The French government has exhibited a rare showing of truthfulness and clarity and has admitted in a national security planning document published this week that cyber deterence doesn’t work and government officials should plan accordingly.
“There is no way to envisage a cyber shield that would thwart any cyber-attack on France, but strengthening its level of cyber security is essential to prepare the country for more cyber threats. Similarly, the application of a deterrent approach in cyberspace that would force any attacker to restrain himself against France is illusory,” the French president’s office said on Wednesday, in a document titled the National Strategic Review 2022.
Instead, French officials believe that while full deterrence isn’t possible, a coordinated and harsh reply could make attacks more costly for an attacker—may it be from a cyber-criminal or intelligence/espionage background.
Officials suggest this could be done by “adopting response strategies that mobilize all the levers of the State, both European and international.”
As a result, French officials propose a plan of action centered around cyber resilience of the French ecosystem—which the French government sees as “a condition of sovereignty”—rather than one focused on the deterrence of external threats, one it clearly doesn’t see succeeding in any way or form.
In hindsight, it also doesn’t take a genius to see that deterrence doesn’t actually work beyond producing some cool headlines and academic papers. Over the past few years, we’ve seen sanctions and public exposés (doxxings) of both cybercrime and APT groups merely slow down some operations. Cybercrime groups disbanded or rebranded, but members continued their “careers,” while APT groups trudged on regardless of the international blow-back. Deterrence will never work if the other party doesn’t give a s**t—and APTs and ransomware gangs are experts at that, especially the ones in countries with no extradition treaties.
