Opening conference - "Let’s anticipate to no longer endure"

This conference was led by Guillaume Poupard, Director General of the French National Cybersecurity Agency (ANSSI). He presents the authority’s new working method to anticipate cybersecurity risks.

(*video in French)

Review of the conference

Why does cybersecurity require collective anticipation?

Security is at the heart of the issues facing French society today. ANSSI is tasked with finding solutions in a complex world where some authoritarian states are increasingly making themselves heard, and where certain of the largest nations and organisations are engaging in an aggressive and bellicose game of one-upmanship.

Digital security is a global and complex topic related directly to digital development and the digital transition. French structures and organisations need to be able to protect themselves against others that are more aggressive, more competent and more dangerous.

That is why cybersecurity has to go hand in hand with collective anticipation. While we need to be able to react to and deal with crises, prevention is paramount. The bulk of digital security is upstream of critical situations.

ANSSI wants to include cybersecurity in risk management and return to the fundamentals of risk analysis. This must involve not only experts, but also decision makers and business managers who are facing digital security issues, despite lacking the necessary expertise.

What is the EBIOS Risk Manager method?

The EBIOS Risk Manager method assists organisations in targeting and understanding the cybersecurity risks they are exposed to. It helps them identify digital security measures they can take against these threats.

This new approach doesn’t try to anticipate all risks and all angles of attack, because that is simply not possible. Instead, it combines the cornerstones of compliance (basic hygiene rules and standards) and attack scenarios, by involving the people who know information systems, and the business units that do not. The anticipation method is based on the following points:

  • The role of regulations: The transposition of the Network and Information Security (NIS) directive was completed on 29 September 2018. This reference text establishes the security rules that apply to operators of essential services. It includes 23 digital security rules and establishes application deadlines ranging from a few months to three years.
  • In the field of cybersecurity, anticipation includes products, services, service providers and an industry of excellence. While some digital security rules are the responsibility of institutions, others depend on expertise, skills and elements that require preparation. The French government needs to identify trusted and competent partners. Today, there are about one hundred trusted companies and 500 products and services.
  • EBIOS is setting up a service provider qualification process, and awarding labels establishing a certain level of quality and competence. ANSSI is about to create a new repository of secure administration and maintenance providers in order to establish a relationship of trust with service providers that have highly privileged access to their clients’ networks and that are capable of avoiding being the primary target of attackers.
  • Basically, there is no such thing as perfect digital security. So, security has to be generated at the right level, based on a good risk analysis and by rapidly detecting anomalies. This is one of the priorities that ANSSI aims to meet in 2019.
  • Expecting the worst doesn't mean it will happen. In fact, the opposite is true. It is essential to prepare for a crisis in technical, organisational, resource and communication terms.
  • Cybersecurity requires teamwork. ANSSI promotes sharing and openness through the open source approach. Recently, it published version 4 of the source code for its CLIP OS secure operating system. It is hoping for major open source collaborative work in version 5 so that a high-quality operating system can be developed.

And so, anticipation requires the awareness of all players, and especially small players (SMEs and citizens) and non-experts. ANSSI has put in place an open approach with the public administration and the private sector to raise the awareness of everyday victims and offer concrete solutions.

Speaker: Guillaume Poupard, Director General, ANSSI