Jean-Baptiste Demaison

 

International Working Group on Cyber Security and the Law participant shares insights on cyber security

November 21, 2014

Jean-Baptiste Demaison, International Cyber Policy Senior Advisor at the French Cybersecurity Agency (ANSII) joined the International Working Group on Cybersecurity and the Law in Washington D.C. on October 14-15, 2014. Through a series of high-level exchanges and round-table discusions, this Working Group explored the new risks posed by technology and new strategies in law enforcement to encounter cyber criminality.

Organized by the French-American Foundation under the patronage of INTERPOL and the French Minister of the Interior, the conference provided a closed-door forum for approximatively 30 particpants - including senior European and American government officials, security professionals, and IT industry leaders - to address questions concerning cybercrime, with a focus on identifying solutions to emerging therats.

Jean-Baptiste Demaison is senior advisor on International and European cyber policies within the international department of the French Cybersecurity Agency (ANSSI). Mr. Demaison is also Member of the Management Board and of the Executive Board of the European Network and Information Security Agency (ENISA). Previously, Mr. Demaison worked for the Strategic-Research Institute of the French Military Academy (IRSEM) and as Deputy Director of the French department of the Faculty of Political Science and Economics of the Cairo University. Mr. Demaison holds a Master's degree in International Affairs and specialized on global technological security challenges.


1. Jean-Baptiste,we are delighted to have you to share your insights with our readers. Along with other experts on cyber security, you recently participated in the International Working Group on Cyber Security in the Law held in Washington, D.C. on October 14-15, 2014. As senior International cyber policy advisor at ANSSI (French Cybersecurity Agency) could you tell us more about your work and the agency?

First of all, let me thank the French American Foundation for giving me the opportunity to participate to this year’s International Working Group on Cyber Security in the Law. Such high level and expert discussions on cybersecurity are very important in order to enhance our countries’ mutual understanding of our national approaches.

As cyber policy advisor within ANSSI’s international department, I am in charge of analysing multilateral strategic challenges, proposing orientations and ensuring coherent implementation of ANSSI’s actions with regard to cybersecurity policies within international organizations and fora, such as the UN, NATO and the EU.

As part of my responsibilities with regard to the EU, I as well represent France within the Management Board and the Executive Board of the European Network and Information Security Agency (ENISA), located in Greece. 

2. From an international policy point of view, which changes in cybersecurity have been the most significant in recent years?

As mentioned during the discussion in Washington, several important evolutions have drastically modified our approach to cybersecurity.

First of all, threats to cyberspace have grown in size and in complexity, requiring rapid evolution of national organizations and capacities. France has itself made tremendous efforts in recent years: ANSSI has grown from 140 people in 2010 to 400 today, and should reach 500 next year. We nevertheless must remain modest given the size of the task to achieve.

Secondly, cybersecurity is no longer the monopoly of governments, and constitutes as well a concern and an objective for businesses and citizens. Taking into account this evolution, France, to my opinion, evolved from a traditional “State’s security” approach to a “National Digital sovereignty” one.

Finally, whereas cybersecurity was originally seen only as a technical challenge, it has since become a highly strategic challenge with a strong political dimension, recognized as such in France’s 2013 White Paper on National Security and Defence. Indeed, cybersecurity is not anymore only about securing and defending information systems, it is also about defining efficient governance models, establishing dialogue with relevant stakeholders, engaging internationally with other countries and in multilateral fora, etc. The international policy and legal dimension of cybersecurity is in particular becoming prominent, as illustrated by the ongoing work of the group of governmental experts on “information security” within the UN, which recognized in its previous report the applicability of international law to cyberspace and continues to discuss “norms of acceptable behaviour of States in cyberspace”.

3. Does France cooperate with others countries, especially the United States?

Beyond international cyber policies, France has established and maintains a broad network of bilateral relations focusing on cyber, with countries inside and outside of the EU and NATO, ranging from formal diplomatic dialogues to close partnerships.

As historic Allies, the cooperation between France and the US on cybersecurity has always been considered important. The organization of the International Working Group on Cyber Security in the Law reflects the importance of the dialogue among our two countries on the various dimensions of cybersecurity, from security and defence of information systems and critical infrastructures to fight against cybercrime and prosecution. 

4. France recently adopted a legislation aiming at reinforcing the cybersecurity of its vital infrastructures: how a "regulatory" approach can help businesses to protect themselves better?

Acknowledging the rapid evolution of cyberthreats and, in particular, the threat to our national critical infrastructures, France adopted in December 2013 a legislation establishing, among other provisions, measures to significantly reinforce their cybersecurity (Military Programming Law).

It includes four main provisions: First, ANSSI will be responsible for defining security measures for the protection of critical IT systems in critical infrastructures; Second, incidents on their critical systems shall be notified to ANSSI by the critical operators; Third, these operators can be subject to security audits by ANSSI or qualified companies; Finally, ANSSI will have the authority to request these operators to take certain measures in case of a cyber crisis.

While several countries and the EU itself are planning to adopt similar regulations, some fear that a regulatory approach to cybersecurity could be a burden for businesses and that governments should instead favour dialogue and non-binding frameworks.

Our experience shows that not only both approaches are important but are complementary and should be led in parallel. While dialogue and confidence building with private sector is essential, a regulation should be seen as a common basis upon which to build our cybersecurity in order to benefit to all. I personally call this an “incentive regulation”.

In order to achieve this objective, our Law is now implemented in close collaboration with our critical operators, taking in particular into account the need that these measures be financially sustainable. ANSSI also ensured that this regulation be as focused as possible. Beyond the competitive advantage that cybersecurity will create for them, operators will as well directly benefit from this legislation as their cybersecurity will be more than ever our priority and France’s government will take liability for the measures to be taken in time of crisis.