In a cybersecurity context, paranoia is necessary but not sufficient. But since cybersecurity is a recursive approach, it is in fact a bit like convincing someone with paranoid tendencies. This is the whole paradox of the cybersecurity problem, which requires both an attitude of doubt and suspicion, and the ability to… trust others. Let’s see why, and how it can work.
1. The principle of the culture of proof
Cyberparanoia left to its own devices would simply force organizations to shut down entirely. No connection, no cybersecurity risk! But since organizations need openness and agility, this extreme approach is not appropriate. These qualities are too valuable to be eliminated from organizations in the name of a fundamentalist view of cybersecurity. Paranoia alone is therefore not enough to guide your cybersecurity choices.
So how do you find the right balance between agility and security? As Olivier Kempf, Fellow Presans specializing in cybersecurity and cyber strategy, explains, it is through the culture of proof that an organization can build a shared cybersecurity standard that meets the expectations of users and customers. Unlike constraint, the culture of proof is not incompatible with agility, speed, and openness.
2. Building Circles of Trust
2.1. Why build circles of trust
As Olivier Kempf says, the paradox of cybersecurity is that the solution to the problem depends to a decisive extent on the ability to look each other in the eye and believe what the other says. Since there is no such thing as 100% security, and since the goal is always to become more robust after each attack, we must at some point be able to report attacks on our organization. But who can we talk to about this type of problem in a world of great conflict? Revealing this type of sensitive information to the wrong people tends to aggravate the cybersecurity problem.
In other words, cybersecurity involves building circles of trust. But then the question arises as to who is part of your circle, and with what role?
2.2. Sectoral and intersectoral circles
The first orientation to consider for a circle of cyber trust is that of one's own sector, or one's own industry. Typically, principals seek to encourage their suppliers throughout their value chain to become more robust. Another common practice in industries such as nuclear power is the sharing of feedback.
A second functional orientation aims to bring together the experience of several sectors or channels: for example, an R&I cybersecurity circle bringing together a bank, a nuclear player, and an industrial group in the beauty sector (other combinations are obviously possible). This type of structure is also intended to act as an influence group.
However, is it at this level that one can share with complete freedom the details of a cyberattack one has suffered? Asking this question shows that an additional dimension must be added to any reflection on building circles of cyber trust: that of sovereignty.
3.1. National origin of cybersecurity
Let’s take a step back in history. In France, the appropriation of the issue of cybersecurity has its historical origins in the security of state and military information systems. The key players in the cybersecurity of state and military systems are thus well known.
Cybersecurity then spread to industrial groups in the defense sector, and then to their suppliers. Beyond this perimeter, a zone that is fuzzy only in appearance is determined by the notion of the defense industrial and technological base.
Within this national system, the partner with whom companies can envisage sharing sensitive information is the National Agency for Information Systems Security (ANSSI).
3.2. Cyber-sovereignty in today’s world
The geopolitical configuration seems to have entered a phase of increased rivalry and uncertainty in recent years. Under these conditions, access to the defense industrial and technological base is becoming a major issue. The old certainties no longer hold, and everyone tends to be more and more on their guard.
This point is in line with the questions about Europe’s status as a digital colony, brilliantly evoked by Nathalie Brunelle at DYSTOPIA 2019. How can we transform this colony status in order to regain control, and the ability to benefit from our data? Many interesting, but uncertain, projects are underway to provide a concrete answer to this question.
Conclusion: the future of cybersecurity
Building circles of cyber trust could contribute to the future liberation of the European digital colony. But the horizon of digital sovereignty may seem distant. The same is true for disruptive technologies such as quantum networks. To restore perspective and regain momentum, shouldn’t the priority be to use our industrial synergies to build a technological roadmap for tomorrow’s cybersecurity?