Recently I was dispatched to Lille to attend the 8th International Cybersecurity Forum to report live, and shortly after I shared some key insights from the top keynotes focusing on the political agenda around cyber-security, including copies of keynote speeches at the event from European Commissioner Günther H. Oettinger, French Interior Minister Bernard Cazeneuve, and Security Minister at the UK Home Office John Hayes.
ANSSI’s GM Guillaume Poupard spoke with @BillMew about France’s approach to #cybersecurity
In addition to interviewing France’s top Cyber-cop (Francois-Xavier Masson, Chef de l’OCLCTIC), I also met the man who heads up L’Agence nationale de la sécurité des systèmes d’information (ANSSI). Effectively the French national agency for computer security, ANSSI is responsible for defining the French National Digital Security Strategy. ANSSI sets out the rules and policies for protecting state information systems and for monitoring and verifying the implementation and adoption of all such measures. It provides a monitoring service, as well as detection and warning systems, and is responsible for leading the response to computer attacks on any critical infrastructure or state networks. At a time when France has been the target of a series of brutal terrorist attacks and, like all modern economies, is under constant cyber-attack from hackers and scammers, the role of ANSSI has never been more critical.
ANSSI has been led since March 2014 by Guillaume Poupard, its general manager, who was kind enough to give us an interview.
Like all French agencies, ANSSI works to a strict brief. It focuses only on cyber-defence – it doesn’t conduct intelligence or cyber-attacks. Protection of all of the nation’s ministries and its critical infrastructure is core to its role. It coordinates the activities of government agencies and departments as well as those of key public and private sector entities – such as the finance or power companies.
ANSSI focuses on cyber-defence for France
Between 2009 and 2016 its headcount grew from 80 to 500 as its remit extended to rules and policies covering all critical national infrastructure, providing legal protection, defining mandatory controls and recording and reporting attacks.
It sees its role in two main areas:
- Data theft prevention
ANSSI has a primary focus on protecting economic intelligence, but it also seeks to cover technical and personal information as well. Incidents are often hard to detect, as thieves do not want their presence to be visible so that they can return time and again for more and more data.
- Attack and sabotage prevention
ANSSI works with firms in the transport and finance sector as well as utilities to ensure that all systems are resilient and all infrastructure is protected from attack or sabotage.
While it is directly responsible for defining the rules and monitoring their adherence, it finds that real effectiveness is built on more than just rules, and that constructive dialogue with the firms it liaises with is critical. For example, internet service providers (ISPs) play a pivotal role, providing support with audit, detection and reaction.
ANSSI also runs a national accreditation and certification program. It publishes a list of rules for companies (including those in the traditional IT hosting and cloud sectors), and then conducts an independent evaluation of their performance before providing the appropriate certification. The program is almost unique to France. Guillaume Poupard admits that this process isn’t necessarily cheap for the firms that take part, but he argues that it is definitely worthwhile – not only for the firms themselves, which need a set of standards to apply and benefit from the ability to show that they are up to standard, but also for their clients, who have the peace of mind of knowing that they are working with a firm that has met such high standards.
#ANSSI is seeking to align its rules and standards with similar regimes emerging elsewhere in Europe
ANSSI also needs to work with many foreign companies – such as the global internet firms that span the globe. It is also seeking to align its rules and standards with similar regimes in Germany and emerging ones elsewhere in Europe. Its aim is to find a set of rules that can be applied fairly to all, but that are stringent enough to provide the right level of protection. In working with firms both within France and elsewhere, Poupard finds it essential to have a high level of mutual trust, and that this trust must be based on a real understanding of the situation – even if this means access to source code.
We asked Poupard how cloud has changed things in his industry. He told us:
When cloud first arrived ANSSI advocated caution, but we are aware that cloud has become part of the way that organisations operate now – we tell firms that they probably need cloud, but not all clouds are the same and neither are all CSPs and MSPs. We believe that in terms of security our standards and our accreditation and certification program are therefore as important as they have ever been. We have therefore started a new certification program specifically for CSPs and MSPs. Poupard argues that SMBs that use these CSPs and MSPs find that the certification program provides a valuable mark of safety and provides them with peace of mind.
So what’s the next big challenge, we asked Poupard?
He sees the Internet of Things (IoT) as the next area of focus.
He said we’ve seen a huge amount of innovation and ballooning volumes of data from IoT, but there hasn’t been enough focus on security. Indeed, Poupard believes that for IoT security to be effective it needs to be baked in right from the start.
Do you believe that other countries need to follow France’s lead with a national cyber-security accreditation and certification program? Get in touch and let us know what you think!