DEFNET: immersed in the annual cyber defense exercise of the Ministry of the Armed Forces



From March 14 to 25, 2022, all branches of the French armed forces took part in the annual cyber defense exercise DEFNET. Digital traveled to Rennes, the nerve center of this unique exercise.

As soon as we arrived under the Breton sun in the Margueritte district of Rennes, the tone was set. The journalists present were asked not to put impromptu questions during the visit, not to take photos or shoot video while moving around the military compound, and above all not to ask questions relating to Ukraine and Russia. Yet the ninth edition of the joint cyber defense exercise DEFNET seems, in many respects, to refer directly to the specifics of the war in Ukraine.

The exercise, which takes place from March 14 to 25, 2022 on several military sites in France (Paris, Satory, Rennes, Brest, Mont-de-Marsan, Istres, Toulon and Hyères), puts every branch of the French armed forces on alert against the problems caused by cyberattacks. The scenario chosen for training the armed forces and their cyber defense systems is intriguing. Imagine that the Olympic Games have just started in France, and that a country expelled from the global event, which has already annexed a province of a neighboring country, threatens to invade that neighbor completely. Any resemblance to recent events is of course coincidental… And it’s not as if Paris were to host the Olympics in 2024 and Russia annexed Crimea in 2014 before invading Ukraine in February 2022.

A battle between three poles

In Rennes, this fictitious cyberwar is being played out between three major poles. The game master is the animation directorate. It wrote the exercise scenario and is therefore responsible for triggering a succession of incidents over around ten days. It is within this center that the decisions are taken to test the resilience and reaction capacities of the French armed forces under high pressure. To make the simulation as close as possible to reality, a fake social network, similar to Twitter, was created for the occasion. This adds an informational dimension to the exercise. The cyber struggle for influence is indeed a critical aspect of 21st-century conflicts, as currently illustrated by the war in Ukraine, where disinformation and propaganda are constant.

As soon as the attacks are launched by the animation directorate, it is up to the SOC (Security Operations Center), which supervises the networks and systems simulated during the exercise, to raise the alert. In this context, this division strives to detect illegitimate DNS requests. If it turns out that an incident is indeed in progress, it has the heavy responsibility of warning the chain of command and providing it with solutions to put an end to the threat.

It is then up to the cyber defense operations center to come into action. Its role is critical, since it must “characterize the incident, organize the response and resolve the incident”. To achieve this, it seeks in particular to link certain incidents together to better understand the threat, and thus to respond as quickly and in as coordinated a way as possible. To that end, the operations center can rely on liaison officers from each branch of the French armed forces, since the knowledge specific to their profession is invaluable for organizing the response to an attack. In real life, the cyber defense operations center is based in Balard, at the Paris headquarters of the Ministry of the Armed Forces. But for the purposes of the exercise, it is located in Rennes.

The cyber defense operations center as part of the exercise

Rennes, bastion of French cyber defense

In the exercise, this explosive fictitious conflict took the form, in particular, of a frigate attacked via a USB key connected to a “white station” (a workstation dedicated to scanning removable media). The incident made it possible to affect the frigate’s weapon systems, so the French Navy had to work hand in hand with ComCyber to regain control of the situation. Beyond the cyber aspect, DEFNET is a golden opportunity to test how well the various components of the French armed forces work together. Although it is an exercise, almost all the incidents are actually triggered, and when this is not possible, simulations are carried out to operate certain types of weapons, in particular with the help of manufacturers who are part of the exercise.

For the exercise, 200 cyber combatants and nearly a thousand soldiers in all, as well as students from twelve schools, were mobilized for ten days. Although the exercise takes place throughout France, it is piloted from Rennes. And for good reason: since 2017 the Breton city has hosted ComCyber, the Cyber Defense Command, which brings together the cyber activities of the French armed forces. Today, a total of 2,500 people work in the cyber center of the French armed forces, including a thousand in Rennes. This figure is expected to double by 2025.

General Thierry Burkhard, Chief of Staff of the Armed Forces, in the Margueritte district in Rennes.

Ten months of preparation

These cyber combatants, as well as the soldiers of the other French armed forces, are under strong pressure during DEFNET. With 24 hours to go before the end of the exercise, no fewer than 25 incidents had been detected, but the animation directorate, a kind of control tower for the exercise with the power to trigger the incidents, probably still had a few surprises up its sleeve to end this 2022 edition with a flourish. Ten months of preparation were needed to test the military's ability to respond to cyberattacks.

Although the scenario was established six months before the start of the exercise, it is difficult not to imagine that some topical elements could have been added at the last minute after the Russian invasion of Ukraine, when only 2,200 km separate Paris and Kyiv. It is no coincidence that the next DEFNET will be integrated in 2023 into Orion, a large-scale military exercise that will involve the three branches of the armed forces (land, air and navy). Objective: to simulate a high-intensity conflict. In the meantime, Army General Thierry Burkhard, Chief of the Defense Staff, recalled the three priorities of the French armed forces in cyber defense: “Anticipate, detect, react”.


