JSSI 2015 conference report

The 14th JSSI (Journée de la Sécurité des Systèmes d'Information) conference, organized by OSSIR (Observatoire de la Sécurité des Systèmes d'Information), held in Paris on March 10th, 2015. Like previous years, more than a hundred attendees were present at this conference. We made in this article a report of the various presentations. The full agenda and the presentation materials are available on the conference website.

This year, the conference theme was « What future for French sovereignty in IT security? ».  The various talks all along the day gave different complementary views on this subject, with in particular during the morning: a view by the French government with a talk of ANSSI (French IT security Agency), a view from a pen tester on the security level of French products and a geo-strategic analysis of French key assets for national sovereignty.

 

What future for French sovereignty in IT security?  (Vincent Strubel – ANSSI)

According to the speaker, to guarantee its sovereignty, France must:

• Immediately tackle the risk of cyber attack against critical infrastructures. Such attacks fall in 3 categories:  attempts at destabilization (with incidents such as the wave of French web sites defacement after the terrorist attacks against Charlie-Hebdo, or, in the US, the attack against Sony Picture Entertainment), spying and sabotage.
• Deal with the risk that, at mid or long terms, France could lose its independence because of 2 strong worldwide leaders: USA on software topics and Asia on hardware topics.

France must consequently works on 2 axes:

• Protect critical infrastructures,
• Develop homeland made products and services.

The speaker lists the key technologies a State must take care of: cryptography, hardware, OS and intrusion detection. And for services, the key arrays are: security audits, incident response and data hosting.

The current situation in France for IT security is quite mixed:

• On the matter of protection, the most sensitive projects are very good (e.g. French national defense projects), the critical infrastructures are actively improving (new French laws enforce new requirements for these industries), but the rest is still poorly protected (the SMB not identified as critical, or citizens, are not protected at all).
• On the matter of technology and service, France is very good on some topics (e.g. cryptography) but security offers are still limited for both products and services, probably because demand for such offer is still not strong enough.

About the key technologies, the speaker depicts the following situations:

• Cryptography: France is very good on this topic
• Hardware: France must accommodate with the fact that there is no French asset on this topic
• OS: no real assets on this topic too and France should base its strategy on Open-source OS.
• Intrusion detection: significant national assets are emerging on this topic.

For the future, France must:

• Concentrate its efforts to succeed in the implementation of the LPM law (LPM is “Loi de Programmation Militaire” in French and means “Act on Military Programming”).
• Develop national product offers, by levering the French certification program.
• Develop national players on the topics of SCADA security, IDS and privacy protection.
• Develop European cooperations, especially with Germany.
•  Address SMB sector with appropriate offers such as “SMB box” (a all-in-one security box) “Cyber security as a Service” (Cloud offers). 

 

Presentation of CLIP : a secure operating system (Vincent Strubel – ANSSI)

CLIP is a secured OS developed by ANSSI. This project started in 2005 at DCSSI (the former name of the ANSSI). It has been deployed since 2009 on several hundred workstations (within ANSSI, National Defense and some critical infrastructures).

CLIP is based on a hardened Linux (Gentoo with Debian packages). It implements tight compartmentalization and the default installation provides: one compartment connected to Internet and another compartment connected to the internal network. It also includes a software update system which relies on a third compartment that is connected to a network dedicated to CLIP administration.

Note: CLIP could be compared to other compartmentalized OS, such as Qubes os (or even Chrome os).

CLIP is not a “on the shelf” product. It requires a network environment (the infrastructure used to administer and update CLIP workstations) and specific trainings for users. It is available, under Government control, for French administration and selected industrial partners. Some source codes are Defense classified.

 

French product security, seen from the trenches (Nicolas Ruff)

The speaker gives a feedback about the security audits (pen-tests) he has performed all along the last 15 years on various French made products. He briefly describes a long series of vulnerabilities he discovered, including vulnerabilities in governmental portals or in CSPN certified products. He explains that nobody ever heard about these vulnerabilities, because nobody ever published any paper on them, even after the vulnerabilities were fixed. Consequently, French product security is a black box. He states that nobody can believe that a French product is secured because it is French or because it got an undocumented security certification. For him, a product is secure if:

• The product has a good design and was developed with security in mind.
• Security issues are handled by a dedicated security team which releases security advisories. This team should also encourage external researchers to report vulnerabilities found and reward them via “bug-bounty” programs.
• The product was tested by independent researchers, and results are publically available.
• The product wins market shares and is better than competitors.

 

Cyber-Industrial revolution and Cyper power(Laurent Bloch – IFAS)

The speaker explains that industry has experienced 3 industrial revolutions:  emergence of steel, and then engine and electricity, and finally computer science. Such revolutions involve radical changes and those who do not adapt to it are condemned to die. The cyber-industrial revolution induces major changes in the following areas:

• Financial model. With computer science, most of the capital is invested at the product design stage (there is no manufacturing cost).
• Competition model. Computer science relies on a monopolistic model: each software sector has its leader and the only way for a new player can get a place in the sector is to take the place of the leader.

The speaker then raises the question of control of cyberspace, and shows that the USA is now dominant in this area. If we look at what were the elements that enabled England to be the first maritime power in the 19th Century, and we transpose these elements in the cyberspace, we then see that the US has in hands all the stakes to dominate the cyber-territory.

The speaker thinks that, as we could not imagine being a maritime power without shipyard, we cannot be a power of the computer age without the ability to manufacture processors. On this point, he draws attention to the assets available in France, and who are often ignored: ST Microelectronics, Altis semiconductor (for the manufacture of components) and Dassault System (in the field of software). He also mentions young companies often ignored as OVH, Iliad or Gandi.

 

New sentences for  IT attacks (Alain Bensoussan)

The speaker (who is a lawyer) explains the change that was made in November 2014 at the article 323-3 of the French penal law (known as “Loi Godfrain”) with the new French law 2014-1353 (that strengthens the fight against terrorism). This change adds 4 verbs to this 323-3 article that are now liable: illegally “extract”, “possess”, “reproduce” or “transmit” data are now forbidden by law.

Before that addition, the victim should have used the laws against "data theft" or "breach of trust" that are punished by other articles of laws, but it was more difficult because these articles were not directly applicable to the computer science field.

Note: Refer to this article for further information: http://www.alain-bensoussan.com/vol-de-donnees-article-323-3-code-penal/2015/02/24/

 

French or European security products (Pascal Sitbon - Seclab)

The speaker is the manager of a small company that develops and sells security products for SCADA systems which rely on hardware security mechanism. For example he sells a “data diode” that guarantees unidirectional data transfer between 2 systems. His presentation gives feedback on the industrialization of a SCADA product. In particular, it explains that:

• 80% of the investment for industrialization, promotion and marketing: the rest (costs of R & D) is low for this type of product.
• The product is designed and manufactured in France, so there is no technical barrier to the French market (no risk of cyber-backdoors).
• It is difficult to convince the first buyer. Once the product has been sold to the USA, it was easier to attract others.

 

The French “Loi de Programmation Militaire” (LPM) applied to a small “Opérateur d’Importance Vitale” (OIV) (B. Joucreau et C. Renard - HSC)

The LPM stands for “Loi de Programmation Militaire” in French, and can be translated into “Act on Military Programming”. This is a French national law which defines the objectives of the French Government for the five coming years. OIV stands for “Opérateur d’Importance Vitale” and can be translated into “National critical infrastructures”.

The article 22 of the LPM defines new obligations for OIV regarding enforcement of Industrial Control Systems security, performance of security audit and the disclosure of security breaches. On that topic, the speakers present:

• A history of known security incidents impacting SCADA systems.
• A view on French Critical Infrastructures classification : SAIV (Secteurs d’Activité d’Importance Vitale), OIV, PIV (Point d’importance Vitale), ZIV (Zone d’Importance Vitale). The detail of which organization belongs to each category is secret (confidential). There should be around 218 OIV.
• A view on the LPM. It was adopted in December 2013, and the “Decret d’application” (an official document that defines the concrete application of the law) was first expected in Autumn 2014. They just have been released by the ANSSI.
• The difficulties of implementing security measures on industrial systems: heterogeneous hardware, security requirements missing at design stage, hard requirements for reliability, dependence on third-party suppliers. On this last point, for example, the speakers explained that the supply of gas turbines depends on 4 suppliers around the world: all industrial installations that need gas turbine consequently depend on one of these four suppliers.

 

Questions about the digital sovereignty (Stéphane Bortzmeyer)

The speaker presents a series of thoughts on what is the sovereignty, and what experiences we have about it. He speaks about the following topics:

• The “French Cloud” project, that was launched in 2011 under the name of “Andromede” project, but split in 2012 in two separate and parallel initiatives:  Cloudwatt (by Orange and Thales) and Numergy (by SFR and Bull). He describes this “French Cloud” project as being an unsuccessful experiment.
• The normalization bodies, such as IETF. The USA dominates this work but France is also present. Few of the topics covered concern sovereignty, but the internationalization of standards (typically supporting non-ASCII character sets) is one of them. This subject is now well established. The new topic to defend now in such instance should be to defend privacy.
• The defense of privacy. France (and Europe in general) must be involved in the defense of privacy because the US does not have the same culture on this subject. Large dominant players (the GAFA: Google, Apple, Facebook and Amazon) are all American, and Europe must organize to convince these top players to consider the European requirements about privacy.

The speaker concludes that instead of trying to define the sovereignty, it would be simpler and clearer to define: who does decide, who does control and who does monitor? Should it be the state, citizens or private companies?

 

Conclusions

The theme of the day (sovereignty) was rather complex and theoretical, but the program committee has managed to brilliantly meet the challenge by offering consistent and interesting presentations. This is the first time that the JSSI addressed a geo-political issue, and this shows the evolution of cyber society. We have move in a few years from technical problems, to business issues (e.g. managing employee mobility) and now to strategic issues for states.