French Cyber Security and Defence: Strategy, Policy-Making and Coordination

Abstract

From Ministries to national agencies and cyber commands, the amount of public institutions involved in cyber security and defence matters is multiplying in most states, in a trend that reflects the pervasive nature of the domain. France is no exception, and it has in a few years conceptualized and adopted a comprehensive framework involving dozens of institutions and policy documents. Who does what? How are decisions made? How can we make sense of it all? The foundational work of Allison and Zelikow (1999) on decision-making adopts, for a specific set of events, three distinct models analysing respectively the state as a rational entity, its institutions, and their decision and policy processes. Applying these models to the current apparatus of the French government, the paper seeks to provide a preliminary toolkit for future case-studies. Although incomplete and imperfect, it would provide scholars, practitioners or journalists with a better understanding of: 1) the current French cyber security and defence apparatus and its funding political principles, 2) how policy-making in this area happens in practice, and 3) why policy decisions in that domain were taken. To do so, we combine an extensive review of the literature with a series of interviews with senior officials.