France Says 'No' To Company Hack-Backs Following Online Attacks -- But Wants To Keep The Option Open For Itself

Ten years ago, Techdirt was warning about the hype surrounding the concept of "cyberattacks", and after that "cyberwar", both of which were routinely presented in apocalyptic terms. As we now know, the real online battles are being fought much more subtly in the form of low-profile foreign organizations subverting nations in sophisticated ways. Unlike the predicted take-downs of an entire electricity grid, these kind of attacks by foreign states and their proxies have already happened, and with troubling effects.

Governments have a responsibility to consider all possible attacks that may be conducted via the Internet, which means that drawing up policy documents in the field is important. The French government has just published its "Revue strati(C)gique de cyberdi(C)fense (pdf)" -- that is, a Strategic Review of Cyberdefense. It was written by the General Secretariat for Defense and National Security, which operates under the authority of the French Prime Minister, and assists the head of government in designing and implementing security and defense policies. It's extremely thorough and well worth reading, but it's also rather long (and in French). Fortunately, Lukasz Olejnik has put together a post discussing some of the main highlights of the document, which is much shorter -- and in English. As he notes, in France, cyberdefense and cyberoffense are two separate domains, and the strategy document lays out six main approaches to the former: prevention, anticipation, protection, detection, attribution, and reaction (remediation). On the offense side:

France strongly opposes giving private companies the rights to retaliate following a cyberattack. In the French view, such actions would constitute a point of instability in cyberspace. Especially when considering retaliation against actors located in a different state. France wants to put forward the issue of hack-back on the international level.

Notable thing. The fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US, where certain proposals considered giving companies the powers to hack-back.

As far as offensive actions are concerned, the review may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities:

Annex 7 considers retaliatory actions following a cyberattack. Although the text points out that such actions should be considered provided that all the other approaches (prevention, cooperation, negotiation) fail, it acknowledges that a response can be made using cyber or non-cyber means. The strategy also highlights that major cyberattack can be interpreted as an armed aggression, in line with the Article 51 of Charter of United Nations.

Olejnik points out the following interesting idea from the document:

France apparently suggested a desire to put the security liability in hands of product suppliers. In other words, making companies responsible for the security of products they put on the market -- as long as the products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date. The strategy itself mentions taking this discussion to the international level.

France's Strategic Review offers a good starting point for thinking about these issues. It would be great if somebody could translate it into English for even wider appreciation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+