The session was moderated by Sébastien Héon, Director of Public Affairs at Cassidian CyberSecurity, France, and the following participated in the session:

  • Frederick Douzet (Professor & Associate Director, French Institute of Geopolitics, University of Paris; Castex Chair of Cyberstrategy, France);
  • Gisèle Ducrot (Casualty and Servicing Client Manager, AXA Matrix Risk Consultant, France);
  • Emmanuel Harrar (Partner Dreyfus & Associés, France);
  • Nagaaki Ohyama (Professor, Tokyo Institute of Technology, Imaging Science and Engineering Laboratory, Japan);
  • Frédérick Polycarpe (Head of International Sales & Programmes, Cassidian CyberSecurity, France);
  • Michel Toporkoff (Attorney at Law, Toporkoff Law Firm, France);
  • Paul Wormeli (Executive Director Emeritus, Integrated Justice Information Systems Institute – IJIS; Innovation Strategist, Wormeli Consulting, LLC, USA).

Frederick Douzet talked about the relevance of geography and geopolitics as useful tools to help identify countries' areas and zones of influence in cyberspace. She pointed out that cyberspace represented a “territory with no regulation” and that cyber conflicts actually originated in the real world, and so from a real location. She claimed that while nations want to regulate and control the internet, they cannot really achieve that goal, since the internet has no boundaries.

Paul Wormeli talked about the threats that came from the ether. He showed a timeline displaying the actors behind cyberattacks in 2003, the current cyber attackers, and the most probable ones ten years from now. According to this timeline, while in the past hackers were mainly hacking as a hobby, today we face real criminals and associations of hackers, and tomorrow we will probably see armies, governments and corporations fighting on the internet. The possible consequences of successful attacks range from denial of service to cyberwars to destruction of systems, and the frequency of the attacks is growing from millions per day to continuous, real-time and interactive. Finally, he claimed that the only way to fight this scenario was to always have a defense strategy, so that when an attack occurs you are ready to handle it instantly.

Michel Toporkoff showed the only three real cases of cyberattacks that have been tried and reached a verdict in France in the last year. The first important point that he highlighted was therefore that a lot of attacks remain unknown. From the analysis of the cases he brought, another key problem in judging them is that usually you cannot identify the so-called “puppet master” behind the attacks. The last problem is that in some cases the victim actually fails to protect its own data. So who is to blame?

Nagaaki Ohyama presented the security solution for the future Japanese public system that will manage the digital taxation and security area for Japanese residents. The system will combine an ID number assigned to every resident with a smartcard on which it is stored. He explained the risks that may come from that system in terms of invasion of personal privacy, and the way to handle them by using legal and security countermeasures (i.e. people will be able to watch every single transaction involving their personal data). Finally, he claimed that a key problem for the “digitalization” of personal data is social acceptance, since people are suspicious of it.

Emmanuel Harrar talked about the upcoming new gTLDs, generic top-level domains (e.g. .com, .net, .us), and the problems that may come from their implementation. The importance of extending the number of existing ones comes from the fact that current ones usually do not have a specific meaning (e.g. “.com”) and are few in number, while the new ones will be significant for brands (.mcdonalds, .bmw), for geography (.paris, .berlin) and for generic terms (.sport, .hobby), and will have a direct impact on e-commerce. The risks that may come (and probably will) from their implementation are related to internet stability and resilience, since the number of new web sites and applications will grow exponentially. The legal risks are cyber-squatting, counterfeiting and phishing, and the business problem is the low ranking of sites using meaningless domains like “.com”, causing a loss of brand awareness for big companies.

Sébastien Héon presented an analysis of the UK government statistics about security. Based on a survey about the UK government, it was established that 78% of large organizations were victims of cyberattacks in the last year and only 20% of those companies detected the problem, while the others did not even notice it. Another important problem is that it usually takes 371 days on average for a company to realize that it has been attacked. He pointed out that the main security issues come from a lack of standard procedures that companies design and adopt. Finally, he said that the principal way to handle security issues is to prevent attacks rather than react: reacting usually takes 3 months to analyze and understand the attack, several days to neutralize it and more than one year to recover from the damage.

Gisèle Ducrot said that cyber risks were strategic risks for companies and not only technical issues. She broke the risk down into elementary factors. The first one is the “cause”, which identifies why a cyberattack could happen: company data and tools. The second factor is the “consequence” of the attack, which concerns finance, liability of the company, commercial impact, brand image and business interruption. Finally, she presented some possible solutions for the risk management process: the first step is to identify the risks via risk analysis and by evaluating their origins and impacts; the second is to adopt mitigation measures; and the third and final one is to transfer the risk through insurance, since it reduces financial exposure.

Frédérick Polycarpe talked about possible solutions and ways to manage cyber security for companies. He claimed that a big company must assume that it will be constantly attacked and that it will need a consistent cyber security master plan across all divisions, all countries and all regulations. He reminded the audience that attackers are motivated by ideology or by money, and that they could be hired by governments and organizations. Moreover, attackers are highly professional and know how to beat standard countermeasures, and a big company must assume that the attacker will always have more time and need less money to attack than the company needs to defend itself. He claimed that cybersecurity is a balance between technology, people and processes: companies need tools to evaluate risks, detect attacks and make decisions on how to prevent attacks and, eventually, react quickly. For Polycarpe, a big company needs a continuous security improvement cycle.
