Cybersecurity area is specific in a certain way: it’s the only one who could be used to break down a country by one shot and where defensive operations are mainly handled by private actors and not the state.

When a country is attacked on its territory by another one or a terrorist group, it’s the army and the police who are in charge of the defensive task, and the army alone for the counter-offensive.

When a country is attacked on its IT infrastructure and those of its companies, defensive job will be handled by state agencies for few organizations (called Vital Importance Operators in France), and everyone else will be let to private actors. Counter offensive will be military, of course, but not necessarily cyber. USA for example has warned everyone that a major cyber-attack on their own infrastructure will lead to a nuclear answer.

With attacks like WannaCrypt (simple cryptovirus which led us to close hospitals or car factories) or more dangerous attack like NotPetya (a mass cyberdestruction weapon which took down Ukrainian’s banks and did some side damage like Saint Gobain or Maersk) it’s now time to ask a serious question: is the security of IT infrastructure still some advice given to all organizations? Or should it be a regulatory constraint which can lead to sanction when not applied?

In France, every citizen have the obligation to have its seat belt inside a car to reduce death rates on the road.

In France, every citizen have the obligation to apply to a control process for its car to check ecological impacts and effective security for passengers.

In France, every citizen have the obligation to secure its Wi-Fi network to limit copyright piracy and so protect majors’ business.

In France, every citizen have the obligation to vaccinate children against some viral diseases to prevent any pandemic.

In France, every organization has the obligation to control subcontractor social taxes state to avoid frauds.

In France, every organization has the obligation to provide a safe working environment and validated tools, when those can hurt, to prevent work accidents.

In France, every organization ordering building jobs has the obligation to enforce law respect to its providers also to reduce work accidents.

Regarding recent news, isn’t it time to force all organizations, having an economic activity in the country, to secure its IT infrastructure? Mandatory points could be:

  • applying security update;
  • removing from production software and common hardware out of support by an editor;
  • management or checkup by qualified contractors for every IT equipment;
  • forcing software editors to publish in Open Source all software related to expensive hardware when they don’t want to update them for compatibility with other software editors (and so avoiding any trap for organization owning hardware like RMI, scanners, HPLC or other industrial tools).

In other words: should the operational and economical safety of a state be dependent of its citizen’s will? Or Should it become a national Goal?