France Says 'No' To Company Hack-Backs Following Online Attacks -- But Wants To Keep The Option Open For Itself

from the French-have-a-word-for-it dept

Ten years ago, Techdirt was warning about the hype surrounding the concept of "cyberattacks", and after that "cyberwar", both of which were routinely presented in apocalyptic terms. As we now know, the real online battles are being fought much more subtly in the form of low-profile foreign organizations subverting nations in sophisticated ways. Unlike the predicted take-downs of an entire electricity grid, these kinds of attacks by foreign states and their proxies have already happened, and with troubling effects.

Governments have a responsibility to consider all possible attacks that may be conducted via the Internet, which means that drawing up policy documents in the field is important. The French government has just published its "Revue stratégique de cyberdéfense (pdf)" -- that is, a Strategic Review of Cyberdefense. It was written by the General Secretariat for Defense and National Security, which operates under the authority of the French Prime Minister, and assists the head of government in designing and implementing security and defense policies. It's extremely thorough and well worth reading, but it's also rather long (and in French). Fortunately, Lukasz Olejnik has put together a post discussing some of the main highlights of the document, which is much shorter -- and in English. As he notes, in France, cyberdefense and cyberoffense are two separate domains, and the strategy document lays out six main approaches to the former: prevention, anticipation, protection, detection, attribution, and reaction (remediation). On the offense side:

France strongly opposes giving private companies the rights to retaliate following a cyberattack. In the French view, such actions would constitute a point of instability in cyberspace. Especially when considering retaliation against actors located in a different state. France wants to put forward the issue of hack-back on the international level.

Notable thing. The fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US, where certain proposals considered giving companies the powers to hack-back.

As far as offensive actions are concerned, the review may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities:

Annex 7 considers retaliatory actions following a cyberattack. Although the text points out that such actions should be considered provided that all the other approaches (prevention, cooperation, negotiation) fail, it acknowledges that a response can be made using cyber or non-cyber means. The strategy also highlights that a major cyberattack can be interpreted as an armed aggression, in line with Article 51 of the Charter of the United Nations.

Olejnik points out the following interesting idea from the document:

France apparently suggested a desire to put the security liability in the hands of product suppliers. In other words, making companies responsible for the security of products they put on the market -- as long as the products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date. The strategy itself mentions taking this discussion to the international level.

France's Strategic Review offers a good starting point for thinking about these issues. It would be great if somebody could translate it into English for even wider appreciation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Filed Under: cybersecurity, france, hack backs


Reader Comments



  • Anonymous Coward, 20 Feb 2018 @ 8:58pm

    mistaken hackbacks

    It isn't hard to make it look like someone else hacked you, so hackbacks are a bad idea in every sense, as one mistaken hackback could cause a cascade of damage.

    But leaving a batch file or simple virus that deletes the user's C drive labeled "Company President Passwords" or such in a root folder on your server would be fair game if you ask me.

    • Anonymous Coward, 21 Feb 2018 @ 12:41am

      Re: mistaken hackbacks

      Yeeesss, theoretically. That does seem a bit much, though.

    • ECA, 21 Feb 2018 @ 12:55pm

      Re: mistaken hackbacks

      I find it interesting that the Old ways have not pervaded Current computer system protections.
      Mislabeled files that are traps.
      Making a system look SIMPLE, but isn't..
      Honey traps, that isolate hackers, make it SEEM they are inside. But then Ping, locate their system with From multiple locations.
      ALWAYS split files, that are important, and hide them in diff locations. And have 1 Main program that could/would combine them Properly.
      1 remote system that is backing up the data, ALL day long..and has multiple copies, 2 weeks worth, and 1 ORIGINAL BACKUP..
      OS, separate from DATA, and never written to.
      MULTIPLE sections and password requirements..
      Only specific systems allowed, and they have CODES that allow access, to the system, TO Sections of the system, To Data sections.

      PHYSICAL PERSONS monitoring Client connections. It's called a SYSOP/ADMIN.. Seeing incoming persons, and What they are doing, and HOW LONG THEY HAVE BEEN ONLINE...(sending/receiving TB of data is NOT a fast thing. Jumping section to section, means someone has Passwords, ...
      EVERY SYSTEM SHOULD be Unique..They should NOT be Copycats/Specific designs based on 1 FORM...its stupid, and makes it easy for anyone to get into, and find what they want. as well as the Same failures are the Same for each server system.

    • orbitalinsertion, 21 Feb 2018 @ 4:26pm

      Re: mistaken hackbacks

      This, exactly. Or claimed mistaken hackbacks. Or claims there were hacks to hack back against.

      Having the concept so formed, it makes it easier to think of doing it, and doing it faster than actual evidence can be produced.

      They were stockpiling weaponized hacks, and moving them around so no one could find them, I swear.

  • carlb, 20 Feb 2018 @ 9:27pm

    but aren't corporations above the law?

    Look up DreckTV and "Black Sunday".
    Look up DiSH Net and "America's Top One".
    Look up "sony rootkit".

    There is a long history of this sort of thing, with seeming impunity. Only in America?

  • This comment has been flagged by the community.
    Anonymous Coward, 21 Feb 2018 @ 4:58am

    "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.

    "low-profile" -- FOUR-THOUSANDTHS OF ONE PERCENT TOPS!

    "foreign" -- You only think bad when Russia or other designated ginned-up enemies.

    "organizations" -- Just like thousands of public-relations and corporate-funded lawyers and "think-tanks" (such as "Copia", to be explicit) in US and Europe.

    "subverting nations" -- Again: HA, HA! Ever heard of the Cold War, sonny? Tens of thousands of ACTUAL commies in the US actively trying to influence, variously "Fifth columnists" and "hidden persuaders", all easily spotted because promoting "gun control".

    "in sophisticated ways" -- HA, HA! With rather wacky posts on Facebook? We'd better shut down that weapons system entirely!

    • Anonymous Coward, 21 Feb 2018 @ 8:43am

      Re: "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.

      At least wait for them to post something on the topic before having your mental breakdown....

    • orbitalinsertion, 21 Feb 2018 @ 4:21pm

      Re: "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.

      Yeah it was just those thirteen, and yeah, they totally swayed the election. @@

      God, I hope there are communists somewhere, that would be great for all sorts of reasons.
