Cybersecurity investment: can Europe catch up?

In February, before the deputies of the information mission entitled “Building and promoting national and European digital sovereignty,” whose report was published at the end of June, Cédric O, the Secretary of State for the Digital Transition, recalled that “while France invests 5 billion euros per year in its startups, the United States invests 100 billion.” And the European figure is “much lower.” Out of the 450 unicorns (companies valued at more than one billion) identified in the world for this sector, he added, 200 are American, 200 are Chinese, and only 30 are European. And while Amazon and its subsidiary Amazon Web Services (AWS) spend 20 billion per year on research and development, France spends 60 billion—including both private and public efforts.

This explains why Jean-Noël de Galzain, founder of Wallix and president of Hexatrust, told the MEPs that “we are today torn between (…) a Chinese digital world organised for the benefit of government organisations and the Chinese system, and the rest of the world led by the Americans.” But he and others remain hopeful that a national and European digital trust will emerge; that is, “an ethical digital environment that protects personal data and guarantees the criteria of freedom and autonomy, and therefore of sovereignty.”

The health crisis has brought about major strategic changes. It confirmed the inexorable growth of digital infrastructures and the vital need to secure them. The private equity market reacted immediately. In 2021, funds raised by French cybersecurity startups should double to 200 million euros, according to the directors of Ace Capital Partners, quoted by the weekly Capital Finance. The management company headed by Marwan Lahoud has just set up the largest dedicated European fund (175 million euros). Specific vehicles are multiplying, such as Cyber Impact (10 million euros), launched by Jean-Noël de Galzain, two other entrepreneurs, and the Auriga Partners fund. This mobilisation must accelerate if France wants to keep its gems. At the beginning of the year, the French government watched helplessly as the U.S. company Tenable acquired Alsid for 98 million dollars.

The strategist state seems determined to catch up. It is betting 720 million euros of the ‘France Relance’ recovery plan on the sector from now to 2025. The objective is to triple its turnover and create champions. Cautious on the extent and the real impact of this decision, the interested parties invite the state to revise its method. Stéphane Volant, president of the CDSE (Corporate Security & Safety Directors’ Club), is very clear with the MEPs: “We are told that Orange and Atos are champions of sovereignty, while they have strategic partnerships with Microsoft (…). The big companies—which are sometimes gorged with public money and subsidies—have not shown, in recent years, all the strength they could have had. We expect them to leave some room for SMEs, SMIs, and startups.” Because it is from there that the innovation actually comes, explains the expert.

Cybersecurity training is becoming a national cause. Following the example of the creation by the French state of the ‘Cyber Campus’—this “totem” place which will gather all the actors in La Défense—training schemes are multiplying. “It is the right strategy to maintain one’s rank for lack of means,” analyses Nicolas Arpagian, strategy director of Trend Micro. The first condition to defend oneself in cyberspace, he explains, is to be able to count on specialists in attack and on trusted experts who understand the technologies acquired off the shelf and can enact doctrines of use guaranteeing to the user the control of the risks. Alexandre Papaemmanuel, professor at Sciences Po Paris, agrees: “The greatest danger is to import a black box into one’s organisation. France has the know-how to guarantee the end-to-end autonomy of any system, because it became aware of its dependencies very early on and developed countermeasures in the governmental sector.”

In Brussels, finally, it would have been understood that the boundaries between cybersecurity and cyberdefence are blurred, “and that sovereignty is not an ugly word,” underlines Olivier Kempf, associate researcher at the FRS (Strategic Research Fund). On 16 September, Thierry Breton, the Commissioner responsible for the internal market, detailed the components of the strategic roadmap entitled “Cyber Resilience Act.” Rayna Stamboliyska, professor at Sciences Po Paris and expert at ENISA, is pleased to say that the tightening of rules promoting a “democratic vision of technological innovations” has already begun. The 2016 Network and Information Security (NIS) directive will be extended to all public and private infrastructures. Two new regulations will be implemented to frame the practices of the digital economy (the “DSA” or Digital Services Act) and the design of online platforms (the “DMA”, or Digital Market Act), so as to rule out those “predatory” models that kill any competition. This arsenal—whose first brick is the GDPR—will make the internal market more difficult to penetrate for the Anglo-Saxon giants.

In the meantime, it is up to Europeans to invest in those technologies that outline a new frontier: artificial intelligence and quantum computing; “at each breakthrough, the counters go back to zero,” emphasises Olivier Kempf. Thierry Breton estimates that the European “community” of civilian players can mobilise 4.5 billion euros between 2021 and 2027 for cybersecurity technologies. An effort to which we can add the military budgets: in France, the Ministry of the Armed Forces has decided to spend 1.6 billion euros between 2019 and 2025—a record amount that aims to consolidate its lead in both the defensive and offensive fields.