On January 25, Le Parisien published an interview with Guillaume Poupard, the Director of the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) (National Cybersecurity Agency). Last week, at the International Forum on Cybersecurity (FIC) in Lille, France, Poupard raised the possibility of a “cyber-Pearl Harbor.”
In the interview, Poupard explained his concerns about that prospect:
We fear and wish to avoid a succession of massive surprise attacks. All the technical elements are available, it remains only to have the will and to light the first fuse. There are two threats: theft of intelligence and sabotage. We have seen that many countries have developed capabilities to sabotage computer systems. All that is missing is the trigger. With the geopolitical context degrading, some countries may one day be tempted to attack us with cyberattacks. (All translations informal)
With regard to the April 2015 cyberattack against TV5Monde, which has since been ascribed to a group of Russian hackers, Poupard characterized it as sabotage, adding,
and there was an explicit message. [Note: The hackers called themselves the Cyber-Caliphate and made threats against France, only a few months against the Charlie Hebdo terrorist attack.] We have since detected attacks from state, private, or terrorist actors who are not yet aiming to destroy but to insert themselves into and especially to study the computer systems of three of our critical sectors: energy, telecommunications, and transportation. For example, it is necessary to anticipate terrorist attempts that in 10 years would involve a plane whose system was hacked.
When asked whether French companies are prepared for large-scale cyberattacks, Poupard tactfully replied:
The awareness is heterogeneous, to remain politically correct. There are sectors like the banking sector, where security is part of their DNA. But there are other areas such as heavy industry, that used to protect themselves with simple fences and is surprised to have attacks on their digital tools connected to the Internet. But leaders talk to each other and are more aware of the risks.
Poupard also explained that ANSSI
only does defense, not intelligence or attacks. We have considerable resources, even if I always ask for more like any good director. We have around 600 people who are high-level experts. The new laws have allowed us to work with vital operators, whether they are ministries or transport companies or in energy, to mandate strengthening their cybersecurity. We have the ability to detect attacks in ministries, and tomorrow we may have the possibility to detect them directly upstream from the [Internet] hosts and telecom operators. But we cannot be the sole security of France, which is why we certify and qualify private companies to cover everyone.
When asked how we can know who is responsible for an attack, Poupard called the attribution of an attack to a particular person or entity
a very complicated extreme sport. In France, we are more cautious than our allies before pointing the finger. This is because we have more fear of repercussions or we have less information. There is always a doubt about responsibility. Attributing an attack is good for preventing an attack. Instead, we have the feeling that with some actors, large states that I will not name, it is more efficient to have a frank discussion in a private and secret context.
Note: Poupard’s remarks should be of interest to information-security officers in general, and certainly to those in companies and government agencies with operations and interests in France. Although his basic message is already well-recognized in cybersecurity circles, his statements provide some indication of the approach that ANSSI is taking to improving cybersecurity.
With regard to his reference to “cyber-Pearl Harbor,” that metaphor has been in vogue for some time – albeit sometimes as a straw man for commentators to dismiss as hyperbole. It is worth remembering, however, that the real Pearl Harbor did not involve the full global range of U.S. military might, but rather the targeting of a specific regional concentration of naval power that at that time represented a perceived significant threat to Japanese military interests in the Pacific.
A cyber-Pearl Harbor, in other words, need not leave an entire society in smoldering ruins to have vital military or geopolitical value for the attackers, or the state actor for whom they are working. Nor need it be a single, limited-duration attack. Poupard’s use of the phrase “a succession of massive surprise attacks” may suggest where his greatest concern lies in anticipating and preventing future cyberattacks.