Questions raised concerning the cyber component of the Military Programming Law

« Objectively speaking« , stresses Marc-Antoine Ledieu, a lawyer who specialises in advising the digital industry, « ANSSI currently lacks the resources required to combat cyber threats to our critical infrastructures and businesses. We can therefore only applaud the philosophy of the cyber component of the draft Military Programming Law », which sets out the financial and capability-related ambitions for our armed forces over the 2024-2030 period.

The cyber component is very small, comprising a handful of highly technical but strategically important measures, which like the rest of the bill, have been under discussion in the French National Assembly since 22 May. According to the drafters of these measures, they are intended to boost ANSSI’s « capacity to detect malicious software and system vulnerabilities« .

Jean-Noël de Galzain, founder of Wallix, a company specialising in digital-access security and Chairman of Hexatrust, the association of leading French cyber firms, shares this conviction about the underlying approach to this addition, which is in line with the previous LPMs since 2008. As this leading figure and spokesperson for the private ecosystem clearly explains, « Building physical networks without security: alarms, cameras, and so forth, has become inconceivable. Is it any wonder that the State wants to beef up the cybersecurity of operators of vital interest (‘OIV’) and essential services (‘OSE’)? It’s laughable. » For the entrepreneur, « the real question is: will the resources be sufficient to meet the challenges? »

Identified by corporate insurers as the biggest global risk, ahead of pandemics and extreme weather events, cyber attacks affected 832 critical networks starting with healthcare establishments in France last year, as highlighted by ANSSI in its latest report. Jean-Noël de Galzain mentions that very soon, the State will be ensuring the security of at least two major sporting events that will bring thousands of people to our country: the Rugby World Cup (September 2023), followed by the Olympic Games (in 2024). The terrorist threat remains high and France is targeted by Russian cyberactivists. Recently, the Senate website was paralysed for several hours by hackers claiming to be close to Moscow.

However, controversy quickly erupts whenever legislators set out to alter the balance between freedom and security, and especially when they extend the scope of the State’s prerogatives to market activities. Sébastien Lecornu, the French Minister for the Armed Forces, has welcomed the discussions between the Executive and Members of Parliament on the nuclear deterrence section of the LPM, stating that the debates often have the merit of clarifying the issues at stake.

When applied to the cyber component, the limitations of this reasoning soon become apparent due to the extreme technical complexity of the issues involved, the extent of which seems to have been partially overlooked by the drafters themselves, according to an expert on domain names, who points out that the law aims to compel hosting companies, Internet service providers and registrars to filter domain names in order to « neutralise their misuse« .

Articles which are « impossible » to implement

Our expert, a member of Hexatrust, continues: « The road to hell is paved with good intentions, and several articles appear to be technically impossible to implement as originally drafted« . This has fuelled the concerns about this new cyber arsenal, which in practical terms will enable the public agency to « increase its knowledge of the modus operandi of cyber attackers, better remedy the effects of their attacks and alert victims more effectively« .

In addition to filtering toxic domain names, the articles will authorise ANSSI to recover technical login data (stored on DNS servers, which translate domain names into IP addresses) in order to improve the identification of attackers; introduce probes at operators of vital interest (OIV) and essential interest (OSE), their subcontractors and their data hosting services in order to monitor the content of communications and anticipate threats; encourage software publishers to report their vulnerabilities and the effects of their attacks. For the latter measure, no sanctions against recalcitrant operators have been envisaged, but ANSSI may publish their names, in accordance with the « naming and shaming » doctrine prevalent in the English-speaking world.

Technical inaccuracies aside, the first concrete question from professionals concerns the scope of the new obligations imposed by ANSSI. Will they only target entities registered and based in France or all operators present on the French market, irrespective of their nationality or location? These professionals are concerned that the bill remains silent on this point. Jean-Noël de Galzain warns of the risk of distorting competition and triggering the relocation of an entire segment of the French ecosystem. In practice, many of the operators involved have to take account of the prevailing international standards and norms, which are not always compatible with these new rules, such as those imposed by ICANN, the privately owned Californian company responsible for the de facto regulation of Internet addresses.

What about the processing of additional data?

The other major question concerns the manner in which ANSSI will collect and exploit the additional data to which it will gain access. The inclusion in this bill of the obligation for all essential and vital operators to install probes is, in itself, merely the transcription of the European NIS 2 Directive, scheduled to come into force in 2024 (concerning 160,000 entities in Europe). However, it is accompanied by a new right: knowing the identity and addresses of the owners of vulnerable networks, their subcontractors and data hosting services, and also collecting the content of communications channelled through these networks.

The Conseil d’État [Council of State, French supreme court for administrative justice] has issued its ruling. The arsenal of measures is proportional to the aim: safeguarding the nation’s fundamental interests. « But where do they begin and end ? » retort industry players, aware of the heated debates currently raging in the United States between the defenders and detractors of federal laws (FISA, Cloud Act) that give security agencies a virtual carte blanche to capture the world’s digital data.

The guardians of Internet freedoms and the right to freedom of opinion imply that legislators could unwittingly turn ANSSI into an Internet police force, or even a French NSA. « Pure fantasy« , dismisses the lawyer Marc-Antoine Ledieu: « The question of civil liberties is a non-issue in France, where its sensitivity has long been understood, as reflected by the efforts to create the European GDPR, a pioneering text that is highly protective of private data. What’s more, the data accessed by ANSSI in the future will be anything but personal. »

Jean-Noël de Galzain considers that the risk could even be reversed: « On the pretext of protecting personal data, we must not create a straitjacket likely to handicap our companies vis-à-vis their Indian and Chinese competitors and the Big Five tech companies, which are all-powerful in the global race to exploit vast amounts of data. The emergence of a French AI industry and the ChatGPT revolution will depend on France’s agility. »

However, experts from the private sector insist on the importance of clearly defining and clarifying the right to collect data: who at ANSSI can access it, and by what means? Will the operators be legally certified or under contract? Will the agency be able to employ subcontractors, and under what conditions? They are calling for complete traceability of operations, and for all procedures to be subject to an independent audit, which in turn will be monitored by a recognised body. They insist that this is the only way to build trust in ANSSI and provide a guarantee of legal certainty to operators that can be enforced in the event of the slightest incident.