23 Dec 2019 France at the forefront of cyber standards
In mid-October 2019, France hosted the six-monthly meeting of the SC 27, the international body in which professionals draw up voluntary standards on information security, cybersecurity and the protection of privacy. France’s representatives are determined to make their voices heard.
What do bottles of champagne, the French Ministry of the Interior and cybersecurity all have in common? Voluntary standards! The traceability of bottles is one of the latest concrete results of the work done in France. In mid-2019, producers and the ministry referred to the new standards to define the technical specifications of a non-forgeable certificate that is invisible to the naked eye and can be stamped on bottles. This tiny printed label is scanned at every stage of the supply chain to guarantee the traceability of the product and prevent counterfeit. An international standard will soon be published covering this innovation.
“Today, cybersecurity is everywhere, even where you least expect to find it,” sums up François Zamora, Chief Compliance & Security Officer of Orange’s Europe division and chairman of the French standardization commission in charge of these subjects, which is hosted by AFNOR. “France is a leading player in this field on an international scale. It was a French expert who identified the flaws in a Russian proposal for a cryptography technique which could have serious consequences, because it could have been integrated in the secure https protocol. The French team brought these flaws to the attention of the international community in order to supervise the work to preserve the robustness of encryption standardized by ISO, thereby maintaining its credibility.” Digital technology and the security-cybersecurity pair are at the heart of the priorities of France’s new standardization strategy.
The AFNOR commission: a select gathering
320 experts from 38 countries came to Paris for the six-monthly meeting of the SC 27 on 14 to 18 October 2019, proof of France’s leadership in these questions. This joint offshoot of ISO, the Geneva-based international organization for standardization, and of the IEC, its counterpart for electro-technologies, initiated standard ISO/IEC 27001 on the management of information security. These strategically important annual meetings offer an opportunity to sing from the same hymn sheet and reach international consensuses. Every country has its own standardization commission on this subject, and makes contributions at the international level.
In France, Frédéric Solbes is the secretary of the AFNOR commission. “Hosting such an important event is significant, because it reflects France’s dynamism in these subjects,” points out the project manager. Our commission is very active, and its members include industrial companies (Thales, Orange, Schneider Electric, Airbus, Microsoft France, etc.), users (BNP Paribas, RATP, EDF, FDJ, etc.) and institutions (the French Data Processing Authority (CNIL), the Ministry of the Interior, the French State agency for information systems security (ANSSI) in order to take the point of view of every stakeholder into consideration. ”
Protection of privacy: ISO 27701 revised in France
ISO 27001 has been adopted by numerous companies and has now become a prerequisite to access certain markets. If you do not implement the standard, the institution that placed the order will not select you. Its latest extension, ISO/IEC 27701, which was drawn up by the SC 27 and covers the protection of privacy, is already set to become a bestseller. It will be subject to a public inquiry in France in September 2020, and is expected to be published in April 2021, as part of the AFNOR collection. “This represents a tremendous victory for France’s stance,” claims Frédéric Solbes. “The CNIL, Orange and Microsoft France have worked hard to convince the other countries to incorporate their technical contribution.” It has become strategically important for the companies involved to make their voices heard through standardization.
An argument that will be equally true for tomorrow’s subjects. François Zamora quotes the example of smart cities, another flagship theme in France’s standardization strategy. “Cities are starting to aggregate data on traffic or the environment”, he explains. “This data will be collected, stored, viewed and used by French local authorities, thanks to decision-support tools based on big data. They will form the basis of predictive models of air quality, the use of charging stations for electric cars, the energy efficiency of buildings or public lighting. These initiatives, which are already mature in Asia, but still in the prototype phase in Europe, use architectural and cybersecurity models that will form the backbone of smart cities. Data security and integrity must be addressed and tested right now.”
> Contact the AFNOR standardization commission on information system security (in French)…
> Buy NF EN ISO/IEC 27001 (in English)
> Download AFNOR’s guide about Voluntary standards and innovative approaches to cybersecurity