“France sucks at cyber” says person who has never heard of ADM
This War on the Rocks article about France’s cyber capability is disappointing. The author correctly notes that France has been very sluggish at developing a coherent cyber policy and accompanying bureaucracy. Unfortunately there are a lot of incorrect or irrelevant points which lower the signal to noise ratio considerably.
The author appears to be under the misconception that France lacks good cyber security talent. Absolutely not true. France lacks capacity to take advantage of their talent pool. After all, this is the country that made Zerodium relocate to more hospitable climes.
You don’t want to bring up 2015 hacks, trust me
There are a couple paragraphs about the 2015 TV5 hack performed by APT28. Granted, this tells us who would win in a cyber conflict between a TV station and a hostile military intelligence service. But… you know another big hack in 2015? OPM. That says something about the security of the US government’s security clearance agency vs an individual Chinese script kiddie. Neither example is relevant to understanding a nation state’s cyber capacity, but one is far more embarrassing. The French shouldn’t feel too bad about getting trounced by APT28, the US was as well.
Internet giants are not a metric of cyber capacity
The author conflates having a giant Internet company with being good at cyber conflict. France lacks big companies like Google or Facebook… both of which were decisive elements in the cyber conflict between Russia and the US in 2016. For Russia though.
Having an Internet media platform in a country is tangential to whether that country has an effective cyber capability. Look at how relevant those Internet giants were in the 2016 Russia vs US cyber conflict. Russia was able to successfully exploit the platforms they provided, the US was incapable of defending against those information operations. This is because the US lacks the right bureaucracy to handle defensive IO (the USIA, which would be the correct agency, was disbanded in 1999.) Indeed, even now the US is still not prepared for a rematch.
Having an Internet giant can be very useful for passive and active cyber operations, but is not a decisive element of cyber power. China’s Tencent is far more integrated into Chinese national cyber security posture than Facebook in the US. Cyber power is not simply a matter of having large Internet companies. Cyber conflict is not like manoeuvre warfare — there is very little to produce, overwhelm or stockpile.
In cyber conflicts an information delivery system is a weapon, and like most weapons it is only as effective as the user wielding it. Facebook and Google are like a straight razor without a handle, extremely dangerous in the wrong hands. Simply having one does not provide cyber security.
Not all wrong
The one point in this article that is both accurate and relevant is that France’s bureaucracy for handling cyber has been completely terrible. As I’ve said, bureaucracy is a key enabler of cyber capacity. If the French can sort that out (I’m skeptical), they will be well positioned to develop credible cyber capacity.
There is no shortage of skilled French hackers, but France lacks a mechanism to exploit that talent resource. It is the same in Germany, the U.K., and the US. The countries that are able to best utilise their private sector talent pool so far are Russia and China.
Creating new bureaucracies and issuing white papers is fine and dandy, but it has very little relevance for effective national cyber capacity. Issuing a white paper on cyber strategy is meaningless. What matters is how the nation is able to organise, fund, develop, and direct cyber operations.
This is why bureaucracy is so critical for effective cyber. Can France recruit skilled hackers, retain them, utilize them effectively, and operate successfully in the cyber domain? They have the talent, but they don’t have a way to deploy and use it. I don’t see how that fundamental issue has been resolved.