Making Digital Space Secure: the issues (By Air Force General (2S) Jean-Paul Paloméros)

In March 2013, the inventor of the internet, Britain’s Tim Berners-Lee, published an article advocating that « the web » should remain « an area of freedom and a tool which serves all of humanity »[1]. He recalled the fundamental motivations behind this project launched in 1989: to create an open platform, a place for the universal sharing of information and knowledge, free from cultural and geographical boundaries. In particular, he emphasised his concerns about the development of the internet, identifying three harmful trends: the loss of control over our personal data and the resulting invasion of our privacy, the ease of disseminating false information via the web and the risks to democracy posed by online political propaganda. Finally, he concluded that we must strive relentlessly to ensure that the web remains an open space and, to this end, collaborate with the American internet giants, commonly known as GAFAM[2], to reduce these risks by mutual agreement, at the same time fighting against any centralised state control that undermines individual freedoms.

This stance taken by one of the inventors of the digital society in which we live today is indicative of a phenomenon that its founding fathers could not have imagined at the time: the birth and exponential growth of not just an interconnection network but a new digital arena for life, exchanges, communication, and also competition, influence, confrontation and the development of organised crime and trafficking of all kinds. This modern cyberspace probably deserves to be renamed the « infosphere » to better represent its scope and fields of application, including two areas in full expansion: the Internet of Things and artificial intelligence. Whatever its name, digital space has specific characteristics that largely explain the difficulties encountered in trying to control it and guarantee cybersecurity, a crucial issue for our societies, states, businesses and, increasingly, everyday life. Cyberattacks (the accepted term), such as the implantation of dormant viruses, are not necessarily instantly detectable – they can be activated remotely at a time deemed most appropriate. Crucially, the anonymity offered by the Internet makes it extremely difficult to identify the perpetrators of cyberattacks, and therefore to attribute them to a given source. Even if the location of such attacks can be determined by states or organisations that have sophisticated intelligence, their formal attribution is still tricky, since « hackers » – whether isolated, parastatal or even state groups – fully exploit the ambiguity that cyberspace offers between physical individuals and their virtual clones.

This last point is of fundamental importance, since national and international law is largely based on the identification and attribution of wrongdoing. In addition, this new digital space is not homogeneous – it somehow confuses substrate and substance, the resources and systems that condition its existence and use (microprocessors, computers, networks, routers, operating software, storage systems, etc…) and the data, information and messages they allow to be transmitted, exchanged and stored. All cybersecurity policies must focus on identifying the weak link in the human-digital chain. Indeed, the most important cybersecurity leaks known to date have been more the result of conscious human actions[3], comparable to acts of robbery or espionage, than sophisticated techniques of remote infiltration and data capture. Nevertheless, access to gigantic sources of information and the ability to instantly retrieve them underscore the requirements of an effective cybersecurity policy, based on monitoring, access control and the required security clearance procedures, as well as technical measures for the encryption, hierarchy and dispersion of databases (cloud computing) and the establishment of effective self-control.

The heterogeneity of cyberspace is a real challenge for inter-state cooperation. This is true at the European level and even more so in the transatlantic context. Each of the areas mentioned so far has an extremely high level of national sensitivity, and any international cooperation requires a great deal of expertise and trust, along with extensive confidentiality agreements that are much easier to apply in bilateral than in multilateral frameworks. In the context of transatlantic cooperation, this situation is very favourable to the United States, which is able to define different terms of trade according to its interlocutors. This undermines a coherent European cybersecurity policy, especially given the serious absence of global regulation in this field.

Indeed, the heterogeneity of cyberspace, its exponential growth and the enormity of its implications in terms of power and innovation, along with the differences in the way it is perceived by the various state and private stakeholders, acts as a barrier to any kind of international « standardisation ». It is true that some international agreements do exist, stemming from the technical standards allowing for the development of digital activity, mainly in the field of telecommunications (which benefits somewhat from its anteriority). Nevertheless, we must recognise that, on the whole, the big internet players are the ones who set the tone with the new standards they impose and their willingness (or not) to ensure their compatibility. In contrast, cyberspace itself is not regulated, unlike terrestrial, maritime, air or exo-atmospheric space. A certain international order has been established in all these areas over time, and especially after the Second World War, guaranteed by treaties, conventions and competent international organisations, first and foremost the United Nations Security Council. But there is nothing like this to govern digital space, and all attempts to this end made to date have failed. This imbalance is accentuated by the central role of the big American internet companies. Although these businesses have complicated, sometimes extremely tense, relations with the US government in terms of access to the confidential information and source code they own[4], there can be no denying the interaction that exists between them and the US administration when it comes to national security.

When considering the major internet players, it is also important to emphasise the rise of China, which is developing an ambitious strategy to conquer the « infosphere » with Alibaba and Tencent. The 7 internet giants mentioned above currently feature among the 10 largest companies in terms of market capitalisation, and it is conceivable that one of them could hit the 1,000 Billion mark in the years to come, which would place it around 15th in the world in terms of GDP. These giants of the infosphere are thus powers in their own right, directly in contact with nearly 2 billion users who they know, locate, inform and influence and on whom they keep collecting data – the veritable digital gold of the 21st century. The notable absence of European companies in this group is a serious handicap in the global digital competition. This makes it difficult to imagine alternative models capable of reducing Europe’s dependence on the giants of the infosphere and the great powers of the United States, China and, in information influence strategy terms, Russia.

Given this context, it would be illusory to speak of digital sovereignty in relation to Europe and, even less, on a national level. This does not mean that France and other European countries cannot protect themselves against cyberthreats and attempt to preserve their digital space. To do so, however, they must envisage a collective approach and establish strategic partnerships, but with whom? One or more giants of the private sector? Countries in much the same situation, such as India or Brazil? China and Russia, but on what basis? Or, quite simply, their natural ally in the Atlantic Alliance, the United States? In a world where global digitisation is gaining ground, can cybersecurity issues really be disassociated from wider problems of defence and security? Future conflicts are set to play a growing part in attacks on the infosphere. The so-called hybrid strategy deployed by Russia in Ukraine, the use of social media by extremist groups and the actions against nuclear research facilities in Iran are only the beginnings of the offensive movements to come within the digital battle space. Repeated attacks on critical infrastructure in the United States or Europe are undoubtedly the warning signs of significant risks that call for individual and collective responses.

I believe that Tim Berners-Lee is right to urge us to protect the internet as a precious resource, a tool for knowledge, exchanges and breaking down barriers. I nevertheless have the intimate conviction that he is undervaluing the nature and depth of the problem. Indeed, the internet represents a whole new arena of life, trade, influence and confrontation which we absolutely have to master, secure and defend. The very resilience of our societies, interests, fundamental rights and democracy, along with the future of our country and of Europe, whether digital or not, depend upon it…!

[1] Tim Berners-Lee: Webfoundation tribune 12/03/2017

[2] Google (now Alphabet), Apple, Facebook, Amazon, Microsoft

[3] For example: The theft of the Eternal Blue vulnerability used by the NSA

[4] The FBI’s iPhone decryption request to Apple following the San Bernardino shooting (2016)