Cybersecurity: why protecting public data is critical

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Doctor of Applied Mathematics and Head of Division in the French Army
Key takeaways
  • Cybersecurity is now a major digital challenge in the face of new and varied threats: cybercriminals, enemy states or activist groups.
  • Cyber threats are diversifying, targeting critical infrastructures and being reinforced by new technologies (artificial intelligence, blockchain, etc.).
  • Public institutions are important targets because they concentrate sensitive data such as personal, financial or strategic information.
  • Public institutions must put a strategy in place that protects their information systems against threats while guaranteeing the continuity of services and respecting the rights and freedoms of citizens.
  • France, Poland and Italy have put in place strategies to deal with cyber threats, with common objectives but different action plans.

The advent of personal computers and the emergence of the Internet in the 1980s triggered a process of transformation in public and private organisations. The first few decades saw the appearance of the first websites and of simple data processing, which were then refined into interactive services with data exchanges [1], leading today to the use of artificial intelligence. Digital technology is now at the heart of the way services are delivered to users, helping to optimise the cost of the service provided, improve responsiveness and offer a personalised experience [2].

The transformation of services has led organisations not just to modernise procedures, but to rethink them in ways that make them more accessible to end users and better adapted to the information system. This in-depth integration has made it possible to optimise the efficiency of services, which incorporate the notions of data persistence, access rights, re-use possibilities, etc. right from the design stage. Digital technology is no longer a support function for organisations, but an area at the heart of their operations. No organisation today can do without cross-functional applications for managing leave, pay and expenses; no business unit can do without the applications that enable it to carry out its activity, however diverse it may be (logistics, budget, engineering, etc.).

The emergence of new cyber threats

The massive adoption of digital technology and the way it is interwoven into the heart of information systems has provided fertile ground for the emergence of new cyber threats. The threats are manifold and perpetrated by a variety of adversaries: cybercriminals, enemy states or activist groups. Most of them now have increasingly sophisticated tools with which to carry out large-scale attacks.

Moreover, cyber threats have become more diverse and sophisticated over the years, undermining the security of information systems. From Denial of Service (DoS) attacks designed to saturate systems, to ransomware that paralyses business in exchange for a ransom, as well as the hacking of sensitive data and social engineering attacks that manipulate users, cybercriminals' arsenals are constantly expanding. Critical infrastructures such as energy networks and transport systems are particularly targeted. The emergence of advanced technologies such as artificial intelligence and blockchain has made these attacks even more powerful, enabling cybercriminals to design increasingly sophisticated tools and carry out large-scale operations. Faced with this growing threat, organisations need to implement robust and appropriate security measures to protect their data and systems. These threats are particularly evident for public services.

Cybersecurity issues for public institutions

Public institutions are attractive targets for cybercriminals. They are home to large quantities of sensitive data, including personal, financial and strategic information. Obtaining this information fraudulently is a lucrative business for attackers, who can resell it or exploit it for political or ideological ends. What's more, the services provided by public institutions are particularly vulnerable: a successful attack can lead to major disruption (in terms of finance or security, for example), with significant social and economic consequences. For example, the inability to collect taxes or the disclosure of secrets held by the military are critical threats.

The consequences of a cyber-attack against a public institution can be devastating. In addition to the direct financial losses associated with the cost of getting the information system back up and running or the loss of tax or social security revenue, this type of attack can discredit an institution over the long term. Indeed, when citizens are informed that their data has been stolen by cybercriminals, they will be much less inclined to use the State's digital services, which can undermine the digital transformation strategy. In addition, cyber-attacks can disrupt the operation of essential services outside the sphere of state sovereignty, such as transport, energy and healthcare, with potentially dramatic consequences for the public.

Consequently, implementing an effective and proactive cybersecurity strategy is a major challenge for public institutions [3]. Through a clear and operational national strategy, the aim is to protect information systems against threats while guaranteeing the continuity of services and respecting citizens' rights and freedoms. This is a delicate balance to strike, as security measures can sometimes hinder the flow of exchanges and access to digital services. It is therefore essential to put in place security solutions that are both effective and discreet, i.e. that do not penalise the user experience. Cybersecurity must also be seen as a lever for promoting innovation and strengthening confidence in the digital economy.

France, Poland and Italy: three countries, three approaches

The study of cybersecurity approaches is a common area of research and has been addressed by Gaie, Karpiuk and Spaziani [4]. In this article, the authors study and compare the measures taken by three European countries.

France made an early commitment to cybersecurity, with its first national architecture put in place in 2013. The focus was on protecting critical infrastructure, preventing cybercrime and raising public awareness. The creation of the French National Agency for Information Systems Security (ANSSI) in 2009 has strengthened the coordination of national efforts. The French strategy is characterised by a global approach, integrating technical, legal and international cooperation aspects.

Poland adopted a law on the national cybersecurity system in 2018, defining a clear legal framework and specifying the responsibilities of the various players. The focus is on the protection of essential services and the resilience of information systems. The Polish CERT plays a central role in monitoring threats and responding to incidents. The Polish strategy is characterised by a pragmatic approach, focused on the concrete implementation of security measures.

Italy joined the cybersecurity race later, with its first national architecture set up in 2013. The National Agency for Cybersecurity (ACN), created in 2021, has strengthened the coordination of national efforts. The Italian strategy focuses on critical infrastructure protection, international cooperation and the development of cybersecurity skills.

As a result, all three countries have put in place cybersecurity strategies to deal with digital threats, sharing common objectives such as protecting critical infrastructures, preventing and responding to incidents, and raising public awareness. However, there are significant differences between them. France, a pioneer in the field, has developed a solid institutional architecture and a global strategy, while Poland has opted for a more pragmatic approach, based on a precise legal framework. Italy, meanwhile, has more recently joined the movement, setting up a national agency dedicated to cyber security. While the general priorities are similar, there are nuances in the organisation of national structures and in the emphasis placed on certain specific aspects, reflecting the national contexts and the issues specific to each country.

What next?

Cyber security is now a strategic priority for European governments. At a time when digital technology has become an integral part of our daily personal and professional lives, cyber threats are becoming more diverse and sophisticated, undermining the information systems of both public and private organisations. Faced with this growing threat, governments have put in place national strategies to protect their critical infrastructures and guarantee the continuity of their services.

The approaches put in place by different countries are converging towards a common goal: protecting citizens, businesses and governments against cyber-attacks. The rapidly changing cybersecurity landscape will require constant adaptation of these strategies and enhanced cooperation between EU Member States, which is what the NIS2 [5] Directive is all about.

[1] Leimeister, J.M., Österle, H. & Alter, S. Digital services for consumers. Electron Markets 24, 255–258 (2014). https://doi.org/10.1007/s12525-014-0174-6
[2] Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22–31. https://doi.org/10.1145/1629607.1629613
[3] Revue stratégique de cyberdéfense, SGDSN, 15 March 2018. https://www.sgdsn.gouv.fr/publications/revue-strategique-de-cyberdefense
[4] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
[5] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
