Do cybersecurity companies have a public service mission?
Published on: 21 07 2020
A general state of digital disruption during the COVID-19 health crisis has rendered companies, hospitals and public institutions particularly vulnerable to computer attacks. More than ever, the role of cybersecurity companies has been crucial in protecting these vital services which are so essential to the running of a country. But does that mean the sector has a public service mission?
The widespread switch to teleworking, often in situations of urgency and lack of preparation, not to mention general digital disorganisation, has created a perfect environment for cybercriminals. And this has been true worldwide. In the USA, the FBI has seen the number of reports of cyberattacks increase fourfold. Meanwhile, in France, the Cybermalveillance.gouv.fr website noted a 400% rise in its traffic during the first two weeks of lockdown.
Cybersecurity: a public interest requirement
“The three months we’ve just been through have demonstrated that digital technology is the lifeblood of today’s society and economy,” observes Stormshield marketing director Matthieu Bonenfant. “They have also shown that a switch to all-digital technologies (use of computer equipment at the employee’s home, videoconferences, increased use of the cloud, etc.) is not something to undertake without preparation, and securing these processes is essential. This crisis has highlighted cybersecurity as an essential part of safeguarding assets and business continuity in companies and organisations. This essential role is yet more marked in sensitive sectors of activity, such as drinking water distribution, energy production and transport sector regulation. In such environments, the consequences of cyberattacks can be catastrophic, damaging the integrity of assets and individuals.”
“Digital technology is everywhere. Its protection has become a critical and key issue.” Matthieu Bonenfant, Stormshield Marketing Director
Of course, governments were aware of the importance of cybersecurity before COVID-19. Its vital role was officially recognised by the European Union in the Network and Information Security (NIS) directive of 2018, which was directly inspired by France’s Loi de programmation militaire (military planning law). This directive recognises that it is critically important to ensure the cyber protection of Operators of Essential Services (OESs), as disruptions or failures in their services could have consequences for human life and the environment.
However, the crisis has served to raise the public profile of this issue. “The general public has realised that public services such as hospitals could also be affected, and that the consequences could be serious”, notes Manon Deveaux, who holds responsibility for cybersecurity issues within TECH IN France’s Public Affairs team. As well as hospitals, local government organisations were also attacked during the pandemic. In particular, the city of Marseille (France) was paralysed for a number of weeks by ransomware. The incident had a number of parallels with successive attacks on 22 American municipalities in 2019. And it is in line with a headline trend in recent years: the disruption of democratic life and frequent cyberattacks during electoral campaigns.
During the crisis, the cyber sector is standing resolutely against malicious attacks
Because they supply solutions to protect such vital services as a hospital or a voting system, does that mean that cybersecurity companies have a de facto role of public interest, or even public service? During the pandemic, the cyber community has taken its protective role very seriously. The publisher The Green Bow, for example, has made its products available free of charge to companies seeking to protect their teleworkers. And many other actors in the sector have offered their help to hospitals and companies for no financial reward. “In these extraordinary current times, organisations needed secure IT and OT infrastructure more than ever. For that reason, we gave away licences for our virtual appliances to all companies. More than sixty took advantage of them. At the same time, we set up remote training courses, to replace our face-to-face training, and offered special terms for upgrading firewalls,” Matthieu Bonenfant explains.
In the United Kingdom, cybersecurity researchers formed the Cyber Volunteers 19 group. Its goal was to bring together institutions that had fallen victim to cyberattacks and actors from the cyber sector seeking to provide voluntary assistance. “The message we’re sending out to cybercriminals is that we’re standing alongside our public services. Attacking a hospital is shameful at any time, but during the chaos of a pandemic, it’s revolting,” Lisa Forte, the creator of Cyber Volunteers 19, explained to Wired magazine.
This wave of solidarity is a one-off response to a situation of crisis. However, it does seem to show that the cybersecurity sector does in fact exercise a public interest role.
The makings of a public cyber service and a right to cyber protection?
Although this role is not officially enshrined in any legal status, it is one that is embedded in the very culture of cybersecurity companies. “Cybersecurity actors are aware of their mission,” notes Manon Deveaux. “And that’s something you don’t find in many other sectors. That sort of awareness is certainly connected to the cybersecurity culture; where, for example, you can find groups of ethical hackers, and to the fact that the issues faced by this sector are issues of national defence and policy, in the sense of aid to the city.”
How does this sense of mission manifest itself outside of a time of crisis? “The way we have taken account of the public interest question has been through the accelerated development of our offers to companies in the industrial operations sector, including those supplying key services to citizens,” Matthieu Bonenfant explains. “We offer them peace of mind from a cyber point of view, enabling them to deliver their public service mission.” But even so, cybersecurity companies do not enjoy the status of a public service. They are not required to provide a service that is accessible to all, equal for all and continuously available. “A public service mission has a very specific definition that is hard to apply to companies in the sector – because it’s a service supplied by the State or an organisation acting under State control,” points out Jean-Jacques Latour, a cybersecurity expert at Cybermalveillance.gouv.fr. “However, the case can be made that cyber companies have a public interest mission in that their role involves countering attacks against a country’s citizens or sovereignty.”
A number of French companies exercise just such a mission; for example by joining the ACYMA public interest grouping (GIP), which has been running Cybermalveillance.gouv.fr since 2017. It raises citizen and corporate awareness of cyber risks, assists victims and puts them in touch with providers if necessary. “Until only recently, there was a gap between key organisations protected by France’s ANSSI agency and all other cyber victims (very small businesses, SMEs and individuals), who didn’t always know who to speak to,” Jean-Jacques Latour explains. “At Stormshield, we joined the ACYMA GIP, along with fifty or so other members, because we believe we’re involved in a mission, a collective drive to raise awareness; and this transcends commercial issues,” Matthieu Bonenfant says. And this role is even more essential given that cyber issues are often viewed as purely technical in nature. The general public – and even companies – are sometimes resistant. “Cybersecurity is still seen as a constraint,” Jean-Jacques Latour confirms.
A human rights issue?
But is a public interest group sufficient to continue this mission of raising awareness and providing protection? Should we be considering public cybersecurity companies? Matthieu Bonenfant is dubious. “A centralised structure doesn’t seem like a good idea to me. We need a heterogeneous and diverse ecosystem to maintain agility in developing technologies,” he suggests. “In addition, a structure of that kind wouldn’t provide a Europe-wide oversight of cybersecurity. I believe more in the ‘national agency’ model, like ANSSI in France, which provides support and assistance, and ensures that a viable ecosystem exists, overseeing initiatives such as Cybermalveillance.gouv.fr... rather than a more cumbersome state-run structure.”
And what about the individual’s right to cyber protection? There are certainly calls from NGOs such as Human Rights Watch for cybersecurity to be classified as a human rights issue. After all, some cyberattacks constitute violations of basic rights such as protection of privacy, access to information and even freedom of expression – as the GDPR now shows. Human rights are at stake when Saudi Arabia is suspected of hacking into the mobile phones of journalists and activists, or of their associates.
A “right to cyberprotection” would certainly be difficult to design and enforce, because it would be “very wide-ranging”, according to Manon Deveaux. However, recognition of this fact could in any case drive a growth in awareness of the importance of cybersecurity within companies, and for individuals.