Data loss, what backup strategy?

Cahier de la pensée mili-Terre
Science & technology

7:25 a.m., June 26, 2017. Two hours after the launch of the air-land operation, a wave of panic spreads through most positions at the level of the tactical command posts and of the Joint Theatre Command Post (PCIAT). Most workstations and servers shut down abruptly and reboot, leaving only an error message indicating that no disk boot address can be found.


The concomitance and magnitude of the incidents are such that a simultaneous, collective hardware failure is quickly ruled out: the system is suffering the consequences of a computer attack. The command must react quickly. The operation is under way, but neither the tactical command posts nor the PCIAT are able to conduct it in the optimal conditions rehearsed during training. The SIC status report, quickly drawn up by the joint units of the SIC module, indicates that only telephony, radio links and a few isolated workstations and systems remain operational. Furthermore, the systems affected by these incidents can no longer be considered operational: despite the agility, competence and versatility of the administrators, there is no prospect of remedying this state within a timeframe compatible with the initial phases of the current operation. Worse, the first data saved online on the dedicated servers have suffered irreparable damage. All the data stored on the affected machines have been permanently lost.

The Force Commander decides to switch to the "Phoenix" plan provided for in the order of operations in the event of a "cyber" crisis. The reconfiguration of the C2[1] is rapidly implemented and the operation continues in a very degraded mode with the remaining operational systems until the nominal situation is restored.

The Cyber Defence Command is alerted and deploys a CALID[2] rapid intervention group (RIG) within 48 hours. It conducts the first forensic investigations and, in liaison with the theatre's Command of Information and Command Systems (COMSICIAT), defines remedial measures as part of the system rebuild. Analyses quickly show that the operational information systems have indeed been the subject of a targeted computer attack. Malicious code spread to all connected workstations, servers and devices, using a 0-day[3] vulnerability to install itself and then activate at a specific date and time by encrypting all data on the disk (including system data) on the fly. The main remediation measures consist of reinstalling all workstations and servers, whether compromised or not, and cleaning all storage spaces, while integrating specific filtering measures until a security patch is developed, within a few weeks, by the manufacturer responsible for maintaining the system in operational condition.

Investigations revealed that the system was compromised by a file containing malicious code that was activated when it was opened. The first traces lead back to a data insertion station and make it possible to identify a USB key through which the file is believed to have passed. The antivirus, which was active at the time of the incident with an up-to-date signature database, did not flag any suspicious files. The interconnection of information systems, a necessary condition for the tactical elements deployed in the field to be directly subordinated to the PCIAT, facilitated the spread of the malicious code to all vulnerable systems. A second code was also discovered. It is believed to have migrated from the control station of a surveillance camera system. Analysis of the code revealed a modus operandi and a vulnerability allowing an attacker to compromise an isolated computer system by sending infrared signals to surveillance cameras from a distance of ten to several hundred metres[4].

This disaster scenario, although fictitious, nevertheless highlights a probable reality[5] whose consequences could have a strong impact on operational capabilities.

Information systems have become indispensable tools that make a major contribution to the effectiveness of our defence apparatus, both in the day-to-day running of the Ministry of Defence and in the missions of the armed forces. They are one of the keys to operational superiority. However, they are also the source of new vulnerabilities, as our dependence on them has increased. Data, for its part, constitutes the essence of any information system and, by extension, of any military operation or activity.

These information systems, whether or not they are connected to other systems, are part of a larger environment known as cyberspace[6], whose inherently permeable borders, even when physically separated, no longer guarantee a sufficient level of protection against the cyber threat[7]. Whether they originate from hacktivist, criminal or state-sponsored groups, the modes of operation are being strengthened, specialized, industrialized and shared. Moreover, collateral effects are difficult to control.

The White Paper on National Defence and National Security defines cyberspace as an environment in its own right, in the same way as air, sea, land and outer space. However, it has its own characteristics and is the substrate without which no activity can be conducted in the other environments today. In the context of military operations, cyberspace has become a field of confrontation. As such, the Ministry of the Armed Forces must be able to act safely in an increasingly digitised environment and fulfil its operational commitments even under cyber aggression.

Data and information systems are assets which, like any other assets of the Ministry of Defence, have value and must be protected from dangers and threats, both internal and external, in terms of confidentiality[8], integrity[9] and availability[10], in accordance with the requirements.

Among all the areas responding to the challenges of protection, resilience and defence of data and information systems, backup is a major issue.

What is backup? It is the guarantee of preserving something against any damage to it. The term is often equated with a procedure for protecting the information held in a computer system[11] by copying it to external resources (disk, magnetic tape, cloud[12], etc.). It is, however, a matter of cyber-protection: the set of technical or legal means that contribute to ensuring cybersecurity, i.e. the state of an information system that withstands cyber-attacks and accidental breakdowns occurring in cyberspace.

What needs to be safeguarded?

  • "Nothing" would be a particularly suicidal choice in view of the Department's stakes. The accidental or deliberate loss of some sensitive data or equipment could engage the responsibility of the command but above all disrupt the ability of the force system to carry out the mission. To a lesser extent, remember the frustration you feel when you have not been serious enough, in circumstances that could have been avoided by applying a few backup principles, when your mind realises that important data has been permanently lost as a result of an operating error or a technical defect in your computer or smartphone. It's always when you least expect it that the disaster happens.
  • "Everything" must be a well-considered choice, as the cost and nature of technical solutions can quickly get out of hand. The increasing digitization of the battle space and the number of connected objects in all the force systems (weapons systems, on-board sensors: geolocation, health, logistics, etc.) leads to an exponential increase in the volume of data produced. According to the firm IDC13, the digital data created in 2020 should represent a global volume of 44 000 billion gigabytes, i.e. 10 times more than in 2013. Nevertheless, the advent of Big DATA14 technologies and artificial intelligence, facilitated by the increase in storage and computing power of computers, is an opportunity for Defence to exploit this huge wealth of data in order to improve the quality of data.improve not only the efficiency of its organisation but also its operational performance, particularly in terms of planning and conducting operations, intelligence, cyber security, training, human resources management, logistics flow management and health.

The trade-off is made at a level adapted to each information system. The response that constitutes the backup strategy is the result of a risk analysis conducted in a specific context of use and threats.

Four types of data should be put into perspective in this analysis:

  1. system configuration data (installation software, configuration documentation, etc.) necessary for reinstalling the information system in its initial state;
  2. security data (security logs) necessary for any a posteriori analysis in the event of an incident;
  3. contextual data (directories, mapping, mission data, etc.) necessary for the recovery of the pre-incident situation;
  4. other data, particularly data collected during operation.

Backup is a regulatory and sometimes legal obligation. The Armed Forces Information Systems Security Policy (PSSI-A[15]), which applies to all armed forces information systems, contains a set of rules whose application can guarantee a satisfactory level of confidence.

The development of the backup strategy begins as early as possible in the life cycle of the information system, through the security objectives set at the initialization phase of a project or armament operation. The absence of a backup strategy must be considered a critical vulnerability of the information system.

An effective backup strategy is based on technical protection measures reinforced by an organization and operational preparation adapted to the dangers and threats identified. Indeed, the response to an incident cannot be limited to technical measures, but must rely on scenarios that take into account all facets of the capabilities involved (human, doctrine and tools).

There are several imperatives to any backup strategy. It is a question of defining, at the very least:

  • the data deemed necessary to restore the activity. In other words, it is a question of determining which data could be lost without putting too much strain on the activity;
  • the technologies and types of backup (online or offline, media, etc.). The technical means are numerous but can be complex. They must be considered upstream of any design of an information system in line with the operational needs expressed;
  • the frequency of backups. It characterizes the acceptable rate of loss of backed up data;
  • the procedure for administering and executing backups necessary to organize the action of the SIC technical staff;
  • backup protection measures. It is important that backups are not exposed to the same risks as the data in production;
  • recovery test procedures. The reactivity of an ISS centre is based on an advanced state of readiness to back up and restore an information system;
  • the procedure for destroying the media that contained the

However, reality shows that not all information systems are equal in terms of backup strategy, despite the requirements imposed by the PSSI-A. Beyond the regulatory aspect, the command that uses information systems, particularly in operations, must control the state of readiness of its personnel and of its technical resources. A sound approach consists of putting a certain number of questions directly to the system's SIC manager:

  • what data is backed up?
  • is it sufficient to guarantee, at the very least, an a posteriori analysis of security events and a return to a satisfactory state of operation and security?
  • if my system crashes, which organization has been defined and tested to restore it, and in what time frame?
  • where are the backups?
  • how are they protected?
  • are they exposed to the same risks as the system being backed up?
  • when was the last restore test performed, and what was the result?

In short, all the questions, mostly a matter of common sense, that allow the state of the backup capability to be understood should be asked.
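As an added example, not taken from the article, the following Python sketch implements three of the imperatives listed above that also appear in the commander's questions: a hash manifest recorded with each backup, a frequency check against an acceptable loss window (RPO), and a restore test into a scratch directory that reports any file the backup can no longer reproduce. The "production" tree, the attack that overwrites it and the damaged backup file are all constructed inside the demo; file names, directory layout and the one-hour RPO are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(src, dest):
    """Copy the production tree to the backup medium, with a hash manifest and timestamp."""
    shutil.copytree(src, dest)
    manifest = {str(p.relative_to(src)): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    (dest / "MANIFEST.json").write_text(json.dumps(manifest))
    (dest / "TIMESTAMP").write_text(str(time.time()))
    return manifest


def backup_within_rpo(dest, rpo_seconds, now=None):
    """Frequency check: a backup older than the acceptable loss window (RPO) is a finding."""
    taken = float((dest / "TIMESTAMP").read_text())
    return (time.time() if now is None else now) - taken <= rpo_seconds


def restore_test(dest):
    """Restore to a scratch dir and verify each file against the manifest; return (ok, bad files)."""
    manifest = json.loads((dest / "MANIFEST.json").read_text())
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    bad = []
    for rel, expected in manifest.items():
        source, target = dest / rel, scratch / rel
        if not source.is_file():          # file missing from the backup medium
            bad.append(rel)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, target)
        if sha256_file(target) != expected:  # restored copy does not match what was backed up
            bad.append(rel)
    shutil.rmtree(scratch)
    return not bad, bad


def demo():
    """Constructed scenario: backup, then the article's encrypt-everything attack plus a damaged backup file."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    prod, backup = root / "prod", root / "offline_medium"   # assumed layout
    (prod / "config").mkdir(parents=True)
    (prod / "config" / "system.cfg").write_text("role=server\n")   # system configuration data
    (prod / "mission.dat").write_text("constructed mission data\n")  # contextual data
    make_backup(prod, backup)
    for f in prod.rglob("*"):  # attacker overwrites every production file with ciphertext
        if f.is_file():
            f.write_bytes(b"\xde\xad" * 8)
    ok_before, _ = restore_test(backup)  # offline copy untouched: restore succeeds
    (backup / "mission.dat").write_bytes(b"garbage")  # backup medium silently damaged
    ok_after, bad = restore_test(backup)
    stale = backup_within_rpo(backup, rpo_seconds=3600, now=time.time() + 7200)
    shutil.rmtree(root)
    return {"restore_before": ok_before, "restore_after": ok_after, "bad": bad, "stale_after_2h": stale}
```

The restore test deliberately works from the backup medium alone, never from production, so a backup that has been damaged or is too old is detected before it is needed.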

The ransomware threat

Ransomware* is a threat considered very serious. The Ministry of the Armed Forces is not immune to infection by "crypto-ransomware" unknown to the various security tool publishers. Moreover, the probability of recovering data after infection remains particularly low.

Nevertheless, it is possible to protect against such a threat by relying on a few common sense principles:

  • regularly backing up data remains the most effective preventive measure to limit the effects. If there are no automated procedures, it is strongly advised to back up your most sensitive data regularly on an external, disconnected medium. Only connect the external hard drive at the time of the backups, and use a USB key primarily for regular transfers. Caution: the backup itself must be checked for safety, as restoring it can restart the infection;
  • be wary of attachments received in suspicious e-mails: if the sender is not clearly identified and the text shows a flagrant inconsistency, it is essential not to open the attachments or click on links in the message, but to report it immediately to the SSI correspondent and/or, if possible, contact the sender displayed in the suspect e-mail to confirm their identity, that they sent the e-mail, the presence of the attachment and, if applicable, the nature of the associated macro.

Generally speaking, compliance with the fundamental rules of good IT hygiene remains an effective bulwark against already known threats. At the very least, reporting as quickly as possible when symptoms appear helps to limit the spread of malware.

* Ransomware is malicious code (malware) that denies a user access to their files. To recover them, the attacker usually demands a ransom from the victim, generally in Bitcoin. The term crypto-ransomware is used when the malware encrypts the files.

Once confronted with the loss of the information system and its data, realizing too late that they cannot be restored is an unacceptable risk. The result of monitoring the effectiveness of the backup organization and procedures is therefore a capability indicator for any component commander in terms of cyber resilience, i.e. the ability of an information system to withstand cyber attacks and accidental breakdowns, and then return to a satisfactory state of operation and security.

The effort devoted to backups is necessary but not sufficient. Indeed, the situation in which no restoration of a system is possible any more, whether through compromise (in other words, the output data or even the system itself can no longer be trusted) or through destruction (physical destruction or encryption of the data) of both the backups and the system, must be considered a probable hypothesis. This "cyber" crisis situation should lead the command to devise a degraded mode of operation, with or without the compromised system. Whether it is called a Business Continuity Plan (BCP), contingency plan or otherwise, it is an organizational rather than a technical response to an event that seriously disrupts our operating procedures. Figure 1 shows the overall disaster handling process applied to a cyber crisis. This plan requires specific preparation and training in order to switch from one modus operandi to the other as quickly as possible, so as not to add a crisis to the crisis. The technical means implemented under this business continuity plan, and the associated data, will also have to be backed up. They will constitute a necessary source enabling, at the end of the defensive cyber response (LID) conducted by the mandated experts, a resumption of activity within the nominal operating framework of the compromised IS(es).

Complying with backup procedures is not so constraining, and the advantages are infinitely greater when you find yourself in the very uncomfortable situation of losing data or, more broadly, your system. It is not only virtuous; it is an obligation. Certain threats can disrupt it. Nevertheless, it is a bulwark that helps reduce the risk of a total loss of the military's capability to operate. Anticipation, capability monitoring and adaptation are principles that must guide the military leader on operations in taking the cyber danger or threat into account.

1 Command and Control.

2 Centre d'Analyse en Lutte Informatique Défensive or CALID is the operational centre in charge of the defence of the Ministry's information systems. It implements a wide range of functions such as anticipation, conducting cyber operations, cybersurveillance, forensic analysis and assistance in rebuilding compromised systems. It provides the hard core of the permanent intervention capability in metropolitan France and in theatres of operations. CALID performs the functions of CSIRT (Computer Security incident Response Team)/CERT (Computer Emergency Response Team) for the Ministry.

3 A vulnerability that is not public and, as a result, not yet subject to documented workaround measures.

4 https://arxiv.org/ftp/arxiv/papers/1706/1706.01140.pd

5 A family of malicious code, one member of which, called REDBoot, is reported to be able to overwrite the disk's boot zone and modify the hard disk partition table. It appears to have been designed for the sole purpose of destruction.

6 The space formed by interconnected information technology infrastructure, including the Internet, and the data processed within it.

7 The fact that a person or entity has the capability or intent (whether or not displayed) to inflict injury, death or property damage on another person or group of persons. Without intent, it is referred to as danger.

8 Reserved nature of information to which access is restricted to those with a right and need to know.

9 Guarantee that information is only changed by voluntary and legitimate action.

10 Access to information under defined conditions of time, deadlines, performance and location.

11 Storage within an information system is not in itself a backup.

12 Backup can use complex online technologies to avoid material risks.

13 Source IDC (International Data Corporation - IDC is a global player in research on the Information Technology and Telecommunications markets).

14 The science of data analysis.

15 Joint publication PIA-3.20.2_CYBER-EN(2016)N°D-16- 007151/DEF/EMA/SCOPS/CYBER/DR of 08 July 2016. Through the PSSI-A, the qualified authority CEMA sets out the principles and rules intended to define the actions relating to the organisation, techniques and procedures that enable the effective countering of identified threats and thus preserve the interests of the armed forces. This document is the highest level reference in the field of ISS, directly applicable within the armed forces.


Title : Data loss, what backup strategy?
Author (s) : le Lieutenant-Colonel Sébastien VINÇON