Interview with Jean-Louis Desvignes, Major-General; expert consultant in information systems security, Vice-President of the Bull Institute
Jean-Louis Desvignes is a graduate of the Saint-Cyr military college, and trained as an engineer at ESEAT, the French armed forces electronics academy (the Ecole Supérieure d’Electronique de l’Armée de Terre), going on to obtain a higher diploma in cryptography and, via the specialist electrical engineering academy, the Ecole Supérieure d’Electricité, a military teaching qualification in science and technology. In 1981, he became project manager at the French armed forces Signals head office, and Operations Office Manager in two successive regiments in Germany, before, in 1985, becoming head of the Cypher Office at the Armed Forces Central Command. In 1990, he pursued his career as head of the Army Corps 8th Signals Regiment and then in 1992, as head of the research department at the Signals Inspectorate. In 1994 he was auditor for the Advanced Defence Research institute. In 1995, he became head of the central office of Information System security (reporting to the Prime Minister’s office). In 2000, he was promoted to Major-General and Captain of the Signals application academy (the Ecole Supérieure et d’Application des Transmissions) at Rennes. In 2004, he was appointed as a program head at the Armed Forces Training Command. He is currently an expert consultant in information system security (Altran, Thalès), President of the cypher and information system security reservists association, and Vice-President of the Bull Institute.
Two years ago, security was top of the list of IT Directors’ concerns. Today, it seems to be less of a priority. Is this because the potential hazard has receded?
Quite the opposite, the threat only seems to be intensifying. I would even say that things are progressing from small-scale isolated incidents to the level of organized crime. Too often, the risks are considered to be on a par with the kinds of practical jokes perpetrated by ‘hackers’ in the 1990s, which attracted such media attention. But the threat has changed both in nature and scale: nowadays it is increasingly industrialized.
Today, botnets can be hired specifically to paralyze organizations by denying them access to services. Counterfeit cards are being manufactured on a massive scale. Millions of PIN numbers are being stolen… And that’s just the tip of the iceberg. In the past, offenders would boast about their exploits; today, discretion is the order of the day. They’re aiming for profit, not fame. They introduce their spyware, or Trojan horses, and then are happy to wait for the opportune moment. Some will even take care to ensure that systems are operating quite normally, so as not to arouse their victim’s suspicions, right up to the moment when they strike! Countless SMEs have had their know-how stolen in this way… often without even realizing it has happened. Larger groups are also targeted, of course. Just recently, a major French retailer’s information systems were seriously attacked during disputes between France and China. Nation-states are themselves not spared. The instances of widespread attacks against Estonia and Georgia are well known.
Not to mention attacks from inside the organization, still the most common source of threats, representing 80% of all incidents: a dishonest employee who changes a price for just a few seconds so they can buy goods at a knock-down price; a troublemaker who tries to sell customer listings to a competitor; a technician who wants to wreak revenge on his employer by sabotaging systems…
The cardinal sin? From the start, the software industry has been growing with users who are too indulgent towards bugs and security weaknesses. Is there any other industry sector where you would be allowed to sell vulnerable products? When you drive your car, catch an aeroplane or buy groceries, you are protected by hundreds of quality procedures, certifications and controls… So why are we not prepared to take the same kind of precautions when it comes to IT security?
Far too often, users are concerned with finding entry-level solutions. They’re prepared to trade security for cheap systems that benefit no-one. By aiming too low, they are arming tomorrow’s pirates. Or even terrorists, who could really take a serious interest in our vital infrastructures such as telecommunications, transport or energy.
Most large enterprises have realized the dangers, and implemented appropriate security measures. But are they sufficiently protected even so?
There is a growing awareness of risk. But many organizations are still looking at security from the wrong angle. Many are too strongly influenced by preconceived ideas, or give in to sales pitches that don’t necessarily correspond to their needs, and still less to the real priorities!
Security is not something that can be improvised. The golden rule is: take a logical approach that starts by analyzing the risks. What really needs protecting? Against whom or what is protection needed? It is possible to imagine many different kinds of scenarios. And it is not strictly necessary to implement the most sophisticated of them. Sometimes, simple organizational measures can counter a large number of risks: checking out staff, monitoring vulnerable users (players, etc.)… Then you need to anticipate who is likely to want to cause damage, in a realistic way: competitors, or perhaps staff bearing a grudge? Only after you have carried out this kind of analysis should you choose and deploy technical solutions: internal partitioning tools, external firewalls, IP encoders to create a protected channel across the quicksands that constitute the Internet, identity and access management… And of course, the security of new technologies: virtualization, Radio Frequency Identification or RFID, Cloud Computing, etc.
One crucial point is that you should never rely on just one barrier: there should be several. If the first fails, the second might perhaps contain the aggressor. And it’s a good idea to remember that, once the security system is in place, this is by no means the end of the story. On the contrary, this is where it all starts, and constant monitoring is needed to watch over what happens, take great care over auditing logs and journals, to detect anything out of the ordinary or abnormal, and run vulnerability audits at regular intervals… It’s impossible to anticipate every single eventuality. The important thing is to be able to react quickly! Since security is a long-term activity where you constantly have to question yourself, and ensure that everything is maintained in a state of operational security. This is a security issue, but also a financial one: the key to innovation today is to computerize your business processes, and the key to doing this successfully is trust.
Although the world’s power base is becoming increasingly dispersed, security is still dominated by US IT players. Does this pose a risk? Are there issues of sovereignty that need to be resolved?
It is clear that security tools themselves must be protected from any kind of corruption, compromise or interception. Many times, we have seen that organizations which fall foul of viruses have used components of Asian origin.
It is also a well-known fact that many applications, especially US ones, are in fact ‘backdoor’ applications in cryptographic terms. This trend has been increasing since 9/11, under the guise of anti-terrorist measures. While an assault on encrypted solutions using brute force has become impossible, it is so much simpler to take the information at its source! Relying on these ‘security’ solutions is like installing an armour-plated door in a plasterboard wall!
So to achieve the desired level of security, we need to draw as far as possible on trusted solutions, ones we can audit and control, such as those based on open software. The Chinese, who are rapidly developing their own IT industry, are investing huge sums in this. It is vital for France and for Europe that we benefit from an autonomous, well-regulated IT industry. This is the only way to avoid being tied hand and foot to foreign powers. Strangely, some people apparently have a problem with understanding this, either through intellectual inertia, or due to a kind of fatalism: you don’t build a fortress on land that has been mined!
The French government seems to have understood this: it has promised to double the resources available to the French information system security agency, ANSSI (the Agence Nationale de la Sécurité des Systèmes d’Information), enabling it to embark on creating a major cyber-defense center. This is a vital challenge. In the end, the level of security we achieve determines our rank in the alliance of nations. And what’s more, it conditions the real extent of our national sovereignty.
For more information >>> http://www.bull.com/security/index.html