French president François Hollande this week officially received the whitepaper that will set the country's strategy for defence and national security for 2014-2019, and serve as a framework for the upcoming military planning law to be put before parliament next summer.
While the previous whitepaper on the subject, published back in 2008, made reference to cyber-threats, the latest document puts the spotlight firmly on such online attacks, whether they're assaults "on systems resulting from intentional acts, or accidental disruptions that threaten the operation of critical digital infrastructure".
Consequently, cyberspace is now considered to as a "a field of confrontation in itself", with cyber-attacks now rated as the third most important threat to be addressed by the forthcoming defence and national security strategy, behind "aggression against national territory by another sate" and "terrorist attacks".
As a result, France is to "develop its intelligence activities" in the area of cyberdefence, as well as "corresponding technical capabilities", particularly in order to be able to "identify the origin of threats". France is also to develop "offensive capabilities", the whitepaper says, which must be "proportionate" to any attacks.
The document lacks precise details about the nature of what France's cyber-offence capabilities might be, but the document describes a "cyberdefence organisation tightly integrated with [army] forces, [and] with defensive and offensive capabilities to prepare for, or support, military operations."
An "operational chain of cyberdefence" is planned, to be overseen from the operations planning and command centre of the joint services office of France's defence staff. The technical part of that organisation will be handled by the French Defence procurement agency. And, while France has recently set up a crack team of so-called civilian cyberdefenders that may bear a resemblance to a talking shop, the country will later get an operational group of cyberdefence reservists.
The role of the French national agency for IT systems security (Anssi) in ensuring public-private cooperation with critical infrastructure providers is also to be stepped up. Anssi is to get auditing powers and, as a result, private companies may have to notify the agency of security breaches. According to French newspaper Le Monde, a bill that would bring in such powers is already being prepared.
The whitepaper also stresses on the need for France to have the "capability to autonomously produce security systems, especially for cryptography and attack detection", as it is seen as "essential component of national sovereignty."
The goal seems to be within reach: Anssi actually conducts internal research and development efforts on cryptography, and a team of engineers from the agency presented their work earlier this year at the RSA Conference in San Francisco. And, after Cassidian CyberSecurity (part of EADS group) agreed last Friday to buy French network security company Arkoon, the list of network security, endpoint and server security, and cryptography products certified for use by French government agencies now appears to be dominated by French and European companies.