Cooperation Between Businesses & Government Crucial For Total Infocomm Security

Mr Patrick Pailloux, Central Director for information systems security at the office of the Permanent Secretariat (Secretary-General) for National Defence and Member of the management board of the European Network and Information Security Agency (ENISA), shares his views on the challenges that governments are facing today and offers French insights to handling new cyber threats that are evolving.

Q. What are some of the common security threats facing governments and citizens today?


Mr Patrick Pailloux, Central Director for information systems security at the office of the Permanent Secretariat (Secretary-General) for National Defence and Member of the management board of the European Network and Information Security Agency (ENISA)

Patrick: The development of the information society remains a major contribution to modern society. It contributes to the development of knowledge and economy, simplifies administration processes and generates productivity gains. However, this new economy can only develop if citizens do not start questioning their confidence in new technologies. Therefore, threats to citizens – essentially financial threats – also represent threats to our societies and governments because they can undermine confidence in new means of telecommunication. In addition, the increasing financial weight of criminality on electronic networks is a major issue that cannot be ignored.


Q. How can a government ensure data security for both the government and citizens?

Patrick: While the object of threats can vary, the methods used for attacks are often the same. Individual behaviour does not change from the personal environment to the professional one and this is often the weakest link in the chain of protection mechanisms. First and foremost, the priority is therefore to develop individuals' training and awareness. This should apply to the entire population: the very young, school-aged children, information systems users in public and private sectors as well as senior citizens, who are increasingly inclined to use new technologies. Such training should take various forms like training programmes, public awareness campaigns, technical assistance and good practice guides.


Q. Profit is usually the main motive behind the hacking of websites and theft of confidential data in the commercial world. What is the motive then behind the hacking of government networks?

Patrick: Our permanent infosec operational centre (ITSOC), including the French governmental computer security incident response team (CERTA: www.certa.ssi.gouv.fr) collected information on 4000 ".fr" defaced web sites during 2006. Based on this data, we can divide attacks into three categories:

  • attacks known as opportunity attacks: the hacker conducts an attack where he has detected a weakness or a non-patched vulnerability;
  • attacks as signs of protestation: by defacements, hackers try to publish messages against national or international policies. In the wake of the French vote related to the Armenian genocide, around 50 web sites were defaced with a political message;
  • attacks seeking to steal confidential information such as banking data or in a more dangerous way, targeted attacks by e-mail aimed at high ranking authorities or staff members in order to steal strategic data. Don't forget that anti-virus products are always late compared to the virus propagation or they are not able to defeat completely dedicated attacks! In terms of in-depth defence, the end-user is basically the last defence line.

Finally, in some cases, there are also massive attacks against French governmental networks aimed to deny e-administration services, or access to a governmental web site. These kinds of attacks are very often launched by BotNets: the last Symantec report noted that France hosts 6% of all zombie machines.


Q. Where does a citizen's responsibility towards security end and the government's begin?

Patrick: Concerning security, the human factor remains, as always, a crucial element. While the State must take this "new" threat into account, each person should be aware that his/her individual behaviour can endanger information systems that are sometimes essentials. In France, the main administration responsibilities are:

  • To coordinate alerts, warnings and responses within the Administration;
  • To make sure that governmental and critical networks are appropriately protected. Some examples of appropriate protection are:
    – to define a procurement policy for IT-security products
    – to increase the security of the vital information systems
    – to remind the different actors of their responsibilities (inspections)
  • To cope with the rapid change of the nature of INFOSEC in the information society so as to reinforce the development of IT-security products and increase public awareness of cyber threats.


Q. What about enforcement? What is needed at a national and regional level?


Mr Pailloux feels that to build up credible defence, countries need to work together to address security issues

Patrick: It is important to have laws and regulations at our disposal in order to guarantee individual freedom and track down people who use information systems to commit crimes. France has developed a whole legal arsenal, built on both national and European measures.

Some of the major legal provisions that have been adopted to fight against cyber criminality are:

  • sanction in the Penal code in case of unauthorised intrusions within the networks, attacks on the banking smart cards, use of malicious software or virus, and attacks against the DRM (digital right management);
  • retention of traffic data by the Internet Service Providers and telecom operators;
  • access to the computer data on request of the judicial authorities; and
  • specific regulation regarding cryptology. For instance, release of crypto keys by any user to judicial and security authorities, and more serious penalties when using cryptology for committing crimes.

In addition, France has ratified the Convention on Cybercriminality of the Council of Europe and is thoroughly committed to cooperation in this field at European level. All these repressive measures are enforced within the framework of the protection of personal data on networks (privacy). A comprehensive lawful framework has been enacted for that purpose and in compliance with related European directives.


Q. As cyberspace is quite limitless, how should countries work together to address security issues?

Patrick: This is a key point. A credible defence capability cannot be built without international cooperation. We must be able to exchange information at all times concerning prevention and reaction. This is the reason why there is an agreement between Singapore (National Infocomm Security Committee) and France (direction centrale de la sécurité des systèmes d'information) to do so.


Q. How can businesses and the government work together to combat cyber threats?

Patrick: Cooperation between all players are essential. Cooperation with telecommunication operators, software publishers, and computer and telecom equipment manufacturers should ensure better network security. For example, when flaws are discovered, it is important for the players involved to be warned rapidly. Means of protection must also be disseminated as quickly as possible. In this area, close collaboration between the State and software publishers is crucial.

Similarly, in case of an attack on their network or information systems companies should not hesitate to contact specialised police services in order to stop pirating activities.