Certified Secure online training

When I pre-registered for the ICSS 2018, I got access to a website called Certified Secure, an online training website where you can even earn some certificates.
With my account, I have temporary access to everything, even premium content.

Panel of the premium content

User Profile

Here is what a user profile looks like (screenshot of a user profile):

On the left, you have all the certifications you can get.
The panel in the middle shows what you need to achieve to get the selected certificate (here, the Essential Security certificate).
This is mostly quizzes, CTFs and games.
To learn how to answer the quizzes or get help with games and CTFs, you can watch the videos or read the provided content (a cheat sheet, for instance). There is also a forum in Dutch (but you can translate it without trouble with DeepL) and an IRC channel with an active community that is always willing to help.
Finally, on the right, you have the extra content (not mandatory to get a certificate).
With the arrow on the top right, you can switch between each certificate’s content.

When you succeed and get a certificate, you can download it as PDF and you’ll have something looking like this:

Certificate for Essential Security certificate

The challenges

You have a few challenges. But don’t worry if you don’t know how to solve them: they provide videos to help you out.
Some of those challenges are free, others are premium.

– This is a platform where you can learn things pretty quickly and get certificates for it.
– If you don’t want to pay you still can have access to many things.
– Fun, entertaining, engaging.
– Great helpful community.
– Even if some content and challenges are only in Dutch, you can still complete them with a good translator like DeepL.

– Some challenges are only in Dutch
– The community forum is only in Dutch

To conclude, I would recommend it because it is helpful for learning the basics. Even if some challenges are only in Dutch, I managed to complete them with DeepL.
Like I said, this training is challenging in a fun way. The challenges are well made and the tutors in the videos are really helpful.

OECD’s 2018 forum « What brings us together »

On Tuesday the 29th of May 2018, thanks to Led by Her, I was invited to the OECD’s forum and went to three talks.


This panel was moderated by Cyrille Lachèvre, a macroeconomics reporter from the French media outlet « L’Opinion », who asked questions to every member of the panel.
As an introduction, he said that cybersecurity is such a big subject that they decided to focus only on the following question:

“How can public and private sector cooperate to enhance cybersecurity and especially government and private actors?”

Moderator’s question to David Martinon: “What is the French strategy and how do you handle the cybersecurity question from the government point of view?”

  • Organize the state so that it can ensure the security of critical infrastructure.
  • The diplomatic strategy consists, through multilateral negotiations at the United Nations, in trying to stabilize cyberspace.
  • We need to find diplomatic answers to cyberattacks and to new and hybrid cyberattacks.
  • No state is invulnerable, but also no state is unable to conduct an attack.
  • It is not a bloc-to-bloc confrontation but a multipolar context: everyone can act. And beyond the states, private actors are incredibly efficient. For each of them the expected benefit of a cyberattack is far beyond the initial investment. This is why we need to find a way to stabilize the situation.
  • The United Nations is trying to clarify the rules of international law applicable to cyberspace.
  • In the OECD we are trying (it is a French initiative) to engage in a multi-stakeholder debate. It is essential to involve a certain number of private actors whose role has a systemic scope.
  • There is a digital battlefield created by vulnerabilities in computer products (software or devices) on the market that can be exploited.
  • Three main ideas:
    • We want to achieve better recognition by software and tool manufacturers of their economic, political and moral responsibilities.
    • Preventing the proliferation of the cyber arms trade.
    • The need to ensure that a certain number of practices such as reverse hacking or hack back are prohibited, since they enable private actors to conduct private wars on behalf of private actors.

Moderator’s question to Casper Klynge: “How can today’s governments and private actors work hand in hand with private companies to enhance private security?”

  • Wake-up call twelve months ago with the NotPetya attack.
  • Two weeks ago, launch of a new cybersecurity strategy which focuses on multilateral collaboration. How can we cooperate multilaterally on cybersecurity issues?
  • Increase dialogue with the private sector, and not only GAFAM: because we have a global mandate, we also take a global view of the industry, including in China, Asia and Europe.
  • Fundamental task: make sure that companies assume a responsibility proportional to the influence they are exercising over our societies.
  • We need to have a public-private partnership to find common solutions. We need the private sector to help us solve this problem.
  • We need to include Artificial Intelligence and Machine Learning in that equation. There’s a common misunderstanding that Artificial Intelligence will be part of the solution and will help us solve cyberattacks, but AI is going to increase the capabilities of state and non-state actors that are not necessarily well intentioned.

Moderator’s question to Tarah Wheeler: “As you know private actors well, what is your opinion on this relationship with governments?”

  • She is afraid of an attack that has no name yet. What would be the Pearl Harbour of cybersecurity? What would be the attack that is so devastating that it has a new name?
  • The public sector does not often listen to the best resource it has for determining in advance where risk lies. Many of the same vulnerabilities are still present in American and global Internet infrastructures.
  • There’s a lack of partnership between private and public resources in the United States and beyond.
  • She hopes for the wisdom to reach a hand out and provide the kind of wisdom that private security tries to gather as well as information about the potential for devastating attacks. She calls for the public sector to listen carefully to the words that are coming from the information security about the vulnerabilities that they have discovered.
  • Public sector should listen to the information security community instead of prosecuting them, instead of frightening them with threats of lawsuits.

Moderator’s question for Renata Avila: “We have developed countries that are seen as ambassadors on these cybersecurity questions, but we see a lot of developing countries with a lot of people getting used to the Internet, so danger could come from there also.”

  • Cybersecurity is a global problem. It is something that brings us together, and we are not putting the right pieces into place, because the two ambassadors here are describing the public-private partnership but the consumer side, the citizen side, is neglected. Usually civil society finds closed doors. Why do we perpetuate this exclusion of the civil community from security? If you exclude the community from a security problem, you end up with a flaw.
  • Whoever we are, we are walking asleep in this interconnectedness.
  • We need to combine top-down and bottom-up approaches, open up our spaces, be open about the problem and be more creative about the solutions. We have a responsibility not to delay this problem.

Moderator’s question to Shane Curran: “Are you afraid of the protection of data? Or is it something that is getting better and better?”

  • He used to think that cybersecurity is mostly a human issue and that education is the best way to correct it. But that is not the case.
  • Data security is not something people want to learn about. Only a small number of people have a keen interest in it and are developing their own knowledge of it.
  • In the example of Facebook everybody cares about data privacy. Even with the Cambridge Analytica problem people have a lack of care for data privacy.
  • That is why he developed with his company a platform that allows third-party services to process personal data without ever seeing or handling it.
  • The difficult thing for governments is to bring things out of academia and into a real-world use case. With cybersecurity in particular there’s a lot of research happening, but the solutions governments are trying to apply are mostly regulatory. Over time this is not a feasible solution.

Moderator’s question to the two ambassadors: Do you fear a global attack? What kind of attack do you fear? How can we enhance education? How to work with customers?

David Martinon

  • A global attack is something we fear, even though we have already faced that kind of attack.
  • But there may be at some point a cyber terrorist attack. Skills are on the market, so if you are a mafia you have the means to hire people and carry out a cyberattack.

Casper Klynge

  • We do fear a global attack, and with the growth of IoT, vulnerabilities are going to increase. This is a real issue and we need to do something about it.
  • We are trying to enable companies to say that they have been attacked without their image being impacted.
  • The international dimension is a critical part of it. We need to talk together but we also need to bring in the private sector.
  • Digital inequality is an important part of it: it is damaging for companies, but for people it is a life or death issue.

Moderator’s question for every panelist: Who should pay for cyber protection? State? Companies? Citizens?

Tarah Wheeler

  • Cybersecurity is a public good.
  • It’s not just private companies, not just the private sector or private citizens, who have the responsibility of paying for cyber protection. It’s much like removing pollution: each responsible person has the responsibility not to pollute.
  • Cybersecurity is a public good that involves a partnership among industry, among governments and among citizens, all of whom bear the responsibility for the ecosystem we are all affected by.

Renata Avila

Security should not be a plus in the product; it should be the standard. The technology industry should redesign the standard for everyone.

David Martinon

  • Everyone should take responsibility for cybersecurity.
  • Government cannot cover for everyone.
  • We don’t see the insurance market growing in Europe as it grows in the US because pricing insurance contracts based on cyber risk is impossible.
  • How do we make sure that everyone including private companies behave correctly when they protect themselves?

Shane Curran

  • He is a supporter of personal data monetization. There should be something similar to a bank for data privacy.
  • Individuals should definitely not pay for it.

Moderator’s question: How can we trust NSA and how can we trust the government to help us? How can we cope with this trust problem?

Tarah Wheeler

  • If your incentives are misaligned with whom you should trust, you probably have a problem.
  • What is that trust based upon? For companies, incentives need to be based around serving their customers, and sometimes customers and users are not the same thing.
  • Don’t trust where you don’t have to, because you don’t know who you’re delegating that trust to as a third party.
  • The digital battleground is not only real, but it is very difficult to assign proper weights to it in terms of risk. If you can’t tell what your risk is, if you can’t tell what your problem is, and the people around you are not even sure that what you’re talking about is real, it is going to be difficult to trust them with your life, your security and your future.

Casper Klynge

  • Part of the solution is to have standards for devices.
  • There is a difference between the EU and the US on the trust issue: in the EU we tend to trust governments. This is a cultural difference in the approach to where trust lies.
  • We need to find a common approach to regulation on the cybersecurity issue as well.

Poll for the audience: Do you trust your government to handle cybersecurity?

I made a big summary of this round table because I am really fascinated by the subject and I felt like it was tackled in a different way than it usually is. That is why I think you should also have a look at the video.
Every panelist was really interesting. I was particularly fascinated by Renata Avila, who brought to light very important issues regarding inequality.
Finally, as Tarah Wheeler said, it is necessary to listen to the information security community because they know very well what is happening in the field and could bring a lot to citizens, governments and private companies.

Universal digital rights and digital inclusion

For this round table I will only make a quick summary of what was said.

  • There is insufficient transparency regarding human rights in the digital realm.
  • We outsource our own way of doing things as humans. Silicon Valley is telling us that speed is the right way.
  • Everyone has the right to learn and work as an adult all along their lives.
  • You don’t need to choose between privacy and AI anymore. You can use modern techniques without giving up privacy. We invented a way to create fake data and use it to train the AI. This method works even better.
  • With AI the real risk is bias.
  • The future has already arrived in marginalized communities too. They have to trade basic human rights for other rights (e.g. privacy for food).
  • The way that data flows has everything to do with who has power.
  • Companies start with the best of intentions; with time, things happen and go wrong. How do you make sure that policies are being made based on the values of the company?
  • How do you take care of integrity and make sure that it is not questioned? Human rights are critically at stake.
  • You can’t blame propaganda for being powerful because we all use it. But the drivers of all of this remain the humans. We’re living in a world governed by us, not robots. Our values are what need to be challenged.
  • We need to move our business model away from targeted advertising. We need to take responsibility.

I really invite you to follow everyone on this panel, as everything that was said was really interesting. The best thing to do, though, if you want a nice summary of the subject, is to watch the video.

Meet Tarah Wheeler the author of “Women in Tech: take your career to the next level with practical advice and inspiring stories”

Meet Tarah Wheeler
Interviewed by Sarah Box, Counsellor, Directorate for Science, Technology and Innovation, OECD.
This presentation by Tarah Wheeler really made me want to read her book. She is really inspiring. She presented her book and gave us some advice.
Here is a quick summary of what was said:

  • Most of technology is interrelated in a way that we do not often pay attention to. It is overwhelming, but being a woman in tech can be overwhelming too.
  • With her book she hopes she has been a voice for other women. There’s a reason why she and seven other women talked about their experiences: “you are not alone”. There are women everywhere; all of us have different stories but ultimately it is all the same: we all face the challenges, we all overcome them and we are not alone.
  • The problem is there and it does not seem to get better. She keeps getting the same questions again and again about the subject, which means that those questions are not being answered properly by the companies that we are working for.
  • She then gave some advice:
    • Money is power, don’t turn it down. When you negotiate a salary: don’t name a number first, the first person to name a number always loses. Don’t say yes to the first offer. Think and talk about always being a good member of the team and use that as a negotiating strategy.
    • If you feel like you are not being treated well in your current position: get out. It is not your job to make it better. Find the company that will treat you well or create your own.
    • How do you have a family and work life at the same time? As Sheryl Sandberg said, there is no more important career choice a woman can make than her choice of a partner.
    • If you have that sense of joy in tech, don’t let anyone tell you to leave.

To conclude, people from the audience asked her questions and asked for advice.
If you want to see the full interview, which I encourage you to do, you can find it here.
You can also buy her book here.

To go further

Careers in cybersecurity

Note: This article was originally written in French because it is related to the career possibilities in cybersecurity in France.

It has always seemed difficult to me to get a concrete idea of a profession.
How do you get a list of all the jobs related to a field? And above all, how do you get a precise idea of the jobs in question? In other words, what does day-to-day life in a specific position look like?

When you want to take your first steps in cybersecurity, for example, it can seem complicated to sort through the different sub-fields and possible jobs.
In this article, I have therefore tried to gather interesting resources to sort things out and better understand the different positions.

The “profils-métiers” by ANSSI:

Short but effective: you get an overview of the different profiles and even an idea of the level.
It is an excellent resource for choosing a profile.

The article “La cybersécurité” by Onisep:

Onisep’s fact sheet on cybersecurity. It lists a few jobs as well as training courses.

“Quel référentiel pour les métiers de la cybersécurité?” by CEIS:

This document, published by the Compagnie Européenne d’Intelligence Stratégique, attempts to propose a reference framework.
At a single glance, thanks to their indicators, you can see the “density” in terms of “business”, “IT” or “security” for each “job type”.

“Les métiers des Systèmes d’Information dans les grandes entreprises” by CIGREF:

This document is not only about cybersecurity, since it covers all information systems jobs, but the CISO (RSSI) role is presented in great detail. It includes the “activities and tasks”, the skills, and even the deliverables.

The “career pathway” by cyberseek (English only):

A very visual tool that gives a good summary of each role and also shows possible career progressions or entry-level positions. Hovering over a job shows the average salary, and clicking on a position gives more details such as the required skills or even the possible certifications.

Jobs in cybersecurity by cyberdegrees (English only):

It provides a list of jobs and, when you click on a job, a really detailed fact sheet: a quick summary of the job, the responsibilities, career progressions, similar jobs, required degrees, skills, etc.

Cyber Security Jobs by Cybrary (English only):

This reference is somewhat limited in terms of job descriptions, because it is mainly a site of training resources, but it has a list of jobs and, when you click on a job, the “a day in a life of…” section, which gives a good overview of the reality of the job.

Map of cybersecurity domains by Henry Jiang (English only)

This map shows all the domains of cybersecurity at a single glance.

To go further:

If you are a globetrotter, I recommend this link:
Cyber Security around the world by Cybrary
You will get an overview of the cybersecurity job market by country. For now, the list is not complete, but it is fairly well filled in.

CTF Field Guide by Trail of Bits

What is Trail of Bits?
Trail of Bits is an independent information security company that aims to build better security for organizations around the world.
You can learn more about them here

When you want to learn more about how to become an ethical hacker, get your hands dirty and start to practice, it is quite hard to know where to start.
Of course you have plenty of information online, but it’s hard to find a way to start from scratch.
The CTF Field Guide explains everything in a very structured way and you’ll find plenty of resources (books, CTFs, wargames, websites, courses, …).
You’ll also be able to learn the differences between CTFs and wargames and the basics you should know about them.
Besides, they explain what types of employers you have in the field and what kinds of jobs. This is a good point because I had quite a hard time finding proper information about this. I was only able to find out more when I talked to professionals and experts in the field.
Furthermore, they make a good point in the chapter about certification. I’ll let you find out about it, but it made me think and reform my challenge.
When you are done reading the intro, you’ll have a great base to continue practicing in a well-structured way with a few main themes: Vulnerability Discovery, Exploit Creation, Forensics, Toolkit Creation and Operational Tradecraft.

To conclude, I would totally recommend this guide if you are the kind of person who likes to learn things in a structured manner. You’ll also find a bunch of great advice.

Cyber Challenge by the Department of Defense of the US military

screen of the game
Screen of my badges at the end of the game

I tried the game cybermission, available here.
It took me less than 1 hour to finish the full game.

– Nice introduction to the types of cybersecurity job positions: you understand that you have three main fields in cyber: protect, defend and strike.
Protect consists in detecting threats and suspicious activities,
Defend consists in creating secure networks,
Strike consists in finding the IP address of a hacker.
– Really fun to play. I had a great time and it is nice entertainment.
– You don’t have to create an account to play.

– Very short to complete the whole game. As I said before, it took me less than an hour.
– Very basic introduction. You won’t get strong cybersecurity concepts here. It seems like the purpose is mostly to be a fun game.
– You won’t be able to register and keep your progress; it recognizes you by your IP address. But you can still keep your progress with a good old screenshot.

To conclude, I would recommend it as an entertaining break between two MOOCs, hard wargames or CTFs. It is fun and gives a very basic introduction to what cybersecurity looks like.

Conférence les lundis de l’IHEDN: « Souveraineté numérique et cybersécurité »

Article available only in french

Guillaume Poupard: Souveraineté numérique et cybersécurité

Mots clés: cybersécurité, mutualisation, harmonisation, systémique
Photo de Guillaume Poupard

Qui est Guillaume Poupard?

Joël Bouchité a tenu à présenter Guillaume Poupard en se basant sur son parcours.
Guillaume Poupard est polytechnicien de la promotion X92. Il obtient un doctorat en cryptologie en 2000. Il est également diplômé en psychologie.
Il est ensuite expert en cryptographie au sein de la DCSSI (Direction Centrale de la Sécurité des Systèmes d’Information).
Il rejoint en 2006 le ministère de la Défense puis il est responsable à la direction de la SSI (sécurité des systèmes d’information) au sein de la DGA (Direction Générale de l’Armement).
Depuis le 27 mars 2014, il est directeur général de l’ANSSI (Agence Nationale de sécurité des Système d’Information).

La sécurité numérique, une jeune discipline

Pour introduire son propos, Guillaume Poupard a précisé que le sujet de la sécurité numérique était assez nouveau. En effet, cette question était inexistante en 2000 outre l’apparition d’Internet ceci reste encore confidentiel.
Aujourd’hui, l’ANSSI compte environ 500 personnes, il y a donc eu une évolution considérable en 20 ans.
En 2007 l’Estonie est victime d’une série d’attaques visant notamment le Parlement des banques et des ministères.
De plus, en 2008 la cybersécurité est abordée dans le livre blanc pour la défense et la sécurité ce que Guillaume Poupard qualifie de visionnaire.
En 2009, l’ANSSI est créé.
Enfin en 2013, la cybercriminalité est une des trois menaces prioritaires

Que se cache-t-il derrière ces attaques?

La cybercriminalité est un Eldorado, en effet, il y a peu de chances d’être identifié le ratio risque gain est inédit. Cela rapporte des centaines de millions d’euros par groupe de cybercriminels (un groupe étant composé d’environ une dizaine de personnes).
Pour les victimes, les coûts sont considérables. La cybercriminalité coûte de plus en plus cher et pose également un réel problème à l’échelle de la sécurité nationale.
Le deuxième risque concerne l’espionnage. Ce sujet ne pourra pas être traité de façon très précise, car les victimes d’espionnage préfèrent être discrètes. Aussi, un des objectifs de l’ANSSI est de protéger ses victimes et de respecter le secret de leur identité.
Il faut simplement retenir que la réalité est éloignée de ce que l’on sait et que l’espionnage est une réelle menace.
On compte 15 à 20 cas graves par an.
Il y a une efficacité et un côté systémique.
Le troisième risque est le sabotage. La destruction, la perte matérielle, et même la perte humaine sont des scénarios imaginables.
Il faut toutefois, éviter de faire peur de manière irresponsable.
Selon Guillaume Poupard pour se protéger, il faut identifier les risques et créer un collectif pour répondre collectivement à la menace.
Aussi, depuis 2016, il y a de nouvelles menaces, des processus tels qu’une élection sont manipulables par des attaques informatiques. L’attaque informatique est une manière supplémentaire pour complexifier la guerre d’informations.
Certaines attaques sont plus complexes à classer. Pour expliquer ceci, G. Poupard évoque l’attaque TV5, WannaCry et NotPetya.
Les conséquences financières des cyberattaques sont dramatiques.

Traitement des questions diplomatiques

La cybercriminalité touche de plus en plus de ministères. Guillaume Poupard précise cependant qu’attaquer la France depuis la France ou l’Europe depuis l’Europe sont des opérations sérieusement risquées.
Il précise aussi que les industriels capables de protéger la France ne sont pas forcément américains ou israéliens, il existe en France des professionnels tout aussi compétents.
Le rôle de l’ANSSI est d’être là pour réaliser ce qui peut être mutualisé. Il faut des bases solides et efficaces. La réaction de l’état seule n’est pas suffisante : c’est à chacun de se protéger.

Les Organisations d’importances vitales

Pour les OIV, la cybersécurité devait devenir une nécessité. Il ne suffit pas de donner des conseils.
En 2013, la loi a permis d’imposer aux OIV de faire de la cybersécurité une nécessité.
Il ne faut pas voir ça comme quelque chose de coercitif, mais plutôt comme une main tendue.
Il s’agit d’organiser une défense collective, de savoir quel organisme est attaqué, quand l’attaque s’est produite.
Il faut aussi imposer des règles de sécurité. Il existe effectivement un panel de solutions et des règles de sécurité efficaces pour se protéger.

La cybersécurité une question de gouvernance.

C’est aux décideurs de faire remonter les bons arbitrages. Il y a aussi un problème de sensibilisation en effet des hommes et femmes peuvent aussi être acteurs d’attaques informatiques à leur insu simplement pour des questions d’hygiène informatique.
Tous systèmes numériques est susceptible d’être attaqué. Les systèmes doivent être « by design » conçus pour se protéger. Pour une cybersécurité efficace il faut une architecture sécurisée dès le départ.
C’est aux décideurs de comprendre ces questions.

L’Europe et la cybersécurité

Pour renforcer la cybersécurité l’Europe renforce son autonomie stratégique.
La sécurité numérique de l’Europe est importante et liée à la sécurité nationale.
Assurer cette sécurité à l’échelle européenne est nécessaire et compatible avec les intérêts nationaux.
Il s’agit de développer la cybersécurité avec des fonds européens notamment axés sur la recherche et le développement.
Aussi ce qui a été développé avec les OIV a inspiré la Communauté Européenne.
Cependant, en ce qui concerne la certification, le processus est plus compliqué. Il faut en effet passer par des acteurs de confiance et organiser des processus d’évaluation pour certifier et qualifier.
Pour conclure son propos, G. Poupard a qualifié de décevant le premier draft européen, mais reste persuadé de l’efficacité prochaine à l’échelle européenne.

Les questions

À la suite de son exposé, plusieurs personnes du public ont posé des questions à Guillaume Poupard.

Qu’en est-il de l’OTAN et des mécanismes de lutte déployés ? Existe-t-il un volet de coopération ?

G. Poupard estime que c’est une erreur de se mettre sous la protection de l’OTAN.
Le plus judicieux serait de reproduire le travail effectué avec l’ENISA à l’échelle internationale. En effet, le but de l’ENISA consiste aider les états membres de l’Union européenne à travailler entre eux. La France a ainsi des partenariats privilégiés avec par exemple l’Allemagne ou le Royaume-Uni.

Est-ce que le GDPR a un impact sur la diffusion des manières?

Les problématiques liées aux données datent d’avant la sécurité numérique cette approche est donc en avance. Pour faire bouger certains acteurs, il faut des sanctions. Dans la sécurité numérique, les entreprises sont des victimes. Pour les OIV, il existe des sanctions.
Cependant, le but n’est pas de sanctionner, ceux qui seront sanctionnés seront ceux qui n’auront pas mis en œuvre de façon volontaire les règles de cybersécurité.
Il faut toutefois noter que le GDPR semble avoir un effet de contagion très positif sur les industriels non européens.
L’ANSSI n’a pas de lien administratif avec la CNIL, mais les deux organismes travaillent en commun.

Faut-il envisager un partenariat entre l’ANSSI et Hexatrust?

Hexatrust est une association de PME française dans le domaine de la cybersécurité. En France, l’écosystème est croissant. L’organisation de cet écosystème est essentielle et en progrès constant.
Le coût de la cybersécurité représente aujourd’hui 5 à 10 % du budget IT. C’est une opportunité de développement économique.

Faut-il s’attendre en cas d’attaque à un krach majeur dans le domaine de l’électricité ou bancaire par exemple ?

On se doit de préparer les scénarios les plus anxiogènes. Ceci permet de s’assurer que l’analyse a été faite jusqu’au bout.
Cependant le niveau de préparations des acteurs aux menaces cyber est très hétérogènes.
Les banques par exemple sont très familières avec le sujet.
Il y a une nouvelle idée selon laquelle il est possible de faire des choses très fines.
Par exemple, si l’on bloque tous les distributeurs automatiques de billets.
Il faut donc toujours se préparer au pire dans tous les domaines.

Certains états sont-ils à l’origine d’attaques ? La Russie par exemple ? Et si oui comment les contrer ?

La question de l’attribution d’une attaque est très complexe et cette problématique est inédite dans le domaine de la sécurité.
Dans le cyber tout est clandestin. Aujourd’hui on peut lier différentes attaques et reconstituer un puzzle pour mieux comprendre les attaquants.
Mais si dans des codes certains commentaires sont en cyrilliques par exemples ou si les fuseaux horaires sont russes il ne faut pas pour autant conclure à une attaque d’origine russe, cela pourrait aussi être le but de l’attaquant.
L’attribution est un acte politique et la pire des choses et de se tromper dans une attribution.

Regarding cybersecurity and industrial policy, should there be a European industrial policy based on free operating systems?

Sovereignty does not mean reinventing everything.
Architectures must be carefully thought out and the constraints derived from them.
Free operating systems can be favoured, but proprietary systems can also work very well.
The priority is first of all to analyse the risks properly.

Do we need French champions in cyber services? And if so, how should future experts be trained?

Artificial intelligence will change the profession. Demand is growing, and supply is growing too, just less quickly.
Training must be improved, and more continuing education (lifelong learning) and vocational training must also be offered.

Resources and further reading:

ANSSI's digital security MOOC

This article was originally written in French because it is a review of a French MOOC.

Screenshot of Secnum Académie
ANSSI's digital security MOOC offers an introduction to cybersecurity for professionals and private individuals.
The Agence nationale de la sécurité des systèmes d'information (the French national agency for information systems security) has the mission of providing “its expertise and technical assistance to administrations and businesses, with a reinforced mission for operators of vital importance (OIV). It provides a service of monitoring, detection, alerting and response to computer attacks.” (source)

This MOOC is made up of four modules:

  • Module 1: Overview of information systems security (SSI), or a first immersion in the world of SSI
  • Module 2: Authentication security, or the foundation of computer security
  • Module 3: Security on the Internet, or the good habits to adopt on the web
  • Module 4: Workstation security and mobile working, or security even when travelling for work

Each module is divided into five units, each of which starts with an introductory video explaining all the concepts that will be covered. They end with quizzes to test your knowledge and validate completion of the module, and with a page of links for further reading.
At the end of the four modules you can obtain a certificate attesting that they have been completed successfully.

MOOC certificate of completion

This training allowed me to strengthen my knowledge of cybersecurity and to put my finger on some not very secure things I was doing.
Indeed, it first allowed me to get familiar with the cybersecurity actors in France. For example, I learned of the existence of the cybermalveillance platform, whose purpose is to help victims of malicious cyber acts.
I learned more about ANSSI (when and how it was created, what its missions are) and about the various public actors.
I was able to expand my vocabulary relating to cybersecurity and computer attacks, and I was even able to do a short introduction to cryptography.
Then I was able to put my computer hygiene to the test. In particular, I learned that it is better to throw away USB sticks given to us for free at events. Indeed, the firmware of these USB sticks can execute system commands without the user's knowledge.

I started this training to get a good introduction to cybersecurity. I was very satisfied on that front because, without being too complex, it teaches some technical elements.
I recommend this MOOC not only to everyone who regularly uses computers in their work but also for private use.
Indeed, more and more administrative services let us speed up our procedures using computers, so our precious personal data is more easily exposed. This MOOC makes it possible to approach cyber risks with complete peace of mind.


International cyberspace mapping symposium

View of the École Militaire in Paris

On the 13th and 14th of March, the international cyberstrategy symposium entitled “Cartographie du cyberespace”, which literally means “Mapping cyberspace”, took place in Paris.
It was run by the Castex Chair of cyberstrategy of the IHEDN.

To make it more lively and to make the notes taken during this symposium easier to read, I used different formats (interview, summaries, slides).

Introduction: The digital Space, what geographies?

Frédérick Douzet, Castex Chair of cyberstrategy, French institute of Geopolitics of Paris 8 University

Frederick Douzet

In this introduction, Frédérick Douzet set out the aim of this symposium and the future challenges regarding the mapping of cyberspace.

Her presentation attempted to answer the following questions:

How to understand the geography of cyberspace?

On this first question, which is still under study, F. Douzet said that concepts, methods, tools and graphical representations should be developed in order to better understand the strategic stakes.

What can we measure and comprehend?

For this question she referred to the digital dimension in a geopolitical context.
Mapping is a teaching tool that helps explain the stakes; it is an accessible way to represent digital spaces. It helps to understand the strategies of influence and the geopolitical rivalries that are expressed through cyberspace.

What are the methodological challenges when representing cyberspace?

F. Douzet also pointed out that cyberspace is an environment generated by global interconnection. She underlined that, as cyberspace is hard to visualize, it is hard to map because of its complex planetary dimension and highly dynamic nature. She added that the physical world is more and more projected into cyberspace.
In order to map it correctly she intends to ask relevant strategic questions to guide the choice of elements to be taken into account in a cartographic representation. An interdisciplinary and experimental approach in geography should be used. The challenge will be to relate the cyber dimension to other dimensions.


John Frank, Microsoft

To introduce his keynote, J. Frank explained that 2017 was an inflection point for cybersecurity.
He insisted on the fact that attacks like WannaCry were intended to cause as much chaos as possible in the EU and North America. They were not targeted against a particular organization. Those last attacks were containable, but what if the next ones are not?

J. Frank also mentioned the attack in Ukraine on the 27th of June, during the Ukrainian Constitution Day.
Several radio and TV stations went off the air, bank ATMs stopped working, people could not buy gas. Through forensics we can track an attack and that’s how we knew that this one was led by a Russian crew.

Then J. Frank explained what we learned from those attacks. According to him, 2017 was our wake-up call and 2018 must be our response.
2017’s attacks could have been far worse, but we now know that attackers can do significant damage to civilian infrastructure.
The economic damage is high; for a struggling country the impact can be dramatic.
More than 40 countries are now developing cybersecurity. This is not a military operation anymore; people are now in the middle of a conflict.

He also tackled the issue of international law: what is the law, and does it exist in certain areas?
NotPetya was taking place in a context of conflict so it was acknowledged as a violation of international law.

To conclude, he said that we need to ensure that there are more international laws to respond to cyber attacks.

Territories and sovereignty in cyberspace


To address the subject of territories and sovereignty in cyberspace, various military actors, an ambassador and academics presented their work and experience.
In this panel different points of view were expressed. Stakeholders, depending on their status, define territories and sovereignty in a different way. That is why I have chosen to present these points using the following keywords: territory, sovereignty and cyberspace.


Général Olivier Bonnet de Paillerets

  • Modern weapons should be used, and it is not by chance that France has taken measures in cybersecurity.

David Martinon

  • There must be an effort for the laws of the republic to apply on the republic’s territory.
    For instance, it is necessary to ensure that heinous content is avoided by the application of the laws of the republic. To do so we must enter into discussions with the platforms that operate in France to ensure that these legislative measures are applied.

Uta Kohl

  • We consider the term territory as physical. Territory is not the same as land: it includes the notion of someone’s authority over a land.

Theodore Christakis

  • The CLOUD Act is under discussion in the American Congress (it was under discussion during the symposium but was signed into law on March 23rd). This act is related to personal data and its aim is to allow US authorities to request data even if the servers where the data is stored are located outside the US.
    The European Union said that they would cooperate and give access to this data and that, like the USA, they would give extraterritorial access.
    This law is prejudicial to human rights and it should be reconciled with the GDPR.


Général Olivier Bonnet de Paillerets

  • It is a question of state responsibility. How do we respond to an attack?
  • It is a question of the conditions of sovereign control over equipment, which is essential in the field of operational decisions.
  • Cybersecurity is becoming a matter of collective security.
  • Nowadays ANSSI is mobilized first and foremost by espionage attacks.
  • Espionage is the center of gravity of the Army Ministry’s concerns.

David Martinon

  • Today there’s a complexity in understanding these issues so that our government can ensure that these notions are fully respected and considered.
  • Our defence apparatus must always be state of the art; enforcement and compliance must be audited.

Martin Schallbruch

  • We are losing control over public goods in favour of private companies. Governments have to build assessment capabilities. They have to force the platforms to open up to government inspection.
  • We should support the idea of having a larger and larger part of the Internet designed as a public good.

Pavel Karasev


Général Olivier Bonnet de Paillerets

  • The threat comes from the fact that digitalization is an advantage but also a critical weakness.

David Martinon

  • Can a country be isolated in terms of cyberspace?
  • In cyberspace, threats and influence also come from private actors.
  • In cyberspace, cooperation exists but is not satisfactory.
  • Today borders are diffuse and the imposed regulations can be circumvented.

Uta Kohl

  • The law does not really relate to data: we never attach legal consequences purely to data but to the actors of the data. In cyberspace, the border guards for states are not actually inside the territory. These border guards are asked to act in terms of criminality. The complexity of cyberspace is also related to the fact that data is being collected through private actors outside the borders. For instance, any private company in the US is not allowed to give any information relevant for another government.

Martin Schallbruch

  • In order to make proper international laws we should intensify our cooperation between countries.

Pavel Karasev

  • Cyberspace must be defined before making any international law.

Mapping how data travels

To present this debate, it seemed relevant to me to show some of the speakers' slides that illustrate the journey of the data.

Doug Madory

The internet is shaped by the geopolitics around it

Kevin Limonier and Louis Pétiniaud

Using the Internet’s data flows made it possible to map the geopolitical boundaries of cyberspace.
The tool used is the Atlas network.

Comparing the travel time of data in the Black Sea space

Olivier Fourmaux

To map cyberspace O. Fourmaux used the traceroute utility program. It is therefore mainly based on the path the data takes when it is transferred.
The path of transferred data

Kavé Salamatian

K. Salamatian studied three frameworks:

  • Cyberspace embedded in geography
  • Geography embedded in cyberspace
  • Cyberspace as a space on its own

He also showed that some flows have their source in History.

From gulags to data centers: the strategic territories of Russian cyberspace
From gulags to Data centers

Pavel Pilyugin

He explained that borders are real or imaginary lines in the political space.

How to present the digital boundary between states

The Geopolitics of the Datasphere


Stephane Grumbacht

For Stéphane Grumbacht, the data sphere is changing the balance of power between states because of new players who are platforms and operators.

Jim Cowie

He presented several maps related to climatic phenomena and concluded by proposing an improvement on how to map events:
“Cartography’s challenge will be to uncover (and validate) spatial/regional patterns within these global-scale overlay networks”

Henri Verdier

H. Verdier believes that cartography is an obsolete reading grid to understand modern issues.
He argues that “the geography of data precedes the geopolitics of data”.

Amiral Arnaud Coustillère

Admiral Coustillère stressed the importance of French sovereignty through self-protection, being at the forefront and establishing a strong legislative framework.

The Art of representing the Intangible

Two artists and a philosopher presented their work to approach cartography from an artistic perspective.

Pierre Cassou-Noguès

He talked mostly about the invisible and the intangible.
According to him the digital medium is related to the intangible.
He also referred to Bruno Latour and his Mapping of controversies.

Louise Druhle

L. Druhle tried to represent the shape of the Internet. Her artwork is an Atlas of the Internet.
Critical Atlas of Internet

Gwenola Wagon

G. Wagon made an artistic documentary about the Internet network around the world.

Mapping the Information Warfare

This panel of researchers and experts presented case studies and described the methodology used.
For each speaker I will make a short description of their study and show a representative slide of their remarks.

Remi Géraud

R. Géraud approaches information warfare in a poetic and mathematical manner based on the notion of time.
Time becomes a space that gives rhythm to cyberspace and to an information strategy.

How to approach cyberspace

John Kelly

J. Kelly invited us to follow his thought process, first comparing expectations of the Internet (more participation, more diversity and quality in the public sphere) with reality (elections targeted, spread of hatred, weakening of democratic debate).
He continued his reasoning by deciphering the propagation of fake news versus news, shedding light on the difficulty of discerning the protagonists behind the movement of a rumour.

Mapping cyber social terrain

Romain Campigotto

R. Campigotto presented a mapping of information dissemination via social networks, specifically via Twitter.
To carry out this research he collected tweets via an API (Twitter Streaming API) and connected them via direct links (mentions, replies, retweets) and indirect links (hashtags and shared links).
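The graph construction described above, as an added example that is not from the talk or the original post: constructed tweets are joined by direct and indirect links, then grouped with a deterministic label-propagation pass. The record fields, the link weights and the choice of label propagation are assumptions; the page does not say which community-detection algorithm was used.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample tweets (not real data); the field names are assumptions.
TWEETS = [
    {"user": "alice", "mentions": ["bob"], "hashtags": ["#topicA"]},
    {"user": "bob", "retweet_of": "alice", "hashtags": ["#topicA"]},
    {"user": "carol", "reply_to": "bob", "hashtags": ["#topicA"]},
    {"user": "dave", "mentions": ["erin"], "hashtags": ["#topicB"]},
    {"user": "erin", "retweet_of": "frank", "urls": ["http://example.org/b"]},
    {"user": "frank", "reply_to": "dave", "hashtags": ["#topicB"],
     "urls": ["http://example.org/b"]},
    {"user": "carol", "hashtags": ["#shared"]},
    {"user": "dave", "hashtags": ["#shared"]},
]
DIRECT_WEIGHT = 2.0    # assumption: an explicit interaction counts double
INDIRECT_WEIGHT = 1.0  # assumption: co-use of a hashtag or shared link

def build_graph(tweets):
    """Return {user: {neighbour: weight}} built from both kinds of link."""
    graph = defaultdict(lambda: defaultdict(float))
    shared = defaultdict(set)  # hashtag or URL -> users who posted it
    def link(a, b, weight):
        if a != b:  # ignore self-mentions and self-replies
            graph[a][b] += weight
            graph[b][a] += weight
    for tweet in tweets:
        user = tweet["user"]
        graph[user]  # register users that end up with no links at all
        targets = list(tweet.get("mentions", []))
        targets += [t for t in (tweet.get("reply_to"), tweet.get("retweet_of")) if t]
        for other in targets:
            link(user, other, DIRECT_WEIGHT)
        for key in tweet.get("hashtags", []) + tweet.get("urls", []):
            shared[key].add(user)
    for users in shared.values():
        for a, b in combinations(sorted(users), 2):
            link(a, b, INDIRECT_WEIGHT)
    return graph

def detect_communities(graph, max_rounds=20):
    """Deterministic label propagation; ties go to the smallest label."""
    labels = {user: user for user in graph}
    for _ in range(max_rounds):
        changed = False
        for user in sorted(graph):
            scores = defaultdict(float)
            for other, weight in graph[user].items():
                scores[labels[other]] += weight
            if not scores:
                continue  # isolated account keeps its own label
            new = min(scores, key=lambda l: (-scores[l], l))
            if new != labels[user]:
                labels[user], changed = new, True
        if not changed:
            break
    groups = defaultdict(list)
    for user, label in labels.items():
        groups[label].append(user)
    return sorted(sorted(members) for members in groups.values())

if __name__ == "__main__":
    print(detect_communities(build_graph(TWEETS)))
```

The single shared hashtag between carol and dave is too weak a bridge to merge the two groups, which is the effect of weighting direct interactions above indirect ones.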

Community detection

Kevin Limonier

K. Limonier tried to map the information related to the French presidential elections.
Following his study, Kevin Limonier asked himself the following question: compared with the American campaign, how can we explain that the Macron Leaks movement had little impact on our election?

Ecosystem participating in the propagation

Estelle Lezean

E. Lezean used different media (YouTube, Facebook, Twitter) to observe the Arabic-speaking cyberspace based on two dimensions: geopolitical reasoning and mastery of the Arabic language and its different dialects. She took as an example Saudi Arabia’s strategy of influence against Qatar on Twitter.
During her research she was confronted with various technical challenges:

  • The need to develop a scraping tool to recover all Facebook friends from a public account
  • How to organize and import the collected data into visualization software?

Army of loyalist bots relaying anti Qatar content from Saudi information accounts.

Martin Dittus

M. Dittus tried to propose a geography of darknet marketplaces.
To do this he and his study group scraped the largest darknet markets, focusing on different types of data:

  • Collection of listings across the largest markets
  • Buyer reviews to get indication on sales volumes.

With this research they were able to note the fact that darknet vendors don’t appear to be based in drug producer countries.

Seized production darknet trade and population demand

Gisèle Ducrot

G. Ducrot tackled cyber risk mapping. For her, cyber risk must be managed like all risks in a society. She also made an analysis of this mapping:

  • 5% of the topics addressed by the CAC40 concern cybersecurity and data protection
  • 23% of the topics addressed by the CAC40 concern Big Data, digital transformation and transformation projects.
  • 39% of companies do not update their risk mapping annually, while 100% of audit committees rely on risk mapping.

Cyber risks an ecosystem of risks

Sébastien Heon

S. Heon talked about cyber insurance. He explained the challenges that cyber insurers have to tackle. First they need to score the cyber maturity of their client, imagine the worst case scenarios and the kind of information they need. Then they need to establish a fair modelling price ratio. Finally they have to analyze systemic aspects of cyber risks.
He added that in order to be more accurate a multi-disciplinary approach must be made.

Collective intelligence and information sharing

Geopolitics and Datascience

This panel of researchers questioned the ethics, accountability, transparency and biases of algorithms.

Martin Dittus proposed a declaration or manifesto for data scientists and developers who commit themselves to more respect for users. He wishes these professionals to commit themselves, in good conscience, to a responsible approach which includes a systemic view of the tools they create.

Nozha Boujemaa presented the importance of algorithmic transparency as a source of user confidence. According to her, the opacity of the platforms that use personal data should be limited. She also warned about the new forms of discrimination that algorithms can generate, because of their technical nature, against people who are less informed or educated about algorithms.

Algorithmic systems in every day life
Amaël Cattaruzza presented a critique of predictive algorithms and the biases they may contain. This limitation may be discriminatory and exclude traditional social science approaches.

Mathematizing criminal behavior

Kavé Salamatian explained that ethical work is necessary to reflect on human adaptation to this digital revolution.

To go further: