In October 2015 the French Prime Minister Manuel Valls launched the national cyber security strategy.
The strategy is built upon 5 strategic objectives:
Obj.1 - Fundamental interests, defence and security of State information systems and critical infrastructures, major cybersecurity crisis. This includes reinforcing the security of its critical networks and resilience in case of a major cyberattack by expanding co-operation with private stakeholders at national and international levels. No specific sectors are cited but the strategy pays special attention to 5G.
In this respect, the national strategy will remain attentive to the type and capabilities of equipment and software installed within communication networks, to protect the privacy of correspondences, that of citizens and the resilience of these infrastructures, and will continue to adapt its regulatory framework to new emerging technologies.
Obj.2 - Digital trust, privacy, personal data, cybermalevolence.
Obj.3 - Awareness raising, initial training, continuing education.
Obj.4 - Environment of digital technology businesses, industrial policy, export and internationalisation
Obj.5 - Europe, digital strategic autonomy, cyberspace stability
The new strategy calls for the government to establish the means to protect its fundamental interests on the internet, to guard national information and defend critical infrastructure from cyber-attack. The government recognises that this will depend on having sufficient scientific, technical and industrial capabilities.
NATIONAL CYBER SECURITY STRATEGY - NIS Capacities
|Year of adoption||
October 2015, French National Cyber Security Strategy
|Updates and revisions||An initial cyber security strategy was first launched in 2011, focusing on internal co-operation and on active contribution to the development of cyber security policies in within international orgnisations such as European commission, NATO, UN, OCSE.|
|Operational capacity building||
The national agency of IT security (ANSSI) is the officially recognised agency responsible for implementing a national cybersecurity strategy, policy and roadmap in France.
The French Internet Resilience Observatory, www.ssi.gouv.fr/en/strategic-committee/the-french-internet-resilience-ob..., established in 2011 aims at identify and measure relevant and representative indicators of resilience, and to make their results public.
|Other capacity-building measures: research and education||The CyberÉdu, https://www.cyberedu.fr/index.html, initiative launched in 2013 by ANSSI aims to strengthen the consideration of digital security in all French higher education courses in computer science. To date, the association is still being structuring, but several activities are being considered and discussed to be further developed.|
France has enacted specific legislation and regulation on cyber security through the following:
-White paper on Defense and National Security 2008 (French), http://archives.livreblancdefenseetsecurite.gouv.fr/2008/information/les...
The two White Papers highlighted the potentially enormous impact of cyber attacks on the life of the nation and stressed the need for an early detection capability for cyber-attacks.
The 2013 White Paper on Defense and National Security also stated that the the Operators of Vital Importance (OVI) would have to:
Business and Public Private partnership
In 2016, ANSSI was elected for 3 years at the Board of Directors of ECSO (European CyberSecurity Organisation), the European association created in June 2016 as part of the launch of the Public Private Partnership for European cybersecurity (cPPP).
12 areas of activities has been identified as Vital Importance Operators (OIV) by a national decree in 2006, including Space and Research, Health, Water management, Food, Energy, Electronic Communications, Transport, Finance, Industry, Istitutional and Military activities.
To avoid a large-scale cyber attack, ANSSI and SGDSN (General Secretariat for Defence and National Security) jointly announced the release of three decree on sectoral water management, health products and food. These three sectoral law determines the rules for computer security OIV (Vital Importance Operators) under Article 22 of the LPM (Military Programming Act) of 18 December 2013. These rules provide in particular identification of vital systems (IVIS), notification of security incidents to ANSSI and controls to monitor the implementation of the device.
|Overall assessment/best practices||
Training and international co-operation are the main foundations of the French cybersecurity strategy. Central to successful implementation is a collective, multi-stakeholder approach: government, public sector (national and local levels), businesses and citizens.
Training (part of Obj. 2) is key to filling current gaps in awareness about the risks associated with the digitisation of society. The strategy therefore places emphasis on raising awareness among schoolchildren and students, as well as meeting the increasing demands from the public and private sector regarding cybersecurity by enhancing training in this area.
The content and number of training and higher education programmes for cybersecurity need to meet the real needs of businesses and public administrations. In addition, it is important to integrate cybersecurity training into all higher education that includes some information technology.
Another related objective is the establishment of a Expert Panel of Digital Trust to define training objectives in the short to long-term and to ensure continuing education for businesses through the support of trade unions.
|Implementation & Monitoring||The national cyber security strategy is led by Agence nationale de la sécurité des systèmes d’information (ANSSI). ANSSI sets out the rules and policies for protecting state information systems and for monitoring and verify the implementation and adoption of all such measures. It provides a monitoring service, as well as detection and warning systems and is responsible to leading the response to computer attacks on any critical infrastructure or state networks. The Ministry of Defense is also contributing to fight cybercrime; lastly, the Ministry of Foreign Affairs and International Development ensures the coherence of France’s positions internationally as regards cyber security.|
|Latest WISER update||October 2017|
GDPR and NIS Directive: Compliance and Notification
|National Computer Security Information Response Team (CSIRT)/Computer Emergency Response Team (CERT)||
Notification obligations in the event of a cyber-attack/data breach
CERT-DEVOTEAM - Commercial CSIRT
Cert-IST - dedicated to the Industry, Services and Tertiary (IST). It was created in late 1998 by four partners:
CERT Bank of France - the internal CSIRT of the Bank of France;
|Guidance and Updates||
ANSSI regularly reports best practices and recommendations to different stakeholders.
In 2013 the guide 40 essential measures for a healthy network was released. It sets out 40 essential IT measures to safeguard the security of information system and explains how to implement them.
In 2014 ANSSI released a document called Managing Cyber Security for Industrial Control System which aimed at elaborating concrete and practical proposals to improve the cybersecurity of critical infrastructures.
As a result two document were produced:
- Classification Method and Key Measures describes a classification method for industrial control systems and the key measures to improve their cyber security. This document contains the cyber security classes for Industrial Control Systems, Control measures and a number of classification methods.
- Detailed Measures contains a detailed list of vulnerabilities, and describes Organisational and technical security measures, mapping and event logs.
|Latest WISER update||October 2017|