Cyber-security : analysis of a French success

!

Master Thesis Political Science: European Security Politics

Cyber-security: Analysis of a French Success

Thibault Wetzel 11699817

First Reader: Dr. R. Bellanova Second Reader: Dhr. Dr. D. Bouris Date: 2018-08-31

Abstract

France has identified the cyber-threats long time ago and that is why it represents one of the leader states in the cyber-security sector. This thesis is going through a long analysis process in order to present the presence of France and the successful choices and actions that it has made over the years. The goal of this thesis is to show that France has clearly seen before other countries that cyber-space would be the challenge of the future. By assuming this, it has let France the possibility to develop a secure state that can pretend to welcome companies, groups or investors that are looking for a good cyber-security.

2015 has been a tough year for France, with two terrorists’ attacks that have killed hundreds of people, the piracy of TV5 Monde passed unnoticed, but like the two other events, it has been a turning point for France and its cyber-security politics.

This thesis will present research regarding the questions: How and why is it possible to consider that France succeed in cyber-security? How France’s leaders are understanding the French cyber-security as a success?

Through discourse analysis, it has been demonstrated that France has made some important choices before the important development of cyber-space and all these choices made France one of world leaders of cyber-security. The findings of this research indicate that Political leaders and institutions during several years with different governments have all follow the same will of security and that by this co-operation France is successful and ready for the future challenge of cyber-space.

Acknowledgment

I would like to acknowledge and thank the following important people who have supported me, not only during the course of the project, but through my master’s degree.

Firstly, I would like to express my gratitude to my supervisor Rocco Bellanova, for this unwavering support, guidance and insight throughout this research project.

I would also like to thank Hamid Abdi from Archi’founder. Without access to his network and knowledge, this research would not have been possible. Hamid’s encouragement and belief in what he does has inspired me.

Then, I would like to thank all my close friends and family. You have all supported, encouraged and believed in me. You have all helped me to focus and on what has been a hugely rewarding and enriching process.

And Finally, I would like to thank all the persons from UvA and Loughborough University that have supported me during this year with all the hardships I have been through.

Table of contents

Abstract ...2

Acknowledgment ...3

Chapter 1. Introduc;on ...6

Introduction ...6

Background of the Study and Historical background ...6

TV5 Monde ...10

Statement of the Problem ...11

Who? ...11 What? ...12 When? ...13 Where? ...13 Why? ...14 Definition of Terms ...14 Cyber-security: ...15 Cyber-defense: ...16 Cyber-attack(s): ...16 Cyber-criminality: ...17 Cyber-terrorism: ...17 Conclusion ...18 Chapter 2. Theore;cal Framework ...20 Introduction ...20 Securitization theory ...20 Cyber securitization ...23 Conclusion ...26 Chapter 3. Research Design ...27 Introduction ...27 Design ...27 ‘Assemblée Nationale’ ...29 ‘Sénat’ ...30 ANSSI: ...30 Speeches ...31 Discourse Analysis ...31 Coding ...33 Conclusion ...35 Chapter 4. Analysis and Result ...36 Introduction ...36

Laws and decisions ...36

Political discourses ...41

ANSSI and before ...50

Conclusion ...51 Chapter 5. Conclusion ...53 Bibliography ...56 Appendix 1 ...65 Appendix 2 ...70 Appendix 3 ...76 Appendix 4 ...79 Appendix 5 ...84

CYBERSÉCURITÉ, QUELS ENJEUX ET QUELLES RÉPONSES POUR VOTRE ENTREPRISE ? . 84

Elle sera pire, pour plusieurs raisons. ...85

Face à ce trend à la hausse des attaques informatiques, que craindre ? ...86

Que faire pour contrer ces menaces ? ...87

Appendix 6 ...90

Appendix 7 ...98

Chapter 1. Introduction

Introduction

In this first chapter, the main goal will be to present several important notions that will be essential to understand the following study. Cyber-security is for France one of the major challenges it has ever had, and for all the different governments that have been in place, it has always been really important to anticipate, and consequently, prevent any problem that the cyber-space could cause. This chapter is essential as it is the foundation of all the study. To understand the following thesis, it is essential to identify the past history of France and cyber-security and how the situation has changed. Subsequently, this chapter will be separated into several parts. The first section is created to present the background of the study. By doing this, it can be interesting to see what has been done about the subject and therefore understand why this subject is interesting. This part will also present the different and principal events that have touched France during the last few years concerning cyber-space and cyber-security Then, the second part of this chapter will present the case of TV5 Monde and why it can be considered as a turning point for the French society and government. The third part is the one concerning the statement of the problem. It is set to be the chapter that present clearly and concisely the issue. To do so, it will answer to five questions: Who, What, When, Where and Why. The research question will also be identifying following this part. After the third section, it will be easier to understand why this study is unique and interesting. Finally, before concluding this first chapter, there will be a last part that aim to present different important terms. All these different terms will be explained as best as possible as it is crucial to understand all the terms that will be used across this thesis. Finally, as it has been said above, a conclusion will close this chapter and present the following one.

Background of the Study and Historical background

Cyber-security is one of the biggest challenges for any states around the world. With the expansion of the cyber-space and the important part that it has in the society, it has become one of the most important things to take care about. Moreover, because of its quick

evolution and place in the society, the cyber-world has been one of the major targets for criminals, terrorists, other states, enemies, etc. The main important thing about the cyber-space is that is stills something really recent for every society, and therefore, it is essential for all the States to understand its importance and why it is important to look at it as quick as possible to anticipate any bad behavior on this platform that could challenge the sovereignty of a State. The quick evolution of the cyber-world needs to be understood by the states because a quick reaction is needed if they want this section of the society to be securitized. Consequently, States are reacting and progressively, they are adapting and creating their own policies to secure the cyber-space. France is one of these countries, it has been present on the cyber-security sector since many years, but in the last few years, its actions have increase to propose a better-protected cyber-space (it will be seen later in the thesis). In 2011, the French Ministry of the Economy and Finance has been the target of an important cyber-attack (The Telegraph, 2011), according to François Baroin, former minister of this ministry, at least 150 computers have been hacked, “it is probably the first time it has been so spectacular” (Ibid, 2011). Some documents have been stolen and the Internet connection to the Internet has been stopped. According to some elements of the investigation following the attack, the goal was to directly touch the events relating to the G20. The G20 is a major event for the top 20 Nations on the planet, and in 2011, it has taken place in France. François Baroin has also stated that the folders that the hackers were looking for had something to do with this event (Le Monde, 2011). This attack was, for France, the first important event that was directly targeting France and linked to cyber-security. It can be considered as a major date for French cyber-security. Effectively, as it will be seen during the thesis, since 2011, some major decisions have been made concerning the cyber-security. In 2015, another important attack has touched France. ISIS has targeted the international French Channel TV5 Monde and it has represented the most powerful cyber-attack that France has ever known nowadays. In a documentary for France 2, the second most important channel in France, (France 2, 2017), former defense minister, Jean-Yves Le Drian said that “Cyber-space has become a fighting area, it has become a sovereignty issue for France”. This documentary is also identifying a potential future threat that can directly impact the French Army. All the different French armies are using different ways of communication, and all these systems are using connections via

connectivity between the services, thus, it is possible to say that it is sensitive to cyber-attack(s). In the documentary cited above, an army representative is saying that ‘France does not stop to improve its cyber-defense” (France 2, 2017) but it is also possible to learn that every day, France and French armies are the victims of numerous attempts of intrusion. All this intrusion can have many sources. It can be an isolated person, but it can also be a bigger group. Therefore, the threat is real for France; cyber-defense will become more and more important and essential for France in order to protect its institutions and citizens.

Another important aspect of this documentary is the notion of defense and counter-attack that France is able to make. To the question “Does France give itself the ability and right to conduct its own cyber-attacks?” former Minister Le Drian to answer, “if it is necessary, it can happen” (France 2, 2017).

This answer implies many important things for France and its method. First, that France is able to potentially lead cyber-attacks against anyone, then that these attacks, if needed, can easily target individuals, groups, or states. The last major cyber-attack that has been made against a French movement is the one that has been made against the political party “En

Marche!” (Created by Emmanuel Macron). In 2017, during the French presidential campaign,

a Russian group named ‘APT 28’ has made the choice to attack the office of the movement during one of the most important periods of the campaign. Effectively, there is one period during the French presidential election in which both final candidates have not the possibility to talk or intervene by anyway on social media, television, etc. According to the Emmanuel Macron, simple candidate at the time, his political party has been the target of cyber-attack and cyber-spying via the party website (Dearden, 2017).

To complete this historical background of the major cyber-attacks and cyber-event that have impacted France during the last few years, a background of the study relating to the subject is needed to situate this thesis into the different researches that have been done before.

There have been few interesting researches made on French cyber security that can help to identify the vision on cyber-security and cyber-space by French citizens.

The researches made by French researchers are focusing on several things. First, the history of French cyber-security and its definition (Arpagian, 2010; Haddad, 2017, Aghroum, 2010) is

analyzed a lot as it is a way to understand what has been done by France and what is its vision on the cyber-space and how to secure it. This analysis of the past event concerning is very important as it has been seen above. It lets the possibility to understand the position of France about the cyber-security and what is its vision on the future. By looking to the past, it is not possible to predict the future, but it is useful as any future decision can take all these different events as a basis.

Then, other researcher makes a more technical vision, as it is the other great aspect of the subject. Therefore, different analysis on how it is possible to secure the cyber-space. Tisserand offers an opportunity to understand how, concretely, it is possible to secure the Data present on the different sector relating to the Internet and Phones (Tisserand, 2017; Mocanu & Kabir-Querrec, 2015). This aspect of cyber-security is essential for researchers as it offers a possibility to see how it is possible to secure these types of things. Moreover, it is a representation of the first point, the history of cyber-security actions. Marquez is adding to these aspects, the type security that France has chooses to secure the nuclear power plants. With 58 nuclear power plants in work in the country, France is one of the countries in the world that use the most these types of electricity creator. But, as nuclear power plants are something really dangerous if the level of security is not good enough. Moreover, all these centrals are using data, the Internet, etc. it means that the risk of attacks on these power plants is a major challenge for France due to its dangerousness in case of failure. As Marquez is mentioning in its research, security in these installations are crucial and it represents a major challenge for France (Marquez, 2016).

Finally, the last major notion that is analyzed by different French researchers is that cyber-security, is something that needs to be done by the State to secure the citizens and the Nation in a more general way. For France of any other state, it is a big challenge to propose a secure network, and it means that security needs to be proved and approved by institutions to be trust by investors, foreigners, or any companies. Danilo D’Elia is analyzing it right by showing that in 2008, with the creation of the ‘livre blanc’ has proposed a secure cyber-area, and that today, it needs to be analyzed to see if the capacity of France to do so was right (D’Elia, 2014).

TV5 Monde

To understand why the piracy of TV5 Monde is defined as an important event for France. It is important to understand its context and the challenge that it has created. Therefore, in this part, the section will be split into two small sectors. Firstly, it will present simply the situation of France in 2015, then it will present the TV5 Monde piracy with some details that are important to be explained for the following thesis.

2015 is for France an important year in its history. Effectively, during this year many events have touched France and its citizens, and they have all impact the vision that French people and politicians have on their society. In 2012, the French presidential election has seen the victory of the left wing with François Hollande with 51,64% of the votes (L’Express, 2012). Since this date, President François Hollande has faced many decisions concerning external politics, terrorism, etc. But in 2015, the position of France concerning terrorism has changed drastically. In January 2015, the attack of the satirical newspaper ‘Charlie Hebdo’ is victim of a terrorist attack followed by another one in a kosher supermarket, both in Paris. It will let 17 people dead, and 22 injured. This first attack has created a sensation of terror in France as it has been one of the most murderess and violent for France. On August 2015, a terrorist attack was supposed to take place in the train ‘Thalys’ but, thanks to some passenger of the train, it has been possible to stop it on time. Finally, during the night of the 13th November 2015, the most murderess terrorist attack took place in different places of Paris. During that night, 130 persons have found death, and more than 350 others have been injured. This night has been for France and around the world a terrible event as it represents the new type of terrorist attacks that can target any places, at any time, with weapons that can be easily hide.

With all these terrible events, it has been forgotten that France has also been victim of a terrorist cyber-attack. Effectively, between the 8th _{and 9}th _{April 2015, a cyber-attack has} been registered against the international French Channel: TV5 Monde. This channel is an important channel as it diffuses French-speaking programs all around the world, it can be considered as prism of what the French TV is. This cyber-attack has result into an immediate stop of all the programs that were diffused on the channel for two days, and a loss of control

on the social media in which it has been possible to see messages relating to the terrorist group Daesh. Thus, this attack has been claims by Daesh, and it represent for France another important attack made by Daesh directly on its territory. This event has present for France another essential challenge has it has proved that Terrorist organizations and other cyber-attackers, were able to attack France directly with a certain power. Therefore, as it has been mentioned above with the nuclear power plants, the challenge for France is to clearly stop and secure these types of areas as it can lead to terrible event. 


Therefore, the TV5 Monde attack is really important for France has it has displayed the failure that France had on cyber-world and that it was essential to resolve it as soon as possible to prevent any important terrorist actions on the French territory made by the cyber communication.

Consequently, this event is interesting for France as the attack has not been physically dangerous for French population and it has showed failure that France could repaired. It can be now interesting to see what a good cyber-security is, and how it is possible to consider that France has a good cyber-security politic.

Statement of the Problem

This fourth section of the first chapter is indispensable, as it will show why this thesis is interesting and what the research question will be.

So, as it has been said in the introduction part of this chapter, it will be split into five different parts, all responding to one question: Who, What, When, where and Why.

All these questions will help to define the subject and then help to define and propose the research question of this thesis.

Who?

This part aims to find out who are the different actors and who are the persons or group of persons affected by the issue. To do so, this part will present one by one the different actors and explain why they are impacted by the problem.

only one that can propose solutions, and therefore put them into application. It is always against or for the government that the other actors are refereeing. In this case the government is the center of the research as it is by analyzing its action and decision that it will be possible to see the efficacy of the French policy concerning Cyber-security.

The French President (From Nicolas Sarkozy to Emmanuel Macron) is the next important actor as it represents the most powerful place in France, and its speeches and decisions are always analyzed and put into practice. He is the one that is supposed to lead France, and his decision will impact the rest of the Nation. In this case, the decisions of different President concerning the cyber-area will be analyzed to see the vision of different presidents from different political parties.

Following all the actors of the executive power is the legislative power. So, the ‘Assemblée

Nationale’ represents the institution of France that is making laws and decide or not if

changes are needed on certain law already present. It will be possible to see later in the thesis that this actor is really important and that the law made by it are the basis of the French action concerning cyber-security.

The last, and certainly one of the most interesting to look at is the ‘Agence Nationale de La

Sécurité des Systèmes d’Informations’ (National Cyber-Security Agency of France), or

ANSSI. This agency has been created in 2009, but it is simply the evolution of many French agencies present since 1943, supposed to protect the digital data relating to the state. Today ANSSI mission is to protect and secure the French cyber-space.

This is an important actor for this study as it represents the one that can directly identify threat and react and propose concrete solution to a cyber-menace.

What?

This question aims to put the boundaries of the research in place. Thus, this research is focusing on France and especially on the faculty of France to have a good cyber-security either for its institutions, companies or individuals. This is a major issue for France or any

country in the world because, as it has been said above in the text, the challenge of cyber-security is and will be one of the most important problem for any society. Terrorist groups, foreign countries, etc. can cause some problems to France. With the evolutions of the new technologies it will become harder to secure this area and the objective is to reduce the gap between the secure part and the non-secure part. It is why France has to keep focus on this problem and need to prove that its choice to secure the cyber-world is a good one. If these types of actions are not made, the problem is that France will be vulnerable on this area, and it can cause a lot of trouble on the cyber-space but also physically as we have seen above that France is a developed country with advanced technologies present from the individuals to the secret subjects of the Nation. The protection of all data is essential to secure the sovereignty of the Nation.

When?

As it has been said above about ANSSI, France is present on the security and cyber-security since many decades. Franc has understood the importance of protection of sensible data, and with the evolution of the new technologies, the real challenge is to be ready to develop its security as fast as the development of the technologies is going. The real challenge is here, and it is important for this State to stay focus and propose actions that are directly responding to the actual threat. It is not useful to secure something that has been a threat. The importance of this challenge is to anticipate and to propose something in advance to secure the possibilities of attacks that evolution can bring with it.

So, to the question “when does it need to be fixed?”, the answer is daily. It is not important for France to secure only one sector and to be certain than nothing is going to happen. It is more significant to propose something that will secure the future threat and therefore prevent any similar events.

Where?

The real defy with this is that it is something really hard to define and each states, companies or individuals have to create and define its own limits. For France, it is important to limit its action, as the cyber-space is too large to secure totally. Therefore, by creating laws and political decisions the limitations of the French actions onto the cyber-space is made.

Why?

This issue is essential for France because as it has been said beyond, the real deal with this issue is that it needs to be done for the present but also for the future. This new type of security is also made by anticipation. Cyber-security will be one of the most important tasks to do for the states, as it will represent more and more power on society according to its expansion today. It can have impact on every part of the population, not only citizens, but also companies, institutions, governments, stock exchange, etc. Cyber-threats can be seen in many places, made by many different groups with all a different goal. The impact can concern physical security, money, blackmail, lack of independence, etc. Consequently, this issue concern France in general but also individuals; thus, the maximum of efforts needs to be made to propose at every level the best security as possible.

All these different questions have allowed the possibility to understand who the actors are, what are the different challenges, who it is concerning and where it is taking place.

With all these notifications, it is easier to identify an issue and hence, define a research question. How and why is it possible to consider that France succeed in cyber-security? How France’s leaders are understanding the French cyber-security as a success?

Definition of Terms

In this study there are many different essential terms that need to be defined for a better understanding of the following thesis. Therefore, terms such as Cyber-security, Cyber-defense, cyber-attack(s), cyber-criminality and cyber-terrorism.

All these different terms can be considered as different parts of the study and will be really important for the following chapters and especially the theoretical one.

Cyber-security:

This is one of the most important notions of this study, and a clear knowledge of what it is will help the understanding of the thesis.

A simple analysis would say that cyber-security can be understand as the security that is created on the cyber space in general. This is a general description of all the different actions and systems that are created to secure the cyber-space. Cyber-security is something that is created to secure and protect the cyber-space for the citizens, institutions or companies that can be targeted by cyber-threat.

Arpagian (2010) is presenting cyber-security as a general protection of the cyber-space and that it is affecting different technical devices such as “network, phones, satellites” as they can be targeted for infiltration(s) or interruption(s).

“Cyber-security also covers the protection and attack of computer equipment, in order to monitor or control it, as well as information available on the Internet, with possible damage to reputation, the theft of sensitive date, digital hacking or other smear campaigns.”

In addition to Arpagian definition of cyber-security it is possible to add the definition of the International Telecommunication Union (ITU, United Nations specialized agency for information and communication technologies), which one is really complete.

“Cyber-security means all the tools, policies, security concepts, security mechanisms, guidelines, risk management methods, actions, training, best practices, safeguards and technologies that can be used to protect the cyber-environment and assets of the organizations and users. The assets of organizations and users include connected computing devices, personnel, infrastructure, applications, services,

cyber-space. Cyber-security seeks to ensure that the security properties of organizations ‘and users’ assets are assured and maintained in relation to security risks in the cyber-space. The general security ambitions are: Availability, Integrity and Privacy”

Cyber-defense:

Cyber-defense is similar to cyber-security, but it is less global. This term is more relating to the security of citizens inside a State in the cyber-space. This security is assured by internal state agencies. For the French State, this role is assured by the Agence nationale de la sécurité

des systèmes d’information (ANSSI) and is also supported by the military domain and army

(ies). Ventre (2011) is showing that, in France, “cyber-defense is all the different methods that are used to protect from the attacks on information systems that could jeopardize the security and defense of the country”. This Statement is a lesson created from the report of Senator Roger Romani in 2008.

Cyber-attack(s):

This is another key aspect of this chapter. A cyber-attack is malicious action(s) made by individual(s) or group(s), in order to attack a website, a network or a computer with different techniques, in order to steal, destroy of spy different types of data.

Martin & Martin (2001) are presenting cyber attack(s) and piracy as following:

“It is the main driver of crime and the most worrying danger. It is a phenomenon that is not recent, but whose proliferation is worrying. Yesterday reserved for an elite, it is democratized and is now within the reach of anyone with a computer connected to the Internet, because multiple tools of hacking are available on the network. […] It is in fact the act of accessing and/or remaining fraudulently in an information system, of knowing software, files, data, possibly altering the functioning of the system, delete or modify data, introduce viruses, worms, logic bombs or Trojan horses (virus)”

In addition to this statement, Ventre (2011) is presenting the vision of France by notifying the Lasbordes Report (2005) stating that cyber-attacks were created to “destroy, alter, access

sensitive data for the purpose of modifying them or harming the proper functioning of the networks”.

Filiol (2011) has identified cyber-attack as an attack targeting the ‘real sphere’:

“Either directly through an information and communication system (ICS). In this case, the computer field is only a tool or a means (attack on people for example). Either indirectly by attacking an ICS that does not depend on one or more components of the real sphere (attack against an electronic voting machine network).”

Cyber-criminality:

Cyber-criminality represents all the actions that are leading to a crime that could be detrimental (identity theft). It is an important aspect of the subject as it means that actions relating to cyber-criminality are directly against the law and that it is possible to find a concrete way to fight it (investigation, trial…). Again, Martin & Martin (2001) are providing an analysis of cyber-criminality:

“Any unlawful action in which a computer is the instrument or object of the offense; any offense whose means or purpose is to influence the function of the computer; any intentional act associated in any way with computer technology in which a victim has suffered or could have suffered harm in which the perpetrator has or could have made a profit. […] Since 1986, the Organization for Economic Co-operation and Development (OECD) guidelines have laid down basic principles of computer crime: fraudulent access, interception of systems, violation of security rules with dishonest or harmful intent, violation of the exclusive right the owner of a program, entry, alteration, erasure or deletion of data, obstruction or operation of the systems.”

Cyber-terrorism:

The last important notion that needs to be defined is cyber-terrorism. It represents the malicious actions of terrorist organizations (ISIS, Al-Qaeda…) through cyber-environment. These different groups launch cyber-attacks to individuals, organizations or governments.

terrorist organizations are taking place into the cyber-space to share their ideology(ies) to the world. By using the Internet and the cyber-space for propaganda, these groups are enjoying the possibility of being anonymous and by the size of the cyber space, enjoying a large scale of affected population. As an example, according to the Guardian, 125,000 twitter accounts relating to ISIS have been deleted in 2015 (Yadron, 2016).

“Terrorist Organizations have been using computers for several years now to store and transmit data concerning their actions and also to carry out propaganda relating to the cause they defend. […] The Internet is a privileged and effective vector for conveying ideas. Terrorists and sects have understood that they can use servers located outside France and escape the harassment of national authorities. […] Given the means available on the market, over-the-counter, with ridiculous investments, compared to those corresponding to conventional armaments, it is quite possible for virtually anyone to attack or destroy the information systems of a country, to kneel a big power or a multinational.” (Martin & Martin, 2001)

In addition to Martin & Martin statement, Ventre (2011) assumed that “cyberspace is linked to modern wars, since the early 90’s, Terrorism is an active part of these wars”.

Conclusion

With these different parts it has been possible to understand the different events that happened in France during the last few years. Furthermore, it was also really interesting to see the vision of the French researchers on the subject as it can represent the vision of the French citizens. Finally, doing a process of different question it has been possible to identify a research question and propose a question that suggests something new: How and why is it possible to consider that France succeed in cyber-security? How France’s leaders are understanding the French cyber-security as a success?

Lastly, the definitions of all the different terms are essential for the analysis as it is easier to understand this thesis if all the important terms, actors and essential notions are defined before it all start. This section was important for this thesis as it presents the basis of the research.

With this basis, it will be easier to analyze the theory in the following chapter and propose a good research design for the rest of the study.

Chapter 2. Theoretical Framework

Introduction

This second chapter is essential for the thesis as it represent one of the most important parts of this thesis. The ambition of this part is to present different theories that are directly relating to the subject and that will help the development and the ability to answer the research question. The researchers that have worked on these theories are closely linked to the subject of this thesis even if the cyber-security is not the core subject. This thesis will then focus on two different theories. First part of this chapter will present the securitization theory. Then the cyber-securitization theory will be seen in the second part. Both of these theories will be useful to understand the decisions made by the government and by the different actors of the subject. It will be easier to base the analysis on these theories and it will help to give a precise analysis.

It will end with a conclusion that will resume this section and open on the next chapter to present the link between both chapter as a continuity.

Securitization theory

In this thesis, the main theory that will be used is the one presented by Buzan et al. on securitization (Buzan et al., 1998). According to them, “‘Security’ is the move that takes politics beyond the established rules of the game and frames the issue either as a special kind of politics or as above politics. Securitization can thus be seen as a more extreme version of politicization” (Ibid, 1998). Moreover, if a better comprehension of the problem is wanted, it is important to also identify what kind of issue(s) can be processed with the securitization theory. This answer is also given by Buzan et al. later in the text: “In theory, any public issue can be located on the spectrum ranging from non-politicized (meaning the state does not deal with it and it is not in any other way made an issue of public debate and decision) through politicized (meaning the issue is part of public policy, requiring government decision and resource allocations or, move rarely, some other form of communal governance) to securitized (meaning the issue is presented as an existential threat, requiring emergency measures and

justifying actions outside the normal bounds of political procedure). […] Depending upon the circumstances, any issue can end up on any part of the spectrum” (Ibid, 1998). By saying that any issue can take part in a securitization process, Buzan et al. Are showing that securitization has no limit, and that if governments and, or, political leaders are able to convince citizens and people that a certain situation is an issue, then, it can be agreed as such. These types of actions can be a good thing for the society as it can be understood as a prevention, but it can also be understood as an excess use of the power that are put into leaders’ hands.

Waever mentions that the main facet of this theory for him is: “the securitization approach points to the inherently political nature of any designation of security issue” (Waever, 2011). The ‘inherently political nature’ cited by Waever presents something interesting as it shows that the securitization theory cannot be dissociate from a political act. It is an essential notion of the theory as it means that securitization moves made by political leaders are only relating to them, and that they are the only persons that have the possibilities to do so. It means that they have a strong power and that if the citizens follow their vision, it can be considered as a political ‘victory’ for them and their political wing.

To complete the vision of Waever, Taureck, inspired by Waever analysis is adding that “the main argument of securitization theory is that security is a (illocutionary) speech act, that solely by uttering ‘security’ something is being done. ‘It is by labelling something a security issue that it becomes one’” (Taureck, 2006). This statement is completing the vision of Waever. And it is interesting to link it to the subject of this thesis as it is presenting a securitization move as a decision that is made by someone base on nothing, just to prevent or secure an area or something that can present a certain threat either to a group or a person.

This theory is presenting something interesting. The goal of any public figure is to present something as a threat, and not to prove that, in fact, it is a concrete and real threat. Balzacq is showing this by saying that “securitization is a sustained strategic practice aimed at convincing a target audience to accept, based on what it knows about the world, the claim that a specific development (oral threat or event) is threatening enough to deserve an immediate policy to alleviate it.” (Balzacq, 2005) This statement is resuming what has been said above, but it is also showing that the actions of the French government following terrorist attacks with the emergency state can be identify as a securitizing move, or de-securitizing (in

such” (Buzan et al., 1998). It is an important part of the challenge for France and its government as it means that it is essential to present evidence to the French citizens that area is a threat and that it needs to be secure. France has known some episode of cyber-threat, but nothing, except the TV5 Monde piracy, has been really impacting the life of citizens. Therefore, for the government and other important actors issue mentioned upper in the text, it is important to convince people that cyber-area needs to be securitized even if the audience does not seem to see any problem(s).

The evolution of all the works around securitization show that this notion is not easy to define, but furthermore, that it is based on expectation. The fact that, government or political leaders are choosing this type of theory to increase their influence or to convince people that there is a new, unknow threat, show the power and importance of this theory in politics and international relation.

If we look at France, it is possible to see that some decisions that have been made by its political leaders can have some influence of securitization theory. As every society around the planet, the will of leaders is to increase their power on their citizens in order to do the political decisions they want the citizens to follow. Therefore, in France, Following the terrorist’s event of 2015, the state of emergency that has been created by François Hollande present some aspect of securitization theory. By showing that terrorism is a real threat, François Hollande has decided to let the police force intervene without the approbation of a judge show that, because of the wish of total security, French citizens have accepted and let the government let whatever they think was useful for France in order to secure the place. It is interesting to see that this ‘state of emergency’ was impacting everyone and was directly reducing the liberty of everyone just because of security.

Another important aspect of the securitization theory, as it has been cited above by Taureck, is the ‘speech act’. “A speech act is interesting because it holds the insurrecting potential to break the ordinary, to establish meaning that is not already in the context. It reworks or produces a context by the performative success of the act” (Stritzel, 2007). Buzan et al. are also adding that “the speech act reduces public influence on this issue, but in democracies one must legitimize in public why from now on the details will not be presented publicly (because of the danger of giving useful information to the enemy and the

like).” (Buzan et al., 1998) For any governments reducing the influence of the public on an issue is increasing their power and letting them do more things. It is possible to agree with Buzan et al. as they are presenting the situation with an interesting point of view. The wish for group to reduce the public influence is most of the time a major objective, and in the situation of France, by making the decision to create an emergency state, it let to the government the opportunity to have more power on the population without too much communication on what the emergency state really is. Accessing direct data without permission, accessing home without mandate, etc. all these types of actions have been legitimized by the government because of the emergency state to respond to the potential future terrorist threat(s). Securitization theory is a complex notion, but if it represents a political power directly on the life of citizens and on their security, it is also interesting to see that it can impact their personal life directly but in an aspect that does not seem direct. Here is the cyber-space importance. With the development of our society into the cyber-space, the liberties onto the cyber-space are beginning to be a real importance for the government, because as it has been seen up in the text, cyber-attacks can impact citizens physically. Therefore, the use of securitization move by the political leaders into the cyber-space will become more present, and important for leaders. With the impact of cyber-space before and post-terrorist attacks, it is evident to see that the securitization affects more things, like the digital world.@&é

Cyber securitization

Cyber-securitization is a concept that is mainly supported by Hansen and Nissembaum. In their research they are planning to “identify and locate cyber-security as a particular sector on the broader terrain of security studies” (Hansen & Nissembaum 2009). To do so they have planned to answer a certain number of questions that will help the theorizing cyber-security. By asking “What threats and referent objects characterize cyber-security; what distinguishes it from other security sectors; how may concrete instances of cyber securitizations can be analyzed; and what may critical security scholars learn from taking cyber discourse seriously?” (Ibid), both of the researchers are concluding that cyber-securitization is a particular discipline and that “cyber security stands at the intersection of multiple disciplines and it is important that both analysis and academic communication is

is not really surprising as it is something that is quite recent and not many researches has been done on the subject. Like the research of Hansen & Nissenbaum, the other important researches on the subject are contained between 2013 and 2016. Like the speeches and laws that have been selected for the analysis later in the text, everything is present between 2013 and 2018. This notion of time presents the recent aspect of cyber analysis. All the documents concerning the securitization theory are older than any documents concerning the cyber-space. Like Hansen & Nissenbaum, every research that have been made are recent and therefore it is hard to see the veracity of their analysis. More time will be needed for researchers to complete the securitization theory into the cyber-space. But today, with all the notions and events that have took place during the last ten years, it is possible to start to identify some aspect of it and then, regroup different visions of authors that can present a clear notion of what cyber-security is, and how it can be linked to the securitization theory. In their research Bauman et al. are identifying an important aspect of cyber-security and its relationship with the state. “The digitized geopolitics assumes that cyber-space is a battlefield and that states must build up their own cyber-capabilities in order to defend themselves and/or must engage in international collations in order to face the challenges posed by mass surveillance and digital espionage” (Bauman et al. 2014). This statement is really interesting as it is presenting exactly the vision of France on the subject.

As it will be seen late in the text, many of the French Political leaders have identified the cyber-space as new types of battlefield and that action needs to be made to counter-attack any types of threats. Also, it is really interesting to see that the idea of co-operation between the states is advanced. Effectively, in the modern world, and especially in cyber-security states are trying to work together as maximum in order to preserve their sovereignty but also to learn and share their knowledge with the other. The example of European Union is perfectly representing that. The will for the different countries to work together even if the cultural, religious or political ideologies are not the same, in order to present a security against any types of intrusion by stranger. The cyber-security area can force this co-operation because of the links that there are between the different countries.

In addition to this Dunn Cavelty is also showing that cyber-security is often really close to cyber-crime, cyber-terrorism or cyber-war (Dunn Cavelty, 2013), and that it is important to

keep in mind that these are part of it and also that cyber-security is part of another international relations theory.

Dunn Cavelty is showing that cyber-security has become a proper part of international relation and that it now needs to be analysed as such. Moreover, she is also highlighting the fact that cyber-security is not something clear, it is not something physical and therefor it is hard to define it “without drawing on language used to describe the environment in which it operates” (Ibid). This type of statement is interesting as it shows the particularity of cyber-security and why it is hard to explain or present it. Moreover, it can join the vision of Bauman et al. And the fact that it is a mix of several other things. In France, it is possible to consider that the cyber-security has become a real challenge in 2013 with the creation of ANSSI (Appendix 1). This agency is supposed to propose solution to the present and future threats of the cyber-space, therefore it is a support for the government and it can base its decision on ANSSI because of its expertise. With the creation of ANSSI, France has shown its ambition into the creation of a secure cyber-space, but also into the security of its own institutions and neuralgic areas such as the nuclear plant as it has been seen above. The emergence of cyber-security in France has not stop since this date as it is possible to see through all the different speeches later in the text. This challenge is new, and France has made the choice to react quickly. If France is considering itself as a good nation in cyber-security it is interesting to understand why, and how it has been possible.

Finally, Collins is trying to give a clear analyze of what cyber-security is: “Cyber-security is both about the insecurity created by and through this new place/space and about the practices or processes to make it (more) secure” (Collins, 2016). This sentence resumes it all, and moreover, it with the word ‘more’ Collins is implicitly saying that the cyber-area is like any other aspect that are relating to humans, and that it is not possible to fully secure it. This statement made by Collins show the difficulty for political leaders to propose a security as threats are complicate to identify. Therefore, it can be interesting to link it to the securitization theory and to the speech act. As it will be seen later in the text, in the different speeches made by the different French’s political leaders, the will is to present the potential threat and to propose solution to it, it can be considered a securitization move. The securitization theory is something that has been identified onto the ‘classic’ political decisions that were directly

types of potential threats are taking place, and finally all these threats, are presenting a potential new wave of securitization moves.

The emergence of cyber-security around the world is showing that it has become one of the most important challenge for the different nations around the world (Appendix 8). The ranking of the cyber-security efficacity between different states is showing that it is an important challenge and that States are really considering it as a challenge and a future national security challenge. The fact that the states are considering it as an important notion means that there is a risk for the sovereignty of the states. By doing this, France and other states are anticipating the future threats, and therefore prevent any impact on their sovereignty.

The challenge of cyber-security is well resume by Collins; because cyber-space is something quite new for the society, it is a new challenge to secure it and to propose proper theories, analysis, etc. on the subject, as it is not old enough to be analyzed.

Conclusion

This chapter has let the opportunity to understand what are the main theories that will be helpful for the rest of this thesis. Moreover, it has permit to identify key notions that are present and used by the different actors of this case. Finally, these two important notions have showed some difficulties to be defined and to be analyzed. But it will be seen in the rest of this study that it is perfectly matching the current situation of cyber-security. It stills something new for the states and for the analysts, and that is why the notions needs more time to find its perfect definition. With this done, it will be easier to create a research design that is matching the key points of these key terms, and therefore create an analysis that will be based on these theories.

Chapter 3. Research Design

Introduction

The chapter bellow seeks to explain how the research process will be done step by step in order to give the best presentation of what the analysis will be. The section will start with an overview of the different methods that will be used. Hereafter it will show the different types of documents that have been chose for the analysis. And finally, it will show the technique that has been chosen to analyze these documents. It will be argued that different policies, speeches and decisions form the best possible option in measuring the impact and presence of France on cyber-security.

Design

By this research design the goal is to present the research methods and the kind of analysis that will be use in my thesis. First, it will quickly present the essential theoretical approaches and the key researches relating to it. Then it will present all the different actors and types of documents that will be useful and use for the research. Finally, it will introduce some of the chosen materials, what they are talking about and how it is linked to the subject.

For this thesis, a qualitative methodological approach has been selected. As this research will use different types of discourses concerning the cyber-security. By using a qualitative approach, it will let the possibility to use different types of documents such as laws and speeches made by important French politicians. The main ambition is to collect useful data and to analyze it. The plan for this thesis is to do a discourse analysis that will then match the qualitative research mentioned above.

As it has been mentioned in the theoretical framework the concepts of ‘securitization’ and ‘cyber-security’ are essentials in the research. As these two concepts are important in the research project, academic literature will be needed in order to understand the two notions and to guide the discussion into the good track.

Securitization mentioned by different researchers (Buzan et al, 1998; Hansen, 2011, Waever, 1995, Watson, 2012) is a concept that is mainly understood as how a person, or a group of persons can be convinced that an issue can be considered as a direct threat and that it needs reaction and policy to counter attack. By doing so, the issue migrates from politics labelled as ‘normal’, to an “extreme version” (Buzan et al, 1998). This opportunity let the possibility for a state to increase its power by making decisions that were not formerly acceptable.

To link this directly to the subject, it is possible to see that state of emergency following terrorist events in France as securitization process. The extension of the French State power on citizens in order to assure security is directly relating to the definition stated above (Gouvernement, 2015).

The second key notion of the research is the ‘cyber-security’. With the main doctrines of cyber-security (Hansen & Nissenbaum, 2009; Bauman, 2014; Collins, 2016; Dunn Cavelty, 2013), it is possible to understand what cyber security really is, all the technologies and process that are created to protect the network, programs, or different data against cyber-attacks. It is essential for my research to develop what is cyber-security in order to have a concrete view of the concept and join it to securitization theory. Several events directly relating to cyber security have been perpetrated in France during 2015; they have direct impact on the securitization process that have took place in France in 2015. As it has been said upper in the text, the event of TV5 Monde has not been has mediatized as the physical terrorist attacks, but it is also part of the event of 2015, and therefore, part of the reaction made by the different actors.

To complete these two concepts, some important scholarly resource relating to the thesis will be added (France’s Cyber-security). Some subjects have concerned the cyber security in France have already been discussed (Tisserand, 2017; Lakia-Soucalie, 2017; Arpagnan 2010; Ghernaouti & Dufour, 2017, Guitton, 2013), it has helped to develop the literature review and

understand what has been done and what is the situation of cyber-security in France. The subject of cyber-security in France is not discussed a lot, and it is often an explanation of what is cyber-security and how it is impacting France. Understand the cyber-attack that took place in France in 2015 (TV5 Monde Piracy: ISIS have attacked TV5 Monde Channel and reduces it to silence for several hours) is essential to develop this research and understand what has been done and how this research is unique and new. The ISIS cyber-attacking group, ANSSI and the different cyber-notion developed by Lakia-Soucalie, will help me to understand how cyber-terrorism can impact France (Lakia –Soucalie, 2017).

To complete the analysis that have been done before with the theoretical framework and the state of the art, the analysis that will be done by having a look to different laws, speeches, and ANSSI actions, will show the actions of France concerning cyber-security.

‘Assemblée Nationale’

As it is possible to see many documents concerning the cyber-security are available online, and the use of Atlas.ti will be more than needed to sort the different texts, with the help of coding. To complete all these documents, it is also possible to have access to the debates (discussions) that are made inside the Assembly between the different representatives. Effectively, in the French National Assembly, it is possible to see that some important texts are discussed into the ‘hemicycle’, but most of the interesting and constructive discussions (for me) are made into smaller group(s) with politicians from different political parties (Assemblée National, 2018). The debates that are made and the project(s) of law that are discussed into these rooms are important and useful to see the different visions of the political parties of France.

Moreover, the assembly role is to propose law. And the most interesting thing to analyze will be the different law that have been proposed and adopt by the ‘Assemblée Nationale’ in accord with the ‘Sénat’.

‘Sénat’

Similar to the National Assembly, there are different types of documents that can be useful with the ‘Sénat’. As the two French institutions are working in parallel, it is important to see the counter-vision of the Sénat on the Cyber-world. Moreover, the Sénat has recently adopted a law project concerning the reinforcement of the Network & Information Security (NIS). Therefore, like the Assembly, there are different forms of documents that can be really useful for this thesis. But the main goal will be to analyze the concrete thing, and therefore see the law that has been adopted and validated by the ‘Sénat’

As the Assembly, the documents are discussed between the different political parties present in the ‘Sénat’. What is really interesting in the case of the ‘Sénat’ is that the political forces in presence are really different from the Assembly. The most important thing to understand about the ‘Sénat’ and the ‘Assemblée Nationale’ is that even if both of the institutions have different political forces in places into the hemicycles, when a law is published and validated it means that both institutions have found a deal. The detail of the different laws that will be analyzed will be partially explained later in this chapter. The objective will be to present the different laws and what they do have in common and how the complete each other.

ANSSI:

ANSSI is another of the essential actors of this thesis as it has a direct implication in the subject. It is important to focus on the mission of ANSSI with the ‘Cyber-security objective’ (ANSSI, 2014) paper edited in 2014 by the organization. This document is the most important one as it is representing the objectives that have been given to ANSSI. To complete this document the evolution of ANSSI will be analyzed and the declaration of M. Poupard as well (Poupard, 2015). He is the head-manager of ANSSI and he has identify how ANSSI is impacting the subject: “ANSSI is part of this community [...] it supports the development of digital, we are not there to curb this digital development, we are here to support, to continue to make it possible, for the perpetuate, to ensure that the digital is not a flash of fire that falls under these attacks” (Ibid). Finally, this section will be crossed with the other important materials to show that all the different actors are working separately but with the same goal.

Speeches

The government is a major actor of this research. Its actions are observed by many people that are waiting from it to take good measures and concrete actions to solve the Nation problems. The creation in 2008 of the ‘livre Blanc’ ant its evolution in 2013 are essentials documents relation to the French National security and therefore the Cyber-security (Premier Ministre, 2009). This ‘book’ is a group of decisions and measures that the different governments have chosen to secure the Nation. It concerns many aspects of the French security, by making these different decisions evolve in 2013 it has shown that the French government was aware that the situation, and the questions of security was evolving fast and that actions need to be make as fast.

Then, following the ‘Livre Blanc’, there are all the speeches made by different main French political actors. Effectively, in every state, certain persons make the political power, and the only way to be alert of what they think or will do is by these types of communication.

So, in the analysis chapter there will be a big section concerning seven different speeches made on a period of four years, between 2014 and 2018. Important head of both governments present during this period has done all these speeches. It will be really useful to see the evolution of mentality and even if the political wing is not the same, can the vision on security be constant.

Discourse Analysis

In the following section, the presentation of the different process of the discourse analysis will be presented. To do so, laws made by both ‘Assemblée Nationale’ and ‘Sénat’, and seven discourses made by different important representatives of the different governments between 2014 and 2018. During this period, it is essential to know that two governments have took place, first a left-wing government lead by President François Hollande between 2012 and 2017 and secondly a center-right government lead by President Emmanuel Macron Since

Firstly, the two laws have been selected because they are directly concerning the decision of France to improve its performance in cyber-security, and furthermore because they are made in two different years, and in two different institutions. The two laws first in 2013 and second in 2018 shows that France has a real will to develop its defense in matters of cyber-security. Both laws have been selected because of their importance in the politics of France in cyber-security, they represent the decision that France has made to create a real cyber-security, or the best as possible, for its institutions and citizens. These laws are essential for this analysis as they represent the legislative power of France and how it is possible to concretely act on France’s citizens and institutions. Both of these laws are essential for this thesis as they are completing all the different speeches that will be analyzed. They represent the basis of the analysis as they envelop all the different discourse analyzed above, and therefore show that the evolution asked by the different political leaders are effectively happening.

Following the analysis of the different laws made by the two most important French institutions, an analysis of different speeches made by some of the most important French political leaders between 2013 and 2018. Therefore, the speeches of: Jean-Marc Ayrault in 2013, Manuel Valls in 2014, François Hollande in 2016, the Secretary to minister of defense in 2016, and finally Gérard Collomb in 2018; have been selected. All these different speeches are of course concerning the cyber-defense of France, but they are also interesting for different reasons. First, it is interesting to see the evolution of mind and ideas for political leaders concerning the cyber-defense for five years. Then, all these different speeches made by these persons have been selected has they represent the vision of France concerning the subject and how France is planning to answer the growing threat that cyber-space is representing. All these different discourses are linked to each other as they are all concerning the same subject but also because they represent the evolution of vision concerning the subject. It can be interesting to see how all the different persons cited above are using the past speeches and visions to construct their vision and make the situation evolved.

It is relevant for the analysis to do so as it will be useful to see the evolution of cyber-defense in France and therefore link it to the two different laws cited above as one has been made before these speeches, the other after. With all these speeches it will be interesting to see if the speeches have influenced the laws, and all the process of creation of laws.

So, to do the discourse analysis will be split in two parts, first the one concerning the two laws, and then another part concerning the speeches. In each of the section, it will be made chronologically, thus, it will be easier to see the evolution and similarities between the different texts. All these different data are linked to each other in a certain way, but it is also possible to see that they are influenced by different events and evolutions of the society.

The selection of all the documents and the discourse analysis that have been cited overhead will be useful to understand and help to find an answer to the research question of this thesis.

Coding

In this chapter, there will be a presentation of the coding process and how the research has been processed with the different types of documents. By coding all the different documents that have been added to this research, the goal is to find similar ideas and objectives. It will be an easy way to show that France no matter the government is following the same idea and goal for security and that it is responding to the current threat.

To present the process, the following table is a sample of different documents (laws, speeches, ANSSI’s documents).

Title Speaker(s) When Topic(s) Message(s) Code

L a w n°2013-1168 A s s e m b l é e Nationale/Sénat 2013 S e c u r i t y a n d cyber security Prevent and punish the cyber-crime L a w , Threats, C y b e r -c r i m e , punishment

Text n°104 A s s e m b l é e Nationale/Sénat 2018 Security, cyber security Follow the first laws concerning security and develop the m i s s i n g points Law, Punishment, Anticipation Déclaration de M. François Hollande, Président de la République, sur la coopération franco-indienne dans la lutte contre le terrorisme et dans le domaine technologique, à Delhi le 25 janvier 2016. F r a n ç o i s H o l l a n d e (Former French P r e s i d e n t 2012/2017) 2016 C o - o p e r a t i o n between France and the other s t a t e s f o r increasing its security Proposing a c o -o p e r a t i -o n b e t w e e n d i f f e r e n t s t a t e s a l l concerned b y t h e c y b e r -security and c y b e r -terrorism in o r d e r t o fight it as b e s t a s possible C y b e r -Security, Future, C y b e r -crime, C y b e r -terrorisme, co-operation

Conclusion

All the processes of research design presented above will help analyzing as best as possible the different available documents. With the different process cited above the plan is to find out the position of France concerning cyber-security and how it plans to continue the fight for security. In the following chapter, all the things that have been said will be put into practice to offer the best analysis as possible and therefore make a result an provide an answer to this thesis.

Discours du ministre au Forum international de la Cybersécurité Gérard Collomb (Minister of the Interior)

2018 Lessons from the p a s t a n d acknowledgment for the future of cyber-security. Analysis of the past of France in the sector of c y b e r -security and presenting the plan for the future. ANSSI, France, EU, C y b e r -Security, C y b e r -t h r e a -t s , c y b e r -terrorism

Chapter 4. Analysis and Result

Introduction

This chapter will present an analysis of the different documents that have been chose. By looking to them, the goal will be to offer the best analysis as possible and to offer the results wanted for finding an answer to the research question(s). This chapter will then be split into three different sections each one analyzing one type of document. The first part will be analyzing different laws and decisions that have been made by France over the last few years in order to preserve the sovereignty of France and its security. Secondly, there will be an analysis of different political discourses made by some of the leaders of France between 2014 and 2018. This part aim to find out what has been similar and how the political leaders have used theories cited above to support their actions and decisions. Moreover, it will help to identify if the vision of France on cyber-security is a good one and if something needs to be change. 


Finally, the last section of this part will present the different the history of ANSSI and some documents that are explaining it in order to understand why ANSSI has been created and how it is representing a possible success of France when looking at its cyber-security.

This chapter will offer the possibility to give the best response as possible to the research question.

Laws and decisions

In this section, there will be a presentation of different laws and decisions made by the different French governments that will show similarities and concrete actions made by France to fight cyber-criminality.

The idea is to show that France is present in the cyber-space since many years and that even if the governments are changing, the wish to increase the high security standards still present.

In 2013, the French assembly adopted an important law concerning cyber-security. On the 18th _{December 2013, chapter III, article 14 of the law n°2013-1168 stipulate that:}