The Defence and National Security sectors face a number of cybersecurity challenges related to programme renewals and updates and the incorporation of new technologies such as post-quantum cryptography. And although such concerns are not exclusive to these sectors, cyber-sovereignty evidently needs to be taken into account at every stage of the project’s development.
Long programmes and innovations: constant change in the world of cyberdefence
The Defence and Security sectors have specific concerns in many respects. However, although it is important to take their unique characteristics (regulations, contacts, length of decision-making cycles, etc.) into account when developing cybersecurity and cyberdefence offerings, the challenges and issues they face are not so different from a number of civilian sectors.
For the purposes of comparison, let’s consider the example of civil and military aeronautics, which fall within the same spectrum. In the defence and national security industry, military programmes have a lifespan of around 30 years. They are also subject to very strict requirements, such as France’s “Maintenance in Operational Conditions” (MOC) and “Maintenance in Secure Conditions” (MCS) provisions. Throughout the duration of the programme, a number of developments will be progressively implemented in terms of connectivity, multimedia transmission with the ground and telecommunications, all of which will require a higher level of cybersecurity. The same also applies to the civil aviation sector, where aircraft life cycles are similar and require regular upgrades (cockpit, cabin, connectivity, etc.).
As a result, the duration of avionics programmes creates a technological gap between the start of aircraft production and their use. Thirty years ago, for example, the cyberdefense aspect was not factored into the design of aircraft because their level of connection to the ground was minimal. Nowadays, every aircraft – whether civil or military – is a technological concentration of a whole range of digitalised, assisted and connected processes. The hyper-connected nature of the aeronautical sector goes hand in hand with an increase in cyber risk. In fact, the addition of an extra point of connection to an appliance is analogous to adding another door to a house, as it increases the risk of intrusion. It is therefore vitally important to properly incorporate all the components required for “Maintenance in Secure Conditions” into each stage of “Maintenance in Operational Conditions”.
To cite another example, in addition to basic connectivity, the Defence and National Security sectors are also becoming increasingly interoperable. This is the aim of France’s “Radio Network of the Future” (RRF), the very high-speed sovereign network which, from 2024, will come to form the backbone of operational communications in the security and emergency sector, connecting 300,000 agents from different services to one another. Police, fire fighters, gendarmes and ambulance services will be able to communicate with each other and share sensitive information. In terms of use cases – for example, during a chase – police officers on the ground will have real-time access to the video stream captured by a gendarmerie helicopter, increasing their chances of apprehending the suspect. For this large-scale industrial project, with its extreme sensitivity in terms of critical communications, cyber risks have of course been taken into account from the earliest stages to avoid interference, denial of service or even spying on the network during sensitive operations, and thus ensure the availability, integrity and confidentiality of the data.
Finally, among the cyberdefense challenges posed by innovation, the still largely unknown aspects surrounding quantum computing should not be overlooked. The effects of a quantum cyberattack remain uncertain, given the potentially unparalleled computing power offered by this superposition technology. Although some believe that such risks will not become a reality for several decades yet, it is imperative that we start preparing for them now. This is what industry players are doing today, by anticipating them in their strategies.
All these technological developments clearly demonstrate the importance of systems cybersecurity, which is becoming a major challenge and a key operational necessity in the face of increasing complexity and the growing threat, rather than the burden that manufacturers in the sector have traditionally perceived it as.
Anticipate, monitor and innovate: a golden rule for cyberdefence
In a fast-moving technological environment, manufacturers in the Defence and Security sectors seeking to ensure the highest level of security are thus subject to three golden rules:
- anticipate cyber risks by applying a gradual improvement in the level of security to all network and communication infrastructures, and also to all IT equipment, whether on the ground or on board vehicles of all kinds.
- constantly monitor developments in threats and the solutions available on the market to deal with them. Technological and industrial intelligence, which is often used by many governments for economic intelligence purposes, plays a key role here.
- innovate in terms of cybersecurity. Here, France has many cutting-edge technology companies capable of providing the necessary expertise. This is where the French Armaments Procurement Agency (DGA) and its support programmes, in addition to government funding, play a role in encouraging innovation.
Cyberdefence supported by public authorities
While defence and security professionals are applying this trifecta of measures (Anticipate, Monitor, Innovate), public authorities are regulating cybersecurity to make it a sine qua non. The constraints imposed by new regulations, such as the French Military Planning Act (LPM), the new IPSec DR reference framework and the NIS2 directive, are no mere rubber stamp: they help provide protection against the risks of geopolitical, industrial or commercial attacks and espionage.
Regulations are evolving to prepare our entire economies – and not just in the defence and security sectors – to square up to the new risks generated by our now hyper-connected environments. At the end of the day, the objective remains the same for all areas of the State: to ensure the sovereignty of our information technologies and guarantee flawless protection of our infrastructures, in order to protect the goods and people that make up our country.
In this respect, the defence and security industries are in the front line because of the crucial role they play in maintaining public order and national security. When national security and cyberdefence are targeted, what is at stake is the smooth running of the apparatus of state, and ultimately our economies. By implementing cybersecurity by design in security and defence solutions, and – more importantly – operating a sovereign form of cybersecurity, we will be in a position to anticipate threats and innovate, thus maintaining a technological lead over emerging players who are extremely active, and possibly even belligerent, in a cyber-environment that has multiple points of entry.