To prove their dependability, IT solutions may acquire a security certification. This becomes a significant advantage in the IT market, especially in an era where cybersecurity is a key concern for organizations. However, how can one ensure the credibility of a security certification across different countries?
What is a Security Certification?
Security certification for IT solutions and software involves appraising the product based on specific cybersecurity standards. These standards can vary depending on the industry and the regulations in effect within the issuing country. Therefore, certifications from different countries may not meet the same cybersecurity requirements, underscoring the importance of analyzing the criteria that establish the credibility of a cybersecurity certification.
Criteria for determining credibility
The Cyber Power of the Nation
A nation’s cyber power plays a role in its international influence. It encompasses the ability to utilize digital technologies and cyberspace to achieve national and international goals through government strategies, defensive operations, and resource mobilization. Various global indices help in determining a nation’s level of cyber power.
The Harvard Belfer Center’s NCPI Index
The National Cyber Power Index (NCPI) from the Belfer Center is a measure of nations’ cyber power. This index uses qualitative and quantitative data models to assess the capabilities and objectives of states. It includes 29 indicators, divided into two categories:
- Intent indicators
Intent indicators reflect a country’s priorities and motivations in terms of cybersecurity. In other words, it shows how the country plans to use its cyber capabilities, in line with its strategic and political objectives. These can range from defence, espionage and information control to influencing the definition of cyberspace norms and offensive operations.
- Capacity indicators
Capability intent indicators assess a country’s technical capabilities and cyber resources, regardless of how it chooses to use them. This includes technical expertise, infrastructure, available tools and technologies, and qualified human resources in cyber security.
The 2022 NCPI Report Findings
In the NCPI 2022 report, the authors assessed the cyber power of 30 countries around the world. In the top 10 are the United States, China, Russia, the United Kingdom and France in 9th position. Germany and the Netherlands are lower down the ranking.
France achieves a capability score of around 40 for the objective of “influence in defining cyberspace norms”, putting it in 4th place. In terms of intention score, France is in the top 4 of nations most involved in the defence objective.
The Internal Institute for Strategic Studies (IISS) Assessment
IISS has also developed a methodology for determining a nation’s cyber capabilities and how these contribute to its power. The institute classifies these capabilities into 7 distinct categories:
- Strategy and doctrine
- Governance, command and control
- Essential cyber espionage capability
- Empowerment and dependence on cyberspace
- Cybersecurity and resilience
- Global leadership in cyberspace affairs
- Offensive cyber security capability
In its “Cyber Capabilities and National Power” published in 2021, the IISS analyses France’s position in these areas. It states that “In many respects, France leads the EU in cybersecurity and resilience planning.”
France’s transparency on cybersecurity
France is also said to be more transparent on the issue of cyber security. Indeed, the report states that the country “maintains a clear separation between defensive and offensive cyber operations“. Thus, the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Informations) is exclusively dedicated to defensive operations and is not part of the intelligence community, unlike the National Security Agency (NSA) in the United States or the Government Communications Headquarters (GCHQ) in the United Kingdom. “This distinction is important to some in France, based on the assumption that the objectives and remit of an intelligence agency, including its disposition towards secrecy, may interfere with some of the objectives and practices necessary for civilian sector cybersecurity, including the need for greater transparency regarding cybersecurity breaches.”
A nation’s cyber power is therefore one of the essential criteria to be taken into account when assessing the credibility of a security certification issued by a country. Indeed, when a country is highly ranked, it demonstrates its high standards and capacity in terms of cybersecurity. Another decisive criterion is the national certification scheme.
The national certification scheme
Common Criteria (CC) is the only international standard for assessing the security of IT products and systems. This analyses technical criteria, as well as organisational criteria and criteria relating to company processes, in order to assign a more or less high level of security (7 levels).
These criteria are very demanding and require organisations to put in place significant resources. As a result, only large companies or groups can afford to apply for CC certification. This difficulty in awarding certification runs counter to the desire to develop a trusted digital system, bringing together organisations of all sizes, from multi-nationals to smaller businesses.
To facilitate this certification process, France and Germany, drawing on their experience as certifying countries, have created national certification schemes focusing on the technical evaluation of products:
- The Certification de Sécurité de Premier Niveau (CSPN), issued by ANSSI in France
- and the Beschleunigte Sicherheitszertifizierung (BSZ), issued by the BSI in Germany.
These schemes have made it possible to extend certification to a wider range of IT solutions, boosting their visibility while guaranteeing their high level of security. Indeed, the credibility of these national certification schemes rests above all on that of the issuing country.
The nation’s experience in issuing certification
(Common Criteria Statistics Reports 2022)
The nation’s experience in issuing certifications is a major factor in the credibility of its certification scheme. And for good reason: the number of certified products demonstrates expertise and a particular commitment to cybersecurity.
In 2022, according to the Common Criteria Statistics report, France, via ANSSI, is the world leader in the number of Common Criteria certifications issued, with 74 certified products. Over the last 5 years, France is the second country to have issued the most certifications, just behind the United States.
To sum up, the credibility of a safety certification is based on three main criteria:
- The cyber power of the nation issuing the certification
- The country’s commitment to developing a trusted digital system, through its national certification scheme
- The nation’s experience in certification
France, one of the most credible cyber powers
France appears to be one of the most credible and experienced cyber powers. Firstly, because of the various “cyber power” indices and because of its experience in evaluating IT products.
ANSSI-certified solutions offer significant security guarantees and greater confidence.
Tixeo, the only secure video conferencing solution certified and qualified by ANSSI
Thanks to its sovereign end-to-end encryption technology and secure on-premise videoconferencing offering, Tixeo has been certified and qualified by ANSSI since 2017.
With three ANSSI security certificates received in 6 years, the company marks continuity in its commitment to security. A high level of cyber requirements that goes beyond the purely “marketing” aspect of certification.