What information is targeted by Industrial Espionage?

Industrial espionage targets sensitive companies, in sectors like energy or technology, against a backdrop of geopolitical tensions and economic instability. Certain secret information of these organizations is particularly sought after.

Industrial Espionage: the biggest cyber threat

Definition of Industrial Espionage

Industrial espionage, or economic espionage, refers to a set of espionage activities conducted for economic or commercial purposes. It involves intrusions into organizations by individuals, companies, or governments. The aim: to collect confidential data in order to gain an advantage, typically a competitive one. The perpetrators employ different cyber espionage methods, such as phishing or social engineering, depending on the chosen target. Finally, the financial consequences of industrial espionage for companies are significant and can even jeopardize their activity; they also disrupt the economic stability of a nation.

An alert by the Five Eyes alliance

In October 2023, the Five Eyes summit convened, an alliance of five global powers (Canada, United States, United Kingdom, Australia, and New Zealand). The heads of the intelligence services of these countries were present and warned of an unprecedented rise in industrial espionage attacks originating from China. Mike Burgess, director-general of Australian intelligence, stated, “The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in the history of humanity.” Organizations worldwide are thus on notice and must protect themselves against cyberattacks and agent infiltrations. Protecting a nation’s scientific and technical potential is more essential than ever.

High-Tech Sectors Heavily Affected

The most cutting-edge sectors are the predominant victims of industrial espionage. This includes companies in artificial intelligence, quantum computing, or biotechnology. Industrial espionage attacks concern defense and energy organizations, but also, to a large extent, their supply chains. But what information is targeted?

Types of information targeted by Industrial Espionage

Technical and technological information

Information related to the technical design of products or technology development represents a competitive advantage. Thus, in the computing sector, machine learning algorithms or electronic chip design schemes are coveted. In the energy sector, renewable energy production processes or advanced battery production techniques are a goldmine for spies. In the defense and aerospace sector, industrial espionage can target advanced weapon system plans or navigation and communication systems for spacecraft. In these cases, beyond mere financial loss, industrial espionage disrupts national defense security.

Example of technological information espionage

In January 2023, a former engineer from General Electric (GE) in the United States was sentenced for conspiracy to commit economic espionage. He premeditated the theft of technological secrets related to land and aeronautical turbines, for the benefit of China and other entities developing this type of product.

Corporate strategic information

Corporate strategies detail all the innovation, development, and financing axes of organizations. Thus, in the Finance sector, details on merger and acquisition plans or proprietary investment analysis models are highly sensitive. Their loss can harm the competitiveness of companies. In the pharmaceutical sector, data on clinical trials or manufacturing processes also face espionage risks.

Example of strategic information espionage

In 2023, within NVIDIA, a software developer was suspected of having disclosed secret information related to the source code of a parking assistance software, retrieved from his former employer, Valeo. Valeo maintains that this data could benefit NVIDIA’s development.

Information on Personnel and Talent

Industrial espionage also involves identifying key individuals who can provide sensitive information. Some strategic poaching of staff aims to harm the smooth operation of a company by attempting to recover its knowledge. At a time when economic competition is increasingly strong, the leakage of skills affects the sustainability of a company.

How to Protect Your Information from Industrial Espionage?

Highly sensitive information, which should not be widely communicated, usually carries a “restricted distribution” protection marking. It is sometimes even classified under national defense secrecy.

However, in addition to legal and technical measures, collaborators have the responsibility to adopt good cybersecurity practices to limit the risk of information leakage.

Ensuring Confidentiality of Exchanges

Exchanges between collaborators, even trivial ones, can constitute key data for spies. To exchange sensitive information in a meeting, collaborators make sure to close the door of the room properly. Remotely, however, collaborators use video conferencing, even for sensitive meetings. It then becomes more difficult to ensure that all doors are properly closed and that no one outside the company can listen to the exchanges. Only end-to-end encrypted video conferencing, from client to client and GDPR compliant, guarantees total confidentiality of exchanges.

Reacting to Intrusion

Organizations must plan a number of defense measures in case of infiltration. These can be part of a crisis management or business continuity plan. In this context, the use of a highly secure video collaboration solution is recommended. It takes over the main compromised communication tool and ensures business resumption as soon as possible while facilitating the work of crisis management teams.

National Scientific and Technical Potential: How to Preserve it from Espionage?

The gathering of information related to the scientific and technological activity of a nation undermines its stability and competitiveness. Discussed at the last Five Eyes summit, protecting the scientific and technical potential of nations requires maximum cybersecurity measures.

Definition of Scientific and Technical Potential

The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.

A Primary Protection: The PPST Scheme

Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST). This regulatory security mechanism, at inter-ministerial level and led by the General Secretariat for Defence and National Security (SGDSN), is distributed across 6 different ministries:

  • Ministry of Agriculture
  • Ministry of Defence
  • Ministry of Sustainable Development
  • Ministry of Economy and Finance
  • Ministry of Health
  • and Ministry of Higher Education, Research, and Innovation

It aims to prevent any leakage or attempt to capture this sensitive information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical or virtual access to sensitive information is enforced. The PPST complements other security systems such as those for the protection of Operators of Vital Importance (OIV) or national defence secrecy.

What are the risks if these sensitive pieces of information are exposed?

If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:

  1. Damage to the nation’s economic interests
  2. Development of military arsenals
  3. Proliferation of weapons of mass destruction
  4. Terrorism

Sectors Affected

Various scientific and technical sectors are therefore covered by the PPST:

  • Biology,
  • Medicine,
  • Health,
  • Chemistry,
  • Mathematics,
  • Physics,
  • Agronomic and ecological sciences,
  • Earth, universe, and space sciences,
  • Information and communication science and technology,
  • Engineering sciences…

Thus, research laboratories, companies, and universities must be protected from the risks of data interception.

Protecting Scientific and Technical Potential from Cyber Espionage

Access to ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting the scientific and technical potential from cyber espionage.

Securing Restricted Regime Information Systems (SIRR)

A Restricted Regime Information System (SIRR) transmits Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the previously mentioned risks. Access to such a system therefore constitutes virtual access to an RR zone. It is noteworthy that SIRRs are subject to the inter-ministerial instruction no. 901 on the protection of secrecy and national defence.

The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists security measures to be implemented by organizations operating a SIRR. Among these is the deployment of an information systems security policy (PSSI), listing all the good practices and computer security procedures to be followed by employees and other stakeholders.

A SIRR encompasses all types of storage media and electronic equipment, such as laptops, USB keys, or servers, and therefore requires parallel cybersecurity awareness for its users.

Examples of Security Measures to Implement:

  • Encryption of communications
  • Encryption of hard drives of workstations
  • Access control

Ensuring the Security of Workstations

Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.

Using End-to-End Encryption Technology for Communications

Communication tools deployed in companies, especially in RR zone establishments, must meet the highest level of security. Firstly, the solution used must be Secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.

Demonstrating the Utmost Reactivity in Case of Attack

In the event of a cyber crisis, a secure and emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., different from the one usually used.

The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.

First Five Eyes Summit on the Subject in 2023

On October 16 and 17, 2023, the first-ever Five Eyes summit on the theme of protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) alerted to the threats weighing on innovation and research. In particular, the Chinese government was targeted as the main danger to innovation and the interests of nations.

“The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of Australian intelligence services. Industrial espionage operations originating from China are experiencing an unprecedented increase. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” This resurgence of state-sponsored cyber espionage spares no European country either. The document “Five Principles for Securing Research and Innovation” was published at the end of the summit and presents several recommendations to maximize the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness of collaborators, and securing partnerships, suppliers, and service providers.

Cybersecurity: What is a Security Certification?

Security certification for digital products and solutions is a hallmark of reliability. What does this certification entail, and how does it ensure a high level of cybersecurity?

Definition of a Security Certification

Security certification for computer solutions and software involves evaluating a product according to specific cybersecurity standards. This process is now crucial for ensuring the protection of data and systems in the face of increasing cyber threats. Security certification also supports businesses in their search for secure digital solutions for their strategic and sensitive uses. It ultimately helps to harmonize the security levels of solutions and contributes to the creation of a trusted digital system.

Types of Security Certifications

  1. Product Certifications: Focus on the security aspects of a specific product. They assess whether the product meets the required security standards and can resist potential cyber attacks.
  2. System Certifications: Evaluate the security of an entire system, including the products, processes, and people involved. This type of certification is broader and considers the systemic aspects of cybersecurity.

There are various security certifications internationally and in Europe. Here’s an overview:

International Cybersecurity Certifications

Common Criteria (CC)

Common Criteria is the international standard for cybersecurity certification of information technology. Also known as “Common Criteria for Information Technology Security Evaluation”, this international standard (ISO/IEC 15408) allows for the assessment of IT product security by accredited and independent laboratories based on demanding technical and organizational criteria. The certificates are internationally recognized by the signatories of the Common Criteria Recognition Arrangement (CCRA), which includes ANSSI in France.

FIPS 140-3

Developed by the National Institute of Standards and Technology (NIST) in the United States, the FIPS 140-3 standard is specifically concerned with verifying the security of encryption modules. Essential for products used in government and sensitive environments, the standard analyses in particular:

  • the features and capabilities of the encryption module
  • interactions with other systems
  • management of access and authorised operations
  • software component security
  • secure maintenance and updates
  • measures against various forms of potential attack.

This standard proposes four qualitative levels of security (basic to very high), adapted to different applications and IT environments.

European cybersecurity certifications

The European Cybersecurity Certification project

The EUCC certification scheme is based on the international Common Criteria scheme for certifying ICT products, their hardware and software (firewalls, encryption and electronic signature devices, routers, smartphones, bank cards, etc.). In October 2023, a first draft implementing act for the EUCC was published by the European Commission and opened for comments.

EUCS (European Certification Scheme for Cloud Services) under study

In the same vein as the EUCC, EUCS certification is aimed specifically at approving the security of products and services hosted in the cloud. The proposed text is now being studied by the European Cybersecurity Certification Group (ECCG) and will help to strengthen the security of cloud computing in Europe.

As part of the NIS 2 directive and the Cyber Resilience Act, these European certification projects aim to harmonise the security levels of IT solutions.

In France: ANSSI security certification

The security certification issued by ANSSI (Agence nationale de la sécurité des systèmes d’information) is a benchmark in France and throughout Europe. Based on the Common Criteria international certification standard, this national certification scheme assesses the robustness of a specific version of a product at a given time, based on the state of the art of cyber attacks. To award it, the approved laboratories and experts analyse a number of security criteria, including:

  • Compliance with current national and international information systems security standards and regulations
  • Technical and organisational security measures
  • Resistance to attacks, including attempted intrusions, hacking and exploitation of vulnerabilities
  • Access management and authentication to control access to data and resources
  • Encryption and data protection
  • Resilience and incident management
  • Security maintenance and updates, to respond to new threats and vulnerabilities

ANSSI also offers a security qualification for digital products and services intended for critical and strategic sectors (OIV and OSE). This qualification meets specific regulatory requirements, such as those of the French military programming law. ANSSI’s security qualification attests to the suitability of a solution for the sensitive needs identified by companies. The publisher must prove that it can meet its commitments over the long term.

Which products are eligible for security certification?

A wide range of IT products and solutions are eligible for security certification if they expose data and/or are used by sensitive organisations. Here are some of the types of products covered by security certification:

  • IT hardware: servers, routers, firewalls and other network equipment, etc.
  • Software: operating systems, applications and databases, etc.
  • Cloud Solutions: Cloud computing services, storage and cloud-based applications…
  • Encryption products: Encryption modules, key management tools…
  • Mobile Security Solutions: Security applications and infrastructures for mobile devices…
  • Industrial Control Systems (ICS) and Internet of Things (IoT): connected devices in various industrial sectors…

Tixeo, certified and qualified by ANSSI for over 5 years

Tixeo secure video conferencing software has been certified and qualified by ANSSI for over 6 years. Thanks to its end-to-end encryption and its on-premise version, it offers businesses in critical sectors total confidentiality for their exchanges and, above all, a high level of operational resilience. Through its certification and qualification, the French government recommends its use for sensitive applications. Other European labels confirm the security of its solution. 

How to Assess the Credibility of a Security Certification?

To prove their dependability, IT solutions may acquire a security certification. This becomes a significant advantage in the IT market, especially in an era where cybersecurity is a key concern for organizations. However, how can one ensure the credibility of a security certification across different countries?

What is a Security Certification?

Security certification for IT solutions and software involves appraising the product based on specific cybersecurity standards. These standards can vary depending on the industry and the regulations in effect within the issuing country. Therefore, certifications from different countries may not meet the same cybersecurity requirements, underscoring the importance of analyzing the criteria that establish the credibility of a cybersecurity certification.

Criteria for determining credibility

The Cyber Power of the Nation

A nation’s cyber power plays a role in its international influence. It encompasses the ability to utilize digital technologies and cyberspace to achieve national and international goals through government strategies, defensive operations, and resource mobilization. Various global indices help in determining a nation’s level of cyber power.

The Harvard Belfer Center’s NCPI Index

The National Cyber Power Index (NCPI) from the Belfer Center is a measure of nations’ cyber power. This index uses qualitative and quantitative data models to assess the capabilities and objectives of states. It includes 29 indicators, divided into two categories:

  • Intent indicators

Intent indicators reflect a country’s priorities and motivations in terms of cybersecurity. In other words, it shows how the country plans to use its cyber capabilities, in line with its strategic and political objectives. These can range from defence, espionage and information control to influencing the definition of cyberspace norms and offensive operations.

  • Capability indicators

Capability indicators assess a country’s technical capabilities and cyber resources, regardless of how it chooses to use them. This includes technical expertise, infrastructure, available tools and technologies, and qualified human resources in cyber security.

The 2022 NCPI Report Findings

In the NCPI 2022 report, the authors assessed the cyber power of 30 countries around the world. In the top 10 are the United States, China, Russia, the United Kingdom and France in 9th position. Germany and the Netherlands are lower down the ranking.

France achieves a capability score of around 40 for the objective of “influence in defining cyberspace norms”, putting it in 4th place. In terms of intention score, France is in the top 4 of nations most involved in the defence objective.

The International Institute for Strategic Studies (IISS) Assessment

IISS has also developed a methodology for determining a nation’s cyber capabilities and how these contribute to its power. The institute classifies these capabilities into 7 distinct categories:

  1. Strategy and doctrine
  2. Governance, command and control
  3. Essential cyber espionage capability
  4. Empowerment and dependence on cyberspace
  5. Cybersecurity and resilience
  6. Global leadership in cyberspace affairs
  7. Offensive cyber security capability

In its “Cyber Capabilities and National Power” published in 2021, the IISS analyses France’s position in these areas. It states that “In many respects, France leads the EU in cybersecurity and resilience planning.”

France’s transparency on cybersecurity

France is also said to be more transparent on the issue of cyber security. Indeed, the report states that the country “maintains a clear separation between defensive and offensive cyber operations”. Thus, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) is exclusively dedicated to defensive operations and is not part of the intelligence community, unlike the National Security Agency (NSA) in the United States or the Government Communications Headquarters (GCHQ) in the United Kingdom. “This distinction is important to some in France, based on the assumption that the objectives and remit of an intelligence agency, including its disposition towards secrecy, may interfere with some of the objectives and practices necessary for civilian sector cybersecurity, including the need for greater transparency regarding cybersecurity breaches.”

A nation’s cyber power is therefore one of the essential criteria to be taken into account when assessing the credibility of a security certification issued by a country. Indeed, when a country is highly ranked, it demonstrates its high standards and capacity in terms of cybersecurity. Another decisive criterion is the national certification scheme.

The national certification scheme

Common Criteria (CC) is the only international standard for assessing the security of IT products and systems. It analyses technical criteria, as well as organisational criteria and criteria relating to company processes, in order to assign one of seven levels of security.

These criteria are very demanding and require organisations to put in place significant resources. As a result, only large companies or groups can afford to apply for CC certification. This difficulty in awarding certification runs counter to the desire to develop a trusted digital system, bringing together organisations of all sizes, from multi-nationals to smaller businesses.

To facilitate this certification process, France and Germany, drawing on their experience as certifying countries, have created national certification schemes focusing on the technical evaluation of products:

These schemes have made it possible to extend certification to a wider range of IT solutions, boosting their visibility while guaranteeing their high level of security. Indeed, the credibility of these national certification schemes rests above all on that of the issuing country.

The nation’s experience in issuing certification

Number of CC certifications issued in 2022 by country
(Common Criteria Statistics Reports 2022)

The nation’s experience in issuing certifications is a major factor in the credibility of its certification scheme. And for good reason: the number of certified products demonstrates expertise and a particular commitment to cybersecurity.

In 2022, according to the Common Criteria Statistics report, France, via ANSSI, is the world leader in the number of Common Criteria certifications issued, with 74 certified products. Over the last 5 years, France is the second country to have issued the most certifications, just behind the United States.

To sum up, the credibility of a security certification is based on three main criteria:

  • The cyber power of the nation issuing the certification
  • The country’s commitment to developing a trusted digital system, through its national certification scheme
  • The nation’s experience in certification

France, one of the most credible cyber powers

France appears to be one of the most credible and experienced cyber powers, both because of its position in the various “cyber power” indices and because of its experience in evaluating IT products.

ANSSI-certified solutions offer significant security guarantees and greater confidence.

Tixeo, the only secure video conferencing solution certified and qualified by ANSSI

Thanks to its sovereign end-to-end encryption technology and secure on-premise videoconferencing offering, Tixeo has been certified and qualified by ANSSI since 2017.

With three ANSSI security certificates received in 6 years, the company marks continuity in its commitment to security. A high level of cyber requirements that goes beyond the purely “marketing” aspect of certification.

Cyberspace: European companies faced with international cyber espionage

Cyber espionage attacks by state or para-state entities are on the increase, targeting European companies. They mainly target organisations that are essential to a country’s functioning or economy.

Consequences of geopolitical instabilities

An upsurge in state and para-state attacks

Since the war in Ukraine, conflicts in cyberspace have continued to intensify and the typology of cyberattackers has diversified. More and more state actors are using traditional cybercrime methods, such as ransomware, to target private or public organisations. As a result, it is becoming increasingly difficult to identify precisely the perpetrators of these malicious activities. What’s more, the techniques used are more sophisticated and therefore more effective, as they mobilise more resources and cause more damage. In fact, the fight against cyber espionage has been made one of ANSSI’s main missions for 2022. Cyber espionage can affect information systems for months without being noticed by organisations.

In 2022, 150 cyber-state attacks were recorded, 77% of which involved espionage operations. In 2023, the percentage has already risen to 83% of all state cyber attacks, even though the year is not yet over.

Mainly of Chinese or Russian origin, these state and para-state espionage attacks pursue different objectives, depending on the case:

  • the collection of confidential data,
  • computer or physical sabotage of a critical infrastructure
  • or political destabilisation.

Sensitive sectors particularly targeted by cyber espionage

Government organisations, businesses, public authorities and research institutes are among the prime targets of cyber espionage. It is from these organisations that cyber attackers can gather sensitive data linked to a nation’s economic, industrial or scientific activity. This can start by hacking into employees’ e-mail accounts to retrieve confidential information.

ANSSI recently stated that several cyber espionage attacks, targeting French companies in particular, had been carried out by the APT 28 (or Fancy Bear) hacker unit, which is close to the Russian military intelligence services. The attackers are said to have exploited several security flaws to infiltrate Outlook e-mail accounts between March 2022 and June 2023.

What are the consequences of cyber espionage?

Financial impact on businesses

Cyber espionage has a significant economic impact on companies. Firstly, the attack is generally discovered several months after the infiltration and is immediately publicised in the media. This damages the organisation’s image and leads to a loss of confidence on the part of its customers and partners. Industrial espionage can also lead to the loss of markets and the theft of data relating to the organisation’s intellectual property. All these factors can destabilise companies financially.

Damage to national interests

Moreover, spying on companies operating in critical sectors can pursue interests other than financial ones. For example, when it comes to infrastructures linked to the energy, ICT or health sectors, cyber espionage contributes to the destabilisation of a country in economic, social and even security terms.

Against a backdrop of war and the threat of terrorism, government agencies are targeting strategic sectors. In 2023, it was discovered that Mirage, a Chinese cyberthreat, had infiltrated the networks of the German Federal Agency for Cartography and Geodesy in December 2021. Although the type of information compromised is not yet known, this clearly demonstrates that these attacks can deeply corrupt a system and potentially take hold over time. 

Strengthening European cyber security is more essential than ever

With the NIS 2 or DORA Directive, Europe is now preparing to strengthen the cyber security of the most sensitive organisations, particularly in the face of cyber espionage.

State cyber-attacks also fall within the scope of national cyber-defence. Military cyber defence players are mobilising to defend the information systems of critical organisations, in order to prevent state or private organisations from being paralysed. Similarly, the DGSI contributes to cyber defence by detecting and identifying state-sponsored cyber interference as early as possible.

The 2024 Olympic Games: a favourable context for destabilising companies

On the eve of the 2024 Olympic Games in Paris, the authorities are already warning of an “unprecedented level of risk of cyber attacks”, which could also target businesses, again with the aim of destabilising the host country.

Organisations in all essential and critical sectors need to be prepared for a potential cyber crisis. Technical cyber protection measures are expected, particularly to protect confidential communications and data. But it is also advisable to step up in-house training in good cybersecurity practices: employees and managers are generally the first point of entry into a company’s information system (IS) in the event of cyber espionage.


Finance: how to prepare for the application of DORA regulations?


Complementing the NIS2 directive, the DORA (Digital Operational Resilience Act) regulation adds another layer of cybersecurity to the financial sector. To protect their assets and the economic interests of European nations, financial institutions must strengthen their digital operational resilience.

The financial sector is heavily affected by cyber threats

Cyber attacks on the increase

Massive cyber attacks target financial sector infrastructures. Cyber risk now represents a major risk to financial stability. In its Financial System Risk Assessment report published in June 2023, the Banque de France notes that “the financial system remains exposed to a very high level of risk from cyber attacks”. This is due to the geopolitical context and also to artificial intelligence, which opens the way to highly sophisticated attacks that are harder to counter.

The very rapid digitisation of companies in the finance sector also explains this massive exposure to cyber risk. While the digitisation of banking services began very early on, information systems were not secured as quickly. In addition, employees of banking organisations make greater use of mobile devices and are more exposed to the risk of cyber attacks.


DORA complements NIS2 for cybersecurity

Because of the many risks and challenges involved, the European Union has classified the banking sector as highly critical under the NIS2 directive. As a result, organisations will need to strengthen their cybersecurity and train their decision-makers. Furthermore, the DORA regulation requires financial institutions to redouble their efforts to better manage their cyber risk and become more agile.


Key points of the DORA regulations

Which organisations are concerned?

DORA is relevant to most organisations operating in the financial sector, such as:

  • Credit institutions,
  • Investment, payment and electronic money companies,
  • Management companies,
  • Insurance and reinsurance companies,
  • Insurance and reinsurance intermediaries.

Objective: strengthen digital operational resilience

Better mapping and management of cyber risks

Like the “all-risks approach” in the NIS2 directive, the DORA regulation aims to improve risk awareness in the financial sector. Financial institutions must take into account the risks inherent in their operations. The regulation therefore calls for these risks to be identified and their level of impact on the organisation to be quantified, both internally and externally. In this way, organisations will have better visibility of the measures to be put in place and will be more agile.

Risk management also helps to reassure the company’s ecosystem. This is the case for customers, whose assets and personal data must be fully protected.


ICT service providers covered by the regulations

Today’s banks and financial institutions are dependent on information and communication technologies. If they are not sufficiently secure, these technologies expose the sensitive data they transmit.

Under the DORA regulations, the financial sector will have to be resilient in the face of operational disruptions linked to these technologies. Organisations will be responsible for identifying and classifying ICT-related risks and developing incident management processes.

Moreover, supervisory authorities will carry out checks on ICT compliance with risk management measures. Sanctions may be imposed in the event of non-compliance.


Choose ANSSI-qualified service providers

The French National Agency for Information Systems Security (ANSSI) recommends highly secure products and service providers, thanks to its security visa. It helps organisations in sensitive sectors, such as finance, to assess the reliability of communications solutions.

In the event of a cybersecurity incident, teams need to be able to continue exchanging information in a highly secure environment. This will guarantee business continuity and ensure operational resilience.

ANSSI has published a guide to the operational and strategic management of a cyber crisis.

ANSSI security approval: a guarantee of reliability

For over 5 years, Tixeo has been the only secure videoconferencing solution in France to be certified and qualified by ANSSI, thanks to its Secure By Design approach and end-to-end encryption technology.

When will the DORA regulation come into force?

The DORA regulation came into force in the European Union on 16 January 2023. Implementation of the regulation is therefore already underway. The deadline for its application in all Member States is 17 January 2025.

“Cyber stress test” campaigns in the pipeline

The banking system regularly undergoes stress tests linked to social and economic conditions. Soon, it may also have to undergo cyber stress tests. The ECB (European Central Bank) has announced plans to test the cyber resilience of financial institutions from 2024, through cyber security stress tests. Increasing cyber threats, teleworking and the use of the cloud are increasing the severity of cyber attacks and have therefore motivated this initiative.

This is a good way for organisations in the finance sector to put their DORA preparations to the test.
