How the powers of Anssi could be reinforced with the new military programming law


Anssi could see its powers and its field of intervention further strengthened by the next military programming law for 2024-2030. Presented Tuesday in the Council of Ministers, the text plans to strengthen the powers of the state’s cyber-firefighter through four articles.

These provisions should allow Vincent Strubel’s agency “to increase its knowledge of the operating methods of cyberattackers, to better remedy the effects of their attacks and to more effectively alert victims of incidents or threats to their information systems,” says the government.

The return of the probes

In detail, this bill should be an opportunity, via its article 35, to review the provisions relating to probes and the search for technical markers. These measures introduced in the previous military programming law had already caused much ink to flow.

But for Anssi, the result did not live up to expectations. As the impact study of the new military programming law specifies, the agency ran into a difference of interpretation with Arcep, the telecoms regulator, which takes a more restrictive view of the scope of possible collection.

As a result, the French cyber-firefighter today has access only to the effects of malicious activities, namely network flows, and not to their causes: code, logs or stored content, the government regrets. This shortcoming must now be corrected by allowing the agency, for example, to obtain a copy of the server used by the attacker.

Extension of the perimeter

Anssi is also counting on the scope being extended to data center operators, a way of taking the evolution of the threat into account. The government underlines the “frequent use by attackers of compromised servers, rented by foreign hosts from operators of data centers based on national territory”.

This article of the military programming law also provides for making it mandatory for electronic communications operators designated as operators of vital importance to set up detection capabilities. Finally, the government wants to extend to data hosts the obligation to communicate, “for the exclusive purpose of alerting”, users of vulnerable or attacked systems and technical data. This is a way for Anssi to improve its knowledge of attackers’ operating methods and to be able to identify and alert more victims.

Reporting obligation

In addition to this first large piece of legislation, the government is counting on the introduction of a new reporting obligation for software publishers who are victims of a computer incident or who have discovered a vulnerability in a product used in France. The bill thus wants to impose the transmission of information to Anssi and to the users of this software.

The authorities hope this will improve transparency and responsiveness in this area, without forgetting a stick to convince the most recalcitrant. The agency could thus “name and shame” by reporting unanswered injunctions addressed to publishers. According to the impact study, the cyber-firefighter’s current amicable approaches do not always meet “the expected success”.

Domain name filtering

Next, article 32 of the bill should also allow Anssi to prescribe domain name filtering measures to neutralize computer attacks. This provision could take the form of an injunction to block and suspend to counter a malicious action, or a redirection and transfer of the domain name for intelligence purposes.

“Operators would thus contribute to providing end users with a secure flow of data when browsing the Internet,” the impact study points out. “This would also allow a significant increase in national capacities for detecting computer attacks and would give ANSSI the ability to neutralize serious and proven threats likely to affect the safeguarding of national security.”

DNS technical data

Finally, article 33 provides for the communication to the agency of “technical, non-identifying data, temporarily recorded by the DNS servers which establish the correspondence between the domain name and the IP address of the machines in a network”. This is a way, explains the government, which reports an existing legal vacuum, to detect the servers set up by the attackers and to establish the chronology of their attacks.

While the Council of State considered these various provisions proportionate, it did suggest dropping one of the measures in the text, which it considered flawed. That measure provides for the possibility for Anssi to subcontract the collection of technical data to another State service with the aim of pooling.

Tabled in the National Assembly, the bill should be examined by the deputies during the month of May, with passage to the Senate hoped for the following month. The government is betting on promulgation around the symbolic date of July 14, the national holiday.




