Could a logical succession of 0 and 1 within a binary computer code tomorrow cause as much damage as a naval cruise missile or a shell fired from a Caesar gun by rendering military equipment, materials or infrastructure unusable? Will a virus with systemic effects, through the massive disruption it will cause, lead to the death of human beings, including civilians? As highlighted in the Strategic Review of Cyber Defence published in February 2018 by the General Secretariat for Defence and National Security (SGDSN) : "It is likely that a cyber attack of this nature [acts of blocking or sabotaging computer systems] will one day have lethal consequences. »

What might yesterday have been science fiction, or at least disaster scenarios that were difficult to envisage being feasible in the foreseeable future, now appears to be a distinct possibility.What was once a science fiction, or at least a disaster scenario that was difficult to envisage being feasible in the foreseeable future, now appears to be a serious possibility, a tangible threat and a strategic contingency to be taken into account in terms of military doctrine, the conduct of operations and, more generally, the organisation of the protection and resilience of society as a whole.

The interest and competence of the National Defence and Armed Forces Commission for the "cyber subject" is legitimate, since the foundations of our cyber defence system have been laid mainly within the framework of the various military programming laws (LPM) adopted since 2009. The next LPM 2019-2025, passed on 27 and 28 June successively in the National Assembly and the Senate, is no exception: a specific chapter, Chapter III of Title II, is devoted to cyber defence.

It was therefore natural for the committee to take up this subject in a longer-term project than the one carried out, under inevitably constrained deadlines and on targeted devices, during the examination of the draft Military Programming Law 2019-2025. However, two introductory remarks should be made.

Firstly, this report does not claim to be exhaustive, for several reasons:

• Cyberspace is by its very nature a "universal", global reality that affects more or less all areas of social activity, at local, national, European and international levels. It therefore goes beyond the scope of a single commission;
• it is an extremely moving field, in perpetual evolution;
• as the Rapporteurs have been able to see very quickly and very directly, the analyses carried out in this field quickly come up against the obstacle of national defence secrecy;
• The Strategic Cyber Defence Review mentioned above has already provided a very comprehensive overview of the issue and there was obviously no point in "duplicating" the work already done in this area.

Faced with an inexhaustible subject, the Rapporteurs have therefore chosen to focus their analysis on a number of points that have particularly caught their attention.

Secondly, this report is naturally not intended to be a reference vade mecum for the perfect cyber-attacker or the perfect cyber-defender. The rapporteurs will therefore not enter into excessively technical considerations, since this is neither the vocation nor the interest of their work.

As this is an information report drawn up on behalf of the Defence Committee, the Rapporteurs will certainly focus more particularly on the issues involved in the fight against terrorism.defence, but not exclusively, given that cyber technology permeates all areas and blurs the traditional boundaries between states, actors and sectors.

Indeed, cyberspace is essentially composed of non-military elements. Proportionally, only a small number of specific systems and equipment are exclusively military in nature, characterizing them as legitimate targets under the law of armed conflict. In cyberspace, the relationship between military and civilian targets is reversed, at least in quantitative terms. This is a reality that must be taken into account.

Nevertheless, cyberspace has become an additional field of confrontation, on top of the traditional fields of land, sea, air and space. Its specificity is that it exists as such, but is also present within these traditional fields, since a cyber attack can produce effects not only in cyberspace, but also in physical theatres.

The cyber dimension is therefore now a fully-fledged dimension of the defence field. As the report appended to the LPM 2019-2025 reminds us: "In the area of offensive cyber warfare, new capabilities for action, integrated into the chain of planning and conducting operations, will be systematically deployed in support of the manoeuvres of armies. »

(1) Military, Baron of the Empire, historian and theoretician of military strategy.

SYNTHESIS OF RECOMMENDATIONS

Develop a "cyber" law

● Draw up a "cyber" law covering all issues and actors.

Recovering our digital sovereignty

● Create national and European sovereign storage areas to repatriate and store sensitive data in territories under national or European jurisdiction.

● Encourage the emergence of trusted national and European technical solutions.

Strengthen the resilience of all national players

● Strengthen public authorities' prevention and protection systems and disseminate culture and awareness of cyber risk through ad hoc actions.

● Develop the use of bug bounties within public authorities.

● Raise the awareness of economic players, primarily SMEs, of the need to protect themselves against cyber threats.

● Strengthen the ANSSI regional network for the benefit of public and private territorial players, both in metropolitan France and overseas.

● Set up "cyber referents" within local authorities, public establishments and companies, according to their size and sector of activity.

● Educate citizens from an early age about cyber hygiene:

- raising awareness among adults in the workplace;

- Teaching "IT" subjects in schools;

- create a CAPES in digital education.

● Draw the attention of the general public to the dangers inherent in the use of digital products by marking their packaging and expanding on their instructions for use.

Consolidate a cyber defence industrial and technological base.

● Encourage "cyber solidarity" between large groups and subcontractors.

● Finance the rise of subcontractors to cyber status through a cyber fund fed by DTIB actors and part of the revenues from arms exports.

● Establish a regularly updated mapping of companies and critical skills within the DTIB.

● Improve regulation of certain products to limit the proliferation of offensive technologies and systemic cyber risks.

● Support the development of cryptography and encryption and invest in the development of "cyber-offensive" solutions.

● Ensure that old generation equipment is kept in a secure condition. Adjusting the "cyber human resource".

● To increase awareness of cyber professions and training.

● Increase the number of places in the cyber sector.

● Strengthen the ANSSI's budgetary and human resources.

● Adapt the State's human resources management methods to improve staff loyalty.

● Strengthen COMCYBER's own capacities in terms of digital expertise.

● Create a Cyber Defence School to develop a shared culture among the various actors in the cyber chain.

● Further develop the links between the Cyber Defence Operational Reserve and the Cyber Defence Citizen Reserve.

Ensuring the conditions for collective cybersecurity

● Supporting efforts to harmonise certification at European level.

● To develop France's normative influence at the international level.

● Promote the development of a common international legal corpus.

● To support international cooperation, through the sharing of data and threat analysis, the deepening and conclusion of alliances.