The OECD[1] has just released two policy briefs[2], which deserve careful attention even before they are turned into recommendations directed at States or businesses.
While the first document puts forward an original and functional approach to the security of code-embedded products, the other publication, which addresses how IT vulnerabilities are managed, certainly represents a breakthrough for a document endorsed by all 37 members of the international organisation. Among the Member States endorsing it, the Five Eyes[3] acknowledge that they, as States, bear responsibility, alongside criminal organisations, for the emergence[4] of a grey market in IT vulnerabilities that are never reported to the vendors, to the detriment of everyone's digital security and of the public interest. Furthermore, the document subtly points out[5] the hypocrisy of some States in their stated policies on the reporting of IT vulnerabilities. Such practices have also led many companies to refuse to booby-trap hardware or software equipment[6] for the benefit of any government.
As the instigator of this OECD project, France could rightfully champion not only the intent but also the content of the document during the French presidency of the EU Council, which starts on 1 January 2022. Unlike other States, France knowingly chose a peaceful approach to the digital world. In 2009, it set up an interministerial body that systematically prioritises defence over offence. In 2013, it inspired the EU Cybersecurity Directive. In 2015, it adopted a digital security strategy reflecting the need to prioritise peace and stability in cyberspace. In 2017, an international conference on this very approach was held at the initiative of the French National Agency for the Security of Information Systems (ANSSI), a variation of which, the Paris Call[7], was organised in 2018 and has now been joined by 79 States, almost 400 organisations and 700 businesses. All these actions and events have made France the best possible vehicle for topics that are conducive to a sustainable digital world.
More broadly, France could instigate a European initiative to break the deadlock over digital security management at the UN. Between one approach that asserts the superiority of the most aggressive stakeholders and another that requires building a policed society to achieve peace and stability in the digital world, leaving no room for privacy (let alone freedom of speech, which seems to have become a thing of the past), a third way exists. It could be brought to the attention of the UN and could also be a topic for the next French presidency of the EU Council. This would require the Atlanticist approach that dominates the highest levels of French diplomacy, still stuck in Cold War-era balances of power and paralysed by its obsession with a deterrence strategy that the potential for cyberattacks has rendered partially irrelevant, to leave some room for a new generation of diplomats who understand what is at stake in this century.
As the OECD's work in this field shows, digital security will only be ensured through international co-operation between stakeholders and through international law, which alone can contain offensive actions by States and predatory moves by criminal organisations.
Unfortunately, internationalism and law were conspicuously missing from the statement of the President of the French Republic on cybersecurity.
- [1] The Organisation for Economic Co-operation and Development.
- [3] Supra-national intelligence organisation comprising the intelligence agencies of the United States, Great Britain, Canada, Australia and New Zealand, which became famous in the wake of Edward Snowden's leaking of documents.
- [4] “However, other actors are willing to buy critical code vulnerabilities at high prices, and with no intention of fixing them. These actors include criminals who buy vulnerabilities on the black market, but they also include government intelligence and defence agencies, as well as companies developing and selling tools based on the exploitation of vulnerabilities, such as tools purchased by police forces or intelligence agencies to access the content of mobile phones.”
- [5] “Policies often allow these agencies to discover vulnerabilities without reporting them to vulnerability owners, and to stockpile, weaponise and exploit them against public or private targets. These agencies can also buy vulnerabilities to carry out ‘offensive operations’. In some cases, government may require developers to insert ‘backdoors’ in their products, which are equivalent to intentional vulnerabilities.” Specific measures with less adverse consequences may be implemented to support the work of law enforcement agencies.