This article follows on from European cyber defense, a sovereignty issue (part 2)
WHAT CAN BE DONE AT EUROPEAN LEVEL?
⁂ In terms of sovereignty.
European Commissioner Thierry Breton has spoken of the next decade as a digital or cyber decade. We're entering the realm of sovereignty, which is a subject that has yet to be precisely identified.
What could be the major constituents of sovereignty?
- Autonomy of assessment and action in cyberspace,
- Respect for European liberal values and the protection of our intangible assets (data protection in the EU, for example),
- Infrastructures that we consider critical, such as 5G or the cloud, for example.
We can identify four or five major issues surrounding this sovereignty:
- Balancing security and sovereignty at European level, since the most secure is not necessarily the most sovereign,
- A highly dynamic technological fabric, for example via the Campus Cyber project at La Défense, due for completion in autumn 2021, a national hub capable of attracting European companies,
- Protecting our own infrastructures (networks, telephone cables, satellites, 5G equipment),
- Defining a position vis-à-vis GAFAM.
In industrial terms, EDF, for example, takes a pragmatic approach to sovereignty. Certain processes, information and data must not be accessible to foreigners, even through extraterritorial laws.
⁂ In terms of Strategy around Public Cloud and 5G
Since the arrival of the public cloud and mobility tools 10 years ago, it has become increasingly difficult to work in a controlled perimeter environment. Unless we enclose everything in closed, watertight industrial networks, exchanges will have to take place in a climate of generalized mistrust, especially with the imminent arrival of 5G, whose aim is to connect everything. With 5G, we have complete virtualization: virtually everything is software. On top of the 5G layers, we could have developed a trusted cryptology overlay at European level. You can't control everything, but you have to control a few things. We could have issued a European invitation to tender, because we have the expertise. There have been three cloud initiatives in France: one launched by the CFS (Comité de Filière Stratégique), based on the work of CIGREF on the famous circles of trust; the second, close to the Ministry of the Armed Forces; and finally the Franco-German GAIA-X initiative, in which EDF is participating.
As far as the cloud is concerned, the EU has a good level of certification and qualification. Two systems are mature: one in France and one in Germany. We need dynamic qualification. Software systems are never static, and qualification should not be based on a "snapshot" at a given moment. We have to deal with the problem of suppliers who no longer exist in Europe or have been bought out by the US. We need European-level control over equipment.
⁂ In terms of priorities for the EU
The European NIS directive on activities of essential importance is all well and good, but the question is whether the responses are up to the challenge. We need an industrial policy to create champions. We're making progress, thanks unfortunately to COVID, but there's still a long way to go. Investment in GAIA-X amounts to 600 million euros, and Europe is also planning to spend 1.7 billion euros on cyber between 2021 and 2026. The USA, on the other hand, spends 20 billion dollars a year on the public cloud, while we are spending our resources elsewhere, for example this year 10 billion on the automotive sector, which is not a sovereign technology. We're not going to make a European cloud on the same level as the USA or China; so the challenge is to do things differently, to use these existing clouds differently, by turning them to our advantage.
Europe is an opportunity because it's the biggest market.
You need:
- regulation and recognition of product safety, to create the market,
- startups in these markets, so that they can grow,
- a willingness on the part of politicians and industrialists.
Why are there so many outside players in the European cloud: Alibaba, Google, IBM?
The diversity of the 27 Member States doesn't make the task any easier. What's needed is cooperation between a few States (France, Germany, the Netherlands, Sweden), with compromise, and the formation of a European hard core. In France, it depends on the sector: we're good at technology and skills, but not at organization or marketing. There's a strong complementarity with the Germans.
Why not create a Franco-German cyberforce by merging BSI and ANSSI?
We should also mention the Joint European Disruptive Initiative (JEDI), a kind of DARPA, a private organization in the form of an association of around forty volunteers, with only two salaried employees. It's an agency for programs on identified themes, with limited resources of its own. There are 50 innovative cyber projects in France, which should be merged into a critical mass, with a flexible, responsive organization like JEDI. We need to create a single funding window instead of 10. A good model was EUREKA, which was piloted by industry, but was very poorly received by Bercy and the European Commission, which had no decision-making power.
We'd be able to replicate Israel's TEAM 8, which has raised $800 million. For a given project, its managers bring in around fifty experts for a limited period. The Israeli government funds 50% of projects using a top-down approach. What's needed is a synergy between academics and operational experts. TEAM 8 has a lot of funds at its disposal and has just achieved 3 major successes.
There's also a Californian example that federates researchers, funds and experts: the "Y Combinator". State experts should be encouraged to launch startups by paying their salaries for 3 years. We need ideas and financial, tax and other advantages. The men have it.
Sovereign European terminal
It's a utopia. Open source is no more secure. OpenSSL was flawed for 10 years. Securing software is extremely complex. You'd need 7,000 engineers on an operating system. The same goes for components.
What's the point if they're bought out by the Americans as soon as they start up? The difficulty lies in raising the second 100 million euros, which is still very difficult in Europe. We need a European purchasing policy. There should be some kind of link between buyers and producers. It's contrary to free competition, but it would be good if we could have the facility to buy what we've invested in, but not on an ad hoc basis.
In conclusion, awareness of the threat at strategic level is still slow, sometimes too late. Responses at European level are relevant. They must be based on innovation, on the creation of ecosystems bringing together all stakeholders, around cyber campuses and cyber forces, as the Americans and the British are doing. This can't be done at 27, but around a few countries, in particular France and Germany.
Article taken from the EuroDéfense-France / Association Minerve videoconference
With the participation of:
- Olivier Ligneul, Director of Cybersecurity, EDF Group
- Bernard Barbier, CEO of BBcyber
- Marc-Antoine Brillant, Deputy Director Strategy, ANSSI
- Thierry Leblond, IGA (2s), Chairman of Scille, Board member of EuroDéfense-France