Tell us a bit about IDnomic.
IDnomic intervenes in citizen identification, in particular in issuing biometric passports: it provides solutions ranging from securing biometric files to verifying identity documents at control terminals. We oversee creation, management of the life cycle and support of electronic certificates, which are strong numeric identifiers, and which, when combined with other authentication factors (double or even triple) guarantee easier securitisation of access to information systems with a very high level of security. IDnomic ensures the security of IoT, using the same technology, PKI, which is becoming increasingly necessary as a transverse and quite universal technology. This technology is already being used to secure ITS (intelligent transport systems), and cars in particular, which use the STIS G5 communication network in the European project "SCOOP" (*).
Have you noticed a change in cyber security since you started your career?
In France, there is a before and after WannaCry. Before, security was of secondary concern. We had to do a lot of education on the topic as well as raise awareness. Now, thanks to the GDPR in particular, companies are being pushed to communicate, mainly to establish a framework of trust, but also to challenge their IT security processes. However, a lot of work remains to be done with smaller companies.
What are the needs of these types of businesses?
Small businesses look to consultants, and therefore to more general security engineers able to deal with a wide range of security problems. You should know that in France, the cyber fabric is composed mainly of SMEs because of the need for agility and speed. Large cyber companies play a unifying role as integrators in large digital projects and IT security.
Are there major constraints for companies working with the French government? If so, which ones?
The constraints imposed by the government are simply those cited in the military planning law. Every company has a level of security that it has to respect based on its importance (vital, essential, etc.). Last September, a decree was issued transposing the European NIS Directive into French law. It clearly defines the security level imposed on companies providing essential services. This ensures the resilience of the services rendered to strategic actors of the French economy and industry.
What do you think of the DigiNotar case (**)?
DigiNotar didn’t respect the rules in terms of security, and communicated about the incident too late. Their own certification authority was compromised even though they were providers of server certificates (SSL), “public” K+PKI electronic certificates, for which trust in the certification authority is fundamental. IDnomic provides electronic certification services for private certification authorities, so its activity is different. Still, we are a trusted third party and we have to respect the rules imposed by ANSSI, but now also by the regulations in force. This is why we are audited on a regular basis.
How can we stand up against the Big Four today?
There are probably no future Big Fours in France. It is a tough fight because while we have very good engineers and recognized expertise, we are not good enough at marketing. It’s probably utopian to try to resist; this is not the solution. Instead, we should avoid depending totally on them and propose alternatives. That is what HexaTrust is doing by grouping companies offering state-of-the-art technology in France, and proposing cyber security solutions that can be interfaced and make the use of their services more secure. So, the goal is to offer something complementary rather than fight them.
Do you have a message for the women who work or want to work in cyber security?
Diversity is progressing in all areas and that’s a good thing. It increases open-mindedness and makes it possible to share different points of view. However, women are still a small minority in computer science, and even more so in cybersecurity. I think that women in cybersecurity have to be ambassadors. They have to show that it is possible. IT has to be promoted to girls at a very young age, and training must be facilitated in school curricula and graduate studies, but also in continuous training.
(*): SCOOP: A pilot deployment project of co-operative intelligent transportation systems, i.e. based on sharing information between connected vehicles and between vehicles and the road.
(**): DigiNotar was a root certification authority. In 2011, it was the victim of an attack that compromised all certificates issued to that point, because it was impossible to distinguish legitimate certificates from illegitimate ones. DigiNotar went bankrupt as a result.
Interview conducted in partnership with the students of EPITA