16 March 2000. Thanks to Anonymous
Source:
http://www.scssi.gouv.fr/rubriq/direction.html
Translation by Cryptome.
15 March 2000
S.C.S.S.I. FRANCE |
|
|
New
The Council of Ministers has just named Mr Henri SERRES, engineer general of telecommunications, as director in charge of information system security.
This measure intervenes within the framework of the policy of security which the Government intends to promote in parallel to the accelerated development of the tools of information industry for public administration and services. This policy, with the service of the citizen and the companies, must also make it possible to protect the confidentiality of communications and privacy.
This falls under the continuation of decisions announced in this field by the interdepartmental committee for the information industry of January 19, 1999 and the speech at Hourtin by the Prime Minister on August 26, 1999. The first concretization was the installation and the rise to power of the Center for Emergency Response to information attacks for administration (CERT/A) at the end of the year 1999 and at the beginning of year 2000.
It will be the responsibility of the new director to transform the Central Service of the Information System Security (SCSSI), integrated into the General Secretariat of the National Defense (SGDN) since January 1, 1999, in Direction of full exercise of the SGDN, responsible for the information system security at the interdepartmental level. This decision marks at the same time an upgrading of the means by which the Government wishes to be equipped in this field and will ensure a better coordination of the efforts of the State.
The decree organizing the new central direction will be published in the Official Journal in the current of year 2000.
Information system security is a concern which appeared from the very start of the Eighties, at the moment when the revolution of new communication and information technologies started (NTIC). By developing a voluntary action, through the PAGSI in particular, to support the entry of France in the information industry, the Government endeavoured to fully take into account this security dimension. In this field, the administration must be exemplary.
The Central Service of the Information System Security (SCSSI) was created in 1986. Charged with evaluating the level of protection of the information systems of the State, it also has the role of taking part in the activities of research and to coordinate the studies and developments made in the field of the SSI. Historically based on the expertise of the military skills and cryptology, its competences extended gradually to all aspects of protection for information systems.
At the time, this governmental policy was initially implemented by an interdepartmental delegation on information system security, the coordination of administration resting on an interdepartmental "directory" and an interdepartmental commission for information system security.
In 1996, the SCSSI was attached to the SGDN, and the directory and the commission placed under the presidency of this department. The Secretary-General of National Defense is, since the adoption of this text, the responsible authority, at the interdepartmental level, to implement the policy of the Government as regards information system security. In 1998, the Government decided to fully integrate the budget and manpower of the SCSSI within the general Secretariat of National Defense. This evolution was devoted by the decree of April 14, 1999 and the finance law for 1999.
Consequently, the priority of the Government is to set up a structure at the height of the stakes of the new information industry, the objective being to answer the increasing request expressed by the administration, the public services, like the industry, of an expertise, a capacity of evaluation and certification of the security of their information systems.
At the conclusion of the interdepartmental committee for the company of the information of January 19, 1999, the Prime Minister announced several orientations fondatrices concerning " the electronic administration ". Knowing that communication and information technologies, while increasing the effectiveness of the administrations, by offering more services to the users and while answering their waitings better, open exploitable potential vulnerabilities by badly disposed thirds, the Prime Minister decided the creation of a Center for Emergency Response to Information attacks, for the administration, which will take part in the world network of the ERTS: the CERT/A. It also announced a significant increase in available techniques and staff assigned to information system security, at the same time by the reinforcement of the SCSSI and the development of available techniques necessary for the services to adapt to the spread of encryption products.
In his speech at Hourtin on August 26, 1999, the Prime Minister underlined, once again, that the development of new forms of criminality based on communication and information technologies required an in-depth evaluation of the risks incurred for the vital infrastructures of the country and on the necessary adaptation of the governmental apparatus. This concerns in particular the modernization and rise in power of the services of the General Secretariat of National Defense, particularly in two goals:
At the beginning of 2000, the attack by unidentified information pirates - and the immobilization for a few hours - on Internet sites of major American electronic commerce companies, as well as the existence of the world network of electronic interception ECHELON, or the calling into question of certain products "general public," put at the first plan of the topicality the concerns related to the new threats and the need for ensuring the protection of our networks. In this field, the Government and the administration, as well as the public services, will have to set an example.
For all these reasons, the Government decided on the creation in 2000, starting from the SCSSI basis, a new Central Direction of Information System Security (DCSSI) within the General Secretariat of National Defense.
The announced effort will result in a significant reinforcement of the capabilities of the SGDN engineers and technicians, the objective being to gradually bring the new direction to the level of the services of experts of our principal partners, in particular British and German. It implies to create a true pattern, in terms of human resources, starting from the DCSSI.
It will be allocated to the director in charge of information system security which has been just named in the Council of Ministers, to put in place the new direction, 2000, and to ensure his role in regards to the coherence of public policies for information system security at the governmental level.
To appreciate the capability of resistance of an information processing system, it is necessary to be able to voluntarily subject it to a panoply of more or less probable attacks.
Vis-a-vis the increasing needs expressed by the various ministries, the SCSSI undertook to obtain an expertise in the field of the information attacks. As of now, the SCSSI can make demonstrations of real attacks aiming at sensitizing those responsible and users with the reality of the risk and the urgency of the situation: today, the use of the Internet network presents considerable dangers being able to increase until the loss of control of whole networks.
The development of controlled tools of attack will allow in the second time to proceed to audits of sites Internet or Intranet leading to fast diagnoses and a noticeable improvement and immediate of the level of information system security governmental. It will be one of the tasks of the future direction.
The information systems are usually protected by security products. Each one of them can be evaluated to assess the quality of the protection it offers. This work of evaluation consists of a battery of standardized tasks carried out by an independent laboratory, approved by the SCSSI.
Undertaken according to controlled methods, this evaluation, which can require a few weeks of a few months, is then confirmed by an official certificate issued by the SCSSI.
In France today, there are five approved laboratories. Under the control of the SCSSI, an increasing number of evaluations (10 in 1999) are carried out and certified each year. Two or three times per annum, the work of evaluation show that a product does not provide the promised quality, which confirms the relevance of the step.
The competition is keen between cryptographic systems which transform clear text into encrypted text, and cryptanalysis systems which seek to restore the clear text starting from the only knowledge of the encrypted text.
A recent branch of cryptography, public key cryptography makes it possible to encrypto and sign exchanges of messages between two interlocutors, without having as a preliminary access to secret keys. This technique is essential to make secure communication networks as complex as the Internet, especially when the interlocutors have never met before. It can use three types of mathematical tools: a complete factorization, a discrete logarithm or elliptic curves.
The studies undertaken by the teams of the cryptography laboratory of the SCSSI made it possible to establish two records:
With the explosion of the use of the portable telephones, it was necessary to place at the disposal of the administrations secure mobile telephones. The need identified by the SCSSI was the protection from beginning to end of communications of Confidential Defense level between portables or a portable and a fixed telephone. Only a solution derived from a commercial product made it possible to meet this urgent need quickly, to guarantee the perenniality of the product while minimizing the costs. In 1998, the SCSSI analyzed the product of a French company and defined the modifications to be made so that it fulfills the governmental requirements of security. The company developed a telephone answering these criteria, which was approved in November 1999. A great number of this equipment have been already bought by the administration. In a forthcoming stage, running into 2000, the approval of new modules will make it possible to establish connections made secure between mobile telephones and fixed stations.
Any radio-frequency (RF) radiation is likely to be intercepted and, with the help of an special treatment, to reveal the direction of the signal which it propagates. Experiments undertaken by the SCSSI showed that this risk exists in particular for the systems where a radio-frequency radiation makes the connection between a microcomputer and its keyboard.
It was observed that every metal connector near the transmitting keyboard (wire of the network, Ethernet cable, telephone cable...) can receive and propagate the signal useful to a distance definitely higher than that of the direct radiation of the keyboard. Reassembled on a "spy" microcomputer, any typing on the radio-frequency keyboard appears then in plain view, even those passwords whose characters are masked on the screen of origin.
The studies undertaken by the SCSSI also make it possible to evaluate the functions of security (protection of the documents by password) of a series of office automation "general public" softwares.
In many cases, it is possible to find quickly the password protecting a file or to show that coding is weak. This phenomenon results, most of the time, due to the use of very vulnerable means of cryptology.
Until a recent date, the management of the secrets (thanks to cryptographic keys) related to closed networks of users having the same equipment. This management rested on the central-controlled generation of the keys and their distribution.
Today, open networks and relaxation of the procedures have led to an upheaval in the management of these secrets. New Infrastructures of Management of Keys (or IGC) must allow the opening of the fields of security and a more flexible implementation.
In 1996, the SCSSI anticipated the emergence of these new needs and undertook a basic work on the IGC: drafting of technical specifications resulting from international standards, development of platforms of tests and installation of a distribution controls within the SCSSI.
This acquired expertise benefits the administrations now, in particular the ministries for the Economy, Finances and Industry, Justice, Employment and Solidarity, Defense, the Interior, the Equipment and Transport, which can request the SCSSI for actions of council, training courses and a technical aid.
One of the major missions of the SCSSI is to help the ministries to take into account the requirements of security in the establishment and the use of their information systems, with the objective of making them as autonomous as possible in this field.
This co-operation can take a comprehensive character. With the ministry for the Equipment, Transport and Housing, for example, the person in charge of the security of the ministry, in collaboration with the SCSSI, multiplied the actions to reinforce the culture and the means of information system security within the services: a capacity of formation to the SSI was installation, leading to the training of some 800 specialists; an interdepartmental recommendation was made compulsory (request for guarantee of the SCSSI for the methods of significant information management). Thus, the rigorous methods developed by the SCSSI to make secure information systems during their development and their exploitation were fully integrated in each step of the ministry.
This co-operation can also take the form of an assistance on specific projects. As follows:
In the field of information system security (SSI), the analysis of the texts in force, practices accompanying their implementation and need to satisfy, resulted in centering the action taken by the SGDN, authority of the Prime Minister, four main category of functions.
The strategic function of contribution to the interdepartmental definition and the expression of the governmental policy as regards information system security.
The function of regulation consisting in, in particular, issuing the authorizations, approvals or certificates envisaged by the texts, in an obligatory or optional way, and playing the part of national authority of safety as regards information system security, at the same time at the national and international level.
The operational function in the form of provisions of services, in priority with the profit of the administrations and public organizations, consisting to evaluate, know and make known the vulnerabilities and the threats, and to help to prevent and counter the attacks carried to the information systems.
The function of center of reference and scientific and technical expertise/contre-expertise covering the various disciplines concerned.
The Director, helped by assistants, directly takes up the strategic duty of animation of evaluation and contribution to the definition of policy for information system security. He also ensures:
For the implementation of the three other functions, the Director charged with the SSI will be based on three subdirectorates.
A subdirectorate strategy and regulation, in charge of the following tasks:
A subdirectorate of the operational evaluation, charged to know and make known the threats as regards SSI and to bring the adapted answers there, assuming the following tasks:
A scientific and technical subdirectorate, charged to bring the essential expertise in SSI, while organizing itself around the following poles:
At the conclusion of the CISI of January 19, 1999, the Prime Minister announced: "in order to reinforce and to coordinate the fight counters the intrusions in the information processing systems of the administrations of the State, the Government decides creation D `une structure of alarm and assistance on Internet, in charge of a mission of day before and response to the data-processing attacks. Placed near the General Secretariat of National Defense, it will work in network with the services in charge of the safety of information in the whole of the administrations of the State. It will take part in the world network of the CERT (Computer Emergency Response TEAM)."
Currently attached to the chief of the SCSSI and major component of the future central Management of the information system security of the general Secretariat of national defense, the center of census and treatment of the data-processing attacks, named CERT/A, is charged to assist the organizations of the administration victims of incidents or data-processing aggressions. It constitutes the complement essential to the preventive actions already ensured by the SCSSI and the future DCSSI (council with the administrations in the analysis of the safety of their information system, identification and choice of technical solutions, certification of products, approval and guarantee of certain systems...).
The two principal objectives of the CERT/A are to ensure the detection and the resolution of incidents concerning information system security, like contributing to the installation of means making it possible to guard against future incidents. In order to achieve these two goals, the following missions must be carried out in parallel: to ensure a technological survey, to organize the installation of a network of confidence, to control the resolution of incidents. The CERT/A, in its launching phase, took part in the system set up for the passage of Y2K.
To be constituted in the long term of about fifteen engineers and technicians, the CERT/A fits right now in the world network of the ERTS which work, each in its own field, to ensure better security for data-processing networks.
The second half of the Eighties saw the Arpanet network, developed by DoD (American Defence Department), come out of the R&D phase to become a practice under the impulse of the university world. Effectiveness and constant improvement of the various services, Like electronic mail, quickly made this network essential for many sites.
In November 1988, a student of the University of Cornell released on this network a program which propagated and reproduced all alone. This program, known under the name of "Internet worm," exploited various security faults of the Unix system (the operating system of the majority of the computers connected on the network). Although programmed without malevolent intentions, this first data-processing virus was spread quickly while blocking the machines infected by multiple copies of the worm. At that time, the network included approximately 60 000 computers. With only 3 to 4% of contaminated machines, the network became completely inaccessible for several days, until instituional measures were taken (which involved the disconnection of many machines of the network).
To eliminate this "Internet worm," an ad hoc analysis team was created with experts of MIT, of Berkeley, Purdue... The code of the virus was reconstituted and analyzed what allowed, on the one hand, to identify and correct the faults of the operating system, and on the other hand, to develop and distribute mechanisms of eradication. Following this incident, the building owner of Arpanet, the DARPA (Defense Advanced Research Projects Agency), decided upon installation of a permanent structure, the CERT Coordination Center (CERT/CC) similar to the team joined together to solve the incident.
Since the Internet did not cease growing, to become the network which we know today, with a fast multiplication of the machines connected (several million) which could be similar sources of potential aggressions. Other ERTS were created throughout the world on the same model as the initial CERT/CC.
The essential tasks are the following ones:
Article 1
Within the framework of the policy laid down by the Government, the Secretary-General of National defense takes care of the coherence of the actions undertaken as regards information system security.
Article 2
For this reason, the Secretary-General of National Defense follows the execution of the directives and instructions to the Prime Minister and puts forward measures which the national interest makes desirable.
He coordinates the activity of all the organizations concerned and makes sure that the relations between those answer the objectives defined by the Prime Minister. He takes care of the respect of the procedures applicable to users deprived as regards information system security.
He takes part in the orientation of the studies entrusted to the industrialists and follows their financing.
Article 3
For the exercise of this mission, the Secretary-General of National Defense has the Central Service of the Information System Security. He approves the protocols envisaged between this organization and the other government agencies concerned.
The Secretary-General of National Defense or his representative chairs the interdepartmental commission on the information system security.
He is kept informed of the needs and the programs of equipment of the government departments so that those are harmonized.
Article 4
The Secretary-General of National Defense annually submits a report to the Prime Minister on the status of information system security.
To build a protective legislative framework of the exchanges and private life.
Cryptology, personal data protection, recognition of the convincing value of digital documents and electronic signatures: three files which condition an assured use of Internet and information technologies in France and justify an adaptation of our law. The Government chose to submit to the Parliament a wholly new provisions, on the basis of of the reports to the Prime Minister of Mr. Guy Braibant on personal data, and the Council of State on the legal stakes of the Internet.
Vis-a-vis the development of the means of electronic espionage, the possibility of encrypting communications seems an effective answer to protect the confidentiality of communications and privacy.
The Government gave itself time for evaluation. After having consulted the international players, experts and its partners, it acquired the conviction that the provisions resulting from the law of 1996 are not sufficient any more. They strongly restrict the use of cryptology in our country, without making it possible for public authorities to fight effectively against criminal intrigues whose encryption could facilitate concealment. They reveal moreover a risk of isolation of France compared to its principal partners.
The Government thus decided a fundamental change of orientation which aims at making completely free the use of cryptology in France, while adapting the means for public authorities to guarantee public freedoms in this new environment and to fight against the use of encryption for crimnal purposes.
The project of legislative reform which will be submitted to the Parliament will articulate around the following orientations:
The law thus should be changed, which will take several months. But the Government wanted to remove without waiting obstacles which weigh on citizens anxious to protect the confidentiality of their communications and on the development of the electronic trade. Thus, while waiting for announced legislative modifications, the Government decided to raise the threshold of encryption from 40 bits to 128 bits, a level considered by the experts to ensure a very strong security.
With regard to the supply of cryptology products, the declaration procedure will be simplified, in particular by the suppression of the simple test of stop. Lastly, the constraints weighing on the trusted third parties of confidence which can be modified right now by lawful way will be strongly softened, in particular by the suppression of the requirements of enabling secrecy-defense weighing on their personnel and for availability 24 hours a day.
The transposition of the European directive of 1995 relating to data protection in personal matter must make it possible to adapt the internal legal framework with the generalization of the data-processing processing the data and with rise of Internet. It must guarantee the safeguarding of the rights as fundamental as personal freedom and respect due to privacy.
The transposition of the directive, far from weakening the legal guarantees now offered to citizens, will have as an aim to ensure an even higher level of protection.
Accordingly, the orientations which the Government will propose will aim in particular to the reinforcement:
Digital transactions take an increasing importance in commercial matters or in the administrative procedures. Certain legal obstacles make necessary a modification of the civil code to allow the adaptation of our law of proof to new technologies and electronic signature.
This modification will meet a double need:
conformity with the orientations followed within the European Union;
the taking into account, with all the guarantees necessary, of the convincing value of the document in digital form and electronic signatures.
The use of information technologies in the administration is a powerful lever for reform of the State. This is why significant budgetary means are released to generalize the use of new technologies in the central administrations and the decentralized services. This mobilization facilitates the emergence of a "electronic administration." It is the key to a better service of the citizens and modernization of the State.
To reinforce the budgetary means.
To generalize the new tools of service to the citizen and the industry.
To place information technologies in the center of the reform of the State.
To reinforce the protection of the networks of the State against the attacks.
In order to reinforce and to coordinate the fight against intrusions in the information processing systems of the offices of the State, the Government decides upon the creation of a structure of alert and assistance on the Internet, in charge of a mission with preventative response to data-processing attacks. Placed within the General Secretariat of National Defense, it will work in network with the services in charge of the security of information in the whole of the administration of the State. It will take part in the world network of the ERTS (Computer Emergency Reaction Teams).
Ladies and Gentlemen,
I am very happy to join you in Hourtin for this twentieth University of Communication. Two years passed since our last meeting here on August 25, 1997. Two years marked, for the Government, by a voluntary step in favour of new communication and information technologies. Two years of a deep collective change: the entry of France into the information industry. It is in the direction which I give to this change for our country which I would wish to return, before stating to you what will be the policy of the Government for the period which comes (...)
Two years the positive assessment last invites us to continue and intensify our effort. Beyond what I already indicated you on research, I would like to evoke in front of you several main trends of work (...)
We fight against the new forms of criminality based on information technologies. This criminality develops indeed quickly. It calls for a reinforcement of the international co-operation in legal matters. For what concerns us, we should better coordinate the various services which act already against this delinquency. It is to this end that Mrs. Élisabeth GUIGOU, Minister for Justice, Mr. Jean-Pierre CHEVENEMENT, Minister for the Interior, and myself, decided to create within the general Management of the National police force a central office of fight against criminality related to information technologies. It will be operational in the weeks to come (...)
A study has demonstrated the possible consequences of this criminality for national security. Information networks are indeed a vital infrastructure for our country. If the flows which they transport are immaterial, the attacks of which they can be the target of are quite real. This is why I entrusted to the General Secretariat of National Defense a mission of evaluation as soon as possible. Important means will be devoted to him, since the budget of the Secretariat will be increased of almost 20% by way of the finance law 2000.
webmaster@scssi.gouv.fr - Copyright © 1999 Central Service of the Information system security Last updated 15/03/00 to 15:04:50