On the occasion of his last FIC as general manager of Anssi, Guillaume Poupard reflected on his action and gave some advice for his successor.
Shaken by the health crisis, the calendar of the International Forum on Cybersecurity (FIC) needs to adapt. After an edition in September, therefore at the beginning of June held the 2022 vintage. As the entire cybersecurity ecosystem responded, this edition also marked the last FIC of Guillaume Poupard as Director General of Anssi. Earlier in the year, he announced to his teams that he would be leaving his post in the summer.
Focus on territories and Europe
Inaugurating the plenary session of the event, Guillaume Poupard gave a speech in the form of a review of his 8 years at the head of Anssi, around three pillars: national, European and territorial. In the preamble, however, he warns “about the very high level of cyber espionage at the state level against France’s interests” and worries about the day “when there could be dramatic consequences”. Thus, the agency identified 14 spy operations in 2021, 9 of which came from China. Returning to the national level, he accepted the work done and the awareness of the entire cybersecurity ecosystem. From the LPM (military programming law) that established operators of vital importance (OIV) by imposing a high level of security on them, through various certifications and labels of cybersecurity products and services and the creation of the Cyber Campus. “There is progress, with strong awareness on the part of key industrialists and administrations,” the leader reported on the podium.
At the European level, here again the consciousness is triggered, “there is volatility,” says Guillaume Poupard. However, the beginnings were chaotic, “the question is more of a struggle for influence to figure out which institution will eat the other”, he recalls. Things have changed since then, with a desire to work together. The result of these joint discussions was the NIS directive, which has just been negotiated to extend the scope of its action. “The list of OSEs (operators of essential services) will grow, and that is a good thing, considering the public sector in particular”, slips the director general of Anssi. The NIS 2 directive will have an impact at the national level, he continued. “The number of players classified as OSE will be multiplied by 10 and they will be regulated”. And take for example “135 hospitals now classified by OSE”. He also welcomed the inclusion of SecNumCloud certification for the highest level of cloud data sensitivity at the European level, the C5 label defended by Germany is affected for less critical data. In work at the European level, there are still things to be done, Guillaume Poupard observes, specifically on unity in Europe, he added, while welcoming various initiatives such as the gathering of CERTs, Storms, etc.
Finally, the last aspect of its balance, the territorial aspect. Faced with attacks increasingly targeting local authorities and hospitals, France needs to “respond quickly to secure these structures”. For this, the recovery plan was mobilized (with an envelope of 136 million euros) and the Anssi teams created safety courses, “to get your foot in the safety stirrup, including an envelope of 90 to 120 K €, a report/ audit and an action plan ”, suggests Guillaume Poupard. In total, 1,000 public actors benefited from these courses. “This approach can be adapted in the future for other sectors, including the private sector”, indicated the DG, who also returns to the creation of CSIRTs in the regions. These structures “must be agile and able to mobilize resources to help victims”, he stressed.
National consciousness and sovereignty as an aspiration for the future
Finally, after the balance, Guillaume Poupard wanted to give some short -term advice to his successor. First, he wanted to launch “a truly national awareness campaign. The goal is to have 5 minutes of brain time for every French person to pass on a few messages about simple security principles and direct them to cybermalveillance.gouv.fr in case there is a problem ”. Another point, “we should move towards a cybersecurity service” and cite the example of ACD in the United Kingdom which provides a range of free tools and services for companies to protect themselves from some known attacks and repeated. “We can combat typosquatting, more secure DNS or Active Directory audits,” Guillaume Poupard said. The issue of HR and training has not been forgotten, “this will limit us in the coming years”, the manager said while welcoming various initiatives including SecNumEdu and the mobilization of schools within Cyber Campus.
Finally, taking the heights, he wants France in terms of cybersecurity “to be respected”. France has a defensive and offensive strategy and “its word must be strong at the political level”, the leader assured. Finally, he evokes the term sovereignty, which should be an obsession “but not in the sense that products or services should be entirely French. It is a question of controlling its information system and ultimately its fate” .At this last point, the director general of Anssi gave no indication of his future duties.