Guillaume Poupard, director general of ANSSI (Agence Nationale des Systèmes d'Information), France's cyber-security agency - an equilvalent of the UK's NCSC but one which reports directly to the French Prime Minister - told SC Media UK during FIC 2018 that while cyber-security is a matter of national sovereignty, it should not stop at this level. "Cooperation between States is absolutely essential. Within Europe, the European Commission and the different Member States are really keen to work together to develop cyber-security. At the European level he emphasises the need to put a cooperation network in place, currently underway with the European Agency (ENISA).
[See full interview responses here - subtitled]
The role of ANSSI includes anticipating and preventing attacks, promoting good cyber-security rules and particularly, to protect critical infrastructure, in the energy sector, telecommunications, industry, transport sectors and to help them when attacks occur. When it comes to detecting attacks Poupard said, "I am certain that we do not currently see all of the attacks. It is imperative that we must develop this competence and identify more attacks, whether that be us, within the State,or at the operator level, at the industry level - and lastly, we have to prepare for the worst, be capable of responding in the event of a serious incident, prove capable of limiting the damage and for us, the State, we have to be able to go to the operators and provide effective help. We have to be able to react very, very fast."
Another issue discussed at FIC and brought up by Poupard was certification of products on a Europe-wide basis. He observed, "There's a major question nowadays, which is, what kind of trust can we have in security products in cyber-security service providers? ...there's a lot on offer so who should they turn to? The only way to have a level of confidence in a security product or service is to conduct an evaluation. And it's very important to calibrate these evaluations well," adding that the evaluation needs to be differentiated dependent on the purpose of the connected to meet the different levels of confidence required from different products and services, from thermostats to power stations. He pointed out that sometimes we'll be looking for an extremely high level of confidence, and in other cases, it will have to be very agile, very quick and very cheap.
"It's a European subject, because doing this separately in each country makes no sense. We need to conceive of this European certification truly at the continent level as that's what our industry operators and their clients need," concluded Poupard.