The art of war according to Sun Tzu
With only a short time away from the French presidential election and in a context of acute tension between NATO and Russia, the question of sovereignty has become an essential one for enterprises, in addition to being absolutely vital for states.
At the heart of the concept of sovereignty, the digital economy and cybersecurity are on the front line. Growing risks of interference and destabilisation must now be faced along with classic risks relating to cyber-criminality. The war has definitively moved onto new terrain. Alongside land, air and space, we now have to deal with a new dimension: cyberspace.
In this context, the position of our future political leaders in relation to digital sovereignty will be decisive. This concept of sovereignty as applied to digital remains difficult to define. In 2009 the Senate designated it as the “capacity of the state to act in cyberspace […] a necessary condition for the preservation of our values”. involving, on the one hand, “an autonomous capacity to evaluate, decide and act in cyberspace” and, on the other, the control of “our networks, electric communications and data”.
It echoes the traditional vision of the trio: “Territorial sovereignty – National sovereignty – Legal sovereignty” but remains very incomplete.
An understanding of digital sovereignty can only be provided by fully taking into account the risks of the digital chain:
- Control of risks related to infrastructure, with a real capacity to act on infrastructures;
- Control of risks related to data, with a capacity to dispose of the data present in an information system at any time and in any place;
- Control of risks linked to code.
Geopolitics is a risk
An enterprise or any other organisation must henceforth take geopolitics into account as a real cyber risk.
An organisation’s relationship of belonging to a state can no longer be ignored. An enterprise necessarily becomes a target since it resides in a given state.
This risk combines with other traditional obligations in the area of compliance (for example the question of cross-border transfer of data in the GDPR). This forces organisations to respond to new questions such as: “where am I in the process of storing my data – do I have an emergency plan, including physically, in case of services shut down – have I evaluated the consequences for operations if an IT department ceases to operate?”
Do we have to turn in on ourselves, in an approach to solutions based on sovereignty? Or should we have an alternative solution that would involve identifying and controlling our risks?
A risk-based approach is one of the keystones of a healthy resilience to cyberattacks.
Today, cyberattacks can lead to the destruction of a sovereign state
The geopolitical stakes of cyberattacks broadly transcend the context of a simple enterprise or organisation. These attacks seek to destabilise states in a lasting and structural fashion, to threaten the economy of a whole area, and to put into question societal models.
Cyberattacks are now carried out by structured groups, under state control and sometimes of a criminal nature, and can be equipped with considerable resources and precise goals.
In a similar way, states can respond to foreign interference by controlling information flows. It is now possible to deliver considerable blows to the economy of an entire country by shutting down a service. For example, placing embargoes on the export of technologies or closing down the SWIFT interbank messaging service. We must ask, will we see the closure of other IT services that are just as essential to our economies and our lives?
However, are these measures effective? Knowing for sure will take time and numerous debates among economists. They show that control by a state of a hegemonic or market-dominating technology has the consequence of transforming the latter into a potentially massive weapon of destruction.
Although there are other questions about foreign investment in digital enterprises, the position of many states, including France, between laissez-faire and state capitalism has yet to be determined.
Control of infrastructures: revenge against interference?
The fight against “fake news” has shown the incapacity of our democratic systems to combat the interference of certain states. For instance, the proliferation of false accounts broadcasting false information, attempts at destabilisation of online public services, and attacks on banking systems. States have for a long time fought only timidly against this interference, preferring the legal terrain to the technological struggle.
However, a new doctrine seems to be emerging with the ban on media broadcasting connected to the belligerents in the Russian-Ukrainian conflict, proving that control of infrastructures is still in the hands of states.
For a long time, the possibility of a state directly intervening on infrastructure to control information was seen as a practice reserved for states outside the European space.
Sun Tzu explains it in the Art of War “The art of war is to subdue the enemy without fighting.” We prevent potential attackers from subduing us by remaining in control of the whole of our territories, including at the digital level.