(by Army General (2S) Watin-Augouard, Founder of the FIC)
The symbiotic relationship between security and freedom is central to building the rule of law. Far from being opposed, these concepts are interdependent. It is impossible to have one without the other. The overarching principles of security and freedom seem to be stabilised in the “real world.” However, the new technologies emerging with the development of the digital sphere are posing the problem in new terms.
First off, it is interesting to note that when cyberspace was originally developed with a programme started in the late 1950s by Paul Baran – the inspiration behind Arpanet – it was intended to meet security and defence requirements. Left to its own devices, it has fallen into the hands of academics with a single-minded focus on freedom. Mention may even be made of a libertarian current supported by American neo-communalism and 750,000 hippies living in Silicon Valley, including many doctoral students at major American universities.
If there were only a few dozen or a few hundred connected machines, “cyberspace independence” might have managed to cling to a utopian expression. However, with more than 10 billion connected machines in 2016 and perhaps one trillion in 2030, the digital arena no longer amounts to “some other place.” Ultimately, it will undoubtedly become the “only” arena for land, sea and air undertakings.
Once cyberspace started to be democratised, predators found their way onto the scene. Consequently, security and defence strategies started to be prepared, first with information systems security (ISS), then with the fight against cybercrime and, more recently, with cyber defence. The digital sphere is increasingly taking on the appearance of an arena conducive to profit, competition, the struggle for influence and malevolence with extremes that have come close to sparking conflict.
Cyberspace, being universal (by design) and (seemingly) borderless, could have or should have benefited from global governance. Despite multiple international attempts (International Telecommunication Union [ITU], United Nations Group of Governmental Experts [GGE], etc.) that have met with limited success, a worldwide mechanism for addressing cyberspace challenges is far from being a reality. Digital Europe as a necessary third option between an American model and a Chinese model is still in its infancy, even if some elements of it seem to be gaining ground today.
States, then, must return to the front-line. Having “abandoned” the Internet to private players, they are now obliged to cooperate with these to shape and structure it. They must return not only to fight cybercrime, but also to protect critical infrastructure, operators of vital importance and operators of essential services, through cyber defence. While this cyber defence must, of course, be defensive, its offensive capabilities must not be overlooked. The terrorist threat, which expresses or manifests itself with many technical skills through cyberspace, intensifies interventionism in cyber defence. The inflation of the volume of legislation since the early 2000s testifies to this fact.
“Processing” was central to the 1978 law. Processing “systems” were the basis of the 1988 Godfrain law. Now, data are the main target of predators of every stripe, due to their intrinsic value and the multiple possibilities they unlock when stolen, distorted, etc. While cyber attackers may direct malicious acts towards the digital arena’s “hardware” layer (infrastructure, routers, underwater cables and data centres) or “software” layer, they are increasingly targeting the “semantic” layer — i.e. the layer of meaning.
Regarding the hardware layer, its protection and defence are largely nonspecific since this layer constitutes a marker of cyberspace in the real world. Thus it requires physical security measures, as freedom of access to the digital arena is limited if, for example, underwater cables are cut or their landing sites are affected, or data centres or routers are damaged.
Protecting freedom on the software layer requires security measures that, for the time being, are not very invasive of privacy, even if ISS may raise unprecedented problems in terms of sharing between private life and professional life. Biometric authentication and threat intelligence combining query profiling, behavioural analyses and “cognitive security” may open up more intrusive pathways into the private lives of Internet users.
The semantic layer is undoubtedly where the conflict between security and freedom is (or begins to be) most intense. The development of special investigation techniques and intelligence techniques bears witness to this. In France, two recent examples illustrate this tension. First, there is the withdrawal, under pressure from the Senate fearing a conflict with the Constitution, of the obligation to provide subscription numbers and technical identifiers for all means of electronic communication available to an individual suspected of terrorist activities. Second, there is the “saga” of the constitutionality of the offence of regularly checking terrorist websites (this was a high-priority question of constitutionality submitted by the Court of Cassation on 4 October 2017). Beyond these French examples, encryption offers a more global case in point of the tension between security and freedom. It is both a requirement for building trust in exchanges and an obstacle for security forces, which clash with end-to-end encryption in over-the-top services (WhatsApp, Instagram, etc.). We can understand the need for access through justice for unencrypted messages transmitted by terrorist movements and organised crime. However, we must also weigh the dangers associated with implementing back doors, which indeed are not requested by the French investigating authorities.
The quest for balance is more necessary than ever if we want a secure digital arena to become an arena for freedom. The moderated speeches, regularly uttered by ANSSI Managing Director Guillaume Poupard, reflect this aspiration. Moreover, for the last 10 years, the “FIC spirit” has spoken to the desire to give an end to the means of cybersecurity. The FIC’s watchword? Neither absolute security, which would negate freedom, nor absolute freedom, which would bolster the notion that “might makes right.”
To achieve this state of equilibrium, it is important to combine skills and, in particular, to bring the “hard sciences” closer to the social sciences. Such is the cross-cutting ambition that the FIC strives to fulfil. Such is its desired contribution to a debate that goes well beyond merely exploring technological challenges.
To strike this vital balance, we must also subscribe to the notion that individual freedom is the product of collectively implemented cybersecurity. Hyperconnection, the theme of the 10th FIC, spotlights areas of overlap and interaction as well as intertwined responsibilities, which can only grow in the next five years. Between “securitarians” and “libertarians,” the FIC is a meeting place for those who wish to find a happy medium. Many of us will express this ambition on 23 and 24 January 2018!