1 EMPLOYER SUPPORT SYMPOSIUM, BRNO – 01 AUGUST 2013 EMPLOYER SUPPORT FOR MILITARY RESERVE The Industry Perspective by a CEO (and a Reserve Officer) Mr L.-F. Salvador, CEO Sogeti Your Excellencies, General Officers, Officers, Distinguished Guests, Ladies and Gentlemen, First I want to thank Richard to let me speak in front of you all. Thank you Commander. How enthusiastic am I to see men and women dedicated to support and reinforcing their armed forces. It is also an honor to take the stage in front of you, under the CIOR French Presidency, as a French industrialist. More precisely I am the Executive Sponsor for the French Ministry of Defense at Capgemini. Sogeti is a wholly owned subsidiary of Capgemini focusing for many years in cyber-security for companies and administration. Just like Capgemini or Sogeti, other companies have a strong partnership with armed forces focusing on technological improvement and innovations. Defense has always been a pioneer of innovation. Defense still shows the way to a constant search for technological improvement and availability. In 1960s, the use of gallium arsenide for the microelectronics in Defense industry allowed the development of mobile phones in 1980s. The electronic warfare in 1970s was the starting point of the rise of Internet in 1990s. Photovoltaic technology used in satellites in 1970s gave birth to sustainable energies in 1990s. 1 2 All those innovations came from the military sector, in a process known as long time cycle innovation alongside great benefits for the civilian world when those technologies are empowered by the industry. Military demands ask for cutting-edge technologies and addresses a panel of specific needs such as: - Operational pressure (heat, radiations, vibrations…) - Search for strategic superiority - Heavy costs investment DEFENSE CIVILIAN INDUSTRY Advanced technologies Well-tried technologies Breaking technologies Progressive technologies Deadly malfunction Embarrassing malfunction Unpredictable using conditions Predictable using conditions Short production series Long production series Reliability concern Price concern Source : EADS One feed the other in a cyclic process. They are complementary forces that drive the economy in the long run. The benefits often make the appointment. But there is one issue where those benefits could become deadly if we are not careful enough: cyber. WHY CYBERDEFENSE? Our modern world is interconnected more than ever. Sending an email, making a bank transfer, ordering online or booking your flight directly on your mobile has never been as easy and fast as today. About 50 billion devices will be connected to the Internet in 2020, most of them barely protected, which implies as much potential backdoors for hackers to intrude in our machineries, our companies, our administrations, our homes and personal lives. IT and technology are at the heart of our civilizations and organizations. - The increase of networking and connections enable our organizations to become more efficient, more productive and better informed. 2 3 - Data and Information Access are key assets for every individual, every company and every state. Thus, IT and technology have become vital for decision making. - This allows processes optimization and industrialization such as railway tracks switching operability, air traffic control, gas and electricity distribution or chlorine water supply. However the ever-increasing use of technology goes with the lack of understanding the consequential stakes, especially amongst the young generations. “We don’t care how it works, as long as it works”. We become an easy target and vulnerable. All our strong points turn out to be our weaknesses. Initially hacking was considered as a game, a playful hobby for a small group of people. Then it became a political or ideological tool such as the Anonymous, impacting the public opinion and manipulating the crowds – as we saw it during the Arab Springs. But as powerful as they are, they are still in a non-detrimental mindset. Of course we can argue that they are “haktivists” organizing civil disobedience protestation more than direct or radical actions. But when it comes about publishing confidential information, they could create some serious damage jeopardizing human lives (cf. US diplomatic cables leaks published on Wikileaks that put in danger US governmental agents, known as Cablegate in 2010-11). What is more disturbing is the criminal use of networks and technologies which happen a million of times every day. Cyber-espionage is also becoming usual, especially for economical intelligence. Yet non-existing about cyber terrorism is only a matter of time before it happens. The borders between all of these actions are fuzzy mostly due to the topology of cyberspace. Despite the regulation that rules the Internet, a grey area still remains where well organized people can operate with impunity. Hackers and cyber-spies understood it well. The cyberspace provides the perfect cover making them very hard to detect. The complexity of cyber attacks makes them even more confusing. No flags. No uniforms. Your friends dress like your enemies and your enemies dress like your friends. So what make cyber attacks so difficult to prevent? - First of all, there is no smoking gun or warnings. Indeed hackers benefit from the surprise effect amplifying the fears of the unknown. 3 4 - There is also a time uncertainty especially in espionage operations. A Trojan or a worm could remain dormant in an IT system for months before being detected and measuring the amount of information stolen from your system. Each night, thousand gigabits of technological and strategic data are stolen from thousand of computers of our Western companies. - Moreover it is discreet, as the nuclear weapon secrets at its time, the knowledge of building a cyber weapon still remains in hands of few individuals. For most people, the lack of understanding in their devices is sadly another key for successful attack. Yet a cyber attack can cause significant damages at a very large scale, for long period of time and at low costs. Nowadays it is easier and cheaper to order online a cyber attack targeted to an individual than buying a gun. Under cost cutting plans and Defense budget reduction pressures, cyber warfare become an economically interesting and credible option for any harmful-minded organizations. - Finally, most of the time a cyber attack is not claimed. Identifying the author remains highly complex and depends on few characteristics like concordant items of evidence, the language used, the names of commands and so forth. I presume that you all have in mind the Stuxnet Incident of June 2010 at nuclear power plants of Natanz, Iran or even cyber attacks of late 2011 and 2012 such as DuQu, Gauss, Flame and Shamoon in Middle East. Cyber warfare is not a fiction, no more than a passing fancy for the private sector. It is a reality that strikes already throughout the world. A race for innovation is looming. It takes more than traditional resources to imagine primary response-organizations, to anticipate and deal with potential crisis and shape a global strategy. In a nutshell, we need parries for a multiform, scalable and unpredictable threat. A certain number of countries and organizations are taking this issue quite seriously: - Such as the NATO initiative Tallinn based of Cooperative Cyber Defense Centre of Excellence established in the wake of 2007 the attacks on Estonia and the Bronze Night events. It is a research center, mostly in legal field but no operational oriented. There are currently 11 countries1 involved within the centre and France joined them in early July. 1 Estonia, Germany, Italy, Latvia, Lithuania, Poland, Slovakia, Spain, Hungary, USA, Netherlands. 4 5 - Besides France also developed its own national agency for information systems security: ANSSI since July 2011. - In 2012, UK set up a Cyber Reserve force to deal with security threats, running by the Ministry of Defense. - Even the German Federal Minister of the Interior put in force new organizational, manpower and technical framework conditions for the development of the Bundesamt für Sicherheit in der Informationstchnik (BSI) into the central IT security service provider of the German government. Other responses are combat oriented by purchasing cyber capacities. In 2010, the USA have developed the US Cyber Command to centralized command of cyberspace operations, organized existing cyber resources and synchronizes defense of US military networks. These examples show the good will and the rise of a new cultural change in the usual military mindset. Of course armed forces show great concern about cyber defense because it is their role to defend their country. But in front of such a threat, what can we do as civilians in our own level of expertise? THE FRENCH CYBER RESERVE It has been 10 months now that I have answered the “call of duty” and I have the great pleasure to coordinate the French Reserve for Cyber defense, alongside the General Officer for Cyber defense. For those of you who don’t know the French Cyber Reserve, we are a group of volunteers appointed by the Chief of Staff to bring our humble experience to the French cyber defense deployment. Reservists are spread in different workshops, working closely with national authorities in charge of the topic (MINDEF, ANSSI). Our first missions are to promote a spirit of cyber defense and bring value to national thoughts. These actions are the natural contribution of the civilian sphere to the military one, in the continuation of the 2008 White Paper and the Senatorial Rapport of Jean-Marie Bockel. The idea of a reserve dedicated to this issue comes from the joint cyber defense concept published in 2011. It encourages the industrial and academic worlds to contribute to the work of the ANSSI. 5 6 Under the authority of the Rear Admiral Coustillière, members of the Reserve work for the national resiliency, they join personally and not on the name of their organization. They are patriots. Workshops take place after or before their respective professional attributions. They also sign an ethical chart and engage themselves completely to their task. Each workshop is oriented by a representative, there are 8 of them: 1. The first workshop, which I represent, consists on a network of French key people (authors, scientists, CEOs…) to relay the Cyber issue to the public opinion. 2. A second workshop is in charge of dealing with representatives and senators out of the Defense Commission to target a larger scale. It also consists in maintaining a high level of information towards specialized journalists. 3. A third workshop is interested in education and young professionals. It supposed to draw a map of schools and jobs in the Cyber security field to deduce where we need to improve on both sides of diplomas. 4. Another workshop is dedicated to list all studies and books about Cyber security to avoid redoing what has been already done and to promote synergies, conferences and events on the topic of Cyber defense. 5. Another workshop focuses on SMBs (small and medium size business). It is logical to think how we could help SMBs to protect themselves because usually they can’t afford the means of a larger group. Ergo they are the more vulnerable actors and primary targets of our economical web. Some of them are highly strategic and we cannot allow any “weakest link” in that matter. 6. It would be absurd to maintain such a structure like the Reserve without thinking about what it will become. That is why this task fall in to one particular workshop: a future operational use or mobilization in potential crisis times. 7. Two new workshops had been added to the Reserve on the legal issues of Cyber security and to better alert great firms known as Critically Important Operators such as banks, hospitals, ministries, energies and telecom operators. Our goal is not to be another think-tank at national scale, but to humbly address questions of the military authorities, to answer their doubts by giving them comprehensive tools and a high level of expertise on special issues. Our major role toward the society is to alert the general public to cyber defense. 6 7 To sum up, the Reserve is an organization at the crossroads of civilian and military worlds. It is a force dedicated to alert and propose and contribute to reinforce the national cyber posture. It is a new form of laboratory of patriotic active commitment to support armed forces and State. This new synergy at the service of the Nation demonstrates the stake behind what we are trying to do. As CEO of Sogeti and reservist, I am proud to be a part of it. I can assure you that I have never seen so much commitment and passion on the behalf of those men and women to work together. The urgency of a need to becoming closer with the military is crucial. Cyberspace is one of those places where the threats are common to civilians and armed forces. We face a double challenge: given the need to ensuring the defense of our own country without weighing too much on budgets already stretched. We are facing uneven and asymmetric enemies that grow stronger day by day. Those foes are taking advantage of a system onto our entire social and economical model is running. It is jeopardizing global trust between a firm and its clients, a State and its citizens. The general public opinion is at risks and we are already at war in cyberspace. Deploying a national strategy is the first step of this fight. It implies a global mobilization of an entire chain of actors (civilian and military), and constant diligence, not to suppress all threats, but to be one step ahead and contain them. Holding our ground is not sufficient. The complexity of the cyber defense issue calls for a certain clear-headedness and implies significant efforts in the long run. Even if both military and civilians are using same spaces, sharing same technologies and stakes, they are not building on the same values. We often see the private sector as a short gain system. That is just wrong. I can tell that there are some people in it who are patriots and yearn to take part in the Defense of their country. These men and women are an imperious need in support of the armed forces. We have to recognize that even when it comes to serious and sovereign topics such as Defense, synergies are welcome. By sharing experience, expertise, ideas and visions for the future we could keep up this partnership going for the next generations. 7 8 Values and civic-mindedness are still a currency to trust in our world and if we do not take the best of it, we may create a non-reversible gap between military and civilian worlds. If you have in mind the field of dual-use technologies we have found a perfect common ground to walk hand in hand. I believe every one of us could put a shoulder to the wheel. Starting at national scale is already a step forward, to build a European strategy would be even better. A European cooperation between patriotic European industries could be a good start and a prelude for more mutual assistant between countries. By reporting attacks and sharing knowledge, we could reinforce our cyber defense at regional level. Hence, it would be silly not to take advantage of the link between industry and military in every aspects of our technological improvement, especially in cyber defense. In France, the main IS security operators, including Sogeti, are taking part in the Council of Trusted and Security Industries alongside national authorities. National reserves could be outstanding structures as well in this matter. Given the commitment of their members and their capacity to generate new ideas, it is a highly appropriate way to promote the Cyber defense issue. Thus we could march against those growing cyber threats with confidence. CONCLUSION Partnerships between industry and military always proved their efficiency when it comes to global threat. What I wish for is a mutual trust between the armed forces and civilians whether they come from industry, university or engineering as long as they are seeking to serve a common goal. We are here, in the field of dual-use technology that can be used for both peaceful and military aims. In other words, expensive technologies which would otherwise only serve military purposes can also be used to benefit civilian commercial interests. These technologies already exist in nuclear, ballistics, chemistry and biology; cyber could be the next step forward. We can make Internet a more secure place for everybody and to do so we must push our way through R&D and innovation in a partnership both military and civilian. 8