Like a Hurricane : Preparing for a Large Cyber Attack

Every country is now facing the threat of large cyber attacks that could affect their organisations. The interconnexion of technological systems and their dependance on few actors increase the chances that a "cyber hurricane" may occur. Institut Montaigne worked with major industrial groups, SMEs, medium-sized companies, and universities to grasp the nature of this risk and identify the available solutions. Our conclusion is that France, like other countries, vitally needs cooperation and solidarity between private actors on the one hand, and private and public actors on the other hand, in order to anticipate and identify cyber attacks and limit their impacts on French information systems.

A systemic threat

The risk of a cyber attack is amplified by two factors, which make this threat a systemic one.

• First, information systems rely on a very limited number of actors. For example, Intel microprocessors represent nearly 79% of "x86" microprocessors in use around the world. If an attacker detects a vulnerability, a large number of actors could be directly affected by it.
   
• Second, our systems' interconnexion, intensified by the externalisation of specific managerial functions (law, accounting, design) and reliance on cloud services, worsens the potential consequences of a cyber attack. The interconnexion between organisations therefore increases the number of entrance points viruses can use.  

Businesses and administrations : heterogeneous reactions

When the the Network and Information Security (NIS) directive was adopted in July 2016 by the European Union (EU), European states identified the sectors that were critical to the functioning of their economies and the preservation of the nation’s security. These sectors have the highest level of protection against cyber attacks. 

In large private companies, the level of safety of information systems remains heterogeneous and depends on the type of industry. Banks, which have been dependent on digital tools for a long time, are the most advanced in terms of cybersecurity. Service companies, particularly B2C firms, are also developing cybersecurity tools. Of all large businesses, manufacturing companies are the least prepared to face cyber attacks.

SMEs and medium-sized companies are the most vulnerable. They lack the resources to invest in cybersecurity, as well as the necessary  skills in this field. However, according to the National Institute of Statistics and Economic Studies (Insee) statistics, they account for 73% of French jobs, i.e. more than 19 million jobs, and a "cyber hurricane" could potentially cause a major economic and social crisis. 

Recommendations

Faced with the challenge of "cyber hurricanes", Institut Montaigne formulated thirteen recommendations, encouraging French actors to cooperate in order to anticipate and react to cyber threats. We believe the propositions below apply to other countries.

• Proposal 1. Incentivise large listed companies in order to prepare a report on cyber risks, available to the board of directors, or even partially integrated in the annual reports.
  In France, Wavestone, a consultancy firm, evaluates that 100% of CAC40 businesses communicate on cybersecurity, but only 25% of them address the issue at the executive committee level. Our objective is to make managers more aware of the critical nature of cyber threats, and prepare a strategy to tackle the issue. 
   
• Proposal 2. Mobilise chartered accountants and auditors to realise annual cybersecurity diagnoses based on a questionnaire designed with state authorities. Basic recommendations to cover cyber risks would be shared with managers.
  All enterprises, including SMEs, rely on accountants and auditors to evaluate risks. We suggest mobilising  them to produce cybersecurity diagnoses. Accountants and auditors will undertake training programs to conduct these evaluations effectively. In the long run, a rating system could be implemented (risk profile A/B/C/D). 
   
• Proposal 3. Incentivise large companies to increase the cybersecurity level of their supply chains.
  We propose that large companies help their supply chains face cyber risks. They could make their expertise available to smaller actors via training sessions or help desks.
   
• Proposal 4. Encourage the creation of cybersecurity services and softwares for SMEs (network connectivity solutions integrating basic security measures, secured business applications and cyber insurances). 
  Private and public actors should create simple and transparent products which do not require strong skills to meet the cyber needs of SMEs. These initiatives could come from joint projects between public administrations and operators, but suppliers should also design these products themselves to maintain their competitive advantage. 
   
• Proposal 5. Prepare a legal framework for private actors to share their employees between themselves  in the event of a major cyber attack. 
  The challenge relies in creating a trustworthy environment between private actors. Private companies could sign a charter previous to participating in this framework.
   
• Proposal 6. Strengthen the capacity of strategic businesses to exchange information on cyber attacks via a secured platform, operated by the state or by a trusted and large cyber actor.
   
• Proposal 7. Design a cyber-resilience label for the most at-risk equipment that guarantees a system’s ability to perform vital functions independently of information systems.
  We propose to label the most sensitive equipment at a European level (medical and manufacturing equipment, car brakes  etc.), to guarantee a safety mode even in the event of a cyber attack. This mode will limit the adverse consequences of systems failure.