Airports in Germany, postal services in the UK and hospitals in France: cyberattacks have no borders, and cyber-headlines in late 2022 and early 2023 confirm that any companies and organisations can become a target for cyberattacks. But being a target doesn’t necessarily mean being a victim. Could 2023 be the year in which “hardened” cybersecurity products gain a foothold? Here’s why.
In late 2015, Benoît Thieulin (then head of France's National Digital Council) called for synergy between military and civilian cybersecurity, in order to ensure that as many structures as possible have access to greater security for their information systems. “Cybersecurity has to be demilitarised; in short, it has to expand out of its usual environment to ensure that the lessons it offers can be circulated among the general public”, he explained in a speech. Several years on, what’s the latest news from the front line between the military and civilian worlds?
Cybersecurity has to be demilitarised; in short, it has to expand out of its usual environment to ensure that the lessons it offers can be circulated among the general public.Benoît Thieulin, former President of France’s Conseil national du numérique digital council
To provide some context for this quote, we should go back to the end of 2014, when the American company Sony Pictures Entertainment was the victim of a major cyberattack. Attributed by the FBI to the North Korean government, this cyberattack is believed to have been in retaliation for the film The Interview (in which CIA agents assassinate the North Korean leader). A few months later, the "Cybercaliphate" cybercriminal group began to make news after hacking into the Twitter accounts of the US Army's Middle East and Central Asia Command and the US weekly Newsweek publication. In April 2015, the French television channel TV5 Monde was affected: the broadcasting infrastructure was taken down while the channel's social media accounts were hacked to display messages supporting the Islamic State. These episodes were a general public demonstration of the ability of a belligerent state to strike at a civilian company, regardless of its size and the methods employed to ensure its computer security.
A gradual hardening of cybersecurity products
Unfortunately, almost 10 years later, such sophisticated attacks are still with us. But these cyberattacks have evolved, and are now targeting the cybersecurity products themselves. What are the cybercriminals trying to do? Their aim is to open a security hole by disabling or compromising the protection agent, and thus obtain escalated privileges on the infected machine. “Nowadays, the most sophisticated attacks are aimed primarily at cybersecurity products rather than the infrastructure itself,” says Mark Johnson, a Stormshield pre-sales engineer. The security of these products must therefore be monitored and strengthened over time to ensure optimal protection against new attacks . And as illustrated by the catalogue of known vulnerabilities from the American agency CISA, no vendor is immune to these attacks. For this reason, the issue of strengthening and hardening of security products is becoming a major challenge. This approach consists of “reducing the attack surface of a system, software or product in order to make it more secure”, explains Frantz Cournil, Stormshield Product Leader. The approach was originally developed in the military world to protect highly sensitive IT assets.
What does hardening mean in practice? The central objective of this approach is to reduce the attack surface of all the components in question. In practice, at a system or infrastructure level, it involves a combination of techniques: optimal configuration of operating systems, regular review of privileged accounts and firewall rules, restrictions on permitted IP addresses, and stricter rules associated with the use of passwords. In terms of cybersecurity solutions, hardening can (for example) take the form of a microservices architecture, or the application of the principle of least privilege for services. For vendors, it represents a statement of quality and professionalism: “We simply want to prevent the cybersecurity product from being misused for malicious purposes,” Frantz Cournil explains; “for example, by being used as a Trojan horse or via the insertion of backdoors.”
We are seeing more and more public tenders, from the State or public structures such as hospitals, with requirements regarding safety aspects and the need to use hardened products.Frantz Cournil, Stormshield Product Leader
And taking its cues from the military world, civil society is coming around to the hardening approach. “We are seeing more and more public tenders, from the State or public structures such as hospitals, with requirements regarding safety aspects and the need to use hardened products,” notes Frantz Cournil. Is the hardening of cybersecurity solutions becoming a major trend? Will it form part of a dialogue on the subject of good practices between military and civilian cybersecurity? That remains to be seen.
A cyber gateway from the military world to civil society
But is there really any need for such a boundary? Because although military information systems differ from civilian ones, they retain similar characteristics and share certain technologies, hardware and software. Due to the highly sensitive nature of the infrastructure and data they protect, military-grade cybersecurity products have to meet special requirements; for example, through certain configurations. All that remains is to create “good practice” gateways. Hardening offers one such gateway, and trust provides another – and one that’s equally important.
Some European countries have developed qualification programmes for cybersecurity products through their national security agencies (such as the ANSSI in France, the BSI in Germany, the CCN in Spain and the NCSC in the UK). And to enable inter-State recognition of qualifications, a European-level mutual recognition agreement has been signed. The objective is simple: to identify robust, reliable solutions for the protection of sensitive government services. These sensitive state services are grouped under the title of Essential Entities (EEs) and Important Entities (IEs) at European level (formerly OES, Operators of Essential Services). The French agency defines a qualified product as a robust product “which satisfies the requirements and good practices of the ANSSI and is certified according to strict criteria, based on an analysis of the source code for the software part”, and guaranteed to be free from “backdoors”. This definition clearly shows that these solutions are not merely intended for military activities. Indeed, some civilian companies already use these qualified security products, as they too may be operators of vital importance and/or essential or important entities. The European NIS2 Directive also includes subcontractors and service providers with access to critical infrastructure in its scope of essential and important entities: these are all civil companies that would be well advised to take an interest in this concept of qualification.
It is therefore important to demystify the use of these qualified security products for the rest of the civilian world. In other words, the qualification of cybersecurity products is not simply a matter for regulated sectors. If a robust, reliable security solution can protect sensitive government services, it also makes sense to use it for the protection of sensitive company data: personal data, sensitive data, vital data or even critical data, all of which contribute to the company's activity and must be protected. “At Stormshield, our focus has been on delivering robust turnkey products through intensive integration and deployment work,” explains Mark Johnson. They are no more complicated to implement than a traditional cybersecurity product.
The growing need for companies to strengthen their cybersecurity and the introduction of new requirements in conventional markets is thus becoming a clear trend. Qualified and hardened security products are suitable for both military and civilian applications; all you have to do is find your trusted partner.