3.4


Organizing and Regulating Cyber Space

Guillaume Poupard and Juhan Lepassaar

Dr. Guillaume Poupard

Dr. Guillaume Poupard has been the Director General of the National Cyber Security Agency of France (ANSSI) since March 2014. He graduated from École Polytechnique and then obtained his PhD in cryptography from École Normale Supérieure in 2000. He became Head of the Cryptography Laboratory at the Central Network and Information Security Directorate, which in 2009 formed the basis of ANSSI. He joined the Ministry of Defence in 2006 and was appointed Head of the Cyber Security Division within the Technical Branch of the National Defence Procurement Agency (DGA) in 2009. (©Patrick Gaillardin)

From espionage to ransomware to critical infrastructure interference, cyber threats disrupt the welfare of individuals and companies and the security of states and democracies.

How does cyber warfare compare to previous types of wars? Is it building a new balance of power?

Guillaume Poupard: The term “war” is adequate for cyber conflicts, but these are different from what we knew in the past. In cyber-crime, there are a variety of attacks, attackers and victims. Some states aim to spy on each other, while some others want to start actual wars, albeit in the digital space. Leading a cyber war nowadays is relatively cheap, as a cyber army can amount to just a few hundred people. However, powers such as the US, Russia or China invest massively in both offensive and defensive cyber arsenals, and one of their first goals is to make sure that they remain the strongest forces in this domain. Both new types of attacks and renewed strategies from the past are within the immense range of possibilities offered by cyber-attacks.

Juhan Lepassaar: In the case of cyber warfare, if several players — including sovereign nations, corporations and individuals — don’t take steps to change their behavior, the number of cyber-attacks will increase indefinitely. New vulnerabilities and their impacts appear frequently in climate change issues. It is similar in cyber as we haven’t yet fully realized the impacts of all the vulnerabilities that can be exploited. The behavior of people, processes, legal systems and political frameworks that we build around cyber matter a lot. Everyone can do something that may seem tiny but absolutely necessary about this global problem.

How can we build a global framework to avoid cyber wars?

GP: The mechanisms we use to control traditional wars do not apply to cyber. For example, as a computer program can simply be sent by email for legitimate purposes as well as for warfare, our previous arrangements to limit arms exports become irrelevant in this case.

International efforts are underway to account for this new situation. For example, the United Nations Group of Governmental Experts and the Open-Ended Working Group discuss laws and regulations for cyber space. States disagree on many things but agree that discussion on cyber is necessary and that this new space cannot remain without rules. The issue is therefore, as often, to confront different cultures and political approaches. In France, for example, we talk about the ‘security of information systems’, and never use the terms ‘security of information’ because, to us, that leans too closely towards the ‘control of information’: we prefer to focus on the infrastructure rather than on the content. However, other countries make direct links between the security of information systems, the security of information and the control of information. This has been a major limit on international discussions so far.

JL: The machinery used to power the cyber realm is often owned by the private sector and isn’t controlled by states, so we need to look at global binding frameworks that not only bind nation states, but also the private sector. However, the states and alliances like the EU are responsible for ensuring that the regulatory frameworks they design are applicable in real life.

It is important to understand that cyber space is not operated and controlled by a small and well-defined number of players but by an immense multitude: we need to look at these actors holistically. We also need a better understanding of the ‘duty of care’ in cyber space: what are the responsibilities of each actor within the cyber space?

Juhan Lepassaar

Juhan Lepassaar has been the Executive Director of the European Union Agency for Cyber Security (ENISA) since October 2019. Prior to joining ENISA, he worked for the European Commission in multiple capacities, including Head of Cabinet of Vice-President Andrus Ansip, responsible for the Digital Single Market. In this capacity, he led and coordinated the preparations and negotiations of the Cyber Security Act. Juhan Lepassaar started his career in EU affairs with the Estonian Government Office, leading the national EU coordination system as the Director for EU affairs and EU adviser to the Prime Minister.

What is Europe’s approach towards a more cyber secure world?

JL: We have a prudent risk-based approach in trying to build up a more resilient cyber space. So far, our work has focused on critical sectors, looking at the minimum requirements that everybody should follow. However, as we observe with global warming, that might not be enough. So, we are starting to think about cyber products and services, about sharing information within Europe, and about setting up common standards for all the cyber actors: what is expected, how to reassure society. Another important area is the security of our supplies: in some areas, we should have stronger digital autonomy, stronger industrial and research capabilities and better investment, to ensure that we can build a resilient environment.

GP: Cyber security is everybody’s problem. From individuals to states, industrial alliances and consumer groups, we need to raise awareness and set up regulations. Regulations can be part of the solution, if done correctly.

In practice, how do states and alliances organize their cyber offense and defence capabilities?

JL: The main goal of the European Union Agency for Cyber Security (ENISA) is to ensure that the internal market remains functional and is not affected by cyber-attacks. This happens through capacity building, for example, so that actors are mature enough to respond, or through establishing synergies between the different union-level actors that deal with cyber security. In June 2021, we set up the ‘Cyber Security Competence Center for Research and Industry’ because research, innovation and investment are paramount for the sector to function smoothly.

GP: The best way to organize national cyber capabilities differs from one country to another, depending on the political organization, on its history and on many other factors. In France, the National Cybersecurity Agency (ANSSI) was created 12 years ago with the goal of having a national agency in charge of cyber which would be neither an intelligence service nor a law enforcement team. As such, we work with many different ministries and agencies: justice, the army, intelligence services, the police, foreign affairs, economy, education. Both the Prime Minister, as the head of the government, and the President, as the head of national defence, are directly involved in cyber security and cyber defence matters. They set the priorities and allocate the necessary resources. In other countries, ‘cyber czars’ have been appointed to coordinate and represent cyber security efforts. But in France, with ANSSI being an inter-ministerial organization, I don’t believe having such a ‘czar’ would be efficient.

Is there a good balance between cyber defence and cyber offense capabilities?

GP: In some sense, the best defence is defence: we need all the entities connected through cyber space to protect themselves, as anyone can be the entry point of a cyber-attack. But if we merely try to detect and react to the attacks, we are constantly one step behind.

At European level today, we are working to develop a framework to certify products and services from a cyber security standpoint. The European scope, which offers an attractive market to suppliers, is indeed the relevant one to protect consumers.

At the national level, it is necessary to develop both cyber intelligence and offense capabilities. In France, we have a strict separation between offense and defence, because they are too different and one should not be prioritized over the other. For the defence part, we need a cyber industry that can provide high-performing, state-of-the-art products and services. For the offensive capacities, it is the public sector that develops the full cyber weapons, while private companies should work only on certain components. But for now, developing offense capabilities remains the realm of nation states only, at both European and national levels: we are fully against counterattacks by private companies.

Beyond regulations and international frameworks, beyond defence and offense strategies, how can we make the world more resilient to cybercrime?

JL: When we go out on the streets, we adapt our behavior: we pay attention, we look left and right, we don’t take unnecessary risks when driving a car or walking around. It should be the same in the cyber domain, as good defence starts with being resilient. We absolutely need to apply the principles of ‘security-by-design’ and ‘security-by-default’ not only to critical infrastructures, but also to new products and services for individual uses and to individual behaviors.
