The Cyber-Security Industrial Policy: The Challenges of Structuring a Complex Dialogue
Posted: October 18, 2016 at 9:36 am, Last Updated: October 18, 2016 at 9:37 am
In the aftermath of Edward Snowden’s intelligence revelations, many governments around the world are increasingly elaborating so-called “digital sovereignty” policies. The declared aim is to develop trusted technologies to protect the most sensitive networks. Rather than attempting a theoretical analysis, the ambition of this research is to start from a specific case study (the French experience) and examine the complex—and often contrasting—motivations and interests behind the industrial policy moves. In accordance with its strategic objective of becoming a world power in cyber-defence, France has invested many resources and launched numerous initiatives aimed at independently ensuring its security. Industrial policy is part of the toolbox used to “master and develop [. . .] a range of guaranteed ‘trusted products and services.’”
Trusted Solutions Wanted
The definition of trusted solutions can be found in official documents. A sovereign solution is first of all synonymous with integrity: namely, the assurance that there are no built-in backdoors, which in turn ensures the protection of sensitive information and systems. For that, the public authorities require “an evaluation process under the control of the National Network and Information Security Agency (ANSSI).” But integrity and high-grade requirements are not sufficient criteria for assuring the commercial success of the solutions.
Since the current demand comes mainly from civilian infrastructures, a twofold need has therefore arisen. Customers require an ergonomically designed solution that is compatible with operational technology and at the same time marketed at a competitive price. As a result, the supply of trusted solutions needs to be suited to this new demand. The difficulty is thus achieving the right balance between a commercial solution and a high-grade technology solution. To do so, the French authorities developed a policy based on four pillars: conventional rulemaking, the organization of the public-private partnership, the Research and Development (R&D) funding campaign, and the certification process.
A Coordinated Public Procurement Policy
In 2013 the French government passed the Loi de Programmation Militaire 2014-2019 (LPM 2014-2019) and imposed mandatory measures on public and private critical infrastructures. The rules consist of mandatory mapping of critical information systems; regular audits of information systems by certified third parties; mandatory declaration of cyber-incidents; and implementation of certified detection sensors. The aim of this move is to boost internal demand for national solutions and thus to promote the development of a broad offering and limit dependence on foreign suppliers.
Structuring the Public-Private Partnership
The democratization of information systems and the interdependence of infrastructures have increased the need to develop a coordinated approach between the different players involved in cyber-security: infrastructure operators, industrial control systems (ICS) providers, maintenance firms, security companies, etc.
In 2010, ANSSI conducted a series of interviews on ICS security with critical infrastructure operators, security suppliers, and ICS vendors. A long process was thus initiated to address the following question: how to develop and maintain a trusted information system based on (a few) national and international technological building blocks. The aim of the interviews was to draw up a shared understanding of the limits of the current solutions and of where best practice was to be found. Information sharing among the selected players thus contributed to an understanding of future requirements, so that national authorities can establish new standards and industry can work to offer tailored solutions for critical infrastructures.
However, differences of language and culture emerged and emphasised the need for a permanent exchange. Aware of this need, in 2011 ANSSI created a department fully dedicated to fostering cooperation with the private sector around the 12 sectors defined as critical, together with an office dedicated to industrial policy. Additionally, to move beyond the differing languages and interests, in 2012 a permanent exchange platform was established with 25 players. On a voluntary basis, ANSSI brought together the main stakeholders from the French government (ANSSI and Ministry of Defence (MoD) representatives) and industry (SCADA providers, national critical infrastructures and security suppliers) to develop supply chain risk management best practices that can apply to critical infrastructures.
On the same level, and shaped by the aim of encouraging cooperation and dialogue between public and private players, another initiative should be mentioned: the establishment of the Council of the Security Industrial Base (Comité de la filière industrielle de sécurité, COFIS). Reacting to a strong desire from the private sector, the Prime Minister launched the COFIS in 2013. This initiative brings together all the stakeholders involved in the security industry, from government agencies to trade federations and critical infrastructure representatives, to match supply with demand and structure the security supply chain.
The latest initiative is the Industrial Roadmap dubbed “Cyber-Plan”, a broad policy program consisting of 17 actions around four strategic goals: boosting national demand for trusted solutions; developing a national offering; structuring the export approach; and consolidating the national industrial complex.
The common achievement of these moves is the mutual understanding of various interests and thus the convergence of opinions in adopting minimum-security standards. In doing that, these initiatives reduce the gap between the government’s lack of a technological path and the operators’ lack of a security path, contributing to better assessment of future needs for security providers.
The Certification Process
The certification process, again led by ANSSI, is seen as a strategic way to ensure confidence in trusted solutions. To help the public authority state how well critical infrastructures have implemented the new legal framework passed in 2013, the labelling process assesses the audit companies as independent evaluators. In addition, it also tests the integrity of security solutions and vendors, aiming to bring transparency to the suppliers that should be embedded in critical infrastructures. In this way, ANSSI, through the expertise acquired in the field of incident response, promotes the development of trusted suppliers by evaluating the products and services that are to be commercialized. Potential customers can thus choose their trusted solutions from the catalogue established by the national authority. With these trends in play, the public authority aims to structure the offerings available on the national market.
The outcomes of these initiatives directly affect the risk factors: enhancing the secure design of new solutions reduces technical vulnerabilities. On the other hand, the deployment of trusted products, such as detection sensors, generates more countermeasures and a broader view of the frequency and severity of cyber-attacks. Fundamentally, this means fewer risks for the network infrastructure.
Orienting the R&D
To ensure continuous investment in R&D, the state has increased its efforts in both civilian and military investment. In two years the MoD has tripled its research credit (€30 million in 2014). In parallel, in the framework of the 2013 Program for Future Investments, a call for projects entitled “Digital Security” received eighteen proposals. Through a fund of €20 million, this initiative aims to guide investment in R&D and thus promote the development of an offering that has so far been absent. This will include the implementation of the capabilities requested by the LPM 2014-2019. In continuation of this strategy, the Cyber-Plan envisages a new wave of calls for projects in order to develop two to three new ranges of offerings per year.
In addition, a flagship project was announced and funded by the MoD in 2013. The project aims to structure a regional cluster focused on cyber-defence in Brittany, based on the triple helix concept. Private companies from the telecom sector, as well as from the security and defence sectors, will cooperate with the main research laboratories and MoD agencies in promoting innovation and technological development. On the one hand, the private sector will drive scientific developments; on the other hand, the public sector will shape innovation through supporting policies and relevant research.
The Limits of High-Tech Colbertism
The analysis of the initiatives launched in France stresses how industrial policy depends on many variables that public and private players can impact only through a coordinated approach. Therefore, a comprehensive policy is needed. However, a more in-depth analysis reveals important tensions that might be potentially damaging for the implementation of the industrial policy.
Sovereignty Versus Business Interests
On the private side, an increasing number of critics have been heard condemning a regulatory approach that does not take market drivers into account.
Due to the deregulation process of many public sectors in the 1980s and the globalization of the 1990s, the private sector now owns or controls the majority of vital infrastructures, many with multiple domestic sites. Thus the primary interest of critical infrastructure operators is to employ solutions broadly adequate for their multinational plants.
At the same time, the concern of security suppliers is rather to develop solutions that can be sold on the international market and so amortize R&D costs. This is where corporate interests clash with national security and highlight the need for more international cooperation. Since cyber-security is a matter of national sovereignty, public authorities are imposing new constraints on critical infrastructures. In addition, they are influencing the development of national technologies that must fulfil national standards with high-grade requirements demanding a great deal of investment. The consequences for the private sector are significant: limitation of foreign investment, increasing costs to implement a multitude of national standards, and more constraints on the development of national solutions.
Market Size Matters
Small and medium-sized enterprises (SMEs) are the engine of innovation in the cyber domain. Due to their structure and innovative culture, they are an essential element in facing the extremely rapid evolution of threats and technologies. This explains the importance of the relationship between SMEs and big corporations in building the cyber-security ecosystem. Although it is not specific to the cyber domain, this point becomes important in the French case because of the current critical situation and the fierce competition in international markets.
However, the national market is too small, and despite the presence of many innovative SMEs, they are not able to reach critical mass because of a lack of demand. Moreover, the absence of a culture adapted to the new market is at the heart of the difficulties SMEs and big corporations have in coordinating to bid jointly; development timescales and methods, sales channels and management culture are not the same in the cyber-security market. The result is that many SMEs are acquired by foreign competitors or stop investing.
The Paradox of a Schizophrenic World
On the political side, there are also some complications. As the Snowden affair revealed to the global public, the state suffers from schizophrenia: promoting and implementing defences while actively attacking is no longer reconcilable with the concept of resilience. This applies to the United States as well as to other states developing offensive capabilities, such as France. Keeping vulnerabilities secret, cracking encryption standards and installing backdoors all increase technical vulnerabilities for everyone, thus undermining society’s trust in the global information infrastructure.
However, the schizophrenia is also on the citizen’s side; we accept that the state needs pre-emptive intelligence in order to anticipate major threats such as terrorism. This explains the reaction of law enforcement and intelligence agencies such as the Federal Bureau of Investigation and the Government Communications Headquarters to the strengthening of encryption technology by social network companies. For intelligence agencies, adding extra layers of security that prevent national authorities from gaining access to information stored by service providers means more difficulty in fighting the threats that use these technologies.
The French case is striking for at least two reasons. First, multiple factors lie behind the implementation of industrial policies: market fragmentation, corporate interests, and national security are coupled with the ever-increasing issue of technological independence.
Second, the dynamics analysed reveal on the one hand the willingness of public authorities to control the cyber-security mechanism, and on the other hand underscore the need to find a balance between national sovereignty, business interests, and privacy. Given that industrial policy needs to take into account market-driven objectives as well as equally important objectives linked to societal and technological independence concerns, the search for that balance is a hard task. It is even more complicated because businesses operate across borders while law enforcement agencies are nationally based.
Government of France, The French White Paper on Defence and National Security, trans. ALTO (Paris: Odile Jacob Publishing Corporation, 2008), p. 174, http://www.mocr.army.cz/images/Bilakniha/ZSD/French%20White%20Paper%20on%20Defence%20and%20National%20Security%202008.pdf.
The three reference documents: Loi 2013-1168 du 18 décembre 2013 relative à la programmation militaire pour les années 2014 à 2019 et portant diverses dispositions concernant la défense et la sécurité nationale, Journal Officiel de la République Française [J.O.], Dec. 19, 2013, p. 20570 (Article 22); Programme d’Investissements d’Avenir 2013 – Développement de l’Économie Numérique, « Cœur de filière numérique-Sécurité numérique », Octobre 2013; Le guide pour la qualification de Prestataires d’audit de la sécurité des systèmes d’information (PASSI).
Danilo D’Elia, “The Economics of Cybersecurity: From the Public Good to the Revenge of the Industry,” in Security of Industrial Control Systems and Cyber Physical Systems, eds. Adrien Bécue et al. (Switzerland: Springer International Publishing, 2016), 3-15.
Danilo D’Elia, “Public-Private Partnership: The Missing Factor in the Resilience Equation. The French Experience on CIIP,” in Critical Information Infrastructures Security: 9th International Conference, CRITIS 2014, eds. C. G. Panayiotou et al. (Switzerland: Springer International Publishing, 2016).
The website of the Comité de la filière industrielle de sécurité (COFIS), http://www.gouvernement.fr/comite-de-la-filiere-industrielle-de-securite-cofis.
Pascal Brangetto, National Cyber Security Organisation: France (Tallinn: NATO Cooperative Cyber Defence Centre of Excellence, 2015), 8-9, 11-12, https://ccdcoe.org/sites/default/files/multimedia/pdf/CS_organisation_FRANCE_032015.pdf.
David Omand, Securing the State (London: Hurst & Co., 2010).