France Says 'No' To Company Hack-Backs Following Online Attacks -- But Wants To Keep The Option Open For Itself
from the French-have-a-word-for-it dept
Ten years ago, Techdirt was warning about the hype surrounding the concept of "cyberattacks", and after that "cyberwar", both of which were routinely presented in apocalyptic terms. As we now know, the real online battles are being fought much more subtly, in the form of low-profile foreign organizations subverting nations in sophisticated ways. Unlike the predicted take-downs of an entire electricity grid, these kinds of attacks by foreign states and their proxies have already happened, and with troubling effects.
Governments have a responsibility to consider all possible attacks that may be conducted via the Internet, which means that drawing up policy documents in the field is important. The French government has just published its "Revue stratégique de cyberdéfense (pdf)" -- that is, a Strategic Review of Cyberdefense. It was written by the General Secretariat for Defense and National Security, which operates under the authority of the French Prime Minister, and assists the head of government in designing and implementing security and defense policies. It's extremely thorough and well worth reading, but it's also rather long (and in French). Fortunately, Lukasz Olejnik has put together a post discussing some of the main highlights of the document, which is much shorter -- and in English. As he notes, in France, cyberdefense and cyberoffense are two separate domains, and the strategy document lays out six main approaches to the former: prevention, anticipation, protection, detection, attribution, and reaction (remediation). On the offense side:
France strongly opposes giving private companies the rights to retaliate following a cyberattack. In the French view, such actions would constitute a point of instability in cyberspace, especially when considering retaliation against actors located in a different state. France wants to put forward the issue of hack-back on the international level.
Notable thing. The fact that the strategy mentions these concepts should probably be interpreted as an indirect response to the ideas discussed in the US, where certain proposals considered giving companies the powers to hack-back.
As far as offensive actions are concerned, the review may not want companies to unleash hack-backs after an online attack, but it does want to keep that option open for the French authorities:
Annex 7 considers retaliatory actions following a cyberattack. Although the text points out that such actions should be considered provided that all the other approaches (prevention, cooperation, negotiation) fail, it acknowledges that a response can be made using cyber or non-cyber means. The strategy also highlights that a major cyberattack can be interpreted as an armed aggression, in line with Article 51 of the Charter of the United Nations.
Olejnik points out the following interesting idea from the document:
France apparently suggested a desire to put the security liability in the hands of product suppliers. In other words, making companies responsible for the security of products they put on the market -- as long as the products are commercially available. The strategy then mentions that one of the solutions could be to release source code and documentation after an end of support date. The strategy itself mentions taking this discussion to the international level.
France's Strategic Review offers a good starting point for thinking about these issues. It would be great if somebody could translate it into English for even wider appreciation.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: cybersecurity, france, hack backs
Reader Comments
mistaken hackbacks
But leaving a batch file or simple virus that deletes the user's C drive labeled "Company President Passwords" or such in a root folder on your server would be fair game if you ask me.
but aren't corporations above the law?
Look up DiSH Net and "America's Top One".
Look up "sony rootkit".
There is a long history of this sort of thing, with seeming impunity. Only in America?
"subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.
"foreign" -- You only think bad when Russia or other designated ginned-up enemies.
"organizations" -- Just like thousands of public-relations and corporate-funded lawyers and "think-tanks" (such as "Copia", to be explicit) in US and Europe.
"subverting nations" -- Again: HA, HA! Ever heard of the Cold War, sonny? Tens of thousands of ACTUAL commies in the US actively trying to influence, variously "Fifth columnists" and "hidden persuaders", all easily spotted because promoting "gun control".
"in sophisticated ways" -- HA, HA! With rather wacky posts on Facebook? We'd better shut down that weapons systems entirely!
Re: mistaken hackbacks
Mis-labeled files that are traps.
Making a system look SIMPLE, but isn't..
Honey traps, that isolate hackers, make it SEEM they are inside. But then ping, locate their system from multiple locations.
ALWAYS split files, that are important, and hide them in diff locations. And have 1 Main program that could/would combine them Properly.
1 remote system that is backing up the data, ALL day long..and has multiple copies, 2 weeks worth, and 1 ORIGINAL BACKUP..
OS, separate from DATA, and never written to.
MULTIPLE sections and password requirements..
Only specific systems allowed, and they have CODES that allow access, to the system, TO Sections of the system, To Data sections.
PHYSICAL PERSONS monitoring Client connections. It's called a SYSOP/ADMIN.. Seeing incoming persons, and What they are doing, and HOW LONG THEY HAVE BEEN ONLINE...(sending/receiving TB of data is NOT a fast thing. Jumping section to section, means someone has Passwords, ...
EVERY SYSTEM SHOULD be Unique..They should NOT be Copycats/Specific designs based on 1 FORM...it's stupid, and makes it easy for anyone to get into, and find what they want. As well as the Same failures are the Same for each server system.
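The comment above describes what an admin watching client connections would look for: sessions that stay online too long, move an implausible amount of data, hop between data sections, or come from a system that is not on the approved list. The script below is an added example, not part of this thread or of the French review; it applies those four checks to a constructed session log. The log format, the allowlist of client addresses and the thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample log, one finished session per line:
# user, source IP, seconds online, bytes transferred, comma-separated sections touched.
SAMPLE_LOG = """\
alice 10.0.0.5 540 120000 hr
bob 10.0.0.9 300 4500 eng
carol 10.0.0.7 14400 1500000000000 hr,eng,finance,legal
dave 203.0.113.4 60 2000 eng
"""

# Hypothetical allowlist of approved client systems (the "only specific
# systems allowed" idea from the comment); the addresses are constructed.
ALLOWED_SOURCES = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}


@dataclass
class Session:
    user: str
    src: str
    seconds: int
    nbytes: int
    sections: frozenset


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log lines into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, src, seconds, nbytes, sections = line.split()
        sessions.append(
            Session(user, src, int(seconds), int(nbytes), frozenset(sections.split(",")))
        )
    return sessions


def review_session(s: Session, *, allowed=ALLOWED_SOURCES, max_seconds=3600,
                   max_bytes=10**12, max_sections=2) -> list:
    """Return the reasons a session deserves a human look (empty list if none).

    The ceilings are assumed values for the example; a real deployment
    would derive them from its own baseline of normal sessions.
    """
    reasons = []
    if s.src not in allowed:
        reasons.append(f"source {s.src} is not on the approved-client list")
    if s.seconds > max_seconds:
        reasons.append(f"online for {s.seconds}s, over the {max_seconds}s ceiling")
    if s.nbytes > max_bytes:
        reasons.append(f"moved {s.nbytes} bytes, over the {max_bytes}-byte ceiling")
    if len(s.sections) > max_sections:
        reasons.append(
            f"touched {len(s.sections)} sections: {', '.join(sorted(s.sections))}"
        )
    return reasons


def find_suspicious(text: str = SAMPLE_LOG, **limits) -> dict:
    """Map each flagged user to the list of reasons for flagging them."""
    flagged = {}
    for s in parse_log(text):
        reasons = review_session(s, **limits)
        if reasons:
            flagged[s.user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in find_suspicious().items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the sample log, carol is flagged on three counts (duration, volume, section hopping) and dave on one (unapproved source), while alice and bob pass. The thresholds are keyword arguments so the same checks can be re-run with a different baseline without editing the logic.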
Re: "subverting nations" -- Yup, as predicted you Techdirt clowns are ACTUALLY claiming that 13 Russians with a couple million bucks swayed the election! -- You pack a lot of lies into few words, you low-profile foreign influencer, YOU.
God, I hope there are communists somewhere, that would be great for all sorts of reasons.
Re: mistaken hackbacks
Having the concept so formed, it makes it easier to think of doing it, and doing it faster than actual evidence can be produced.
They were stockpiling weaponized hacks, and moving them around so no one could find them, I swear.