Collaborative, automated and trusted

“Our systems are becoming more complex. Attacks come from everywhere and everyone trusts no one.” So begins ITEA Vice-Chairman Philippe Letellier, who recently coorganised a cybersecurity workshop alongside Atos, Bosch, Airbus and KoçSistem. The aim of this was to understand the most pressing issues for international customers, from which new R&D projects can be generated. Given ITEA’s focus on industry over policy, French Ambassador for Digital Affairs Henri Verdier provides a government perspective on the themes which emerged.

Collaborative security

Broadly speaking, collaborative security was the main trend to emerge from the workshop. “How do you manage multiple partners who are not at the same level of security?” asks Philippe, pointing to the rise of multi-platform technologies. “In areas like sustainable energy, there are now thousands of producers and even more users. When you exchange information on the electricity load, you can analyse where you need energy – but as a terrorist, it’s an ideal platform to attack. Actors therefore want to push R&D in the direction of collaborative security and propose a methodology and framework to build this.”

“That’s very important, of course,” Henri agrees. “The more we diversify the system, the more emerging properties occur, the more difficult it becomes to protect it with traditional walls and authorisation. A lot of neurons make a mind and a lot of people make a society. I was trained as a biologist so I can analyse one neuron, but I can’t predict the mind. With so many different strategies, policies, frameworks and silos, I feel that we don’t yet have enough knowledge to analyse systemic risks. In a catastrophe, everybody will say that they did their job correctly.”

As an analogy, he points to the Vasa, a Swedish warship which sank minutes into its maiden voyage in 1628. Each individual involved in its construction did his job correctly but failed to discuss the overarching design flaws. “A similar issue can be seen in cybersecurity,” Henri explains. “Emerging properties in complex systems cannot be dealt with alone, but trust must be developed if actors are to comfortably and effectively collaborate on defence, and we probably need specific research on those systemic issues.”

Generating trust

In short, collaborators must be able to validate the quality and security of one another’s software, yet this often provokes a backlash from companies. “In India, for example, they’re required to give access to source code,” Philippe explains. “They’re in a very competitive market, so we must find a way to describe a quality assurance framework that protects intellectual property.” This could take the form of a maturity model or a certification which is audited annually. Another possibility is a rating agency, which could score companies on cybersecurity à la credit agencies for banking.

As former French State CTO and the founder of three companies, Henri views trust as something to be earned. “When I was CTO, I needed to be able to check the code myself. To be frank, some software is a mess, so we need more progress on security by design. I’m not saying that you should forget IP and business models, but you should invest in open source and understand their culture of sharing code and accepting comments. The sociology of security could also be something to research: why do CEOs think that the quality of code doesn’t matter? Don’t forget, trust is also about attitude.”

Philippe: “We have two worlds: propriety and open source. Both are welcome, but testing could be part of the methodologies we develop so that technology providers have access to the APIs to test their code. We can stress that ‘zero trust’ means ‘I want to test’.”

Automating security

Despite their mutual need for collaboration, governments and companies do differ in their relationship to cybersecurity. For a country at war, for instance, cyberattacks are not carried out on a cost-benefit basis – success is priceless. “It’s difficult to be in defence,” notes Henri. “Like in chess, white attacks and wins.” However, this mentality sometimes carries over to the private sector through concepts like ‘hack-back’. “Protecting yourself through AI and automation is okay, but some companies also want to destroy the machine attacking them. The position of France is avoiding private warfare. Basically, we need a clear regulation framework. Part of a programme could be to give more funding to police and justice so that it doesn’t take three years to be sure of who attacked you.” In the workshop, says Philippe, “the analysis was that there is no solution besides security automation that does not impair the business model. If you react too drastically and block a customer’s business, you lose them. We had a project which developed an ROI concept that modelled the costs of counteractions, for example. If you cut your server, how much do you lose? You make the decision to counterattack or allow the attack to happen, depending on the level of threat.”

A culture of progress

Throughout the discussion, cultures of progress and frugality repeatedly emerged. These refer to a recognition of the never-ending nature of cybersecurity and an understanding that greater complexity increases the risks of error. Such a culture can exist at a national level, as shown by the French law on all government-developed code being public. “The ANSSI (National Cybersecurity Agency of France) can prevent the use of code which is too bad or dangerous,” says Henri. “This has never happened because if we find an error, we correct it! Plus, if you know that your code will be read by somebody else, you’ll do a better job.”

He continues: “Some security officers say that you first need to buy secure infrastructure, but we developed an agile methodology for security with the ANSSI. In this kind of project, we have a continuous improvement policy. We agree to test the product with false data, so we don’t need to invest from the first day in very secure infrastructures and organise ourselves for a continuous improvement. Maybe we’ll then test with just a hundred volunteers. They’ll need reassurance, so we should publish a clear methodology and do more research into clear concepts, strategies and prototypes. It can’t just be ‘buy and receive’…” “…because that kills innovation,” finishes Philippe. “Another dimension is how innovation occurs in a grey zone of maximum risk. If you want to innovate, you must be frugal in such a way that you don’t need to ask the CEO. You can then ask for more investments when you have a result. The culture of progress appears everywhere in security. Perhaps it’s something we could push.”

Four types of knowledge

In conclusion, Henri summarises their discussion into four types of knowledge, all of which are needed for the effective mobilisation of cybersecurity:

• Technological – keeping Europe near the top on issues like quantum computing and AI
• Strategic – defining concepts, maintaining good practices and providing education
• Human science – the sociology of organisations, such as why security experts are often not contacted until the end of a project
• Policy – international cooperation on cybercrime and the definition of cyberconcepts

Because ITEA is currently concentrated on the first three areas, Philippe is interested in the idea of a Policy Advisory Board, which may provide a connection between government and industry on the creation of much-needed methodologies. As for Henri, the benefits of such an approach are clear.

“In this attack and defence game, those who try to protect their data alone will lose. This is a global threat which needs a global solution, and we need to act together: big companies, start-ups, research and government. If you only try to stop attacks when they happen, you’re just a goalkeeper. At some point, you’ll miss.”