The gathering of information related to the scientific and technological activity of a nation undermines its stability and competitiveness. Discussed at the last Five Eyes summit, protecting the scientific and technical potential of nations requires maximum cybersecurity measures.
Definition of Scientific and Technical Potential
The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.
A Primary Protection: The PPST Scheme
Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST). This regulatory security mechanism, inter-ministerial in level, led by the General Secretariat for Defence and National Security (SGDSN), is distributed across 6 different ministries:
- Ministry of Agriculture
- Ministry of Defence
- Ministry of Sustainable Development
- Ministry of Economy and Finance
- Ministry of Health
- and Ministry of Higher Education, Research, and Innovation
It aims to prevent any leakage or attempt to capture these sensitive pieces of information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical or virtual access to sensitive information is enforced. The PPST complements other security systems like those for the protection of Vital Importance Organisms (OIV) or national defence secrecy.
What are the risks if these sensitive pieces of information are exposed?
If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:
- Damage to the nation’s economic interests
- Development of military arsenals
- Proliferation of weapons of mass destruction
Various scientific and technical sectors are therefore covered by the PPST:
- Agronomic and ecological sciences,
- Earth, universe, and space sciences,
- Information and communication science and technology,
- Engineering sciences…
Thus, research laboratories, companies, and universities must be protected from the risks of data interception.
Protecting Scientific and Technical Potential from Cyber Espionage
Access to ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting the scientific and technical potential from cyber espionage.
Securing Restricted Regime Information Systems (SIRR)
A Restricted Regime Information System (SIRR) transmits Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the previously mentioned risks. Therefore, their access constitutes virtual access to a RR zone. It is noteworthy that SIRRs are subject to the inter-ministerial instruction no. 901 on the protection of secrecy and national defence.
The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists security measures to be implemented by organizations with a SIRR. Among these, the deployment of an information systems security policy (PSSI), listing all the good practices and computer security procedures to be followed by employees and other stakeholders.
Indeed, SIRR encompasses all types of supports and electronic equipment such as laptops, USB keys, or servers and therefore assumes parallel cybersecurity awareness for users.
Examples of Security Measures to Implement:
- Encryption of communications
- Encryption of hard drives of workstations
- Access control
Ensuring the Security of Workstations
Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.
Using End-to-End Encryption Technology for Communications
Communication tools deployed in companies, especially in RR zone establishments, must meet the highest level of security. Firstly, the solution used must be Secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.
Demonstrating the Utmost Reactivity in Case of Attack
In the event of a cyber crisis, a secure and emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., different from the one usually used.
The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.
First Five Eyes Summit on the Subject in 2023
On October 16 and 17, 2023, the first-ever Five Eyes summit on the theme of protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) alerted to the threats weighing on innovation and research. In particular, the Chinese government was targeted as the main danger to innovation and the interests of nations.
“The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of Australian intelligence services. Indeed, industrial espionage operations, originating from China, are experiencing an unprecedented increase. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” A resurgence of state-sponsored cyber espionage that also spares no European countries. The document “Five Principles for Securing Research and Innovation” was published at the end of the summit and presents several recommendations to maximize the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness of collaborators, and securing partnerships, suppliers, and service providers.