Destabilization of democracies, cyber-attacks on our companies, exploitation of sensitive personal data and, at the extreme end of the spectrum, war in cyberspace: the digital environment is undergoing a revolution.
At the same time, the digital transformation of organizations is gathering pace, against a backdrop of physical distancing amplified by the Covid health crisis. While examples show that the political will at national level is not yet there, concrete, hopeful European projects are just waiting to be encouraged.
European digital sovereignty can only be achieved through strong political will, which is the only possible response to the exponential growth in multi-faceted cyber threats.
European digital sovereignty, control of sensitive data and cybersecurity are first and foremost a question of political will.
The threats to European sovereignty are fourfold:
1. Information operations (information ops (1) ) against democratic and European values .
Europe is open and transparent, since freedom of expression is protected by article 10 of the European Convention on Human Rights. This gives an advantage to those who use Big Data technologies (2) and social networks to destabilize our institutions through subversion and disinformation. There is no shortage of examples of large-scale manipulation or information warfare: the "Cambridge Analytica" scandal surrounding the American election is just one revealing example of this phenomenon, from which France is obviously not immune.
2. Cyber threats to strategic infrastructures and activities.
IT tools of foreign origin, whether software (OS, IaaS, PaaS, SaaS, etc.) or hardware (hardware, software, etc.). (3) ) or terminals (smartphones, PCs), are widely distributed throughout the European Union, particularly within administrations, government agencies and critical infrastructures.
They are largely controlled by multinational or foreign digital empires, which are generally reluctant to be transparent, and some of which are notoriously harmful in terms of destabilization or espionage: these are further threats to the data and strategic activities of European institutions and economic players. The latter are subject to export controls or extraterritoriality laws that threaten the security of our vital systems, our confidential data, and the peace of mind of our fellow citizens.
3. Collection of citizens' personal data and spying on company data
The General Data Protection Regulation (RGPD) and the Network Security Directive (NIS) of July 6, 2016 represent a significant and indisputable legal step forward in resolving the data confidentiality problems of certain critical national infrastructures. They have clearly attracted the attention of political players and information industries outside Europe's borders. The RGPD has even become a vector for profound cultural change within organizations, which will make data a genuine "collective asset" in relation to which everyone will feel invested and accountable at their own level, if only at the level of their terminal(s); this also constitutes, as we shall see, a factor in the sound management of cloud projects (4) and Big Data.
At the same time, GAFAM (5) are facing massive leaks of personal data, the Patriot Act allows US government security agencies to obtain information as part of an investigation into acts of terrorism, and the Cloud Act of March 23, 2018, a political rejoinder to the RGPD, allows, "in the context of judicial investigations" rapid access to data by going directly to cloud computing providers rather than through a request for mutual legal assistance treaties (MLAT).
National and a fortiori European digital sovereignty remains a myth today, even if the RGPD is a world first in terms of regulation. However, the European Court of Justice's "Schrems 2" ruling on July 16, 2020 invalidated the international "Privacy Shield" agreement allowing the transfer of European citizens' data to the USA, thus sending out a strong signal of a desire for European sovereignty.
4. Cyber: the permanent war
Unveiled on December 5, 2018 in Paris, Jean-Louis Gergorin and Léo Isaac-Dognin's book, "Cyber - La guerre permanente", presents digital as a strategic revolution in the history of offensive means. Cyber" becomes a second alternative means, after war, of "continuing politics by other means", to refer to Clausewitz.
The offensive use of cyberspace can take place at :
- From the "physical and hardware" to the "logic and application" layers: cyber-espionage, cyber-sabotage (Stuxnet attack on Iran's uranium enrichment centrifuges), cyber-intimidation (non-sabotage intrusion into the control systems of numerous US power generation and distribution facilities);
- Semantic and cognitive" layers: informational attacks digitally disseminate or manipulate information; publication of hacked e-mails concerning Hillary Clinton, spying by our allies in the European Union, Chancellor Angela Merkel or the Élysée Palace.
Cyber is a new theater of war. It gives a decisive advantage to the attacker, who can use economical, dissymmetrical and stealthy means (it is impossible to find the source of an attack, which raises the question of the nature of the military response to an aggression of this type).
This book proposes concrete responses to these challenges, including the creation of an international cybersecurity agency and the regulation of anonymity on social networks.
In this context, the social and digital working environment is undergoing a revolution, characterized by :
- An irreversible process of digital transformation and physical distancing
The Covid19 health crisis has accelerated the process of digital transformation of organizations, initiated by the advent of the Cloud and mobility tools. The physical distance brutally imposed is profoundly and durably changing the way work is organized.
Telecommuting, favored by the younger generations, is becoming the norm, while the open-plan office, or even the office building, is the exception. The personal physical workstation ("Bring Your Own Devices" or BYOD) becomes the default tool for accessing company IT, and the old business desktop joins the typewriter in the museum of tools of the past.
Internet access is becoming the norm, while intranets and private networks are becoming mobility handicaps. What's more, with 5G and the Public Cloud, the internet is becoming a giant corporate network. Data circulates in clear text and can be accessed and manipulated by anyone: governments, hackers, etc. The Internet is becoming a playground for hackers: confidentiality and integrity are the new challenges for data sharing.
Public clouds and low-cost SaaS applications are becoming the norm, thanks to their agility and scalability, on condition that the security of exchanged data is kept under control, as mobile adaptation situations are becoming less and less predictable. Proprietary or dedicated infrastructures will become the exception.
This new secure collaboration ecosystem has to do better for less, while providing ergonomics and ease of use: security must not come at the price of increased complexity, or be immediately rejected by the layperson.
This new organization of human relations via the Internet increases the scope of threats. Data security in this new ecosystem must increasingly be built on the principle of "Zero Trust" with a micro-perimetric protection approach. The RGPD further reinforces this requirement.
Extraterritoriality laws threaten the sovereignty of States and create legal uncertainty for managers. Sensitive exchanges must now take place with a "Null Trust" paradigm on potentially hostile networks and servers, and on the Public Cloud.
Finally, we don't know who we'll be working with in the future, but we need to be prepared. Exchanges of sensitive data will increasingly have to be structured like resistance networks: centralized data management will have to be banned, and groups of people and organizations will have to be compartmentalized. At the extreme, the directory becomes invisible.
- Zero Trust Security" or trusting only yourself
The security model no longer relies solely on the perimeter protection of a fortified network. Given that the threat is both inside and outside the network, and that it is present everywhere on the public cloud and at info-grids, what alternatives are available to SMEs for sharing sensitive data from any terminal with Internet access?
The concept has a name: "Zero Trust Security" or "Zero-Trust Security". It's all about minimizing exposure to third-party players such as public clouds, privileged administrators or networks, while using their services for their cost-effective benefits.
(1) Information ops: the use, combined where appropriate, of electronic warfare, computer network operations (CNO), psychological operations (PSYOP), subversion (MILDEC) and operations security (OPSEC), with the aim of influencing, disrupting, corrupting or usurping human or automated decision-making.
(2) Big Data, or mega data or massive data, refers to information resources whose characteristics in terms of volume, velocity and variety require the use of specific technologies and analytical methods to generate value.
(3) OS: operating system; IaaS: Infrastructure as a Service; PaaS: Platform as a Service; SaaS: Software as a Service.
(4) Cloud or "cloud computing" refers to access to IT services (servers, storage, networking, software) via the Internet (the "cloud") from a provider.
(5) GAFAM is the acronym for Web giants-Google, Apple, Facebook, Amazon and Microsoft-which are the five major American firms that dominate the digital market, sometimes also referred to as the Big Five.