“A test like we have never experienced in our collective cybersecurity” : Vincent Strubel, director general of the National Information Systems Security Agency (Anssi), immediately sets the tone when discussing the Olympic and Paralympic Games in Paris, which will begin at the end of July. On the occasion of the InCyber cybersecurity forum, which takes place until March 28 in Lille, the director general of the decentralized service took stock of the main upcoming projects, with the Olympic Games in mind. “This should not make us forget the general challenge of scaling up, with the development of cybersecurity solutions that meet the needs of as many people as possible”however tempers Vincent Strubel.
A current challenge, with “threat trends that are being confirmed”. On the one hand, a state threat, being “agile, stealthy, reactive, targeted, on the same strategic entities”with an evolution towards sabotage “more and more concrete”. On the other, a systemic threat, coming from organized crime and hacktivists, “with diverse visions”. This threat is not targeted, but “is massive and spares no one”. Between 2022 and 2023, it increased by 30%. At the end of February, Anssi published its annual overview of the cyber threat, warning of the increase in cyber attacks targeting “the most fragile”.
Advertisement
Avoid being “drowned under attacks of low severity but high visibility” during the Olympics
In the short term, Anssi intends to respond to the challenges surrounding major events, first and foremost, chronologically, the European elections of June 9. For each election, the agency places itself at the service of the election judge, the Council of State, but also “available to campaign teams, without distinction, while remaining in (one’s) role”.
The major project remains that of Olympic Gameswhich Vincent Strubel describes as “new, unique”. A period during which “all the spotlight will be on France”, including those of cyberattackers. The director general of Anssi distinguishes between malicious state actors, who want to harm the image of France, particularly during the opening ceremony, for example, from organized crime, with the sales period, and “hacktivists of all kinds who want to seize the media megaphone”.
Vincent Strubel says to himself “confident about (the) ability to cope”highlighting the cooperation work with Paris 2024, the organizers' subcontractors or sports federations. “Confidence does not mean carelessness, he notes. The worst scenario, according to him: that “in which we would be drowned in low-serious but high-visibility, high-profile attacks, which would put such pressure on us that we would not so much spot the more sneaky, more serious attack.”
Against these threats, the director general of Anssi insists that all incidents be reported, and calls for collective responsibility and education so that certain attacks do not contribute to an anxiety-provoking climate. “During the Olympics, there will be very visible but not very serious attacks, such as denials of service, and perhaps serious attacks but not having an impact on the Olympics, such as data theft”. During the Tokyo Olympics, 450 million cyberattacks and 4.4 billion threats were recorded, for an edition without spectators due to the health crisis.
Advertisement
An “independent structure” created to monitor compliance with the NIS2 directive
In October 2024, the NIS2 directive will be transposed into French law, legislation aimed at harmonizing the level of cybersecurity across Europe, and which will concern the vast majority of SMEs and most communities. Vincent Strubel wants to be reassuring : “I can't imagine us asking for total compliance before three years, from the publication of the text. We will have to look for a certain progressiveness, perhaps with tests and blank checks, but we are not going to distribute the sanctions straight away.”
Anssi, which will intervene as a regulator and supervisory authority in the application of this directive, specifies that the sanction regime will be dissuasive. Its general director adds that a “independent structure” will be created to make decisions. It will be a “college training, which will respect the adversarial rule and the proportionality of sanctions to offenses.” In addition, a portal will be set up “to allow the boarding of new taxable persons, to allow them to test whether or not they are subject to NIS2”, before connecting them.
Vincent Strubel also mentioned the “My cyber help” project, developed by a state start-up in the experimental phase, which will connect “entities” needing to do a cybersecurity diagnosis with those who can offer them help, whether public or private.
Strengthen the attractiveness of cybersecurity professions
On Monday, Anssi published the second edition of its Observatory on cybersecurity professions, focusing on the perception of different professions by cybersecurity practitioners. Only 6 out of 10 professionals say that this field is recognized or socially valued, and 41% of them think that their profession allows them to reconcile professional and private life. “These studies highlight the factors which limit the attractiveness of our professions today, which mean that we do not attract enough young people to initial training, or less young people to retraining”deplores Vincent Strubel.
The opportunity for the latter to recall the “Tomorrow cyber specialist” initiative, launched in 2023 with the Cyber Campus and the Ministry of National Education. This project combines communication campaigns, games and hackathons with middle and high school students. “Seeing high school students working hard, reinventing a werewolf of cybersecurity, with VPN cards and zero-day cards, it’s amazing and it fills me with confidence in the future”concludes Vincent Strubel.
Selected for you