The Pegasus Affair: Shaping a French Approach to Cyber Combat

09/22/2021
By Bernard Barbier, Edouard Guillaud and Jean-Louis Gergorin

These days, France and more generally Europe are targeted by massive cyber aggressions. Some of these attacks fall into the category of cyber espionage, including exploits using Pegasus, a spyware sold by the Israeli company NSO and used outside its legal scope, and the cyber theft of technologies, for example by the APT31 organization (Advanced Persistent Threat, a permanent group of hackers, more often than not hired by national governments, as has recently been the case with China); other attacks rely on cyber coercion, namely ransomware attacks launched by cybercriminals enjoying some sort of impunity in Russia.

The Pegasus affair perfectly pinpoints Europe’s weaknesses. This sophisticated application allows its users to “actively” tap into communications made with consumer market phones by injecting malware which exploits an unknown vulnerability of the Apple (iOS) and Google (Android) operating systems. Systems like Pegasus therefore “bypass” the now widespread smartphone messaging app encryption technologies, like those on which WhatsApp or Signal rely.

It became known that as early as 2015, in relation with their terror attacks, Daesh used this kind of encryption technology which makes court-ordered telephone tapping inoperative. National governments then started to develop tools which were indispensable to fight terrorism, but their purpose was quickly corrupted by some other governments so that they could be used to surveil political opponents, journalists or politicians, from France and other countries. Such a corruption of purpose is exactly what happened after Pegasus, a tool originally designed by Israel to fight terrorism, was released to the global market by NSO.

It is plain to see that, faced with this threat, many States, especially in Europe, have not developed any tool of this kind, which new waves of terror attacks may make indispensable. In this context, it is in its national and European interest for France to master this type of technology: first because it would help France detect and neutralize such tools, then because France would need to use them should a major terrorist threat make it necessary – and it would then use them only for the specific purpose of countering this threat, in a strict legal framework.

THE PILLAGING OF OUR INDUSTRIAL SECRETS

It is also essential that the European Union should react to one of the revealing aspects of the Pegasus affair: the Israeli government has unofficially revealed that it has forced NSO to block any use of its software against phone numbers using the +1 (United States) international prefix; some specialized forums also suggest that the same clemency could apply to +7 (Russia) and +86 (China) numbers. Citizens of the world’s top superpower, as well as those of its two authoritarian challengers with considerable cyber warfare capacity, would then be protected from Pegasus.

The European Union should react immediately and compel the Israeli government to force NSO to block any use of Pegasus against European mobile phones, except when ordered by courts of law of a member State. Europe should also pass a directive to widen the scope of GDPR [General Data Protection Regulation] so that it takes into account any tapping of a European mobile phone not authorized by courts of law, with heavy financial penalties for the perpetrators or their accomplices.

Guillaume Poupard, General Director of Anssi [Agence nationale de la sécurité des systèmes d’information, the French national agency for the security of information systems], significantly raised an alarm on Wednesday, July 21st, when he implicitly mentioned the country responsible for APT31: China. What’s going on here is a serious espionage campaign against French companies for the purpose of pillaging our industrial secrets.

Our country, and even more importantly Europe, must react very firmly against this massive espionage campaign, accept the notion of balance of power, and finally dare to retaliate, and by doing more than going at Huawei, a symbolic and so convenient target.

In the nine weeks preceding the Pegasus affair, the world had already witnessed a bewildering series of news related to cyber: the partial paralyzing of fuel distribution in the U.S. by ransomware, Biden taking a martial stand and talking about retaliation, the self-proclaimed disbandment of a first group of pirates, the FBI seizing a ransom, the Biden-Putin summit which mostly focused on cyber, a major attack against a thousand SMBs worldwide which triggered a Biden-Putin discussion, the disbandment of a second group of pirates, and finally, the temporary closure of the Russian ministry of Defence, officially because of a DDoS attack [Distributed Denial of Service, an attack aimed at disrupting or paralyzing a computer server]. And we are only mentioning news released to the general public.

At the beginning of this year, we proposed a strategic mobilization based on four principles: intelligence, protection, action against countries harboring the perpetrators and direct retaliation. Admittedly, President Macron announced on February 18 a national plan for cyber security with a €1bn budget; the U.S. President signed on May 12 an ambitious executive order. But these are national measures, and they fail to tackle the key issue: the quasi-impunity enjoyed by the engineers of these criminal attacks.

U.S. PRESSURE

On June 16, Joe Biden announced a major shift following his meeting with Vladimir Putin: sixteen types of critical infrastructures would from then on be “off limits.” Any cyber-attack against these infrastructures would trigger “cyber” retaliation. As a matter of fact, on May 14, the group of cybercriminals DarkSide admitted it had ceased all activity “under U.S. pressure”: all its sites were blocked. On June 14, U.S. courts ordered the seizure of the main part of the ransom paid by Colonial Pipeline [the firm had paid US$ 4.4bn to the pirates who had paralyzed a network of pipelines on the East Coast].

The July 3 major ransomware attack, which used a vulnerability of the Kaseya supervision software, showed how Russians could respond. This attack allowed the Russian ransomware group REvil to infect over a thousand companies worldwide. President Joe Biden raised the issue with President Putin as early as July 9, firmly asking him to put an end to the business of REvil. On July 13, all websites used by REvil suddenly disappeared. Maybe this was caused by a U.S. cyberattack, maybe they were spontaneously taken offline, or maybe the Russian State services ordered it: the fact is that the retaliation strategy undeniably starts to have a significant impact.

France and its EU partners must take this new strategic situation into account. In June, during his tour of Europe, Joe Biden made it clear that the cyber response to an attack against critical infrastructure would be taken care of by the U.S., even though the U.S. would notify its allies; i.e., the U.S. may share some intelligence with its allies, but it will not allow them to take cover under its “cyber umbrella.”

Cybercriminal groups will logically draw their conclusions from this changing context, reduce their operations against the U.S. and, as a compensation, intensify their raids against the wealthy European Union, which does not enforce any effective retaliation doctrine, even if one is being discussed – nor do its individual members. France finds itself in a situation reminiscent of that which led General De Gaulle to start the development of a national, autonomous, full-scale nuclear deterrence capacity.

Our country is today faced with a permanent, and growing, cyber guerrilla, evidenced by ransomware attacks, data breaches, surveillance exploits like the Pegasus affair, or by the prepositioning of remotely controlled malware into critical infrastructure.

ELABORATING A STRATEGIC DOCTRINE

Such actions always fall below the threshold of open warfare, as defined by the NATO treaty. States merely suffer and repair. This was the case with attacks such as the one which targeted Belgian internet provider Belnet [a public service on which many Belgian institutions rely], paralyzing several public structures including the Walloon Parliament for days, just a few hours before a planned debate on the situation of the Uyghur people, or the Russian-originated ransomware attack which greatly disrupted the Irish health system in May.

France does have the scientific, industrial and operational potential to answer the challenge of peacetime cyberspace confrontation. If France is to meet this challenge, it is indispensable to first elaborate a strategic doctrine which makes it clear that our country will retaliate, by using cyber means if necessary, against any attack on the IT systems of public or private infrastructures deemed essential, whatever the perpetrator – government or criminal organization. The implementation of this doctrine should rely on prioritized intelligence efforts so as to improve national attribution capacities, as was successfully done in the field of space observation.

This will complement the national plan for improving cyber security with the development of a technological and scientific innovation program, the extent of which should be on par with those which allowed us to achieve strategic nuclear autonomy. It is no less indispensable to create a cyber coordination office, directly answering to the Head of State, who is also the Commander-in-chief of the Armed forces, in accordance with existing operational structures.

Empowered with such a doctrine and organization, relying on a resolution to effectively take action and on dedicated human and financial resources, France will be able to cooperate on an equal footing with its allies and develop specific partnerships with its partners who do not want to be the victims of cyber escalation anymore. It will also be able to entertain a more direct and respectful dialogue with the other major actors of cyber confrontation, starting with Russia and China, but also with those who harbor or use the services of these cyber-privateers: the companies selling personal surveillance software without any sort of restriction.

This article was first published in French in Le Monde on July 27, 2021. The English translation was provided by the authors and is published with their permission.

Bernard Barbier (former technical director at DGSE), Edouard Guillaud (former Chief of Staff of the French armed forces) and Jean-Louis Gergorin (former Head of policy planning at the French Ministry of Foreign Affairs).

See also:

The Permanent War in Cyberspace: Shaping an Effective Response by the Liberal Democracies