Alert on the most sensitive ‘STAD’!

The first aspect—delinquency—is the logical consequence of a ‘criminal risk/expected gain’ ratio that is very favourable to the predator; the second—inter-state conflict—offers states the possibility of settling their accounts with a certain degree of discretion, favouring « digital banderillas » over « gunboat policy ». These two migrations intersect, since states do not fail to call upon organised criminal groups to act in their place: « It’s not me, it’s my sister who broke the calculator« , sang Evariste—who was also a doctor of elementary particles—in the 1960s… Some states have made this song their second national anthem. They claim to be unaware of the activities that take place on their national territory, but they admit that they are not implementing the principles of « due diligence » that are the basis of international relations.

This double transhumance first concerned the « logical layer[1] » (that of the automated data processing systems, or STAD, in French), which were victims of fraudulent penetration and maintenance, of obstruction and of infringement of the data they contain or process. The Godfrain law (1988) has not aged a bit and underlines the forward-looking vision of its author. From the « script kiddie » to the structured group, there is no shortage of examples to illustrate the increasingly targeted and devastating action of cybercriminals[2]. Cyberattacks are now penetrating the « semantic layer » (that of data) as shown by the meteoric rise of ransomware over the past two years, thanks to the opportunities offered by the Covid-19 crisis. Data is increasingly the target and attacking the STAD is the tool. Data is coveted for its market value (sale on darknets), for the competitive advantage it provides (espionage), and for its usefulness to prepare a cyberattack or to commit a fraud (bank data) or an extortion (ransomware). Data are also at the heart of sabotage, as proven by the NotPetya attack that targeted Ukraine in 2017. The development of the Web and social media contributes to the dynamism of data.

The « semantic layer » carries content, i.e. meaningful data, but it also offers a haven for false meaning, nonsense, and misinterpretation. It is the « informational space », as the Russians—not without reason—like to call cyberspace. It is strategic. In October 2018, before the Privacy Conference that brings together regulatory authorities every year, Isabelle Falque-Pierrotin, then president of the CNIL, proclaimed: « Personal data has gone beyond the sole scope of protection to become a real issue of power, influence, and even manipulation, at the very heart of our democratic systems. The deployment of AI in many countries raises questions about national sovereignty or the autonomy of individuals, issues that are taking on new strategic importance, both nationally and internationally. » National sovereignty calls for great vigilance over content: this is notably the role of intelligence services that have intelligence techniques to conduct preventive investigations. What about the autonomy of individuals?

« Code is law, » wrote Lawrence Lessig[3]. In the age of the algorithm, he said, « this regulator is code–the software and hardware that make cyberspace as it is. This code, or architecture, sets the terms on which life in cyberspace is experienced. It determines how easy it is to protect privacy, or how easy it is to censor speech. It determines whether access to information is general or whether information is zoned. It affects who sees what, or what is monitored. In a host of ways that one cannot begin to see unless one begins to understand the nature of this code, the code of cyberspace regulates. »

The code is a transformer that starts from a « raw material » (the data) to produce a result, which can determine a situation or be the basis for a decision, particularly of an individual nature. If the law is « for everyone, » the algorithm is often « for each individual », as it adapts the choices to the profiles of Internet users. The development of the law is transparent, while the code is still very « secret ».

If code is law, it can also be « the law of the strongest » and thus undermine our freedoms. It bears the seeds of a standardisation of society through the rejection of everything that is not in the norm. Let’s just imagine the processing by Big Data of atypical behaviours, excluded because they fall outside the criteria. We can also imagine the « dictatorship » of predictive algorithms. In this context, citizens are an object of study through profiling; they are enslaved to the goodwill of those who use them as raw material, as an essential element of their business model. Algorithmic governmentality leads to « algorithmic confinement ».

But worse still, the individual is the first victim of an insufficiently regulated digital space, particularly in the fight against cybercrime.

The Internet user’s digital identity—which gives them their uniqueness—is affected. Despite the rule of consent, their personal data, especially the most sensitive ones in the sense of the GDPR, are poorly protected prey, and because of regular leaks caused by the negligence of those who collect, store, and process data. In addition to the breaches of trust of which they are a victim, their freedom of opinion and of decision is harmed through the manipulation of information or the tetanisation of minds.

The Council of Europe Convention on Cybercrime, which celebrates its 20th anniversary this year, only covers child pornography as a content offence. This is no mean feat in itself, considering the trauma suffered by young children—sometimes babies—and the resulting business for unscrupulous organised crime. Today, we should add the provocation of terrorism and its apology, harassment, insults, defamation, discrimination, etc. The consumer is also a victim through content that offers illegal, prohibited, regulated, or counterfeit products. The future regulation on digital services (Digital Services Act, or DSA) lists these actions that, under the cover of very large platforms, are harmful to people who have no protection. Some will argue that these offences do not fall within the scope of cybersecurity. To convince them of the contrary, we need only refer to Article 2 of the European Cybersecurity Act, which defines it as follows: « the activities necessary to protect networks and information systems, the users of such systems, and other persons affected by cyber threats. » Note that such protection must cover « the users » and « other persons. » Humans are indeed a direct target of predators.

To protect them, there is no SOC, no « threat intelligence, » no Big Data, no AI, no behavioural analysis, no rapid intervention group, no European skills centre, no joint cyber security unit. In a digital space marked by the multitude[4], the victim is alone, even if the action of associations such as ‘Point de Contact’ must be recognised. This victim must be at the heart of the state’s concerns, because it is the state’s primary mission. If it forgets this, it will lose its legitimacy. If cybercrime is indeed the « crime of the 21st century, » it is the human being who will be the most threatened STAD, because their brain is the most sophisticated « system, » the most unrivalled—whatever the singularists say—but also the most fragile.

Originally, the FIC focused on cybersecurity offers. Then it broadened its scope to the cybersecurity of offers. Cybersecurity at the service of the citizen will be the next step. Until then, the French Presidency of the European Union must be an opportunity to step up efforts, as soon as the 27 countries decide to build a cybersecurity based on values. The first of these is the protection of EU citizens. Paraphrasing General de Gaulle[5], we can say that « in our time, the only quarrel that is worthwhile is that of humans. It is humans that must be saved, kept alive, and developed…in the digital space. » A vast programme!

To satisfy the Gaullist trilogy, we should implement the first of the 28 recommendations of the White Paper produced by the FIC Agora[6] and presented on 9 September. Acculturation, education, and training are the most urgent actions. Without them, the digital space will be populated by zombies dominated by a handful of players with ambitions that are hardly compatible with the spirit of the FIC, which places people at the heart of cybersecurity.