By Bernard Barbier, Jean-Louis Gergorin and Admiral Edouard Guillaud
“Cyber-coercion” calls for putting together intelligence, protection, international action and retaliation capabilities, three former senior national security officials point out.
Op-ed. At the beginning of the year 2020, in a world that was yet to imagine how much it would be disrupted by the Covid-19 pandemic, we warned about a series of cyber threats and called for reflection and action against what we called “cyber-coercion”: any computer exploit aimed at intimidating State or corporate leaders, in order to gain political and strategic benefits from the former or a financial ransom from the latter.
The open letter published by the Club informatique des grandes entreprises françaises (Cigref – IT club of French major corporations) on November 18, 2020, addressing Prime Minister Jean Castex, was a warning cry. The number of successful cyberattacks, including those using ransomware which block an organisation’s IT system until a ransom is paid, increased fourfold in a year. Attacks are more and more sophisticated, and they’re aimed at companies and public utilities. Almost all of them originate in a criminal ecosystem blooming in those countries which have not ratified the 2001 Budapest Convention on cybercrime.
A profitable criminal activity
Free from any form of prosecution, powerful groups may engage in direct cyberextortion as well as in the sale, to any criminal customer, of the tools that make such actions possible: “ransomware as a service”. Self-serving tolerance by official services in the States harbouring them and the magnitude of earnings have turned cyberpiracy into the most profitable and least risky criminal activity in human history, which accounts for its exponential growth.
The news, published in December 2020, that a thousand private and public organisations, including all major federal executive departments, the NSA, Microsoft and the very effective cybersecurity company FireEye, were compromised by cyber intrusion represents a real departure from the previous state of strategic affairs. It all happened through an undetected modification of a network management software update.
The insertion of a Trojan called “Sunburst” into software updates rolled out between March and May prepositioned, at the heart of the most critical IT systems, an implant which, to this day, seems to have been used only for espionage purposes. It could just as well have been used for sabotage.
Until Sunburst was discovered and precisely identified, only recently, the State which created it – i.e. Russia, as almost every US official except Donald Trump believes – enjoyed “digital first strike capability” against civilian and military infrastructure in the US. Sunburst was only found when its perpetrators stole FireEye’s offensive technical tools. It is probable that this capacity to include an undetectable Trojan in a software update has already been used elsewhere. The threat is therefore critical.
A four-pronged action plan
In this context, cyber-coercion, of criminal as well as of governmental origin, must be fought with a national, integrated and comprehensive anti-coercion strategy. It would include four tightly connected parts: intelligence, protection, international action, and retaliation capability. Intelligence services must identify who is responsible for the attacks, and the technical signature of these attacks. To achieve this aim, cooperation between official intelligence services, cybersecurity agencies and reliable cyberthreat intelligence companies is paramount.
Protection is a necessary, yet not sufficient, condition for security. Incidentally, the Sunburst attack is a major warning about the need to no longer rely only on the initial certifications of software products. Software update screening technologies must be found. Finally, it’s abnormal that France, as an exporter of digital brains, cannot stimulate the creation and development of cybersecurity software companies more efficiently, and put an end to the US-Israeli duopoly in the European market.
International action must not only aim at regulating cyberspace, following President Macron’s call on November 12th, 2018 in Paris [speech for the inauguration of the Internet Governance Forum, at UNESCO], but also use all bilateral and multilateral means available to push those governments perpetrating or protecting cyberattacks to mend their ways. But individual sanctions are only one type of tool, the effectiveness of which is rather limited; conversely, the commercial weight of the EU offers important perspectives.
Finally, the French cyberdefence doctrine must include the capability to engage in retaliation proportionate to any attack against civilian as well as military infrastructure deemed essential. Following the impetus of Thierry Breton [EU commissioner for internal market], the European Commission has, significantly, announced a new cybersecurity strategy.
In order to fight at the appropriate level, ambitious and achievable goals must be set. It’s an illusion to believe that cybercrime can be wiped out; it’s within our grasp to curb it.
The fight for cyber could draw inspiration from the Atalante operation against piracy, implemented in the Indian Ocean since 2008, in which the European Union relied on a first contributing country (France) to combine speed and effectiveness. Retaliation against cyber-coercion could be piloted by the ComCyber [joint military cyber command, which was formed in 2017] or the Direction générale de la sécurité extérieure (DGSE – Foreign Intelligence agency), or by an integrated common team, as is the case in Great Britain, at the national level or in cooperation with allies.
Without any change in the doctrine already mentioned regarding the comprehensive nature of cyber-defence, there will be no deterring effect whatsoever, and nothing will prevent events such as the massive cyberattack against the Rouen university hospital in November 2019 from multiplying and becoming more and more serious.
Faced with the milestones represented by the exponential growth of ransomware and the Sunburst operation, our country must very quickly engage in a strategic reassessment and abandon the incremental logic which has been guiding our cyber-defence until now, and which is no longer suited to the current context. More than ever, it seems indispensable to us that the President of the Republic should rely on a national cyber coordinator [coordonnateur national cyber (CNC)], comparable with the national intelligence and anti-terrorism coordinator [coordinateur national du renseignement et de la lutte contre le terrorisme (CNRLT)], who has already demonstrated his effectiveness.
Bernard Barbier, former technical director at DGSE. A former director of the Information Technologies and Electronics laboratory [Laboratoire d’électronique et de technologies de l’information (LETI)], he is a member of the Académie des technologies.
Jean-Louis Gergorin, senior lecturer at Sciences Po. Former head of policy planning at the French Ministry of Foreign Affairs, he is a co-author of “Cyber. La guerre permanente” (Les éditions du cerf, 2018).
Admiral Edouard Guillaud, former Chief of the General Staff of the French armies.
OP-ED. Published in French on Le Monde, dated 5th of January, 2021.