
Cybersecurity: why protecting public data is critical

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Doctor of Applied Mathematics and Head of Division in the French Army
Key takeaways
  • Cybersecurity is now a major digital challenge in the face of new and varied threats: cybercriminals, enemy states or activist groups.
  • Cyber threats are diversifying, targeting critical infrastructures and being reinforced by new technologies (artificial intelligence, blockchain, etc.).
  • Public institutions are important targets because they concentrate sensitive data such as personal, financial or strategic information.
  • Public institutions must put a strategy in place that protects their information systems against threats while guaranteeing the continuity of services and respecting the rights and freedoms of citizens.
  • France, Poland and Italy have put in place strategies to deal with cyber threats, with common objectives but different action plans.

The advent of personal computers and the emergence of the Internet in the 1980s triggered a process of transformation in public and private organisations. The first few decades saw the appearance of the first websites and the creation of simple data processing; these were then refined into interactive services with data exchanges [1], leading today to the use of artificial intelligence. Digital technology is now at the heart of the way services are delivered to users, helping to optimise the cost of the service provided, improve responsiveness and offer a personalised experience [2].

The transformation of services has led organisations not just to modernise procedures, but to rethink them in ways that make them more accessible to end users and better adapted to the information system. This in-depth integration has made it possible to optimise the efficiency of services, which incorporate the notions of data persistence, access rights, re-use possibilities, etc. right from the design stage. Digital technology is no longer a support function for organisations, but an area at the heart of their operations. No organisation today can do without cross-functional applications for managing leave, pay and expenses; no business unit can do without the applications that enable it to carry out its activity, however diverse it may be (logistics, budget, engineering, etc.).

The emergence of new cyber threats

The massive adoption of digital technology and the way it is interwoven into the heart of information systems has provided fertile ground for the emergence of new cyber threats. The threats are manifold and perpetrated by a variety of adversaries: cybercriminals, enemy states or activist groups. Most of them now have increasingly sophisticated tools with which to carry out large-scale attacks.

Moreover, cyber threats have become more diverse and sophisticated over the years, undermining the security of information systems. From Denial of Service (DoS) attacks designed to saturate systems, to ransomware that paralyses business in exchange for a ransom, as well as the hacking of sensitive data and social engineering attacks that manipulate users, cybercriminals’ arsenals are constantly expanding. Critical infrastructures such as energy networks and transport systems are particularly targeted. The emergence of advanced technologies such as artificial intelligence and blockchain has made these attacks even more powerful, enabling cybercriminals to design increasingly sophisticated tools and carry out large-scale operations. Faced with this growing threat, organisations need to implement robust and appropriate security measures to protect their data and systems. These threats are particularly evident for public services.

Cybersecurity issues for public institutions

Public institutions are attractive targets for cybercriminals. They are home to large quantities of sensitive data, including personal, financial and strategic information. Obtaining this information fraudulently is a lucrative business for attackers, who can resell it or exploit it for political or ideological ends. What’s more, the services provided by public institutions are particularly vulnerable: a successful attack can lead to major disruption (in terms of finance or security, for example), with significant social and economic consequences. For example, the inability to collect taxes or the disclosure of secrets held by the military are critical threats.

The consequences of a cyber-attack against a public institution can be devastating. In addition to the direct financial losses associated with the cost of getting the information system back up and running or the loss of tax or social security revenue, this type of attack can discredit an institution over the long term. Indeed, when citizens are informed that their data has been stolen by cybercriminals, they will be much less inclined to use the State’s digital services, which can undermine the digital transformation strategy. In addition, cyber-attacks can disrupt the operation of essential services outside the sphere of state sovereignty, such as transport, energy and healthcare, with potentially dramatic consequences for the public.

Consequently, implementing an effective and proactive cybersecurity strategy is a major challenge for public institutions [3]. Through a clear and operational national strategy, the aim is to protect information systems against threats while guaranteeing the continuity of services and respecting citizens’ rights and freedoms. This is a delicate balance to strike, as security measures can sometimes hinder the flow of exchanges and access to digital services. It is therefore essential to put in place security solutions that are both effective and discreet, i.e. that do not penalise the user experience. Cybersecurity must also be seen as a lever for promoting innovation and strengthening confidence in the digital economy.

France, Poland and Italy: three countries, three approaches

The study of cybersecurity approaches is a common area of research and has been addressed by Gaie, Karpiuk and Spaziani [4]. In that article, the authors study and compare the measures taken by three European countries.

France made an early commitment to cybersecurity, with its first national architecture put in place in 2013. The focus was on protecting critical infrastructure, preventing cybercrime and raising public awareness. The creation of the French National Agency for Information Systems Security (ANSSI) in 2009 has strengthened the coordination of national efforts. The French strategy is characterised by a global approach, integrating technical, legal and international cooperation aspects.

Poland adopted a law on the national cybersecurity system in 2018, defining a clear legal framework and specifying the responsibilities of the various players. The focus is on the protection of essential services and the resilience of information systems. The Polish CERT plays a central role in monitoring threats and responding to incidents. The Polish strategy is characterised by a pragmatic approach, focused on the concrete implementation of security measures.

Italy joined the cybersecurity race later, with its first national architecture set up in 2013. The National Agency for Cybersecurity (ACN), created in 2021, has strengthened the coordination of national efforts. The Italian strategy focuses on critical infrastructure protection, international cooperation and the development of cybersecurity skills.

As a result, all three countries have put in place cybersecurity strategies to deal with digital threats, sharing common objectives such as protecting critical infrastructures, preventing and responding to incidents, and raising public awareness. However, there are significant differences between them. France, a pioneer in the field, has developed a solid institutional architecture and a global strategy, while Poland has opted for a more pragmatic approach, based on a precise legal framework. Italy, meanwhile, has more recently joined the movement, setting up a national agency dedicated to cyber security. While the general priorities are similar, there are nuances in the organisation of national structures and in the emphasis placed on certain specific aspects, reflecting the national contexts and the issues specific to each country.

What next?

Cyber security is now a strategic priority for European governments. At a time when digital technology has become an integral part of our daily personal and professional lives, cyber threats are becoming more diverse and sophisticated, undermining the information systems of both public and private organisations. Faced with this growing threat, governments have put in place national strategies to protect their critical infrastructures and guarantee the continuity of their services.

The approaches put in place by different countries are converging towards a common goal: protecting citizens, businesses and governments against cyber-attacks. The rapidly changing cybersecurity landscape will require constant adaptation of these strategies and enhanced cooperation between EU Member States, which is what the NIS2 Directive [5] is all about.

[1] Leimeister, J.M., Österle, H. & Alter, S. Digital services for consumers. Electron Markets 24, 255–258 (2014). https://doi.org/10.1007/s12525-014-0174-6
[2] Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22–31. https://doi.org/10.1145/1629607.1629613
[3] Revue stratégique de cyberdéfense, SGDSN, 15 March 2018. https://www.sgdsn.gouv.fr/publications/revue-strategique-de-cyberdefense
[4] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
[5] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
