November/December issue
Vive la différence, while you can
SA Mathieson
France has always walked its own wild, stylish and sometimes rocky path.
Sadly, homogenised technology standards spawn security threats from
all parts of the world, and this is forcing the French on to the
security superhighways.
France is different. Most countries cry Unity is strength; France
celebrates with Vive la différence. So one might expect its
approach to infosecurity to be non-conformist.
Indeed, some might say "What approach?" Certainly it
usually prefers its own technologies, which are backed by a distinctive
legal system. These differences are being eroded by international
standards and by European legal changes, but they should not be
written off, at least, not yet.
"We're more Latin than Anglo-Saxon, which means the consciousness
of security is not so high as in the UK, the Netherlands or North
America," says Patrick Morrissey, president of the French chapter
of the Information Systems Security Association (ISSA). "It
has always been a real problem to make top managers aware of the
security of their assets."
Morrissey says that France is now starting to adopt international
standards on information security. He points out that there are
around 150 Certified Information Systems Security Professionals
(CISSPs), up from zero last year. In contrast the UK has 1,100.
Larger French companies are adopting ISO17799, also known as British
Standard 7799. This follows the passing of a new finance law to
enforce compliance, which replaces a standard run by the French
infosecurity association Clusif.
Even so, Morrissey says the state sector is almost ignoring such
changes. "At its heart, the French administration is years,
even centuries, from following proper risk assessment. We're very
far behind what the UK or Sweden has been doing," he says.
Doing it in-house
"France has been more hesitant to adopt consulting services
than Germany and the UK, and that is still the case," says
Farrokh Abadi, senior vice president of global cross-industry practices
for Atos Origin, a French IT consultancy. "Although the French
market is the third largest security market in Europe, it is clearly
lagging Germany and the UK," he adds. Clients are keen on anti-virus,
firewalls and security architecture, but, he says, "They wanted
most of the time to do all of that internal to their organisation."
This view is changing slowly as the need for external auditing
of security arrangements and compliance with ISO17799 starts to grip.
David Naccache is vice president of research and innovation at smartcard
maker Gemplus. He thinks infosecurity practice in France has become
similar to that in other countries, at least in his globalised industry.
"I don't think that the national factor is extremely significant
in this area," he says, "but if you'd asked me the same
question 10 years ago, I would say there are notable differences."
In the past these included having to keep copies of encryption keys
in case the government required access to a system, and restrictions
on length of encryption keys. Neither is now the case.
Smart moves
Naccache says that, unlike most countries, the French state picks
technologies to support. One is the smartcard. French companies
Gemplus and Axalto (until last year part of Schlumberger) now lead
the world in this technology. Although the two firms are headquartered
in Luxembourg and the Netherlands respectively, their main operations
are in France.
Naccache says the state-owned telco France Telecom introduced the
first smart phonecards.
"Smartness was introduced here very early. Users are familiar
with the technology, and they accept it," Naccache says. So-called
chip-and-PIN cards, smart bankcards with personal identification
numbers, which are only now being introduced in the UK, have been
in use in France for many years. In addition, the government is
currently issuing a smartcard version of its Carte Vitale, the state
health entitlement card.
Naccache says government backing for a local technology is a national
characteristic. "Since the Napoleonic era, government in this
country has been very centralised," he says. "There's
a tendency to take big, country-scale decisions. Some pay back,
some don't."
This can mean the country adopts some technologies later than others.
French use of the internet was held back somewhat by Minitel videotex
terminals. France Telecom introduced these text-based dumb terminals
to provide telephone directory information but they were soon used
to deliver a wide range of information and electronic shopping services.
Crypto on a smartcard
State support for technologies can create virtuous circles. Naccache
says that the concentration of smartcard manufacturing means that
universities include the technology in their courses, and academics
work on problems connected with it. He mentions Jacques Stern and
Jacques Patarin, academic cryptologists who have developed solutions
for the limited capacities of a smartcard microchip.
"These people were exposed to the needs of the local card
industry," he says. Of the flow of specialised graduates produced
through such academic support, he adds "This keeps the engine
warm; it's what maintains the level of competitiveness."
Atos Origin's Farrokh Abadi reckons that the French use of public
key infrastructure (PKI) encryption is well ahead of other countries
due to the early adoption of smartcards. However, there have been
setbacks. "A lot of organisations saw smartcards as security,"
he says, "but when PKI proved inadequate on its own, a lot
of business managers had a bad taste in their mouths."
This is fading, he adds. "They're coming back to PKI, using
the technology to address business issues, rather than saying here's
a technology, let's look for a problem for it. They are getting
more educated, but we need to do a lot of training; managers are
not as educated as in other countries."
First is also last
France is also distinctive in its infosecurity law, although this
too is becoming less pronounced. It introduced a data protection
law and regulator in 1978, becoming the first country in Europe
to do so, according to Victoriano Melero, senior lawyer at Clifford
Chance's Paris office. However, it was the last of the old 15 European
Union countries to implement the 1995 directive on data protection.
It enacted it on 6 August this year; the UK did it in 2000 and Germany
and the Netherlands followed in 2001.
As a result, France's regulator, the Commission Nationale de l'informatique
et des Libertés (CNIL, www.cnil.fr), has changed the way
it works. Under the 1978 law that created it, CNIL focused on agreeing
an organisation's data practices before it registered, but had no
sanction power afterwards. On 6 August, it acquired the ability
to levy fines up to €300,000.
"Now they've got real power," says Melero.
The new law also allows a court to impose fines up to the same
amount. However, with no sanctions applied so far, it is difficult
to know how CNIL will use these powers.
In another recent change, on 21 June France enacted a law to promote
the digital economy. This includes the EU's e-commerce directive
of 2000. France's implementation has taken a relatively tough line
on spam, and requires email recipients to opt in. The exception
is that organisations can send unsolicited email to customers who
have previously bought the same kind of product from them, so an
online retailer could send a DVD buyer spam about DVDs, but not
about books.
Melero says that it is hard to be sure that all websites always
apply this rule, but adds that Clifford Chance always advises clients
to stick to opting-in for email marketing, as the old 1978 law included
the principle of prior consent.
Right of reply
However, the June law included something borrowed from France's
heavily-regulated newspapers: if a French-based website runs an
article about an individual, it is obliged to publish a response
from that person. Melero says this right is unused to date.
France has transferred regulations from other media before. Its
1999 broadcasting law placed websites under regulation similar to that of
television channels. "You had an obligation to declare any
website to the service of the prime minister, which was complete
nonsense," says Melero.
This was abrogated in 2000. However, the strong influence of the
French government, both in law and in attempting to pick technology
winners, can be expected to continue. Despite some internationalisation,
the model has delivered results. Outside the United States, which
continues to use magnetic stripe cards, smartcards are taking over
the world, to the benefit of companies rooted in the country that
placed its faith in them.
Copyright ©SA Mathieson 2004. SA Mathieson writes about
IT for titles including the Guardian and Health Service Journal.