military points of view

In the absence of revolution, if some evolutions can be found in official texts and doctrines, they are foremost carried out by men, with their convictions and their approval. Yet, if the digitization process is progressing, caution, reluctance and resistance are often present in the technological race and the temptation is to yield to the influence of the American doctrine.

Thus, General Vincent Desportes wrote the following about the NCW concept [DES 08]:

“In the dream of the RMA (revolution in military affairs) […] is born this idea that war, the true war, must henceforth be ‘network-centered’ […] these operations in network should enable us to make the myth of the quick war become a reality […] This technical evolution, much more based on the wonder of new capacities than on the observation of the conflictuality, was soon going to show its limits […] the British […] have abandoned the idea of NCW to put technology back where it belongs, and speak about NEC, for Network Enabled Capacities […] After a first phase of wonder in front of NCW, the French doctrine has fortunately followed the British example and adopted the quite awful but realistic neologism of ‘infovalorisation’ (‘infovalorization’)”.

“Technology would not know how to change or transform the war. We will soon make war in space, but it will not be ‘the space war’”, continues General Vincent Desportes [DES 07]. Techno-skepticism (or salutary caution) is appropriate in many environments, including the military one. This position is a brake on that of the supporters of the technology, who see in technology the future, promising the perfection and solution to all our problems.

If there is reticence or strong caution within the army, this is mostly because:

– Chiefs are not trusting chimeras84: “the predominant position of information and communication systems and the use of dematerialized information must not lead us to the trap of the virtual, which is completely disconnected from reality”85.

– Chiefs do not always trust new technologies: “For a while, innovation remains a foreign body that disturbs an existing balance”86. We should not yield to the “technological illusion” or to the “fascination with the new gadget and to the temptation for technophiles to exploit it at the maximum of its possibilities”87.

– Chiefs do not always see the benefit of digitization, virtualization, computerization and of theories that have been developed on their basis:

- How will NICTs save the chiefs from reproducing the mistakes they have systematically made for centuries; and if it is not possible to avoid all these mistakes, how can they make fewer errors?

- How can NICTs help them to understand and act88 (and especially not one without the other)?

- How will we be able to avoid the vulnerability resulting from the dependence of human actors on information systems? The attacks against Estonia are often taken as an example of vulnerability and dependence89. The systems are subjected to the risk of attacks: for example cyber-attacks against NATO sites and the American defense department machines preparing the offensive in Kosovo in May 1999 [CDE 05]90.

- An army must be strengthened and not weakened by the introduction of weak links.

– American doctrines cannot be the object of a simple copy and paste within the French model. The NCW concept has raised many questions and critiques.

– Systems do not always become a reality and fulfill all hopes because on the operational field, “the control of the information space” does not ensure the fluency and the success of operations:

- We have put in new information communication technologies (NICTs) and hope to see the enemy without being seen, to see them and reach beyond the horizon, etc. But on the field, the monitoring of enemy forces never seems to be as good as the monitoring of its own forces.

- The systems enable us to access more information more quickly. But we have to deal with the various speeds: an order can be given, transmitted and received with very short delays. However, the implementation of the order will still not be accelerated.

- Many communication technologies are relatively inefficient nowadays in the field of urban guerilla warfare.

- The capacities offered by NICTs enable us to always produce more documents and thus to complicate and slow down the processes: “a Wehrmacht battalion was taking at least about 30 minutes to conceive and diffuse an order. In 1994, the 3rd British Division made an estimate of 12 hours for the duration necessary for the deployment of an order of operation”91.

- “The increase of the acquisition and processing capacities has not proportionally reduced the uncertainties of the battlefield since it has also created other needs”92.

General Desportes matches the certainties that were built at the turn of the 1990s on utopias (beliefs in the powers of technology) to the uncertainty appearing nowadays. “The adversary seems to be less and less detectable and thus less and less easily spotted. Henceforth, the only situations which are often asymmetrical, are characterized by the ‘surprise’; the chief on the field must thus quickly decide and react” [DES 07]. The fast decision can only count on the speed of the information processing by computer and telecommunication systems. More simply, the decision cannot rely on the technology alone. To partly compensate for the uncertainty, chiefs93 must thus use their experience and knowledge. A military chief can partly rely on military history but chiefs of military cyber-operation have only a very short history and a limited experience at their disposal. In terms of cyber-war, for example, what is taught nowadays in defense universities and military schools? This teaching should train chiefs in the practice of uncertainty. The command is partly based on the knowledge of known realities from the past. In terms of cybernetics, the situation is a bit different. History is still young and remains to be written. Almost everything has to be invented. Chiefs must thus have invention and innovation capacities. But the conduct of cyber-war will partly be built on reasoning that is not specific to it but is borrowed from conventional war.

General Desportes is very critical of the position of ICTs within the field of military operations. “The battlefield ‘transparency’ seems more and more like a false good theoretical idea. Previously, we wanted to decide and fight ‘by’ information; we realize nowadays that we are condemned to fight in addition ‘for’ information before even deciding.” Information must be sought after, acquired, processed and analyzed. There is a great deal of information (even if the adversary is becoming less easy to spot), but it is not necessarily relevant and does not especially contain information enabling us to better know and understand the adversary and anticipate its actions. Information must thus be protected. The adversary also knows how to use it and how to attack ours. Information is a fully-fledged subject that is fought over. The efficiency of ICTs is at fault due to the nature of the ‘disputed areas’, where land engagements are conducted94. “Informational supremacy is there reduced and communication systems have their limits as well in these areas” [DES 07]. The field and the reality of the fight remain major factors of the military fight that information technologies cannot ignore. How we make war and how we fight in the field will influence the strategy:

“tactics is taking again an increasing importance in comparison to strategy; […] this will be all the more true in the future with digitization possibilities inexorably leading to a ‘distribution’ of the fight in small distributed teams inserted within the adversary system: no more continuous front and thus no more continuous control”95.

Conventional command (planning and a hierarchical system from top to bottom) is questioned, to the benefit of adaptability and flexibility: “therefore, the important element is not the planning and conception capacity, but the adaptation capacity”96. This capacity must partially reduce the effects of uncertainty, which overly rigid organizations’ systems and structures cannot face.

Thus, we will need to be able to conduct wars of reaction (permanently knowing how to react); to quickly adapt equipment, methods, doctrines and decisions; to favor cultural and structural evolution; to increase the flexibility of men and systems (digitization must be a great help for this aspect); to trust men, because it seems that now more than ever “the science of action becomes first the science of decision in uncertainty situations”97. Clausewitz is speaking of chance: nothing is completely predictable during war.

In cyber-conflict, one of the main uncertainties results from the difficult attribution of the attacks: it is very difficult or even almost impossible to know who has really perpetrated the attack (who is the attacker). This is a phenomenon inherent in cyberspace that goes totally against dreams of transparency (knowing and seeing everything about the world). If we do not know who we are fighting against, the duel (a characteristic aspect of war) is no longer possible. All the rhetoric of Clausewitz or of General Desportes relies on one main principle: to fight, we need to have an adversary who is known, seen and identified. Chance, the lack of information and reactivity are all problems that can only appear if war is possible. When we have identified or seen an adversary, we cannot always predict its behavior, and we need to foresee its decisions and foil its plans. But when we do not see or know anything, there is no certainty.

Will the scenarios developed in response to cyber-attacks, tested during multiple exercises carried out each year, be able to encompass all the possible situations, configurations and combinations? Will the real attack catch defenders unprepared? Will they have all the necessary aptitude and flexibility to adapt to the unexpected? Nobody can be sure that the scenarios tested are the right ones and that the events will occur as imagined. The fate remains unsolved.

The cautious or even reticent attitude of some military chiefs with respect to RMA or even NEB is not specific to this technology (ICT).

The birth of aviation was a complete revolution for soldiers. This technological breakthrough took time to establish itself as a significant advance, which became useful in the art of war.

“The first aerial exploits of the Wright brothers were almost not known and we were only starting to consider them as real, when we started to be concerned in France of the possible use of airplanes as weapons of war. […] It was logical to examine if these new devices, with special operating and all different conditions, could be used in the future wars, either as fighters, or as scouts” [NAN 11]98.

These few lines are from a text by Max de Nansouty published in 1911 and relate to the use of airplanes in war. This extract raises two questions:

– conditions of acceptance and of introduction of a new technology, whatever it is in military affairs and its conditions of transformation into an instrument of war; and

– the impact and position of this new technology among the existing weapons.

Skepticism, reluctance, indecision, shy adoption of the technology, acceptance, discourse on the breakthrough, on the revolution in military affairs… the process is sometimes long and complicated from one extreme to the other. Confronted with the emergence of aviation, soldiers were very cautious and reserved. They had a technology in front of them that they did not know what to do with. The airplane was first seen as a pastime and not as a strategic military instrument. The use of this technology as a tool of war was not obvious at first and came up against great resistance, as if the military machinery was so precise a clock that the introduction of a new cog would disturb it. This explains all the reluctance and caution that were exercised.

The Italian Giulio Douhet was one of those who contributed in making aviation a strategic instrument of war. At the beginning of the 1910s, he was assuring people that a new battlefield had opened: the sky99. This position recalls that of French experts in contemporary military issues who think that cyberspace is a new field of battle and confrontations. At the beginning of the 20th Century, the technological breakthrough of aviation seemed to open the doors to a revolution of the art of war. It was henceforth possible to imagine attacking the adversary beyond the front line, in-depth, in their own land (to hit where the civilians are). We can find this idea again nowadays in the new dimension: by resorting to cybernetic weapons, it is possible to strike a society at its core (to see and hit beyond the horizon). The capacities offered by cyberspace enable us, for example, to aim at the critical infrastructures that are quite sensitive targets – such as banks, services of power distribution and vital industries. This strategy of striking the capacities of an adversary at their sources fits with the information warfare and cyber-war theories100.

3.3.9. Cyber-war and other modalities of the cyber-conflict

3.3.9.1. Cyber-war

Sometimes not well adapted to the objects it is supposed to describe, this concept leads to many mix-ups. The attack of a few state or company servers by hackers – who are not always “Chinese” – is often classified as cyber-war. This is the same for some waves of defacement of sites, which can occur during specific events, such as a major crisis or an armed conflict. There are ordinary-time defacements and those during intense political periods. This is often described as cyber-war. We just have to browse international media websites to realize it.

In Cyberguerre et Guerre de l’Information: Stratégies, Règles, Enjeux [VEN 10], we suggest a restrictive definition of cyber-war, by affirming that it is the technical dimension of information warfare; resorting to cybernetic capacities to carry out aggressive operations in cyberspace against military targets, a State or its society; a conventional war where at least one of the components relies on the computer or digital field, in its implementation, motives and tools (weapons in the broad meaning of the word)101.

In accordance with this definition, acts of cyber-war are thus much less numerous than it seems. When the Georgian Ministry of Foreign Affairs had to ask foreign countries to host its official websites that had been victims of cyber-attacks, should we then have talked about cyber-war because of the context of the operation? Or simply have considered that it was the actions of opportunists with no link to the war in progress, and shifted the question to the field of confrontation in the information dimension or even of simple cyber-criminality?

The French inter-army glossary of operational terminology (PIA 0.5.5.2.) defines war as an “armed fight between social groups and especially between states, which is considered as a social phenomenon”, specifying that “it results in the confrontation zone in a state or a situation of war”. The state of war is specifically defined as a legal state “which results from a declaration of war or from an ultimatum with conditional declaration of war”. Cyber-war thus cannot be a war, according to this conventional approach.

“The war is born and with it the necessity to quickly transmit from afar the orders of the command and important news” [BEL 94]. Many essential principles, which are now applicable to the use of cyberspace in war, were already present in the implementation of telegraphy and telephony during war, as we can see, for example, in the study by Léon Poinsard published in 1894 [POI 94]:

“In times of war, the situation is quite different. The specific needs of the time, the frequent situation of a foreign authority which is an enemy of the sovereign, alter all the while the state of things. Here, as for Transport and Post, the state of war results in a condition in law and new legal relations. It is essential that we talk a little bit about this aspect… In times of war, the situation is characterized by these two principles which each are an urgent necessity for all the adversaries: firstly, we need to have at our disposal the telegraph and the phone as means of attack or defense, depending on the case; secondly, it is very useful to cut off as much as possible the telegraphic or telephonic communications of the enemy. This double requirement is very important and all the armies worthy of the name have therefore nowadays specialized troops for these actions: part of these troops are specialized in the destruction of the enemy lines, and the others in the restoration of these same lines or in the fast construction of temporary communication ways. Besides, it is not very useful to stress this aspect, because everyone knows more or less nowadays about the military role of the telegraph and telephone. Therefore, every belligerent will think of impeding enemy communications by all possible means; for example by seizing their lines or if needed by destroying them, or by intercepting their dispatches by all possible means. Therefore, belligerents will have no scruples if necessary to cut the wires, to destroy the devices, to scatter the staff or take them as prisoners… Sometimes, depending on the circumstances, the enemy seizes and uses the lines and installations, and this while always acting in the fullness of their right […]. In all cases, acts of war leading to the destruction of the lines or at least the stopping of communications, have very bad consequences for civilians. 
The transmission of communications is stopped and belligerents are also suffering from it: the private correspondence can be paralyzed on all the territory or can still partially survive. Let us observe that this break, result of the state of war, can be ordered by the local sovereign for the interest of their military preparations; this was the case in France in 1870. Moreover, when the service is stopped because of destruction, this break can last a long time because of the time necessary for repairing. It stands to reason that the movement of the business is also deeply affected and this, still a long time after the restoration of peace. The nationals of belligerent states are not the only ones suffering from this condition of things and neutral states are also suffering from it”.

The points discussed in this text are almost all topical nowadays in the developments relative to the use of cyberspace in conflicts:

– What is practiced in times of war is necessarily different from peacetime. War is a specific time. For example, legal relationships between the parties are deeply modified in war times.

– All means of communication must remain operational for offensive and defensive operations.

– Offensive operations mainly consist of attacks against facilities, but also against contents (interceptions).

– There are some specialized troops to carry out offensive and defensive operations in the field of communications. These troops are the forerunners of military cyber-units.

– Belligerents are authorized to carry out almost everything in offensive actions. The rule dictates its law. Nowadays, the legal framework is not defined in terms of cyber-war and it is quite likely that in the situation of war, belligerents are then authorized to do almost everything.

– The attacks carried out against telecommunications have consequences on the general public and on the economy.

– The authorities can decide to cut off communications, in the interest of war, even if the consequences may be detrimental for civilians. We can find this method for imperatives of security and defense of vital interests, which consists of cutting off the Internet, in some States.

– Offensive operations and all the defensive measures can have an impact on the neutral actors and neutral parties.

The text also discusses the legal dimension of telecommunications in times of peace and war. From this observation, it emerges that there were many questions that were not answered.

“Concerning land telegraphs, we must first set out that, in principle, war is a force majeure which releases administrations from the transmission obligation; an obligation resulting from international conventions. The State remains free in that case to exclusively use as long as it wants all the lines, even if they belong to private companies […] During the fall of 1869, the government of Washington took the initiative to organize a diplomatic conference with the aim to study the condition of the telegraphic transmissions in peace and war times. But other events attracted the attention of the public and the conference did not happen. Several years later, a congress organized in Brussels with the aim to write some rules of practices during war times, alluded to the condition of telegraph lines and their equipment, while comparing them to railway tracks. At that point, it was only about land installations and this was not studied in detail. They were simply proposing to set the rule that telegraphs could only be sequestrated and not confiscated in case of occupation. In 1871, during a conference in Rome of the Telegraph Association, the question was brought up again by the Norwegian delegate and the famous American financier Cyrus Field. The Norwegian delegate suggested that a committee was appointed within the conference, in order to prepare a project of convention with the aim to settle the condition of telegraphy in war times. The American financier was asking that the conference took the initiative to forbid, by a provision of the Act of Union, the destruction of the lines and of the equipment, by admitting the transmission of harmless dispatches notwithstanding the acts of war. The conference did not have the capacity to discuss these propositions and limited itself to send them for discussion to the various governments, by recommending them to their kind attention. Since then, things have not changed. 
This inertia of the governments can be explained by the difficulty of regulating such a delicate matter. Will we for example forbid a belligerent to send runners to cut off the telegraphic and telephonic wires of its adversary, in order to paralyze as far as possible the mobilization and the concentration of its troops or supplies? In addition, how will we convince the involved armies to allow the transmission of dispatches through their lines? Who does not know that the most insignificant telegram at first can have a hidden meaning and be used to transmit excessively valuable information for the enemy? […] Concerning submarine cables, the situation is not quite the same. First, the destruction of a cable is much more serious than that of a land wire, because of the material damage and of the significance of the cut off of communications. Indeed, the repair costs are much more significant and repairing requires more time. Moreover, there are fewer submarine than land cables and therefore one submarine cable serves a much larger area. In such conditions, we can easily imagine how the consequences of the destruction of a cable can have more repercussions than that of the cut off of a land line, including for the neutrals. Still, on the other hand, we can affirm that the cables are generally less completely in the hands of the belligerents than land wires. 
[…] To simplify, they are to a lesser extent in the field of operations […] a cable establishes between a given country and its colonial possessions or between two points of its territory […] the enemy will be able to destroy it if they think this destruction would be useful for them […] the cable can still be established between the coast of a belligerent and that of a neutral State […] the interests of a country not engaged in the war are often challenged […] it seems that the enemy only acquires rights on the cable at the moment when they manage to block or occupy the landing point… It only remains the case where the cable is established between two neutral territories. In that case, the belligerents cannot say anything about the line, which is rightfully placed completely outside the scene of hostilities. Besides, the neutrals are the owners of the cable and have the duty to avoid any transmission with a visible aim to assist one of the fighting States”.

Ending his chapter with the rules that should be imposed on the States in order to salvage communication systems (i.e. a neutralization of the cables), forbidding the States to cut or destroy them in case of war, the author concludes: “This is not in a period of ‘armed peace’, i.e. in the preparation period of the war, that we should think to ask the countries to sacrifice one of their best attack and defense means”.

This very long quotation showed – if needed – the significant similarities between the way of comprehending problems with cyberspace nowadays and the problems of telecommunication space at the end of the 19th Century:

– Question of the legal status that should be given to facilities in war times.

– Question of the law applicable to belligerents and neutral countries.

– Question of the protection of the interests of everybody, even in war times (we are not always in situations of total destruction, but are usually involved in conflicts that remain controlled by the law).

– Question of the relationships established between belligerents and between belligerents and neutral states.

What the armies can do:

– Get involved in international relations and the negotiation of international treaties and agreements, while facing the inertia of States.

– Address the issues surrounding the relationships between civilians and soldiers in war times: can the army requisition all the national facilities, including civilians for war purposes?102

– Look at how to process the information flows: how can we distinguish the important information, intelligence services actions, etc?

The fragility of the physical facilities is probably the core of the problem of the use of telecommunication tools in war times. Cyberspace permanently gives us the image of a completely virtual world and probably makes us forget that it also relies on some facilities and that it is the first target in war.

So many questions that still are quite topical!

3.3.9.2. CID

“By (wrongfully) thinking of all the conflicts as wars, we suppose a bellicose nature for the entire social existence” [ARO 76].

Not all conflicts are wars. Yet, we are lacking words to describe some operations or events, borrowing the methods from the art of war. Such operations include conflicts in cyberspace, confrontations between individuals or groups, against or sometimes between States, but that are not wars, or even cyber-wars.

We are introducing the concept of confrontation in the information dimension (CID), which will designate conflicting acts carried out in cyberspace, without being completely in the domain of cyber-criminality.

CID encompasses all sociopolitical, ethnic and religious movements103:

– the use of social networks by citizens who are opposed to the political regime. We could speak of cyber-revolts, cyber-demonstrations, cyber-revolutions, or simply of the cybernetic dimension of protest movements;

– site defacements or virus attacks for political purposes, involving nationalist hackers or hacktivists;

– any form of political activism, whatever the subject, cause, and targets attacked (businesses and institutions).

Intelligence operations carried out by the States or by private parties are also CIDs. There are numerous intrusions into information systems by major industrial groups, who contribute through the information they enable us to draw. This also includes the industrial and economic power of the actors (we speak about economic warfare). Interference in State systems (e.g. the French Ministry of Finances in 2011 and European Commission in 2011) for political, economic or industrial purposes will also be CIDs.

CIDs are often quite close to cyber-criminality. Their actors can be sued in the States where they act and this falls within the scope of the law. Let us think here about the hacktivists who, although motivated by political objectives, remain cyber-criminals in the eyes of the law; let us again consider the ‘anonymous’ hackers, who although self-proclaimed or declared warriors, revolutionaries, antiglobalists, alterglobalists or anarchists, are still cyber-criminals because of the methods they use.

3.4. Conclusion

Cloud computing, social networks, anarchist and terrorist threats on the Internet and cyberspace weaponization are all challenges that States (including France) must face in order to hold their position on the international scene. This is because it is from cyberspace that powerful and unexpected actors and destabilizing actions can emerge. We can also notice, however, that although technology leads to new behaviors and game rules, it also follows logic that has already been tried out. Not everything is new in the field of cybernetics, as we have been able to show during this chapter: the questions asked now are sometimes similar to those of the 19th Century, with men confronted with challenges and the hopes of a new communication technology.

French thought thus does not consider cyberspace as a distinct element, but as a subset of the information space; digital data as a subset of all data. Digitized or not, information is still information. This thought also puts men at the center of the questions, the space and the processes. This is one of the reasons why the psychological dimension has such an important position in military doctrine, for example.

The French doctrine on information warfare is thus mainly contained in the military concept of ‘information operations’. But to the columns of the temple that are IOs, we must probably add civilian approaches (to control the economic warfare and the media), the concepts shared between civilians and soldiers (DCW/OCW), or even the fight against cyber-criminality in order to build a civilian–military protection continuum in the information space. In this approach, France still remains faithful to its defensive position. However, despite everything, we see the difficulty of a rule of law that we can use to protect and defend ourselves while forbidding ourselves from committing the same acts as our attackers and, facing new difficulties such as the invisibility of the attackers, the absence of a designated enemy, the permanent bypassing by the attackers of some of the security fortresses.

Will the cyber-war strategy be able to fit within the deterrence strategy of France, as stated by Senator Romani [ROM 08]? Let us moderate this argument, because deterrence works in only one condition: if the adversary is aware and convinced of the risks. The message contained in the last White Paper [LIV 08] seems clear: doctrine of information warfare or not, France is ready to fight to defend its information space. Maybe then France should refine its model? Because despite resistances, reluctances and critiques of American thought, the French model has sometimes some difficulty in distancing itself and hiding its references: the columns of the temple of information operations are still very similar to the stacking of the bricks of Libicki.

Thinking about cyber-conflict, cyber-security, cyber-defense amounts to rethinking the role and definition of the State. The Internet modifies the way in which the State should be managed. It has imposed new rules that citizens have appropriated faster than public administrations and leaders, in France and everywhere else. Mentioning the transparency brought by the Internet (everything is immediately known, information can cross the planet in a heartbeat), during the opening of the e-G8 meeting in Paris on May 24, 2011, Nicolas Sarkozy declared: “[transparency] changes the management of our States and governments and in particular the reactivity. I am convinced that a head of State from 10 years ago would not recognize nowadays the control panel of their function”104. Governments are also realizing the importance of the influence of the street via the Internet and the pressure it can have, even if this influence is not exactly measurable (what is the share attributable to the Internet or social networks in the eviction of some heads of State; and why do others resist despite the so-called importance of these tools in revolts and popular movements?).

Leaders, such as Nicolas Sarkozy during the e-G8, seem to be convinced of the importance of the role of the Internet in the expression of democratic movements. “This is not because it did not work and this is not because M. Ahmadinejad has not been overthrown by the street that the Internet did not have a major role (Iran)”105. But these leaders must also wonder about the possible control of the same tools by non-democratic movements. Democracy does not have the monopoly when it comes to the use of Web 2.0.

According to the French president during e-G8, the Internet and the fate a State gives to its cyberspace conditions the position of this State on the international scene. States can be evaluated by the yardstick of the level of liberty given to the Internet: are they democratic or not? “In the name of stability, we have tolerated two German states and dictatorships. From now on, the freedom of Internet measures the scale of credibility of a democracy and of shame of a dictatorship. I add that henceforth it is difficult or even impossible for a dictator to muzzle the people in the silence of the international community”106. The Internet alone cannot be a good way to measure freedom and democracy or even to decide on the positioning of a State internationally. As there are operational cyber-attacks, i.e. that simply come to accompany (preparation, continuation) the operations carried in the field in all other dimensions (land, air, sea, space, political, diplomatic, economic, etc.), there is an operational dimension of the Internet whose use by any actor, in a conflicting context, can support democratic (or non-democratic) movements. The levels involved in this are not yet well-defined or controlled. Any conflict can manifest itself in cyberspace, but this dimension alone is not sufficient for a conflict. A call to demonstrate supposes that individuals then go into the streets to physically demonstrate; launching cyber-attacks against critical systems supposes that the actors involved do not have any resiliency; launching cyber-attacks with the purpose of extending them to the real and tangible world, in order to give them meaning and to make the effects concrete. Cyber-conflict encompasses combinations of actions, strategies and tactics, whether it is a civilian or military conflict.

The balance of powers between the States seems to be partially conditioned by their respective levels of cyberspace control.

During a conference in October 2010, Patrick Pailloux, director of the ANSSI declared: “In the real world, States have the monopoly of the weapons and control their diffusion via anti-dissemination treaties or via the interdiction of sales of weapons, in order to keep an advantage over citizens. In the virtual world, this is exactly the contrary: citizens have developed weapons and States are for the most part helpless. And this without thinking that the control of their diffusion is almost impossible”107. Rules are thus reversed. States are no longer major actors and it is difficult for them to preserve the monopoly on the use of violence. They no longer control it.

This prospect is of course debatable, because the rule is not absolute. It is quite probable that they are aware of the stakes and with respect to the measures taken in many countries (notably the creation of cyber units, cyber-forces and entities dedicated to cyber-war; deployment of significant capacities; public-private, civilian–military cooperation) States are regaining control. If there is a cyber-war, there will be cybernetic confrontations between State actors. We therefore need to know whether the States are able to regain control and keep it during cyber-conflict, or if they will be overwhelmed by actors and capacities they are unable to control and whose reactivity, adaptability and flexibility they cannot equal. (Here we are thinking about the networks built spontaneously or in the background, such as anonymous networks, hacktivist groups or other movements of the public using social networks to demonstrate against the State.)

Through the words of Pailloux, we can see a vision of the world appearing: there are States in inferior positions in comparison to other States or non-State actors. Asymmetry seems to be the rule and would by default be quite unfavorable to powerful States. This consideration also raises the question of the definition of the State: what is its area, what is a State, and what does the notion of power mean in this context?

The American Richard Clarke in his last book raised the same question. According to him, the current situation would be advantageous for States that are less dependent on cyberspace, those less developed in terms of technology and those that we would describe as weak. In this way of thinking, the most fragile, sensitive, weak actor is the one that is seen as being the most dependent on cyberspace, the most economically powerful, i.e. the US. Roles are reversed. America and other great powers of this world, which are able to master technologies and cyberspace – i.e. the advanced cyber states – are the first targets for cyber-attacks. The most deprived have so little to lose that they are not very dependent on cyberspace and offer very few points of entrance for cybernetic attacks. For Jeffrey Carr [CAR 10], powerful States are also the most fragile ones and the favored targets and to find salvation, they must cooperate with the public who, with their actions, have the means to be the ‘guardians of the temple’. We must not let the responsibility for national cyber-security and cyber-defense (two critical infrastructures) weigh on State actors alone. The State must finance private actors so that they can contribute to securing and strengthening the national sanctuary. The logic imposed by the nature of cyberspace thus seems to oppose the rules of the real world: the strong have become the fragile ones and the weak the most powerful ones. Logic, balance of power, everything seems to be reversed and cyberspace would thus be like a negative of the real world, reversing the basic principles of geopolitics.

The basic premise of geopolitics is not questioned: the world is a jungle and the States fight each other to survive, but the premise that makes States the main actors of this jungle is discussed. The relationships are not only reversed between the States. Non-State actors seem to be able to challenge the States and to compete with them. The power of cyber-citizen communities is overcoming borders, challenging the outlines of the nation-state (border and sovereignty) and bringing about new variables: cooperation, communities, shared values beyond the borders, empathy, etc.

To face these new challenges, some are calling to reconquer a fragment of technological autonomy. This attitude maintains its conventional positions: the State is defined by its borders; it can only be defended by a return of the control of its boundaries and it needs national production and industry. This introversion strategy, designed to be protective and ideal, denies the realities of the present time: technologies are dominated by the US and the control of new solutions would require financial and human investment, which are unfortunately not accessible to European countries taken separately, or possibly even Europe as a whole.

Finally, we still have to affirm the presence and power of the State within cyberspace. “The time of a finite world is starting”, wrote Paul Valéry. This meant that everywhere where human settlement was possible, the State was already there. Thus, there was nothing to share and distribute to the States. It has all changed since then. Now there are spaces (extra-atmospheric space and cyberspace) that give the world the perception of infinite space again. They require us to consider the relations between the States and their positions. Nowadays, we wonder about the space: will it be American, if this is not already the case? We can ask the same question concerning cyberspace. The existence of a State is determined by three factors:

– a territory defined by fixed borders;

– a population established on this territory; and

– an organized and stable political power.

This does not exist in cyberspace, but we need to ensure its presence and mark its existence. The stakes are high. For now, it seems that the global State actors are above all concerned with the defense of their traditional borders.

3.5. Bibliography

[ANS 11] ANSSI, Défense et Sécurité des Systèmes d’Information. Stratégie de la France, ANSSI, Paris, France, February 2011.

[ARO 76] ARON R., Penser la Guerre, Clausewitz, Gallimard, Paris, France, 1976.

[ATT 97] ATTALI J., Le Septième Continent, August 7, 1997, available at: http://www.attali.com/ecrits/articles/nouvelle-economie/le-septieme-continent.

[BAC 27] BACON F., New Atlantis, 1626, Pennsylvania State University, USA, 1998, available at: http://www2.hn.psu.edu/faculty/jmanis/bacon/atlantis.pdf.

[BAR 43] BARJAVEL R., Ravage, Editions Denoël, France, 1943.

[BAU 08] BAUER A., “Déceler – Étudier – Former: une nouvelle voie pour la recherche stratégique, Rapport au Président de la République”, Les Cahiers de la Sécurité, no. 4, Paris, France, March 2008, available at: http://www.iris-france.org/docs/pdf/rapports/2008-03-bauer.pdf.

[BEL 88] BELLAMY E., Looking Backward, William Ticknor Publ., USA, 1988.

[BEL 94] BELLOC A., La télégraphie historique, Librairie de Firmin-Didot Paris, France, 1894, available at: http://gallica.bnf.fr/ark:/12148/bpt6k621150/f3.image.pagination.r=guerre+t%C3%A9l%C3%A9phonie.langFR.

[BIH 10] BIHAN B., Liberté d’Expression et Efficacité Stratégique, Défense et Sécurité Internationale, Paris, France, no. 63, October 2010.

[BUC 09] BUCCI S., POULAIN G., L’Alliance du Terrorisme et de la Cybercriminalité, Défense Nationale et Sécurité Collective, Paris, France, March 2009.

[CAR 03] CARAYON B., Intelligence Économique, Compétitivité et Cohésion Sociale, Rapport au Premier Ministre, La Documentation Française, Paris, France, June 2003, available at: http://lesrapports.ladocumentationfrancaise.fr/BRP/034000484/0000.pdf.

[CAR 10] CARR J., Inside Cyber Warfare, O’Reilly, USA, 2010.

[CAV 10] CAVELTY M.D., Cyberwar: Concepts, Status Quo, and Limitations, CSS Analysis in Security Policy, no. 71, Zurich, Switzerland, April 2010.

[CDE 05] CENTRE DE DOCTRINE D’EMPLOI DES FORCES, “Des Électrons et des Hommes. Nouvelles Technologies de l’Information et Conduite des Opérations”, Cahier de la Recherche Doctrinale, CDEF/DREX, Paris, France, June 2005, available at: http://www.cdef.terre.defense.gouv.fr/publications/cahiers_drex/cahier_recherche/electrons_hommes.pdf.

[COU 10] COUGHLIN C., Gearing up to Face the Cyber Threat, October 22, 2010, available at: http://gulfnews.com/opinions/columnists/gearing-up-to-face-the-cyber-threat-1.699920.

[DEN 01] DENNING D., Is Cyber Terror Next? SSRC, November 1, 2001, available at: http://www.ssrc.org/sept11/essays/denning_text_only.htm.

[DER 95] DE ROSNAY J., L’Homme Symbiotique. Regards sur le Troisième Millénaire, Paris, Seuil, pp. 166–167, 1995.

[DES 07] DESPORTES V., Décider dans l’Incertitude, Editions Economica, 2007.

[DES 08] DESPORTES V., La Guerre Probable, Editions Economica, Paris, France, 2008.

[DIA 01] CICDE, Doctrine d’Emploi des Forces, Doctrine Interarmées, DIA-01, CICDE, Paris, France, November 2003.

[FLA 82] FLAMACHE V., L’art de la Guerre à l’Exposition d’Électricité de Paris en 1881, Imprimerie A. Lefevre, Brussels, Belgium, 1882, available at: http://gallica.bnf.fr/ark:/12148/bpt6k56985449.r=guerre+t%C3%A9l%C3%A9phone.langFR.

[FRA 00] FRANCART L., La Maîtrise de l’Information, Paris, France 2000, available at: http://www.infoguerre.fr/doctrines/la-maitrise-de-l-information-par-le-general-loup-francart/.

[FRA 05] FRANCE A., Sur la Pierre Blanche, L’Humanité, Paris, France, 1905.

[GAU 92] GAUTIER E., Les Étapes de la Science. Chroniques Documentaires, Paris, France, 1892.

[GOD 02] GODELUCK S., Géopolitique d’Internet, Editions la Découverte, Paris, France, 2002.

[GOU 65] GOUDAR A., L’Espion Chinois, ou L’Envoyé Secret de la cour de Pékin, Pour Examiner l’État Présent de l’Europe, Cologne, volumes 1 to 6, 1765.

[GUI 95] GUISNEL J., Guerres dans le Cyberespace, Editions La Découverte, Paris, France, 1995.

[HAR 99] HARBULOT C., Intelligence Économique et Guerre de l’Information, Les Cahiers de Mars, Revue des anciens de l’Ecole Supérieure de Guerre et du Collège Interarmées de Défense, Paris, France, 1999.

[HAS 05] HASSID O., La Gestion des Risques, Paris, Dunod, 2005.

[HOU 08] HOUBRE J.M., Les Nouveaux Visages de la Guerre: vers le Champ de Bataille virtuel, Télécom, no. 152, Telecom ParisTech, Paris, France, pp. 44–48, 2008.

[HUY 01] HUYGHE F.B., L’Ennemi à l’Ère Numérique. Chaos, Information, Domination, PUF, Paris, France, 2001, available at: http://fr.calameo.com/read/000005_128e245e296d11c?editLinks=1.

[HUY 05] HUYGHE F.B., Qu’est-ce que la Guerre de l’Information?, Paris, France, 2005, http://www.huyghe.fr/dyndoc_actu/4451ebfb7de54.pdf.

[JOS 09] JOSHI S., French Naval Rafales Grounded by Virus, March 2, 2009, http://www.stratpost.com/french-naval-rafales-grounded-by-virus.

[KEN 10] KENYON H., Army Cyber Unit Guards Computer Networks, Defense Systems, October 14, 2010, available at: http://www.defensesystems.com/Articles/2010/10/15/Cyber-Defense-Army-Cyber-Command.aspx.

[LAS 05] LASBORDES P., La sécurité des Systèmes d’Information - un Enjeu Majeur pour la France, 26 November 2005, available at: http://www.lasbordes.fr/IMG/pdf/rapport_Pierre_Lasbordes.pdf.

[LET 23] LETOREY H., Je vous Offre la Santé, la Gaieté, l’Économie, le bien être, je suis la Fée Electricité, Le courrier de l’Oise, Imprimeries réunies de Senlis, 1923.

[LÉV 97] LÉVY P., La Cyberculture. Rapport au Conseil de l’Europe, Paris, Éditions Odile Jacob, 1997.

[LIB 95] LIBICKI M., What is Information Warfare, Strategic Forum Number 28, United States, May 1995, available at: http://ics.leeds.ac.uk/papers/pmt/exhibits/_1660/Libicki_What_Is.pdf.

[LIV 06] Livre Blanc du Gouvernement sur la Sécurité Intérieure Face au Terrorisme, La Documentation Française, Paris, France, June 2006, available at: http://lesrapports.ladocumentationfrancaise.fr/BRP/064000275/0000.pdf.

[LIV 08] Livre blanc sur la Sécurité et la Défense Nationale, La Documentation Française, Paris, France, June 2008, available at: http://lesrapports.ladocumentationfrancaise.fr/cgi-bin/brp/telestats.cgi?brp_ref=084000341&brp_file=0000.pdf.

[LON 94] LONG M., BALLADUR E., LÉOTARD F., Livre Blanc sur la Défense, La Documentation Française, Paris, France, June 1994.

[MAR 94] MARTRE H., Intelligence économique et stratégie des entreprises, La Documentation française, Paris, France, 1994, available at: http://lesrapports.ladocumentation_francaise.fr/BRP/074000410/0000.pdf.

[MDF 07] Glossaire Interarmées de Terminologie Opérationnelle, Etat-Major des Armées, Ministère de la Défense, March 8, 2007, Paris, France, available at: http://www.cicde.defense.gouv.fr/IMG/pdf/PIA/CPIA/PIA_0-5-5-2.pdf

[NAN 11] NANSOUTY M., Actualités Scientifiques, Paris, France, Librairie Schleicher Frères, 1911, http://gallica.bnf.fr/ark:/12148/bpt6k5684032v/f000023.

[NOR 78] NORA S., MINC A., L'Informatisation de la Société, Seuil, Collection Points, Paris, France, 1978.

[PIA 10] PIA-00-100, Concept d’Emploi des Forces, Etat-major des armées, CICDE. No. 004, DEF/CICDE/NP, January 11, 2010, Paris, France, available at: http://www.cicde.defense.gouv.fr/IMG/pdf/PIA/PIA-00.100.pdf.

[POI 94] POINSARD L., PICHON F., Etudes de droit international conventionnel, Paris, France, 1894, available at: http://gallica.bnf.fr/ark:/12148/bpt6k56295720/f000333.tableDesMatieres.

[ROB 83] ROBIDA A., Le Vingtième Siècle, Georges Decaux, Paris, France, 1883.

[ROM 08] ROMANI R., Rapport d’Information Fait au nom de la Commission des Affaires Étrangères, de la Défense et des Forces Armées, sur la Cyberdéfense, Senate, report no. 449, Paris, France, July 8, 2008. The report is available at: http://www.senat.fr/rap/r07-449/r07-4491.pdf.

[SCH 94] SCHWARTAU W., Information Warfare: Chaos on the Electronic Superhighway, New York, Thunder's Mouth Press, 1994.

[SEC 10] Securing Britain in an age of uncertainty: the strategic defence and security review, Presented to Parliament by the Prime Minister, October 2010, London, UK, available at: http://www.direct.gov.uk/prod_consum_dg/groups/dg_digitalassets/@dg/@en/documents/digitalasset/dg_191634.pdf?CID=PDF&PLA=furl&CRE=sdsr

[VEN 07] VENTRE D., La Guerre de l’Information, Hermès-Lavoisier, Paris, France, 2007.

[VEN 09] VENTRE D., Information Warfare, ISTE, London, John Wiley & Sons, New York, 2009.

[VEN 10] VENTRE D. (ed.), CHAUVANCY F., HUYGHE F.B., FILIOL E., HENROTIN J., Cyberguerre et Guerre de l’Information. Stratégies, Règles, Enjeux, Hermès Lavoisier, Paris, France, 2010.

[VEN 11] VENTRE D., Cyberespace et acteurs du cyberconflit, Hermès-Lavoisier, Paris, France, 2011.

[VEN 11_b] VENTRE D., Cyberattaque et Cyberdéfense, Hermès-Lavoisier, Paris, France, 2011.

[WAU 98] WAUTELET M., Les cyberconflits, Internet, autoroutes de l’information et cyberspace: quelles menaces?, Editions GRIP, Brussels, Belgium, 1998, available at: http://www.technolytics.com/Technolytics_Cyber_Warfare_Training.pdf.

[WEU 02] WEULERSSE G., Chine Ancienne et Nouvelle, Impressions et Réflexions, Armand Colin, Paris, France, 1902.

 

 

1 Chapter written by Daniel VENTRE.

1 http://atilf.atilf.fr/.

2 1848–1926, A. Robida was a columnist on the society of the future. He also illustrated Jules Verne’s books. Many of his works are available on the Internet. Let us point out the journal devoted to him, Le Téléphonoscope, which has been going since May 1998 and can be found at http://www.robida.info/telephonoscope.htm.

3 [ROB 83] p. 54.

4 [ROB 83] pp. 59.

5 In 1888, Edward Bellamy published the novel Looking Backward in the US [BEL 88]. This novel was very successful and was translated into several languages. The main character, Julian West, an American from Boston, falls asleep in 1887 and wakes up in 2000. Critical of contemporary society, Bellamy uses a simple plot and time travel as a pretext to state his ideas about socialism and to describe the ideal future society.

6 [GAU 92] pp. 255.

7 [GAU 92] pp. 256.

8 [LET 23] pp. 2. Translated from the original French.

9 Quoted in Caslon Analytics Guide, Cyberspace Governance, http://www.caslon.com.au/governanceguide2.htm.

10 French biologist, specialist in the origins of life and in new technologies.

11 French economist, writer, high-ranking civil servant, and former adviser to the French President (François Mitterrand).

12 OCW: offensive cyber-war.

13 [PIA 10].

14 Pierre Lasbordes is a French politician, deputy, born in 1946.

15 Roger Romani is a French politician, senator, born in 1934.

16 http://www.zdnet.fr/actualites/internet/0,39020774,39363088,00.htm.

17 A computer worm that appeared at the end of 2008, exploiting a vulnerability in Windows. The worm is also known as Downup, Downandup and Kido. Almost 10 million machines are reported to have been infected across the world, including those of several defense ministries (notably the UK, France and US). The Conficker virus has affected hundreds of thousands of computers in the world. The French army, as well as many companies, has paid the price for it. Newspaper articles stated that some Rafale fighters were kept on the ground because of this virus attack [JOS 09]. The virus has probably affected the unsecured French Intramar network. The French army has declared that the virus did not have any effect on the availability of the forces.

18 French expert in computer security, specializing in cryptology and operational computer virology. Lieutenant-colonel of the French Army, director of the laboratory of virology and cryptology of the ESAT (Ecole Supérieure d’Application des Transmissions, military university with a technical emphasis), he is now director of the ESIEA research center (Ecole Supérieure d’Informatique, Electronique, Automatique, engineering school in computer science, electronics and automatics). He has written books on virology and cryptanalysis, as well as on cyber-criminality. He has contributed to the collective work Cyberguerre et Guerre de l’Information published in 2010 [VEN 10]. Eric Filiol describes himself as a cyberspace “corsair”.

19 Eric Filiol, in [VEN 10].

20 Eric Filiol, in [VEN 10].

21 [ROM 08] pp. 18.

22 French adventurer and literary figure, 1708–1791.

23 [WEU 02] chapter 5, pp. 333.

24 [WEU 02] parts of chapter 5.

25 [WEU 02] chapter 1, pp. 191.

26 [WEU 02] chapter 1, pp. 191.

27 http://intelligencenews.wordpress.com/2011/11/10/01-863/.

28 [ROM 08] Chapter 5.

29 Researcher at the IRIS (Institut des Relations Internationales et Stratégiques - the French Institute of International and Strategic Relations), specialized in information and communication sciences. He is the author of many books on information, on the relationship between information and war and on the role of the media in wartime. http://www.huyghe.fr/biographie.htm.

30 Here reminding us of the title of the book by Winn Schwartau: Information Warfare, Chaos on the Electronic Superhighway [SCH 94].

31 These arguments are found in reports on the security of information systems and on cyberdefense published since 2006.

32 Decree no. 86-316 of March 3, 1986 creating the directory of the information system security; Decree no. 86-318 of March 3, 1986 creating the central service of information system security, and then Decree no. 87-354 of May 25, 1987, Decree no. 87-864 of October 26, 1987, and Decree no. 87-865 of October 26, 1987.

33 http://www.ssi.gouv.fr/site_documents/PRSSI/PRSSI.pdf.

34 http://www.ssi.gouv.fr/.

35 Recent cyberattacks against French ministries' servers, including those of the Finance Ministry in 2011, recall the difficulty of this task.

36 The European Network and Information Security Agency, which was created in 2004. www.enisa.europa.eu/.

37 This was not the case in the previous White Paper in 1994 [LON 94].

38 The White Paper speaks about the “CNN effect” (pp. 24).

39 The report was written by a work group presided over by Henri Martre. Born in 1928, he was general delegate for Armament (DGA) from 1977 to 1983, then CEO of the Aérospatiale company from 1983 to 1992 and President of Afnor from 1993 to 2002.

40 Bernard Carayon is a French politician born in 1957 in Paris. He has written many reports on industrial policy, business intelligence, intelligence services and information technologies. He advocates a certain form of economic patriotism.

41 Particularly the works of a group presided over by Henri Martre between 1992 and 1993.

42 Stratco is a French consulting and auditing company that is involved in matters of defense and security. It was created in 1991.

43 War ‘by’ information uses new ICTs as vehicles of propaganda and misinformation. War ‘for’ information consists of penetrating the systems to recover the information. War ‘against’ information aims to disturb the operation of the systems.

44 http://www.infoguerre.fr/evenements/colloque-la-guerre-de-l-information-a-l-unesco/.

45 Page 147 of the 2008 White Paper [LIV 08]. We must note that the expression ‘information warfare’ appears only once in this voluminous report.

46 Les fiches du CESA. Fiche no. 18. Armée de l’air. April 2006. “La maîtrise de l’information dans l’armée de l’air”.

47 Also see http://www.cesa.air.defense.gouv.fr/DPESA/FCG/Fc18.pdf.

48 [KEN 10].

49 http://www.signonsandiego.com/news/2010/oct/01/air-force-declares-cyberwarfare-unit-operational/#.

50 http://benmazzotta.wordpress.com/2009/02/11/new-german-cyber-warfare-unit/.

51 Cyber Security Strategy for Germany, Federal Ministry of the Interior, http://www.cio.bund.de/SharedDocs/Publikationen/DE/IT-Sicherheit/css_engl_download.pdf?__blob=publicationFile.

52 http://www.theregister.co.uk/2009/11/12/csoc_date/.

53 [SEC 10].

54 http://www.theregister.co.uk/2010/01/12/korea_cyberwarfare_unit/.

55 Units with a defensive role. The first unit must take the form of a military CERT and must be coordinated with the GovCERT. But the Centre des Opérations Electroniques must also implement a CNO (computer network operations) unit. From a legal point of view, CND are lawful, but CNA and CNE are only lawful in a state of aggression. This means that Switzerland forbids itself to use CNA other than in wartime, if these systems are attacked.

56 http://www.defensenews.com/story.php?i=5556484.

57 Australian Security Intelligence Organization.

58 ANSSI, Naissance du CyberCommand Français, February 15, 2011. http://www.linformaticien.com/Actualit%C3%A9s/tabid/58/newsid496/10342/anssi-naissance-du-cybercommand-francais/Default.aspx.

59 [LAS 05] The report identifies: 1) the threats towards information systems; 2) the current security devices; and 3) the critical points, in order to 4) conclude that there is a lack of coordination between public and private actors.

60 http://www.ssi.gouv.fr/fr/sciences/fichiers/rapports/rapport_orientation_ssi_2008.pdf.

61 EFR (Effet Final Recherché), final sought-after effect.

62 CIMIC (Civil-Military Cooperation). http://www.giacm.com/index_fichiers/Page316.html.

63 COMOPS (Operational Communication of Armies).

64 Fiche no. 217/DEF/EMAA/GMG/CESAM. October 19, 2006. Les opérations d’information et l’armée de l’air.

65 Generally, we consider that “psychological warfare” is directed against the enemy and “psychological actions” towards friendly troops.

66 “Opérations d’information dans la troisième dimension” by the work group Air 2 of the XIIIth class of the Collège interarmées de défense. www.cesa.air.defense.gouv.fr/DPESA/PLAF/PLAF_N_11?pdf October 2006.

67 Ibid. pp. 70.

68 Ibid. pp. 70.

69 Created in 2006.

70 “Les opérations d’information: mythe ou réalité ?”, Penser les Ailes Françaises. no. 17, April 2008, pp. 114.

71 Also see the Principes d’Emploi de la FOT Numérisée de Niveau 3, July 8, 2004. http://www.cdef.terre.defense.gouv.fr/doctrineFT/doc_trans/FOT_niv3.pdf.

72 “Place de la fonction SIC dans les crises actuelles et futures”, Doctrine Numéro Spécial, May 2008, pp. 37.

73 Ibid. pp. 38.

74 See the special issue of Doctrine journal, February 2005. pp. 17.

75 See the special issue of Doctrine journal, February 2005. pp. 18.

76 http://www.air-defense.net/Forum_AD/index.php?topic=4945.20;wap2.

77 In French lutte informatique défensive (LID).

78 In French lutte informatique offensive (LIO).

79 Information system security.

80 http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000234154&dateTexte=.

81 [DIA 01] Chapter 7.

82 The Moonlight Maze and Titan Rain affairs in the United States, thefts of sensitive personal (nominative) data held on servers, etc.

83 “La violence psychologique dans la guerre au XXe siècle”. Revue Historique des Armées, no. 238, 2005. http://www.servicehistorique.sga.defense.gouv.fr/04histoire/articles/articles_rha/violencepsychologie.htm.

84 Also see “Les opérations d’information: mythe ou réalité?”, Penser les Ailes Françaises, no. 17, April 2008. pp. 112.

85 “Place de la fonction SIC dans les crises actuelles et futures”, Doctrine, Special issue, May 2008, pp. 39.

86 “Des électrons et des hommes”, “Nouvelles technologies de l’information et conduite des opérations”, Cahier de la recherche doctrinale. CDEF/DREX. June 2005. pp. 4.

87 Ibid. pp. 26.

88 See some reflections on the art of command on the Collège Interarmées de Défense webpage: http://www.college.interarmees.defense.gouv.fr/spip.php?article917.

89 “Place de la fonction SIC dans les crises actuelles et futures”, Doctrine Special issue, May 2008. pp. 39.

90 Also see the CNN article “Cyberattacks spur talk of third DOD network”, June 22, 1999, http://edition.cnn.com/TECH/computing/9906/22/dodattack.idg/.

91 Ibid. pp. 40.

92 Ibid. pp. 44.

93 Command by objective considers that war is unpredictable: it is a reign of uncertainty. It favors trust in the adaptation capacities of individuals, their initiative, the decentralization of communications and networks. Command by order considers that war is predictable. This mode of command is more rigid, discourages initiative and opts for a centralized approach and a vertical mode of communication from top to bottom.

94 [DES 07] pp. 3.

95 [DES 07] pp. 4.

96 [DES 07] pp. 8.

97 [DES 07] pp. 7.

98 Utilisation des aéroplanes à la guerre, p. 15.

99 Quoted in Aux Origines de la Stratégie Aérienne, Histoire et Stratégie, La puissance aérienne, no. 2, Paris, France, September 2010.

100 International law is then undermined and the attacks against critical infrastructures have direct consequences on civilians.

101 Definition proposed by Eric Filiol in his chapter in [VEN 10], entitled Aspects opérationnels d’une cyberattaque: renseignement, planification et conduite.

102 For this specific question of the relations between civilians and the army, we also refer the reader to a previous text by Victor Flamache published in 1882 [FLA 82]: “The application of electricity to the art of war is establishing itself more and more every day. Since the example of the Civil War in 1862, which used electrical agent in the lighting of passes, in the firing of submarine mines, of torpedo, above all in telegraphy, military science has registered to its curriculum the perfect knowledge of the multiple uses of electricity. […] The study of electricity applied to the art of war is divided in four parts…” The first part includes “a) telegraphy; b) telephony; c) optical telegraphy […] The question of the type of wire to use is quite important: indeed, we are seeking to hide them from the enemy, and thus the army whose bodies will be in continuous contact, will evidently put more chance of victory on its side. For this, there are two means: establishing a permanent secret communication in peace times or using flying telegraphy even organized in times of war. The first means would be excellent if we could operate without the public knowing it; but the situation is unfortunately not like that…”

103 Athina Karatzogianni [KAR 06] identifies two main types of cyberconflicts: sociopolitical and ethno-religious.

104 Mentioned in http://www.linformaticien.com/actualites/id/20737/n-sarkozy-l-internet-libre-est-un-marqueur-d-une-societe-democratique.aspx.

105 Nicolas Sarkozy, Paris, e-G8, 24 May 2011, mentioned in http://www.linformaticien.com/actualites/id/20737/n-sarkozy-l-internet-libre-est-un-marqueur-d-une-societe-democratique.aspx.

106 Nicolas Sarkozy, Paris, G8, 24 May 2011, quoted in http://www.linformaticien.com/actualites/id/20737/n-sarkozy-l-internet-libre-est-un-marqueur-d-une-societe-democratique.aspx.

107 Quoted in http://www.securityvibes.fr/cyber-pouvoirs/la-geopolitique-de-la-ssi-selon-patrick-pailloux-anssi/, October 4, 2010.
