Building French and European digital resilience is a fundamental issue of sovereignty that goes far beyond digital issues alone.
In our "Digital Resilience" thematic dossier, we offer you 6 articles to define the framework of our Digital Resilience as well as its challenges and components. Let's start with cybersecurity and supply issues.
According to the ANSSI (Agence Nationale de la Sécurité et des Systèmes d'Information), cyber attacks are the #1 threat to businesses and local authorities. The number of ransomware cases processed by the ANSSI increased 4-fold between 2019 and 2020 across a variety of sectors, although healthcare, telecommunications and local authorities stand out, accounting for 46% of attacks (source: ANSSI - Cybersecurity, facing up to the threat: the French strategy). Beyond the financial cost of ransomware, cybersecurity incidents are costly for companies even when brought under control, because they cause temporary business interruptions (at least once a month for 54% of companies - source: Splunk - État de la cybersécurité 2022).
French and European regulations: towards greater anticipation of cybersecurity risk
The NIS (Network & Information Security) Directive and its update in 2022
Europe has opted for an open, free, stable and secure cyberspace. This choice is embodied in the 2022 update of the NIS (Network & Information Security) Directive. Initially adopted in 2016, this legislation aims to ensure a substantial level of security for the networks and information systems of the critical and sensitive infrastructures of EU member countries. The expansion of the directive provides for an increase from 19 to 35 sectors of activity (source: Decree no. 2018-484). Indeed, in addition to the energy and healthcare sectors, postal, waste management, agri-food, ... sectors have been added.
The review, which will begin in 2022, will step up coercive measures to prevent cybersecurity attacks:
- setting up security audits;
- fines of 1.4 to 2% of sales for non-cooperation;
- the executive's liability.
Most of the measures, however, concern remediation, and accentuate reporting obligations and requirements in terms of vulnerability disclosure (72h) - source: Stormshield - Expert voice.
France wishes to position itself as a leading player on a European and global scale, and has defined a national cybersecurity strategy.
This proactive strategy aims to move up the vulnerability chain, from remediation to prevention and anticipatory technological solutions.
1 billion euros were allocated, of which 72% came from public funding, to:
- revitalize the industry by doubling the workforce and tripling sales by 2025;
- create 3 cybersecurity unicorns;
- spread the culture of cybersecurity;
- stimulate public-private partnerships to accelerate industrial R&D.
A global cybersecurity and data protection context in which the race for data ownership and espionage is accelerating.
In the case of the United States, the enactment of the C.L.O.U.D Act in 2018 (accelerating access to electronic information held by providers under U.S. jurisdiction in the event of an investigation for serious offenses) raises the question of dependence on U.S. technology providers, and calls for a rethink of an increasingly protectionist European framework.
The evolution of Chinese legislation also raises the question of security, in particular with regard to "Day-0" vulnerability declarations, which require companies operating on Chinese territory to declare their vulnerabilities "as soon as possible", thus encouraging the exposure of security flaws that could benefit "Chinese attackers" (source: ANSSI - Panorama de la menace informatique 2021).
The cybersecurity vulnerability chain: between technological dependence and human failure
The application development, maintenance and use cycle leaves French companies vulnerable on several levels. While numerous standards, principles and best development practices are published by ANSSI (e.g. Agilité & sécurité numériques : Méthode et outils à l'usage des équipes projets), the number of applications published every day raises fears that these recommendations may not be followed exactly.
- For example, in 2020, 90,000 mobile applications for the health sector alone were published, representing an average of 250 applications per day (source: Meditup - Les applications de santé en 2021).
- One of the causes of vulnerability lies in the development methods themselves, which can lead to serious flaws. What's more, the majority of tools used to publish applications/websites can themselves reveal vulnerabilities that expose the application (e.g. Drupal cited as a vulnerability vector by ANSSI and CISA).
Technological dependence on American leaders
As with any system, the Cloud is vulnerable to attack, and its infrastructure and security rules are dependent on (American) suppliers, sometimes beyond the vigilance of users.
While many initiatives are underway to create trusted Clouds in partnership with the public and private sectors, the majority are still linked to multinational tech giants (e.g. Bleu by Orange and Capgemini, based on Microsoft solutions, NewCo by Google and Thalès, etc. - source: Devoteam - Trusted Clouds: State of play and outlook).
Current regulations, such as SecNumCloud, aim to guarantee data integrity and non-portability, particularly when data is published on different Clouds. However, they do not ensure that systems are non-violable (source: ANSSI - Update of the SecNumCloud repository).
What's more, the leading American players (AWS, GCP, Azure) are consolidating their dominant position, with 71% market share in France, and 80% of growth captured by 2021 (AWS in the lead with 46% market share - source: Les Numériques - Cloud, panorama du marché).
This dependence is largely due to the technological and commercial lag of French and European solutions. The offerings of the 3 American giants:
- cover all business sectors and all types of company (VSEs, SMEs and large groups);
- provide turnkey solutions for the entire French economic fabric.
User vulnerability
The 3rd vulnerability link in the cybersecurity chain affects all businesses and individuals. The risk is above all human, with the human factor accounting for up to 95% of security breaches (source: Les Numériques - Cloud, panorama du marché).
In other words, 19 out of 20 security flaws are the result of poor human handling. Phishing is the main vector of cyber-malware, accounting for 1.3 million requests for assistance in 2021 to the dedicated cybermalveillance.gouv organization.
The main barriers to human error remain:
- prevention;
- pedagogy;
- cooperation between different teams within the same organization, to ensure that all employees have a good grasp of security tools and issues.
Regulation at the highest level, while raising awareness among all users
99.9% of the French economy is made up of small and medium-sized businesses, which account for 49% of employees. The use of collaborative tool suites (mostly of American origin - Google, Office) has soared in the wake of the Covid crisis (+12% to 33%) - source: Independent.io - Statistiques TPE / PME 2022.
The key challenge is to develop large-scale, low-cost awareness-raising solutions, while maintaining a nationwide mapping of essential/critical activities.
To guard against data leakage to the American giants, France and Europe should continue to apply a proactive policy of compartmentalization, while restoring a place of choice to "local" players in projects of strategic interest on a national and continental scale, and accelerating the development of their expertise to make them European and global leaders.
In a context of globalization of cybersecurity activities, security is becoming a major issue for French and European companies. However, the strong dependence on foreign (mainly American) technologies, resulting from many years of use, does not allow us to envisage 100% French legislative power, as the size of the market does not justify it.
Control therefore requires more protectionism at European level to prevent data leaks, and an industrial and efficient remediation capability at national level.