This article is a follow-up to “European Cyberdefense, a matter of sovereignty (part 1)”.
Cyber opens the way to a new theater of war, giving the attacker a decisive advantage. The subject will be dealt with in three parts, first by assessing the threat, then by proposing responses, at French level, and finally at European level.
THE THREAT
In 2017, the ANSSI, historically more focused on the upper end of the spectrum, observed attack campaigns with strategic, systemic effects, through the dissemination of destructive code, that is, for sabotage. It also observed attacks targeting subcontractors, the weakest link in a supply chain, in order to reach the better-protected major end user, the key account. Finally, it observed cyber attacks aimed at destabilizing certain democratic processes.
In 2018, attacks became stealthier, seeking to anonymize the modus operandi by using public tools.
In 2019, the trends observed over the last two years have increased, with the rise of “ransomware” in particular, less massive attacks, more targeted at large players, capable of paying the ransom (for example, the high-profile one on the M6 group).
In 2020, the agency faced the generalization of ransomware, but also the return of strategic attacks targeting major players, with data exfiltration before encryption, whose aim is not only lucrative but sometimes also economic and political.
The manipulation of information, in the context of elections for example, is becoming a structuring trend, but is not followed by the agency, which deals with cyber technology.
We need a global vision. In 2013, the Russian CEMA (Chief of the General Staff) put it very well: the use of non-military means to achieve strategic and political goals would increase and surpass the effectiveness of weapons. This is what is happening in the digital and cyber fields, where the situation is deteriorating.
A major threat is that of “cyber-corsairs”, young “geek hackers” who are more effective than if they were acting as public servants. One example is a Russian crook, a Putin protégé. These privateers are protected and return the favor when necessary. Iran also does this. This “Ransomware plus” hides espionage. Why attack a hospital if not to put pressure on a country? This is cyber-coercion. And it’s up to governments to react.
Cyber is also a tool for disinformation and influence, as in the case of the hacking of Mrs. Clinton’s e-mail account. Many companies, with the exception of those classified as “Opérateurs d’Importance Vitale” (OIV – Operators of Vital Importance), have a very low level of security, in particular due to the poor integration of subsidiaries from all over the world. The security level is that of the weakest link. There is no State/Industry ecosystem, as was the case for PALANTIR in the USA. The DGSE’s priority is to fight terrorism, not to transfer its tools to the DGSI or to industry. The good surprise is that a reaction is getting underway.
In industrial terms, if we take the example of EDF (168,000 employees, 60 billion in sales, 900 subsidiaries, one million connected objects excluding Linky), it’s a very vast perimeter to manage. EDF has regulatory contracts to protect its information systems. The company is also subject to the directive on the protection of scientific and technical heritage. It is also subject to extraterritorial laws, both in the USA and in Asia. The threat affects not only workstations and servers, but also industrial machines. Naturally, EDF pays a great deal of attention to all aspects of nuclear safety, nuclear power being a major source of electricity in France. But it also faces attacks from anti-nuclear activists. EDF is up against states that have no qualms about attacking it. Iran and Russia are very active. Between 2019 and 2020, the number of security breaches doubled. Those who demand ransom steal data before encrypting it, and one wonders what they do with the information gathered (e.g. prison plans in the case of the Bouygues hack).
EDF counts 1,200 incidents per year, with 130 to 600 threats detected per month. Fifty vulnerabilities require an urgent response, and a hundred or so major incidents take place per year, such as the foiled attack on SOPRA, where the attacker managed to penetrate the information system and it took 15 days of round-the-clock work to resolve the problem. EDF is trying to be a cyber leader in the energy sector, and is on the board of ECSO (European Cyber Security Organisation). There are regulatory initiatives that have an impact at European level.
RESPONSES IN FRANCE
Cyber is a powerful tool. An agency cannot respond alone, but must work interministerially within the framework of public policies. The State must ensure that Operators of Vital Importance (OIV) have the means and skills to deal with attacks.
The first lever is regulatory, to protect critical activities and infrastructures, for example in terms of the reference frameworks to be applied, or the certification schemes to be followed.
The second lever is cultural: although things are improving, decision-makers are still not sufficiently aware of the effects of attacks. Cyber security is seen as a constraint, not as protection. Unfortunately, companies often understand this too late, after an attack.
The third axis is defense, which requires a better understanding of the threat, detection systems, security incident response systems and crisis management practices. At the end of the day, when it comes to cyber issues, we have to deal with “zeros and ones”, and make sure that individual practices don’t endanger the whole system.
In terms of tools and organization, “defense alone is not the best defense”.
For tools, we need to create ecosystems like the one CEA LETI (nanotechnology laboratory) in Grenoble has built around more than 60 startups, with success stories such as SOITEC. Yes, France knows how to create innovative startups.
But there is no European cyber tool, and major customers don’t want one. In what we call “bastioning”, i.e. the protection of privileged accounts, there is WALLIX, but major customers more often want CyberArk. The question is to understand why WALLIX hasn’t managed to establish itself in the major European groups.
The state services, ANSSI and DGSE, Comcyber, have a good cyber level and develop excellent tools, which are unfortunately not transferred to industry. A very large defense company was approached for this purpose, to ensure its leadership, and replied that there was no market, and that it therefore did not want to invest in this transfer mission. The USA has a remarkable industrial vision. France failed to understand this in 2008 – 2009. The problem is to transform a concept into a product that can be used by industry, and therefore sold. It’s a complex business.
The Israelis are very good at creating “unicorns”. This is not the core business of Orange or Thales, where cybersecurity is marginal. We need “pure players”, companies whose core business is cybersecurity. Our engineers are very good at it. At government level, we are on an equal footing with the USA, and at this level French tools are recognized. We need a highly innovative research campus. We have a lot of startups that are only French; that can’t work. The world-class examples of ALSID and TEHTRIS are remarkable; their founders came from ANSSI or DGSE.
Our sovereignty depends on innovation.
We don’t need to remake PALANTIR (that’s a thing of the past), but PALANTIR++, with artificial intelligence. We need to export these tools to the USA so that our companies can grow. The American market is fundamental.
In terms of organization, we need to create a national cyber force like the British, with a GCHQ, an MI6, and so on. Cyber is an area where we no longer need a separation between civilians and military, or between the armed services. We don’t need a cyber army just for armed conflicts. We are not attacked by an army, but by political will. We need to bring all the players together. The Americans understood this when they reformed the NSA. In France, we need to bring together the defense section of the ANSSI (COSI), ComCyber, part of the DGSE’s Technical Directorate (DT), the human intelligence section of the Military Intelligence Directorate (DRM), and the Gendarmerie. The Gendarmerie recently simulated an offensive cyber attack, which is commendable, but it was not coordinated with other administrations.
Our organization dates back to 2009, and we need to rethink it. Just defending is not enough. It’s a Maginot Line that can be circumvented. Western Europe must take extreme measures, i.e. counter-attack, to avoid becoming a “soft underbelly”. Our adversaries are not going to attack the USA or the British because they know that there will be an immediate reaction that will destroy them.
The influence of lobbies is considerable. The Defense Cyber Campus in Rennes and the planned Campus Cyber in Bordeaux are a relevant strategic response. Rather than Paris, we should concentrate our resources in Rennes, around major state players such as Comcyber, the DGSE’s DT, a large, multi-disciplinary university, an industrial zone and conference facilities. It would be a complete ecosystem, like in Israel. But half the major players in the cyber sector are based in the Paris region and are calling for the center to be built in La Défense, which is not incompatible with the possibility of setting up in the provinces.
Continued in “European cyberdefense, a sovereignty issue (part 3)”.
Article taken from the EuroDéfense-France / Association Minerve videoconference
With the participation of:
- Oliver Ligneul, Director of Cybersecurity, EDF Group
- Bernard Barbier, CEO of BBcyber
- Marc-Antoine Brillant, Deputy Director Strategy, ANSSI
- Thierry Leblond, IGA (2s), Chairman of Scille, Board member of EuroDéfense-France
