FIC 2018: European cyber-security cooperation will endure post Brexit

Guillaume Poupard, director general of ANSSI (Agence Nationale des Systèmes d'Information), France's cyber-security agency - an equivalent of the UK's NCSC but one which reports directly to the French Prime Minister - told SC Media UK during FIC 2018 that while cyber-security is a matter of national sovereignty, it should not stop at this level. "Cooperation between States is absolutely essential. Within Europe, the European Commission and the different Member States are really keen to work together to develop cyber-security." At the European level, he emphasises the need to put a cooperation network in place, currently underway with the European Agency (ENISA).

He adds that European-wide cyber-security should not be in opposition to national cyber-security programmes. On the question of cooperation with the UK following Brexit, Poupard said, "We have a long-standing cooperation which is very effective, especially since the creation of the NCSC, which is the UK counterpart to ANSSI, to protect what must be protected within the UK. We have information exchange on threats, ways to protect ourselves, and also operationally ... to deal with attacks together, because we have common enemies. When you come down to it, that is the secret of our cooperation."
Poupard commented: "What will happen after Brexit? I sincerely think, at least in respect to bilateral cooperation between the UK and France, nothing will change. We need one another, we know it's effective. We trust each other, so we will continue to work (together)," adding that the EU was not needed for this cooperation to work.

The role of ANSSI includes anticipating and preventing attacks, promoting good cyber-security rules and, in particular, protecting critical infrastructure in the energy, telecommunications, industry and transport sectors, and helping them when attacks occur. When it comes to detecting attacks, Poupard said, "I am certain that we do not currently see all of the attacks. It is imperative that we must develop this competence and identify more attacks, whether that be us, within the State, or at the operator level, at the industry level - and lastly, we have to prepare for the worst, be capable of responding in the event of a serious incident, prove capable of limiting the damage and for us, the State, we have to be able to go to the operators and provide effective help. We have to be able to react very, very fast."

Another issue discussed at FIC and brought up by Poupard was certification of products on a Europe-wide basis. He observed, "There's a major question nowadays, which is, what kind of trust can we have in security products in cyber-security service providers? ...there's a lot on offer so who should they turn to? The only way to have a level of confidence in a security product or service is to conduct an evaluation. And it's very important to calibrate these evaluations well," adding that the evaluation needs to be differentiated dependent on the purpose of the connected to meet the different levels of confidence required from different products and services, from thermostats to power stations. He pointed out that sometimes we'll be looking for an extremely high level of confidence, and in other cases, it will have to be very agile, very quick and very cheap.

"It's a European subject, because doing this separately in each country makes no sense. We need to conceive of this European certification truly at the continent level as that's what our industry operators and their clients need," concluded Poupard.

Regarding resilience, Poupard noted that we expect critical operations in particular to protect themselves, anticipate attacks, detect, react and that everything returns to normal quickly. But referring to large organisations hacked by WannaCry, still trying to solve the problem months and months afterwards, he said, "That's unacceptable, and we really expect sensitive players to be able to survive and to continue to function. That's what we ask of them, and that's what we're working on with them."