Article taken from the EuroDéfense-France / Association Minerve videoconference
With the participation of:
- Oliver Ligneul, Director of Cybersecurity, EDF Group,
- Bernard Barbier, CEO of BBcyber,
- Marc-Antoine Brillant, Deputy Director Strategy, ANSSI,
- Thierry Leblond, IGA (2s), Chairman of Scille, Board member of EuroDéfense-France
Answering the question of the sovereignty of European cyber defense means tackling 4 themes:
1) At European level, how can we protect our democratic values and guard against “PsyOps”, psychological operations designed to manipulate democracy?
The manipulation of the 2016 US elections around the “Cambridge Analytica” scandal, the unreliability of electronic voting, the rise of “deep fakes” and hatred on the internet protected by network anonymity are all questions that need to be answered. The recent sacking of Christopher Krebs, the director of the US cybersecurity agency who, in accordance with ethics, did not agree to relay the allegations of electoral fraud made without proof by President Trump, shows that the temptation of dictatorship is never far away.
2) How can we protect our country’s vital infrastructures and strategic companies from cyber attacks?
Here are a few examples:
- November 16, 2019: Rouen University Hospital, crippled by ransomware, was forced to revert to “the good old paper-and-pencil method”,
- July 27, 2020: ransomware victim Carlson Wagonlit was blocked for two days and had to pay $4.5 million in ransom to recover its data,
- On October 20, 2020, Sopra Steria, a company with 46,000 employees and sales of €4.4 billion, very quickly stopped a Ryuk ransomware attack that affected the authentication system and led to the encryption of part of its data,
- On April 12, 2012, the Élysée revealed an espionage operation formally attributed to our allies the United States,
- On December 23, 2015, a hack of industrial SCADA systems based on the “BlackEnergy” program and “KillDisk” malware caused a major power cut in the Ivano-Frankivsk region of western Ukraine.
The threat is both endogenous and exogenous to the network. Its worldwide cost is estimated at $4 billion in 2020, with annual growth of 50%.
3) How can European citizens be protected against the collection of personal and sensitive data by foreign powers? How can European companies be protected against cyber espionage?
There have been undeniable legal advances at European level in this area, such as:
- Parliament’s adoption of Regulation 2016/679, the General Data Protection Regulation (GDPR), applicable throughout Europe since May 25, 2018,
- the European Court of Justice’s invalidation of the misnamed “Privacy Shield” transatlantic agreement, which authorized the transfer of sensitive data from European citizens,
- the European Cyber Act, which created ENISA, the European cybersecurity agency,
- and the future Digital Services Act currently in preparation, which should provide a legislative framework for the information space over the next 20 years.
But despite this, France’s current political will in terms of digital sovereignty is still not there, as we can see with the “Data Health Hub” project, a one-stop shop for access to all healthcare data, entrusted to Microsoft to develop artificial intelligence applied to healthcare. Although these data belong to all French citizens and concern all the computerized systems of French healthcare players, this research project, described as being in the “public interest” – a legally vague concept – opens the door to our healthcare data and the financial power it represents to GAFAM.
4) Finally, the military subject of permanent war in cyberspace
It is the fifth medium after land, sea, air and space. Cyberspace opens the way to a new theater of war, giving the attacker a decisive advantage.
In the remainder of this article, the subject will be dealt with in three parts: firstly, by assessing the threat, then by proposing responses that can be applied at the French level, and finally by proposing responses that can be applied at the European level.
For the continuation of this article, see European cyberdefense, a sovereignty issue (part 2).
