National Scientific and Technical Potential: How to Preserve it from Espionage?

The gathering of information related to the scientific and technological activity of a nation undermines its stability and competitiveness. Discussed at the last Five Eyes summit, protecting the scientific and technical potential of nations requires maximum cybersecurity measures.

Definition of Scientific and Technical Potential

The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.

A Primary Protection: The PPST Scheme

Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST). This inter-ministerial regulatory security mechanism, led by the General Secretariat for Defence and National Security (SGDSN), is distributed across 6 different ministries:

  • Ministry of Agriculture
  • Ministry of Defence
  • Ministry of Sustainable Development
  • Ministry of Economy and Finance
  • Ministry of Health
  • and Ministry of Higher Education, Research, and Innovation

It aims to prevent any leakage or attempt to capture these sensitive pieces of information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical or virtual access to sensitive information is enforced. The PPST complements other security systems like those for the protection of Vital Importance Organisms (OIV) or national defence secrecy.

What are the risks if these sensitive pieces of information are exposed?

If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:

  1. Damage to the nation’s economic interests
  2. Development of military arsenals
  3. Proliferation of weapons of mass destruction
  4. Terrorism

Sectors Affected

Various scientific and technical sectors are therefore covered by the PPST:

  • Biology,
  • Medicine,
  • Health,
  • Chemistry,
  • Mathematics,
  • Physics,
  • Agronomic and ecological sciences,
  • Earth, universe, and space sciences,
  • Information and communication science and technology,
  • Engineering sciences…

Thus, research laboratories, companies, and universities must be protected from the risks of data interception.

Protecting Scientific and Technical Potential from Cyber Espionage

Access to ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting the scientific and technical potential from cyber espionage.

Securing Restricted Regime Information Systems (SIRR)

A Restricted Regime Information System (SIRR) transmits Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the previously mentioned risks. Therefore, their access constitutes virtual access to a RR zone. It is noteworthy that SIRRs are subject to the inter-ministerial instruction no. 901 on the protection of secrecy and national defence.

The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists security measures to be implemented by organizations with a SIRR. Among these is the deployment of an information systems security policy (PSSI), which lists all the good practices and computer security procedures to be followed by employees and other stakeholders.

Indeed, a SIRR encompasses all types of media and electronic equipment, such as laptops, USB keys, or servers, and therefore requires cybersecurity awareness among users in parallel.

Examples of Security Measures to Implement:

  • Encryption of communications
  • Encryption of hard drives of workstations
  • Access control

Ensuring the Security of Workstations

Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.

Using End-to-End Encryption Technology for Communications

Communication tools deployed in companies, especially in RR zone establishments, must meet the highest level of security. Firstly, the solution used must be Secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.

Demonstrating the Utmost Reactivity in Case of Attack

In the event of a cyber crisis, a secure and emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., different from the one usually used.

The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.

First Five Eyes Summit on the Subject in 2023

On October 16 and 17, 2023, the first-ever Five Eyes summit on the theme of protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) warned of the threats weighing on innovation and research. In particular, the Chinese government was singled out as the main danger to innovation and the interests of nations.

“The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of Australian intelligence services. Indeed, industrial espionage operations, originating from China, are experiencing an unprecedented increase. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” A resurgence of state-sponsored cyber espionage that also spares no European countries.

The document “Five Principles for Securing Research and Innovation” was published at the end of the summit and presents several recommendations to maximize the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness of collaborators, and securing partnerships, suppliers, and service providers.

The Surveillance Industry or Europe’s Dangerous Paradox

Excerpt from the Digital Violence platform (https://www.digitalviolence.or)

Opinion piece by Jean-Philippe Commeignes, Commercial Director @Tixeo

Europe, struck by the war in Ukraine for nearly two years, has been experiencing an intensification of the terrorist threat for several weeks following the outbreak of war between Israel and Hamas. In this extremely tense geopolitical context, the statement by the Minister of the Interior in a recent interview about access to data and encrypted messaging conversations has put back on the table the binary question of balancing privacy protection and the need for security.

The fundamental issue is not so much the debate on the unlikely negotiation of access to public encrypted messaging, but the strict control of the use, sale, and export of cutting-edge surveillance technologies. These technologies, beyond circumventing the encryption problem, represent a dangerous temptation within the European Union, as highlighted by Sophie in ‘t Veld, a Member of the European Parliament, in her latest opinion piece on the risks of this industry.

Global War on Terror and Mass Surveillance

After September 11 and the launch of the war on terror by the USA and its allies, the demand for surveillance and intelligence solutions exploded. A 2017 Privacy International report counts several hundred companies in this sector created between 2001-2013, 75% of which are from NATO countries. The approach, tinged with American techno-solutionism to address the threat, led to the implementation of mass surveillance programs revealed by whistleblower Edward Snowden in 2013, then employed by the famous NSA agency. This also revealed the role of major American platforms in this data collection.

Uncontrolled Changes in the Post-Snowden World

These revelations had two major effects:

• The gradual generalization of encryption, even in consumer solutions, making authorities more “blind” in technical collection, and prompting states to have means of circumvention;

• The tightening of data protection regulations, through the General Data Protection Regulation, positioning Europe as a standard-bearer for privacy protection worldwide.

Concurrently, the rapid adoption of smartphones, messaging, and social networks facilitated the coordination of social movements like the Arab Spring, creating a stronger demand from authoritarian countries for solutions to contain them.

“The Cyber Surveillance Industry Has Adapted Across the Entire Value Chain”

The cyber surveillance industry has adapted across the entire value chain to meet both domestic and export markets, in a mix of business and foreign policy. It’s a market with layers.

Extract from the Digital Violence platform

The first is the research and acquisition of computer vulnerabilities unknown to publishers, called 0-days, which allow those who hold them to compromise targeted software and equipment without user action (0-click). The second is spy software that uses these vulnerabilities as invisible vectors to deploy its real-time surveillance tools.

This was highlighted twice thanks to the work of journalist consortia and NGOs like Amnesty International. The first time in July 2021 by Forbidden Stories and 17 media outlets as part of the Pegasus Project, named after the spyware developed by Israeli company NSO. The second time, a month ago, in the context of the Predator Files, named after another type of software, this time developed by a consortium of companies based in Europe, particularly in France, Intellexa. This is emblematic of an ecosystem still adrift and used for political purposes. The Digital Violence platform, developed by Forensic Architecture, allows for a frightening but salutary immersion.

Today, the cyber surveillance industry market is estimated at $12 billion according to the director of the Citizen Lab.

The PEGA Commission and Its Recommendations Against Illiberal Temptations in Europe

The work of the Parliamentary Commission on Spyware, called PEGA, following the Pegasus scandal, has highlighted the main problems within the European Union.

Domestically

First, domestically, with the confirmation that 14 European countries and 22 security agencies had acquired this type of software and that 5 member countries had used it against civil society in disregard of the law and institutions. This underlines that even our democracies can be seduced by tools that bypass the indispensable control for legitimate and proportionate use, sometimes relying on a very broad definition of the concept of national security.

Internationally

Internationally, they showed the limitations of the EU’s export rules for these technologies, both permissive and without homogeneous application within member states. This allows for the implementation of opaque company structures to take advantage of these weaknesses for easier export.

A recent report by the Carnegie Endowment for International Peace indicates that EU member states granted 317 export authorizations in this segment between 2015 and 2017, compared to only 14 refusals. It also indicates that these exports are primarily to countries where human rights are secondary.

This is Europe’s paradox: being a model promoting democracy and human rights protection while importing and exporting, without strict control, the means of its regression.

“Bossware”: what is this software that spies on employees?

Bossware makes it possible to monitor an employee’s activity remotely. The use of spyware is more widespread than you might think, especially since the advent of teleworking and AI. How can they be detected and what are the risks? 

What is bossware?

“Bossware” is the term used to describe software designed to monitor employees. Installed on the workstation, it collects a maximum amount of data on the worker’s activity, with the aim of obtaining an overview of their productivity. This spyware can record all online activity, keystrokes, mouse movements and even, in some cases, take random screenshots and record audio or video.

Widely used since the widespread deployment of teleworking in 2020, it enables managers to keep an eye on their employees from a distance. Now, with the development of artificial intelligence, surveillance can go even further. For example, some “bossware” software, such as Veriato, is capable of analysing worker data to assign them a “risk score” for the company’s security. Others can send alerts if the worker does not seem to be behaving appropriately at their post.

Spyware not always detectable

Bossware can be deployed visibly or silently. With visible surveillance, workers are aware that their activity is being monitored. In certain configurations, they can even act on the software by pausing it, for example. Conversely, with silent surveillance, employees are not aware that they are being “spied on”. The software may therefore have been installed remotely on their workstation without their consent.

Authorised in the United States: and in Europe?

In the United States, employers can easily force employees to install this type of software on their workstations. However, laws are now being introduced to limit their use by requiring companies to be transparent.

The GDPR also protects employees

In Europe, employee surveillance is not clearly legislated. Nevertheless, the General Data Protection Regulation (GDPR) can serve as a reference on the subject. This regulation defines the conditions for the collection, use and transfer of personal data and provides a framework for data processing operations, including those relating to employee monitoring. In this way, employee consent to the processing of their data is absolutely required. However, as the European report “Employee monitoring and surveillance: The challenges of digitalisation” states, “it is up to each [EU] Member State to put in place specific data protection provisions”.

Controversial but still used

In France, “bossware” is highly controversial, but it is still widely used. According to a study carried out by Vanson Bourne for VMware, “63% of French companies with more than 500 employees have implemented surveillance tools”. Nevertheless, the French Data Protection Authority (CNIL) regularly issues warnings about the use of this software. It points out that such surveillance must not “undermine respect for employees’ rights and freedoms”. Employees must therefore be informed before any surveillance tool is put in place. Surveillance in the workplace is one of the main reasons for complaints to the CNIL.

But Europe’s leading country for employee surveillance is Spain. According to the same report, “40% of Spanish companies have installed spyware”, compared with 15% in Germany and 26% in the UK.

The different ways of detecting bossware

According to TechTarget, bossware can be detected by carrying out a few checks.

Check the task manager

If an unrecognised piece of software with a name containing a number of random numbers and letters is running in the background, it may be bossware. Note that many spyware programs are not detectable in Task Manager.
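The Task Manager check above can be scripted. The following is an added example, not code from TechTarget or Tixeo: it parses a constructed sample of `tasklist /FO CSV` output and flags unrecognised image names that interleave letters and digits. The sample process names, the `RECOGNISED` allowlist and the thresholds are assumptions.

```python
import csv
import io
import math
from collections import Counter

# Constructed sample in the format printed by `tasklist /FO CSV` on Windows.
# Process names and PIDs are invented for this example.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"svchost.exe","1044","Services","0","21,512 K"
"rundll32.exe","3316","Console","1","9,884 K"
"explorer.exe","5120","Console","1","98,300 K"
"msedgewebview2.exe","6012","Console","1","77,140 K"
"k7x2q9vb4mzt.exe","8844","Console","1","34,120 K"
"a91f03c7e2d4.exe","9120","Services","0","12,048 K"
"q8w3e7r2.exe","9544","Console","1","5,300 K"
'''

# Assumption: names the reviewer has already identified and accepts,
# for instance an in-house tool that happens to have an odd name.
RECOGNISED = {"q8w3e7r2.exe"}


def shannon_entropy(text):
    """Bits per character; higher means less repetition in the name."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(text).values())


def class_switches(stem):
    """Count letter/digit boundaries: 'rundll32' has 1, 'k7x2' has 3."""
    alnum = [c for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(alnum, alnum[1:])
               if a.isdigit() != b.isdigit())


def looks_random(image_name, min_len=8, min_switches=3):
    """Heuristic for 'random numbers and letters' in an image name.

    A single trailing version digit (python3, rundll32) gives one switch
    and is ignored; interleaved digits and letters give many.
    """
    stem = image_name.rsplit(".", 1)[0].lower()
    has_both = (any(c.isdigit() for c in stem)
                and any(c.isalpha() for c in stem))
    return (len(stem) >= min_len and has_both
            and class_switches(stem) >= min_switches)


def flag_processes(tasklist_csv, recognised=RECOGNISED):
    """Return unrecognised, random-looking processes, most suspicious first."""
    recognised_lower = {name.lower() for name in recognised}
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"]
        if name.lower() in recognised_lower or not looks_random(name):
            continue
        stem = name.rsplit(".", 1)[0].lower()
        findings.append({
            "name": name,
            "pid": int(row["PID"]),
            "switches": class_switches(stem),
            "entropy": round(shannon_entropy(stem), 2),
        })
    return sorted(findings, key=lambda f: f["switches"], reverse=True)


if __name__ == "__main__":
    for finding in flag_processes(SAMPLE_TASKLIST):
        print(finding)
```

An empty result does not clear a workstation: as noted above, many spyware programs do not appear in the process list at all.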

Download antispyware

If you are suspicious, anti-spyware software can be useful. It will scan the device and be able to identify the “bossware” as malicious software. 

Monitor outgoing Internet traffic

Some Internet traffic monitoring software can detect unusual traffic and confirm suspicions.

What are the risks of using bossware to monitor employees?

Impact on employee productivity and well-being

The introduction of employee monitoring tools demonstrates a blatant lack of trust on the part of management towards employees working remotely. And yet, this mutual trust is essential if employees are to remain committed to the company and retain their loyalty. Surveillance, when it is visible, puts constant pressure on employees, pressure that can lead to exhaustion and burn-out. While management would like to control and act on their productivity, it is harming the well-being of its teams.

Data theft and breach of privacy

In France, employees have rights regarding the processing of their data, particularly under the GDPR. They should be aware of this and not hesitate to alert their representatives if they have any doubts about spyware in their company. The use of “bossware” leads to massive processing of personal content and data, which undermines respect for employees’ privacy. If this software is not perfectly secure, it can be targeted by cyber-attacks. As a result, data concerning both the employee and the company is liable to fall into the hands of malicious parties. Employers must protect employee data, whether it has been collected for recruitment, security or business monitoring purposes.

Conclusion: to combat bossware, promote trust and communication

In conclusion, bossware has been widely used since the health crisis and is tending to develop further with artificial intelligence. However, its effects can sometimes be harmful to employee well-being and undermine team performance.

The use of spyware should never be systematic for remote collaboration. It is essential that teleworking is offered in a climate of trust, in order to reap all the benefits in terms of productivity and quality of life at work. To achieve this, appropriate and secure management and communications tools are essential.

Preserving your company’s cybersecurity

The security risks of “bossware” are real. They can lead to the loss of personal data and have financial repercussions for the company.

Employees must remain aware of their rights regarding the protection of their privacy and personal data, and not hesitate to contact their representatives if they have any doubts about the use of bossware.

To find out more about teleworking: https://www.tixeo.com/en/discover-tixeo-video-conferencing/security/white-paper-on-secure-teleworking/

State Cyberespionage: Challenges and Key Figures (Infographic)

European businesses and organisations are facing an increase in state-originated cyberespionage attacks, predominantly from Russian or Chinese sources, which have escalated since the Ukrainian war. Key statistics of state cyberespionage include:

  • In 2022, 77% of state cyberattacks involved espionage operations. (source: cfr.org/cyber-operations)
  • 9 out of 19 cyber defence operations involved China-linked groups. (source: ANSSI)
  • As of 2023, 83% of identified state cyberattacks are espionage-related. (source: cfr.org/cyber-operations)

The 2024 Olympics: A Forthcoming Challenge

80 critical entities are involved in the Paris 2024 Olympics, out of a total of 350 organisations. The cyber risk level may reach an unprecedented threshold during this period. European organisations, especially French ones, need to prepare now, as international state cyber threat actors might exploit this global event to conduct attacks, including cyberespionage, to destabilise the Olympics and potentially the nation’s equilibrium.

Cyber Resilience More Necessary Than Ever

European organisations must now prepare for the worst, particularly in the tense geopolitical context with the war in Ukraine and the Middle East. Strengthening cybersecurity measures is crucial. The ANSSI has announced conducting around sixty audits and distributing training kits to the 350 entities involved in the 2024 Olympics, including 210 healthcare establishments. The goal is to better identify risks and respond quickly and effectively, using “rapid remediation plans” to maximise organisational resilience and ensure continuity of operations.

How to Assess the Credibility of a Security Certification?

To prove their dependability, IT solutions may acquire a security certification. This becomes a significant advantage in the IT market, especially in an era where cybersecurity is a key concern for organizations. However, how can one ensure the credibility of a security certification across different countries?

What is a Security Certification?

Security certification for IT solutions and software involves appraising the product based on specific cybersecurity standards. These standards can vary depending on the industry and the regulations in effect within the issuing country. Therefore, certifications from different countries may not meet the same cybersecurity requirements, underscoring the importance of analyzing the criteria that establish the credibility of a cybersecurity certification.

Criteria for determining credibility

The Cyber Power of the Nation

A nation’s cyber power plays a role in its international influence. It encompasses the ability to utilize digital technologies and cyberspace to achieve national and international goals through government strategies, defensive operations, and resource mobilization. Various global indices help in determining a nation’s level of cyber power.

The Harvard Belfer Center’s NCPI Index

The National Cyber Power Index (NCPI) from the Belfer Center is a measure of nations’ cyber power. This index uses qualitative and quantitative data models to assess the capabilities and objectives of states. It includes 29 indicators, divided into two categories:

  • Intent indicators

Intent indicators reflect a country’s priorities and motivations in terms of cybersecurity. In other words, they show how the country plans to use its cyber capabilities, in line with its strategic and political objectives. These can range from defence, espionage and information control to influencing the definition of cyberspace norms and offensive operations.

  • Capability indicators

Capability indicators assess a country’s technical capabilities and cyber resources, regardless of how it chooses to use them. This includes technical expertise, infrastructure, available tools and technologies, and qualified human resources in cyber security.

The 2022 NCPI Report Findings

In the NCPI 2022 report, the authors assessed the cyber power of 30 countries around the world. The top 10 includes the United States, China, Russia, the United Kingdom and, in 9th position, France. Germany and the Netherlands are lower down the ranking.

France achieves a capability score of around 40 for the objective of “influence in defining cyberspace norms”, putting it in 4th place. In terms of intention score, France is in the top 4 of nations most involved in the defence objective.

The International Institute for Strategic Studies (IISS) Assessment

IISS has also developed a methodology for determining a nation’s cyber capabilities and how these contribute to its power. The institute classifies these capabilities into 7 distinct categories:

  1. Strategy and doctrine
  2. Governance, command and control
  3. Essential cyber espionage capability
  4. Empowerment and dependence on cyberspace
  5. Cybersecurity and resilience
  6. Global leadership in cyberspace affairs
  7. Offensive cyber security capability

In its “Cyber Capabilities and National Power” published in 2021, the IISS analyses France’s position in these areas. It states that “In many respects, France leads the EU in cybersecurity and resilience planning.”

France’s transparency on cybersecurity

France is also said to be more transparent on the issue of cyber security. Indeed, the report states that the country “maintains a clear separation between defensive and offensive cyber operations”. Thus, the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Informations) is exclusively dedicated to defensive operations and is not part of the intelligence community, unlike the National Security Agency (NSA) in the United States or the Government Communications Headquarters (GCHQ) in the United Kingdom. “This distinction is important to some in France, based on the assumption that the objectives and remit of an intelligence agency, including its disposition towards secrecy, may interfere with some of the objectives and practices necessary for civilian sector cybersecurity, including the need for greater transparency regarding cybersecurity breaches.”

A nation’s cyber power is therefore one of the essential criteria to be taken into account when assessing the credibility of a security certification issued by a country. Indeed, when a country is highly ranked, it demonstrates its high standards and capacity in terms of cybersecurity. Another decisive criterion is the national certification scheme.

The national certification scheme

Common Criteria (CC) is the only international standard for assessing the security of IT products and systems. It analyses technical criteria, as well as organisational criteria and criteria relating to company processes, in order to assign a more or less high level of security (7 levels).

These criteria are very demanding and require organisations to put in place significant resources. As a result, only large companies or groups can afford to apply for CC certification. This difficulty in awarding certification runs counter to the desire to develop a trusted digital system, bringing together organisations of all sizes, from multi-nationals to smaller businesses.

To facilitate this certification process, France and Germany, drawing on their experience as certifying countries, have created national certification schemes focusing on the technical evaluation of products:

These schemes have made it possible to extend certification to a wider range of IT solutions, boosting their visibility while guaranteeing their high level of security. Indeed, the credibility of these national certification schemes rests above all on that of the issuing country.

The nation’s experience in issuing certification

Number of CC certifications issued in 2022 by country
(Common Criteria Statistics Reports 2022)

The nation’s experience in issuing certifications is a major factor in the credibility of its certification scheme. And for good reason: the number of certified products demonstrates expertise and a particular commitment to cybersecurity.

In 2022, according to the Common Criteria Statistics report, France, via ANSSI, is the world leader in the number of Common Criteria certifications issued, with 74 certified products. Over the last 5 years, France is the second country to have issued the most certifications, just behind the United States.

To sum up, the credibility of a security certification is based on three main criteria:

  • The cyber power of the nation issuing the certification
  • The country’s commitment to developing a trusted digital system, through its national certification scheme
  • The nation’s experience in certification

France, one of the most credible cyber powers

France appears to be one of the most credible and experienced cyber powers. This is because of the various “cyber power” indices and because of its experience in evaluating IT products.

ANSSI-certified solutions offer significant security guarantees and greater confidence.

Tixeo, the only secure video conferencing solution certified and qualified by ANSSI

Thanks to its sovereign end-to-end encryption technology and secure on-premise videoconferencing offering, Tixeo has been certified and qualified by ANSSI since 2017.

With three ANSSI security certificates received in 6 years, the company marks continuity in its commitment to security. This reflects a high level of cyber requirements that goes beyond the purely “marketing” aspect of certification.