Expert Opinion – Matthieu Bonenfant – CMO Stormshield
The notion of confidence finds itself at the centre of many current debates in the cybersecurity sector. Its strategic dimension ties it to a wide variety of ongoing issues, and the geopolitical tensions that were clearly visible in 2018 have had significant repercussions in cyberspace. There is certainly no shortage of examples.
In addition to suspicions surrounding the presence of nation states behind major cyberattacks, and the opening of cyber-espionage ‘schools’ in certain countries, 2018 was marked by the announcement of an embargo against certain suppliers following concerns over espionage-related activities, as well as new suspicions regarding the introduction of back doors into foreign technologies. Huawei in particular has experienced the costs associated with this. Such issues raise doubts concerning the reliability and integrity of software products, particularly in terms of cybersecurity solutions. In fact, these solutions are particularly sensitive due to their function as ‘guardians of the temple’: maintaining control over protection systems means direct access to protected resources. The choice of cybersecurity partner has never been such a crucial issue for companies and institutions.
Positions taken by nation states on thorny issues such as back doors and the weakening of encryption mechanisms vary. Russia has already introduced legislation to force publishers to provide authorities with a means of accessing encrypted communications. The member states of the Five Eyes alliance* also wish to impose the implementation of weaknesses in software. The primary, and official, objective is to be able to decipher exchanges that could be tied to terrorist activities, and to share information between the various intelligence services.
Of course, the fight against terrorism is a priority. Yet we can question the appropriateness of creating back doors, which might in fact provide an indirect way of accessing sensitive information belonging to private companies or individuals. All kinds of scenarios then become conceivable: nation-state espionage, access to trade secrets, infringements on civil liberties, and so on. Entirely separate to the war on terror, these developments could seriously undermine the ability of businesses and institutions to protect their information assets.
As has been mentioned, these back doors have not received universal approval. Europe in particular is clearly opposed to their implementation and advocates end-to-end encryption in communications in order to guarantee complete security. In 2017, the Vice-President of the European Commission stressed this position by highlighting the threat posed by the use of back doors that might eventually be exploited by cybercriminals. Weaknesses in protection or encryption systems could well be discovered and exploited for malicious purposes, providing the perfect opportunity for criminal activity.
This demonstrates once again that the notion of digital confidence goes well beyond purely technological and functional considerations, often taking on a highly geopolitical nature. An understanding of the origins of digital technologies, particularly those used to manipulate or protect sensitive data, is central to digital confidence. Businesses must also incorporate this strategic information into their reasoning before entrusting suppliers with the keys to securing their information systems. In this sense, continuous awareness-raising efforts among private and public organisations are required. European publishers, for their part, must be more transparent in terms of their positions and adopt a common posture. We should also welcome the work carried out to support digital confidence on a European level and by various governmental agencies such as ANSSI. The French agency’s system of qualifying security products, for instance, requires a review of the source code to ensure that the protection functions are sufficiently robust and that back doors are not present. We would wager that this initiative will be taken up more broadly within the future European certification framework, for which ENISA has recently been mandated.
* An alliance that brings together the intelligence services of the United States, Australia, New Zealand, the United Kingdom and Canada.