PARIS – A clear and rising danger of large scale digital attacks called for broad international cooperation and observance of the rule of law, with a special role for IT companies such as Microsoft and Huawei, said Guillaume Poupard, director general of the French national cybersecurity agency, ANSSI.
The digital world is moving fast and the leading security concern is that unnamed states or terrorist groups are probing critical systems such as transport, energy and telecommunications, to be able one day to crash networks and leave a nation in distress, he said.
"This digital world, which is developing, is very fragile," Poupard told FifthDomain. "If we consider the digital world only as a place of combat, then obviously we will all fight each other.
"The large majority of actors want to avoid that," he said. "If we want stability, if we want to regulate all that, we have to get the states to get together, all the states. We cannot do that with just a few Western states – that would not work. We have to talk to the Americans, Russians and Chinese. It is absolutely indispensable."
Poupard was speaking on the sidelines at the start a two-day conference on building international peace and security in the digital society held at Unesco.
Louis Gautier, France's secretary general for defense and national security, organized the international conference, which gathered speakers from Huawei of China, Information Security Institute of Russia, and Microsoft. That high-level gathering is intended to boost cooperation and seek a legal framework as a response to a threat of "electronic weaponization," the organizer said.
Associate professor Karine Bannelier and professor Theodore Christakis of Grenoble University were keynote speakers, exploring the application of international law, a key aspect to countering the cyberattack threat.
Facebook, Google, Huawai and Microsoft have a vital role in international cooperation, Poupard said. The digital companies, along with governments, should talk to institutions such as the UN and Nato.
The real question was how to apply international law to these actors, both in the public and private sector, he said. "That is the aim of the conference."
Potential consequences of a cyberattack could be seen in 2015 with the crashing of all 12 television channels of TV5 Monde, an overseas broadcaster, he said.
That hacking and crashing was seen as "hitting the French image in the world," he said, as there is a large worldwide audience. There were claims of responsibility from Islamic groups but these were not credible and it was unclear what the motive might have been.
"Maybe the signal was, 'I am capable of destroying a media company,'" he said. That amounts to a capability to block a system and provoke a catastrophe.
A key role of ANSII and its 500 engineers is to track and block the intrusion into computer networks of critical sectors, but the government cannot put a data shield over the whole economy, he said.
It is up to the private sector, namely IT companies and commercial companies, to conduct security audits, equip themselves with protective programs and notify the agency when they detected hacking attempts.
Airbus and Thales are among French companies that offer cyber protection products, which ANSII evaluates and certifies, he said. The market is growing and the agency seeks to encourage sales.
The agency can stop an attack but perhaps the intent of the hacker was now not to steal information but to understand a system, perhaps to prepare for a future combat, he said.
The defense minister, Jean-Yves Le Drian, in December pledged to increase a capability to counterattack in computer networks, when he was visiting the ministry's cybersecurity center in Rennes, northern France. That capacity was in the 2008 and 2013 defense white papers, but has grabbed greater attention in the wake of recent events, notably the computer hacking in the U.S. presidential election.
Under the French approach, the role of intelligence gathering and digital counter-attack is assigned to the defense ministry and the task of cyber protection to ANSII, which reports to the prime minister's office. "We are not a classic model," Poupard said.
That split of defense and civil missions differs from the approach of the U.K. Government Communications Headquarters and U.S. National Security Agency, he said.
"It is difficult to do attack and defense," he said. "It is not the same trade." There is common expertise but "to have the same mission in one's head is rather complicated."
ANSII, which reports to the secretary general for defense and national security, works closely with the French intelligence agencies and the ministries, each of which has its cybersecurity engineers.
The French Air Force, Army, Navy and Space command each has its own cyber team and they work closely together, he said. There is a move toward setting up a centralized command, but the creation of that fourth service has yet to occur, he said.
For now, the cyber intrusions are highly discreet, with time to respond and there is no major impact, he said. The fear is that one day a state or terrorist group might stage a cyberattack that shut down transport, telecommunications and electricity. That may not be a military threat but could pose a national security threat.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
