
Cybersecurity: why protecting public data is critical

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Ph.D. in Applied Mathematics and Head of Division in the French Army
Key takeaways
  • Cybersecurity is now a major digital challenge in the face of new and varied threats: cybercriminals, enemy states or activist groups.
  • Cyber threats are diversifying, targeting critical infrastructures and being reinforced by new technologies (artificial intelligence, blockchain, etc.).
  • Public institutions are important targets because they concentrate sensitive data such as personal, financial or strategic information.
  • Public institutions must put a strategy in place that protects their information systems against threats while guaranteeing the continuity of services and respecting the rights and freedoms of citizens.
  • France, Poland and Italy have put in place strategies to deal with cyber threats, with common objectives but different action plans.

The advent of personal computers and the emergence of the Internet in the 1980s triggered a process of transformation in public and private organisations. The first few decades saw the appearance of the first websites and the creation of simple data processing, then these were refined to set up interactive services with data exchanges [1] before arriving today at the use of artificial intelligence. Digital technology is now at the heart of the way services are delivered to users, helping to optimise the cost of the service provided, improve responsiveness and offer a personalised experience [2].

The transformation of services has led organisations not just to modernise procedures, but to rethink them in ways that make them more accessible to end users and better adapted to the information system. This in-depth integration has made it possible to optimise the efficiency of services, which incorporate the notion of data persistence, access rights, re-use possibilities, etc. right from the design stage. Digital technology is no longer a support function for organisations, but an area at the heart of their operations. No organisation today can do without cross-functional applications for managing leave, pay and expenses; no business unit can do without the applications that enable it to carry out its activity, however diverse it may be (logistics, budget, engineering, etc.).

The emergence of new cyber threats

The massive adoption of digital technology and the way it is interwoven into the heart of information systems has provided fertile ground for the emergence of new cyber threats. The threats are manifold and perpetrated by a variety of adversaries: cybercriminals, enemy states or activist groups. Most of them now have increasingly sophisticated tools with which to carry out large-scale attacks.

Moreover, cyber threats have become more diverse and sophisticated over the years, undermining the security of information systems. From Denial of Service (DoS) attacks designed to saturate systems, to ransomware that paralyses business in exchange for a ransom, as well as the hacking of sensitive data and social engineering attacks that manipulate users, cybercriminals’ arsenals are constantly expanding. Critical infrastructures such as energy networks and transport systems are particularly targeted. The emergence of advanced technologies such as artificial intelligence and blockchain has made these attacks even more powerful, enabling cybercriminals to design increasingly sophisticated tools and carry out large-scale operations. Faced with this growing threat, organisations need to implement robust and appropriate security measures to protect their data and systems. These threats are particularly evident for public services.

Cybersecurity issues for public institutions

Public institutions are attractive targets for cybercriminals. They are home to large quantities of sensitive data, including personal, financial and strategic information. Obtaining this information fraudulently is a lucrative business for attackers, who can resell it or exploit it for political or ideological ends. What’s more, the services provided by public institutions are particularly vulnerable: a successful attack can lead to major disruption (in terms of finance or security, for example), with significant social and economic consequences. For example, the inability to collect taxes or the disclosure of secrets held by the military are critical threats.

The consequences of a cyber-attack against a public institution can be devastating. In addition to the direct financial losses associated with the cost of getting the information system back up and running or the loss of tax or social security revenue, this type of attack can discredit an institution over the long term. Indeed, when citizens are informed that their data has been stolen by cybercriminals, they will be much less inclined to use the State’s digital services, which can undermine the digital transformation strategy. In addition, cyber-attacks can disrupt the operation of essential services outside the sphere of state sovereignty, such as transport, energy and healthcare, with potentially dramatic consequences for the public.

Consequently, implementing an effective and proactive cybersecurity strategy is a major challenge for public institutions [3]. Through a clear and operational national strategy, the aim is to protect information systems against threats while guaranteeing the continuity of services and respecting citizens’ rights and freedoms. This is a delicate balance to strike, as security measures can sometimes hinder the flow of exchanges and access to digital services. It is therefore essential to put in place security solutions that are both effective and discreet, i.e. that do not penalise the user experience. Cybersecurity must also be seen as a lever for promoting innovation and strengthening confidence in the digital economy.

France, Poland and Italy: three countries, three approaches

The study of cybersecurity approaches is a common area of research and has been addressed by Gaie, Karpiuk and Spaziani [4]. In this article, the authors study and compare the measures taken by three European countries.

France made an early commitment to cybersecurity, with its first national architecture put in place in 2013. The focus was on protecting critical infrastructure, preventing cybercrime and raising public awareness. The creation of the French National Agency for Information Systems Security (ANSSI) in 2009 has strengthened the coordination of national efforts. The French strategy is characterised by a global approach, integrating technical, legal and international cooperation aspects.

Poland adopted a law on the national cybersecurity system in 2018, defining a clear legal framework and specifying the responsibilities of the various players. The focus is on the protection of essential services and the resilience of information systems. The Polish CERT plays a central role in monitoring threats and responding to incidents. The Polish strategy is characterised by a pragmatic approach, focused on the concrete implementation of security measures.

Italy joined the cybersecurity race later, with its first national architecture set up in 2013. The National Agency for Cybersecurity (ACN), created in 2021, has strengthened the coordination of national efforts. The Italian strategy focuses on critical infrastructure protection, international cooperation and the development of cybersecurity skills.

As a result, all three countries have put in place cybersecurity strategies to deal with digital threats, sharing common objectives such as protecting critical infrastructures, preventing and responding to incidents, and raising public awareness. However, there are significant differences between them. France, a pioneer in the field, has developed a solid institutional architecture and a global strategy, while Poland has opted for a more pragmatic approach, based on a precise legal framework. Italy, meanwhile, has more recently joined the movement, setting up a national agency dedicated to cyber security. While the general priorities are similar, there are nuances in the organisation of national structures and in the emphasis placed on certain specific aspects, reflecting the national contexts and the issues specific to each country.

What next?

Cyber security is now a strategic priority for European governments. At a time when digital technology has become an integral part of our daily personal and professional lives, cyber threats are becoming more diverse and sophisticated, undermining the information systems of both public and private organisations. Faced with this growing threat, governments have put in place national strategies to protect their critical infrastructures and guarantee the continuity of their services.

The approaches put in place by different countries are converging towards a common goal: protecting citizens, businesses and governments against cyber-attacks. The rapidly changing cybersecurity landscape will require constant adaptation of these strategies and enhanced cooperation between EU Member States, which is what the NIS2 Directive [5] is all about.

[1] Leimeister, J.M., Österle, H. & Alter, S. Digital services for consumers. Electron Markets 24, 255–258 (2014). https://doi.org/10.1007/s12525-014-0174-6
[2] Barry M. Leiner, Vinton G. Cerf, David D. Clark, Robert E. Kahn, Leonard Kleinrock, Daniel C. Lynch, Jon Postel, Larry G. Roberts, and Stephen Wolff. 2009. A brief history of the internet. SIGCOMM Comput. Commun. Rev. 39, 5 (October 2009), 22–31. https://doi.org/10.1145/1629607.1629613
[3] Revue stratégique de cyberdéfense, SGDSN, 15 March 2018. https://www.sgdsn.gouv.fr/publications/revue-strategique-de-cyberdefense
[4] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
[5] Gaie, Karpiuk, Spaziani. Cybersecurity in France, Poland and Italy, Studia Iuridica Lublinensia, 2024, In Publish
