Istanbul '09 Workshop
Promoting Trust and Security in the Digital Economy
Mr. Henri Serres
Director General for Information and Communication Systems
French Ministry of Defense
Information and communication technologies and the digital economy are a driving force of growth and development in modern societies. They have a major impact not only on industrial competitiveness and the distribution of resources but also on promoting social cohesion, health, education, culture, transport, security, and, more generally, the development of knowledge and the new economy.
The French planning agency reporting to the Prime Minister recently carried out a study on the digital economy’s structure and evolution, which I contributed to on behalf of the Ministry of Defense. It used a model based on six components: socio-economic context; users; companies as well as public and private organizations; technologies; markets; and the regulation-rule-governance triple factor. After conducting an analysis of these components, the study recommended five measures in order to help further the development of the digital economy over the next fifteen years: 1) Educate and train, 2) Work at the European level, 3) Innovate, 4) Reinforce confidence, and 5) Promote a secure critical infrastructure.
EDUCATION AND TRAINING
- Allow everyone to access digital tools and share in the culture which results from this, so that they can use them efficiently in both personal and professional capacities
- Provide training so that everyone can acquire the necessary skills to develop digital tools
- Put digital systems (hardware, tools, and content) at the heart of early education
- Develop new digital tools for the training and management of pedagogical projects
- Increase exemptions on copyrights for multimedia documents used for pedagogical purposes
WORKING AT THE EUROPEAN LEVEL
- Build a European market, which means adapting the laws of trade and labor for digital products, contents and services, and information technologies
- Give high priority to information and communication technologies, in order to develop applications for the great challenges that our society will face, including access to primary resources, sustainable development, population aging, security, and competitiveness
- Adapt the protection of intellectual property to a society based on knowledge sharing and the new economy
- Foster and sustain innovation, both technological and non-technological, notably in organizations
- Implement innovation-friendly public policies by creating a demand for products that meet societal targets such as sustainable development, health, transport, and defense
- Encourage the creation of digital enterprise through active measures on the public market and also by promoting exportation
- Favor the rise of e-democracy (including cooperative creation) and e-administration (simplifying procedures and reducing costs)
In order for these measures to have maximum impact, users must have a high degree of trust in the tools and networks of the digital economy. Trust is engendered by providing proper regulation and governance (some of which already exists and some of which needs to be created) at the national, European and world levels. This requires precise knowledge of vulnerabilities and critical installations, especially in times of crisis.
A) Establish effective world governance of the Internet that is based on a clear understanding of national responsibilities and the rights and duties of all involved parties
B) Rely on a governance body for networks and information systems whose main goal is to coordinate the responsibilities of public and private actors and to ensure the complete security of those connected to the network, be it for their belongings, images, identities, or commercial relationships
A) Put in place a governance authority for the digital world
- Allow public authorities to ensure, through dialogue with all public and private actors, the controlled and responsible development of the digital world
- Oversee the security of people, their identities, their properties and use, and also provide service continuity
B) Modify the laws necessary to manage personal data and electronic identities, including the “right to be forgotten,” and respect the requirements of individual and national security
- Define a legal status of the digital identity at the European level (or even worldwide) in order to guarantee every citizen the right to be forgotten and to control his digital personal capital
- Regulate the practice of online profiling at the European or worldwide level
- Implement technical measures that guarantee the protection of private data, and continuously monitor how the state of the art evolves in both technical and societal practices
PROMOTING A SECURE CRITICAL INFRASTRUCTURE
The security and reliability of communication and information systems are crucial in crisis situations. The network failures which occurred during Hurricane Klaus in southwestern France in early 2009 and in conjunction with the propagation of the Conficker virus highlight the importance of network security.
Defense against cyber attacks is also a key priority. According to a French white paper on defense and national security, “the current daily level of cyber attacks, whether from state or other sources, points to a very high potential for the destabilization of everyday life, paralysis of critical networks for the life of the nation, or denial of access to certain military capabilities. Society and government are still ill-prepared for the risks of massive attacks, and these should therefore be the subject of fresh attention, both in terms of strengthening defenses and enhancing our capacity to hit back.”
A) Guarantee the security of the main communication and information systems used by governments in crisis situations
B) Identify critical digital infrastructures for 2025 and list areas considered strategic in the scope of the European defense and security technological and industrial base
A) Quickly put in place, with all necessary means, an information security agency as envisaged in the white paper on defense. This agency’s responsibilities should include:
- Identifying critical infrastructures and their Internet dependence
- Updating the list of areas regarded as strategic in the scope of the European defense and security technological and industrial base, ensuring that information systems are included
- Identifying and preventing potential cyber attacks and coordinating joint responses with our European partners
B) Implement a highly secured infrastructure dedicated to critical sensitive needs, including deploying a specific network (with a very high data rate and highly secured) for critical fixed and mobile communications
C) Allow identification of hardware and software objects circulating in digital networks by means of a digital signature
Policies aimed at fostering the digital economy should follow a systemic approach: A combination of measures must be used within the areas of education and training, European cooperation and the creation of a European market, innovation, the reinforcement of confidence amongst users of digital tools, and the securing of critical infrastructures. If successful, the resulting increase in industrial competitiveness will combine with the human, financial, and industrial capacities in France and Europe and allow us to meet major societal goals with regard to transportation, the environment, healthcare, and culture.
Information and communication networks have become the nerve center of our society, without which it would cease to function. The economy; operations of public authorities; major energy, transport and food producers; and the organization of our defense all rely upon information systems. This has thus rendered our society vulnerable to accidental breakdowns or intentional attacks on computer networks.
The current daily level of cyber attacks, whether from state or other sources, points to a very high potential for the destabilization of everyday life, paralysis of networks that are critical for the life of the nation, and denial of access to certain capabilities. Society and government are still ill-prepared for the risks of massive attacks, and these should therefore be the subject of fresh attention, both in terms of strengthening defenses and enhancing our capacity to hit back.
Guarding Against the Unique Challenges of Cyberspace
Yet cyberspace, which consists of the networking of all networks, is radically different from physical space in that it has no frontiers, is constantly changing, and is anonymous, making it hard to identify an aggressor with certainty. The threat takes many forms, ranging from malevolent blocking and physical destruction (e.g., of satellites or infrastructures for crucial networks) to neutralization of computer systems, data theft and distortion, and even taking control of a system for hostile purposes.
Over the next 15 years, the proliferation of attempted attacks by non-state actors, computer pirates, activists, or criminal organizations is a certainty. Some of these could take place on a massive scale; covert attempted attacks are also highly probable. To deal with such attacks from state actors, several countries have already mapped out offensive cyber warfare strategies and are effectively putting in place technical capabilities with the aid of hackers.
Technological developments and the interconnection of networks are rendering simple passive and perimeter defense strategies less and less effective, even though they remain necessary.
The transition from a passive defensive strategy to an active defensive strategy, combining intrinsic systems protection with permanent surveillance, rapid response, and offensive action, calls for a strong governmental impetus and a change in mentalities. The state must develop, maintain, and disseminate its information systems security expertise among economic actors, and particularly among network operators. The instantaneous, nearly unpredictable nature of attacks also calls for a crisis management and post-crisis management capability able to maintain the continuity of activities, and to prosecute and punish attackers.
The Way Forward
Cyberspace has become a new area of action in which military operations are already taking place. But Internet regulation appears to be a particularly difficult topic due to:
- The wide variety of actors
- Lack of borders, as opposed to mainly national legislation
- The extremely rapid evolution of technology
Systemic questions arise:
- What role is there for governments, and for international organizations? This is a major question for the European Parliament.
- What rules will actually be enforced by powerful non-governmental players and user groups?
Regardless, all experts agree that security is the foremost issue in Internet regulation:
- Governments are afraid of cyber terrorism
- Companies rely more heavily on their networks and on e-commerce than ever before
- Users are concerned about privacy issues, in addition to network reliability
Answers cannot be purely technical:
- Governments have failed to find a fully satisfactory solution, even if an agreement has been achieved within the Council of Europe on cyber criminality
- Companies, in a global economy, need to reduce vulnerabilities in their transactions
- Individuals are also direct actors in these security issues: they need to ensure that they correctly protect their own PCs, otherwise they may unwittingly allow their PCs to become part of a botnet and to attack other users
Trust is the key to efficient economic development in a digital economy, and it must be addressed globally. This International Workshop on Global Security is certainly the right place to address these issues.