
Cyber Defence Operational Reserve: Issues and Challenges

military-Earth thinking notebook
Science & technology

While the White Paper announced the creation of a new cyber defence force as early as 2013, little information has been disseminated since then. This force could play a role well suited to the concept of the defence-security continuum, but its rise to prominence brings with it many challenges.


The Snowden affair[1] reminds us almost daily that cyberspace is an arena where strategic issues are at stake. Some States are making significant financial efforts to develop their computer capabilities, including offensive ones. For several years now, France has been taking the measure of these new threats and has been trying to find a place among the major cyber defence powers. The efforts made are significant, but the means remain limited by the necessary reduction in public spending. The creation of a branch of the operational reserve dedicated to cyber defence makes it possible to have access to specialised resources on an ad hoc basis without having to bear the excessive additional cost of permanent recruitment. The phase of setting up this force is only just beginning, which explains the very general nature of the information disseminated about it, as in the military programming law, for example. It is therefore legitimate to look at the nature of the missions likely to be entrusted to it, and then to outline the challenges that the force might face as it grows in strength.

Admittedly, the digital revolution continues to change our habits and offers extraordinary opportunities in terms of social development, access to culture and information. However, the exponential growth of networks of all kinds and of traffic on the Internet makes information control even more complex. The publicity of the Prism programme has triggered a collective awareness of the potential threats to the widespread interconnection of information systems. In particular, cyberspace is a breeding ground for economic and industrial espionage, an area in which Europe shows major weaknesses. Indeed, while the majority of computer hardware is of Asian origin, the United States retains a stranglehold on software products and applications. In this strategic game, the dice are stacked to the disadvantage of the European nations, which are now unable to catch up.

France is not spared by the cyber threat that could seriously harm its national interests. Beyond the daily attacks on institutions and large companies, a major IT crisis, far from being unlikely, could have potentially disastrous consequences for the country. Without a strong, organised and coordinated defence of information systems, access to institutional sites, energy and water supply, the functioning of hospitals, telecommunications and banking transactions, for example, could be severely disrupted. Estonia's experience in 2007 shows the growing dependence of developed societies on information and communication technologies. Senator Jean-Marie Bockel reports that the attacks "dramatically disrupted the functioning of everyday life in the country, depriving users of access to some essential online services" [2].

In this context and since the 2008 White Paper, France has significantly increased the resources dedicated to defending its interests in cyberspace, acknowledging that it is lagging behind in this area and conceding that "the stakes have been underestimated". The ANSSI[3] acts as a recognised national authority and now has extensive power over all the players concerned.

Of course, the Ministry of Defence plays a leading role in achieving the strategic objectives[4] set as early as 2009. Defence naturally has the vocation to protect sovereign information and to contribute to placing France among the world cyber defence powers. The new military programming law also confirms the global and interministerial approach to the prevention and response to major crises: "The action of the armed forces is envisaged jointly with that of the entire State apparatus (...) and the operators, public and private, of vital infrastructures and networks" [5]. The defence-security continuum is particularly relevant in a cyberspace with uncontrollable borders. The specific means of defence could therefore reinforce those of the ANSSI in the event of a computer crisis on national territory. The unified and centralised organisation of the cyber defence chain offers an additional asset in terms of responsiveness, an essential quality when a crisis occurs.

This context of intervention on the national territory is perfectly adapted to the operational reserve. Based on regularly maintained training, reservists are able to respond rapidly to a temporary need for qualified manpower. In terms of cyber defence, the 2013 White Paper refers to a dedicated component within the operational reserve, which "will be planned and organised specifically to enable the Ministry of Defence to have an enhanced cyber defence capability in the event of a major computer attack" [6]. The 2014-2019 Military Programming Law confirms the need to develop this new component, without, however, detailing the timetable for its ramp-up or the projected numbers of personnel.

The use of reservists, who by their nature serve both civil society and the armed forces, is justified by the dual nature of the missions likely to be entrusted to them. Indeed, these units of technicians could reinforce the security of institutional sites, but also contribute to the resilience of vital operators (VIOs). Behind this acronym lie several hundred companies ensuring the security and satisfaction of society's main needs, against which an attack on their information systems could have serious consequences. The Military Programming Act imposes on these operators an obligation of means contributing to the security of information systems and henceforth obliges them to declare the attacks they have suffered.

Furthermore, any international assistance in the management of a large-scale crisis seems difficult to envisage. Without mentioning the very real risk of compromising information relating to State sovereignty, access to confidential industrial data would not be controlled. Consequently, any foreign intervention could involve at the very least an additional burden of surveillance, or even constitute a threat of economic and industrial espionage. The lack of debate within NATO about the applicability of Article 5 in the event of a cyber attack illustrates the weakness of international defence cooperation in cyberspace.

The new Cyber Defence Operational Reserve Force thus represents a specialized workforce designed to contribute to the resilience of vital information systems in the event of a major crisis. Its gradual increase in strength over the next few years brings with it many challenges that need to be addressed.

Firstly, the employment framework of these units needs to be clarified. In the event of a cyber crisis, it is likely that the authorities will initially seek to manage it with their own resources, possibly assisted by ultra-specialised rapid intervention teams led by the ANSSI and the Ministry of Defence. Faced with multiple incidents threatening national cybersecurity, reservists would then be called upon as a second line of defence and always in addition to the resources of the first circle. Their main mission could be to participate in the maintenance in operational condition of the information systems of critical military or civilian infrastructures.

The relative urgency associated with the mobilisation of the reserve must not overshadow the need for a strict framework for its activities. While the teams involved will have privileged access to the system to be protected, it will be necessary to ensure that the actions undertaken are purely defensive in nature. The desire to demonstrate their capabilities could encourage one of the members to exceed their prerogatives and move into the offensive domain. In order to prevent this "cyber corporal" from amplifying the crisis, specific measures should be implemented: clear definition of the tasks entrusted to each member, recording of the actions carried out, ethics training, threat of disciplinary and legal sanctions. In addition, the organisations supported will be particularly attentive to maintaining the confidentiality of their sensitive industrial data, even classified defence data if necessary. Measures to reduce the risk of leaks will have to be introduced in addition to the filters inherent in the authorisation procedures.

The step prior to its deployment consists in progressively setting up such a force, probably composed of several hundred men. Recruited first and foremost from the student population, these computer technicians will have to be assessed beforehand on their technical skills but also on their human skills. Given the sensitivity of the conditions of engagement, it is undoubtedly preferable to give priority to quality over quantity of the personnel selected. As with the strong enthusiasm generated by the Cyber Defence Citizens' Reserve, applicants should apply in large numbers, attracted by the unusual and exclusive nature of the missions that could be entrusted to them. Indeed, the prospect of intervening in a crisis situation to defend or restore a computer system to operational condition can trigger many applications. The status of operational reservist also offers an undeniable additional asset when looking for a job.

Nevertheless, the main challenge to be taken up will undoubtedly be that of building loyalty. The initial motivation of this predominantly young resource must be regularly maintained, in particular through realistic and attractive training conditions. Even if virtualisation offers very extensive simulation possibilities, the material resources required for training and coaching will require a substantial budget. In this context, the future cyber defence centre of excellence located in the Brittany region, within a particularly developed network of schools and companies, can offer a favourable ground for major computer manoeuvres.

Finally, the personnel retained will have to be available when called upon so that the reserve can fully play its role of assistance and reinforcement of specialised means. If availability does not raise questions about the student population, doubts are more likely to be raised about company employees. In the event of a major crisis, the latter will no doubt be reluctant to part, even temporarily, with their technicians. Consequently, the increase in the strength of the force must be accompanied, at the very least, by a communication effort towards companies, emphasizing the effectiveness of centralized management of resources in the settlement of a national crisis.

The exponential growth of cyberthreats combined with the low priority given by companies to protecting their information systems makes it necessary to strengthen the resources dedicated to cyberdefence on a national scale. The highly constrained public expenditure calls for the employment of temporary labour, which can be deployed at short notice. The operational reserve provides a framework of employment well suited to national engagement, complementing conventional forces. Recruiting and retaining a pool of competent technicians is a real challenge, while much remains to be done. The satisfaction of manpower requirements will depend in particular on the resources allocated for training and education. In any case, it will probably take several years to fully integrate the operational reserve into the overall national cyber defence system.

Response measures to cyber attacks contribute to the management of the risk of a national crisis occurring. They are complemented by a posture of protection of information systems aimed at preventing and detecting the early signs of such a crisis. This global approach to cyber defence does not exclude the possibility of having an offensive IT capacity, which is now openly assumed by the 2013 White Paper. Even if the deterrent aspect is not mentioned in the official doctrine, a carefully balanced communication on this attack capability could help to deter potential aggressors.

[1] Edward Snowden, a former NSA employee, has revealed details of several American and British surveillance programs, including the Prism Internet eavesdropping program. Source: en.wikipedia.org

[2] Senate Information Report of 18 July 2012 on Cyber Defence.

[3] Speech by Jean-Yves Le Drian, Minister of Defence, June 3, 2013.

[4] Defence and security of information systems, strategy of France. ANSSI, 2009.

[5] Military Programming Act 2014-2019 of 18 December 2013.

[6] White Paper on National Defence and National Security, 2013.

An officer in the Navy, the author spent the first part of his career in information and communication systems, before joining the 20th class of the War School. He is currently following a master's degree in cyber security at Télécom Bretagne and Supélec Rennes.

Author (s) : le Chef de bataillon David KAUFMANN