France: In the cross-hairs of the state-backed hacker
23rd March 2023 • The Westin Paris - Vendôme (Paris)
Nation-state attacks are now more dangerous than ever. To beat them cybersecurity has to change – and it’s little to do with technology.
From secrecy to transparency: how cybersecurity has to change
According to a recent study, 75% of French participants believed they had been targeted by a cyber-attack by an organization acting on behalf of a nation-state and 82% believed nation-states are working through cybercriminal groups to execute their cyber campaigns. They believe the main aim of these attacks is sabotage or disruption of their organizations’ operations but almost half had also seen attacks on personal data and IP, financial data and business process operations data.
When asked which factors make them particularly vulnerable to nation-state actors, French respondents identified a lack of collaboration between their sector and their national government (37%), a lack of cyber hygiene across their organizations (36%), the use of outdated security technologies (34%) and the cyber talent shortage (34%).
The fact that CISOs see collaboration with government as a key weak link in the security chain is interesting. France, along with other countries, has institutionalised cyber defence at state level and there is interaction between the public and private sectors. More interesting is what the CISOs did not say: the real issue in cybersecurity today is in disclosure, data sharing and collaboration between companies themselves.
Organisations are still extremely unwilling to disclose attacks and breaches; many refuse to talk in even general terms about the ways in which they implement cybersecurity, believing that somehow this “puts a target on their backs” (when attackers know their entire security stack within a few minutes of conducting reconnaissance and when everyone is already a target).
French respondents in this study were most resistant to share information about the data affected, the length of time their organization was exposed or the financial cost of the incident. They are not alone – other countries are not far behind.
But this lack of transparency is the core issue in cybersecurity today: without data sharing organizations cannot learn from their collective experiences; without accurate data on attacks, attack vectors and material impact it is impossible to build quantitative models to evaluate
cyber risk and accurately assign resources to that risk; without that data designing and pricing cyber-insurance is just a guessing game.
When asked whether national governments should do more to support organizations in defending them against nation-state cyber-attacks, including things like provision of real-time threat intel, 89% of British, German and French respondents agreed. But only 64% of French said they have or would proactively reach out to government.
So, how do we get organisations to collaborate better? How can companies find a way to share data anonymously but in enough detail to be valuable for the collective good? And if companies will not share voluntarily, then given the rise of nation-state attackers, will some kind of public-private collaboration have to be mandated simply for the defence of the nation?
