National Scientific and Technical Potential: How to Preserve it from Espionage?

National Scientific and Technical Potential: How to Preserve it from Espionage?

The gathering of information related to the scientific and technological activity of a nation undermines its stability and competitiveness. Discussed at the last Five Eyes summit, protecting the scientific and technical potential of nations requires maximum cybersecurity measures.

Definition of Scientific and Technical Potential

The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.

A Primary Protection: The PPST Scheme

Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST). This regulatory security mechanism, inter-ministerial in level, led by the General Secretariat for Defence and National Security (SGDSN), is distributed across 6 different ministries:

  • Ministry of Agriculture
  • Ministry of Defence
  • Ministry of Sustainable Development
  • Ministry of Economy and Finance
  • Ministry of Health
  • and Ministry of Higher Education, Research, and Innovation

It aims to prevent any leakage or attempt to capture these sensitive pieces of information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical or virtual access to sensitive information is enforced. The PPST complements other security systems like those for the protection of Vital Importance Organisms (OIV) or national defence secrecy.

What are the risks if these sensitive pieces of information are exposed?

If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:

  1. Damage to the nation’s economic interests
  2. Development of military arsenals
  3. Proliferation of weapons of mass destruction
  4. Terrorism

Sectors Affected

Various scientific and technical sectors are therefore covered by the PPST:

  • Biology,
  • Medicine,
  • Health,
  • Chemistry,
  • Mathematics,
  • Physics,
  • Agronomic and ecological sciences,
  • Earth, universe, and space sciences,
  • Information and communication science and technology,
  • Engineering sciences…

Thus, research laboratories, companies, and universities must be protected from the risks of data interception.

Protecting Scientific and Technical Potential from Cyber Espionage

Access to ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting the scientific and technical potential from cyber espionage.

Securing Restricted Regime Information Systems (SIRR)

A Restricted Regime Information System (SIRR) transmits Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the previously mentioned risks. Therefore, their access constitutes virtual access to a RR zone. It is noteworthy that SIRRs are subject to the inter-ministerial instruction no. 901 on the protection of secrecy and national defence.

The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists security measures to be implemented by organizations with a SIRR. Among these, the deployment of an information systems security policy (PSSI), listing all the good practices and computer security procedures to be followed by employees and other stakeholders.

Indeed, SIRR encompasses all types of supports and electronic equipment such as laptops, USB keys, or servers and therefore assumes parallel cybersecurity awareness for users.

Examples of Security Measures to Implement:

  • Encryption of communications
  • Encryption of hard drives of workstations
  • Access control

Ensuring the Security of Workstations

Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.

Using End-to-End Encryption Technology for Communications

Communication tools deployed in companies, especially in RR zone establishments, must meet the highest level of security. Firstly, the solution used must be Secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.

Demonstrating the Utmost Reactivity in Case of Attack

In the event of a cyber crisis, a secure and emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., different from the one usually used.

The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.

First Five Eyes Summit on the Subject in 2023

On October 16 and 17, 2023, the first-ever Five Eyes summit on the theme of protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) alerted to the threats weighing on innovation and research. In particular, the Chinese government was targeted as the main danger to innovation and the interests of nations.

The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of Australian intelligence services. Indeed, industrial espionage operations, originating from China, are experiencing an unprecedented increase. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” A resurgence of state-sponsored cyber espionage that also spares no European countries. The document “Five Principles for Securing Research and Innovation” was published at the end of the summit and presents several recommendations to maximize the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness of collaborators, and securing partnerships, suppliers, and service providers.

Cyberspace: European companies faced with international cyber espionage

Cyberspace: European companies faced with international cyber espionage

Cyber espionage attacks by state or para-state entities are on the increase, targeting European companies. They mainly target organisations that are essential to a country’s functioning or economy.


Consequences of geopolitical instabilities

An upsurge in state and para-state attacks

Since the war in Ukraine, conflicts in cyberspace have continued to intensify and the typology of cyberattackers has diversified. More and more state actors are using traditional cybercrime methods, such as ransomware, to target private or public organisations. As a result, it is becoming increasingly difficult to identify precisely the perpetrators of these malicious activities. What’s more, the techniques used are more sophisticated and therefore more effective, as they mobilise more resources and cause more damage. In fact, the fight against cyberespionage has been made one of the ANSSI‘s main missions for 2022. Cyber espionage can affect information systems for months without being noticed by organisations.

In 2022, 150 cyber-state attacks were recorded, 77% of which involved espionage operations. In 2023, the percentage has already risen to 83% of all state cyber attacks, even though the year is not yet over.

Mainly of Chinese or Russian origin, these state and para-state espionage attacks pursue different objectives, depending on the case:

  • the collection of confidential data,
  • computer or physical sabotage of a critical infrastructure
  • or political destabilisation.

Sensitive sectors particularly targeted by cyber espionage

Government organisations, businesses, public authorities and research institutes are among the prime targets of cyber espionage. It is from these organisations that cyber attackers can gather sensitive data linked to a nation’s economic, industrial or scientific activity. This can start by hacking into employees’ e-mail accounts to retrieve confidential information.

ANSSI recently stated that several cyber espionage attacks, targeting French companies in particular, had been carried out by the APT 28 (or Fancy Bear) hacker unit, which is close to the Russian military intelligence services. The attackers are said to have exploited several security flaws to infiltrate Outlook e-mail accounts between March 2022 and June 2023.

What are the consequences of cyber espionage?

Financial impact on businesses

Cyber espionage has a significant economic impact on companies. Firstly, the attack is generally discovered several months after the infiltration and is immediately publicised in the media. This damages the organisation’s image and leads to a loss of confidence on the part of its customers and partners. Industrial espionage can also lead to the loss of markets and the theft of data relating to the organisation’s intellectual property. All these factors can destabilise companies financially.

Damage to national interests

Moreover, spying on companies operating in critical sectors can pursue interests other than financial ones. For example, when it comes to infrastructures linked to the energy, ICT or health sectors, cyber espionage contributes to the destabilisation of a country in economic, social and even security terms.

Against a backdrop of war and the threat of terrorism, government agencies are targeting strategic sectors. In 2023, it was discovered that Mirage, a Chinese cyberthreat, had infiltrated the networks of the German Federal Agency for Cartography and Geodesy in December 2021. Although the type of information compromised is not yet known, this clearly demonstrates that these attacks can deeply corrupt a system and potentially take hold over time. 


Strengthening European cyber security is more essential than ever

With the NIS 2 or DORA Directive, Europe is now preparing to strengthen the cyber security of the most sensitive organisations, particularly in the face of cyber espionage.

State cyber-attacks also fall within the scope of national cyber-defence. Military cyber defence players are mobilising to defend the information systems of critical organisations, in order to prevent state or private organisations from being paralysed. Similarly, the DGSI contributes to cyber defence by detecting and identifying cyber interference by the state as early as possible.

The 2024 Olympic Games: a favourable context for destabilising companies

On the eve of the 2024 Olympic Games in Paris, the authorities are already warning of an “unprecedented level of risk of cyber attacks“, which could also target businesses, again with the aim of destabilising the host country.

Organisations in all essential and critical sectors need to be prepared for a potential cyber crisis. Technical cyber protection measures are expected, particularly to protect confidential communications and data. But it is also advisable to step up in-house training in good cybersecurity practices. Employees and managers are generally the first point of entry into a company’s IS in the event of cyber espionage.


How do you raise employee awareness of cybersecurity?

How do you raise employee awareness of cybersecurity?

Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.

Economic and political risks

Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.

The hackers’ objectives may be :

  • To steal money from an individual or a company
  • Capture a company’s customers
  • Damage the reputation of a company or a political player/party
  • Set up industrial, political or military espionage

An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if they are to become aware of them and react accordingly.


Cybersecurity awareness campaigns :

Schedule regular training sessions

Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise them in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.

Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.

It may be a good idea to conclude each training session with a practical summary document. This will serve as a memo for the employee. On the fun side, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.


Using gamification

Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.


Calling on key players

For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. These may be organisations specialising in IT security, university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.


Strengthening internal communication

Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.

For example, spearphishing attacks are currently on the increase and are affecting more and more organisations. This type of cyber attack specifically targets a company employee with access to sensitive information. It is generally based on identity theft and strong social engineering. The hacker’s aim is to send an e-mail that is consistent with the activity of the targeted person or company, by encouraging them to click on a malicious link or open an infected attachment. In this way, the employee’s data can be understood. The success rate of spearphishing is high and worrying. It is necessary to communicate this type of information to employees by e-mail, via a corporate social network or in an internal repository. These communications can be accompanied by a number of practical steps that can be taken to avoid being caught out.

Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of issues (e.g. “I clicked on the wrong link, what should I do?”). Employees will find the contact details of the support service and a few simple actions to take while they wait for help. These sheets are particularly recommended for teleworkers, who are more on their own when it comes to security issues.


Read more:

5 tips to secure teleworking from Julien, System and Security Admin at Tixeo

Carry out test campaigns

Finally, there’s nothing like a (fake) cyber attack to raise awareness of cybersecurity. Cyber security test campaigns involve the whole company and have a dual objective. They show employees that attacks can affect them, and so measure their level of vigilance. Generally, phishing campaigns are organised, since this type of email attack is still the most common. At the end of these test campaigns, and depending on the results, additional training modules will have to be offered to employees.


3 essential precautions for raising awareness of cyber security

Leveraging the diversity of our actions

Freeing up time for training is not always easy, and most employees drag their feet when it comes to cybersecurity training. So the key is to diversify your training courses, so that you can tackle the subject from different angles, providing concrete, practical information. Not forgetting the educational and fun aspects!

Tailoring awareness-raising campaigns to specific professions

It is important for employees to learn techniques to protect themselves, but also and above all to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.

Stepping up training for teleworkers

While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.


Find out about other good safety practices for teleworking:

white paper on teleworking security