On July 8th, 2008, a report called "Cyberdefense: a national security challenge" was published by M. Roger Romani (member of the Senate and of its "Foreign affairs, Defense and Military Forces" commission). This report aims at underlining France's insufficiencies regarding the threats related to information systems. The present article analyses the key points of this document.
This report starts from the fact that threats targeting information systems have increased so seriously that they have become a "national security challenge". This point fully matches the conclusions made by the Cert-IST in its French article "Bilan 2007 des failles et attaques", specifically regarding the two major-scale events mentioned in this report: the distributed denial of service (DDoS) attacks against Estonia and the Chinese attacks. We also indicated that attacks had become more targeted and more sophisticated. According to M. Romani, potential targets for these attacks are "individuals, organizations, public institutions (more specifically concerned those working on defense or national security, government services, critical operators and companies involved in strategic or sensitive areas)". Last, we also insisted on the attackers' professionalism, a point also noted in the report, which also talks about cyber terrorism threats, and even the participation of countries in "cyber-warfare" (the case of China).
Concluding this report, M. Romani forecasts that this threat will necessarily keep growing, for three reasons: the increasing role of information systems and the Internet in day-to-day life, the accessibility and low cost of the technologies used for the attacks, and the difficulty of identifying the attackers.
According to M. Romani, France is still insufficiently prepared, and the conclusions made in a previous report released by M. Lasbordes (see the article in the Cert-IST security bulletin of February 2006, in French) unfortunately still hold true. Even if efforts have been made (creation of the COSSI, "Centre Opérationnel de la Sécurité des Systèmes d'Information", modernisation of the RIMBAUD network, inauguration of ISIS, "Intranet Sécurisé Interministériel"), France is still behind, in particular compared to its European neighbors. On the international scale, the importance of FIRST (http://www.first.org) and of the EGC (European Government Computer Security Incident Response Teams) structure is emphasized. More recently (Prague conference in 2002), NATO also made cyber defense a priority. M. Romani is more reserved about the role played by European organizations and the action of ENISA (European Network and Information Security Agency), created in 2004.
The last part of this report is devoted to the measures that, according to M. Romani, must be taken by France to be able to react to computer attacks as quickly as its neighbors. The protection of information systems is now a priority of the White book on defense and national security. This White book also schedules the creation of an interoffice agency responsible for information system security. The report indicates that capacities, not only defensive (detection and protection) but also offensive (identification and neutralization of attackers), must be developed. Last, the orientations defined in this White book must be associated with very concrete measures, in three directions: putting France on the level of its European partners, enhancing the coordination of the various actors involved in information systems security, and developing a partnership with the industrial sector.
As a conclusion, M. Romani insists that it is very urgent for France to catch up with other countries on cyberdefense, in order to face the sophistication and increased expertise level of recent and upcoming attacks. The Cert-IST, which is mentioned in this report as a monitoring and response structure, strongly advises reading this document.