The Palace Journal. Can you remind us of the challenge of cybersecurity, for businesses and local authorities, as well as hospital-type structures for example?
Patrick Molinoz. First of all, it must be remembered that cybersecurity is one of the main challenges of the digitalization of society. I like to remind people that the digital universe should be thought of like the “physical” world: there is no freedom, no democracy, no growth for citizens in the “physical” world without security. It’s the same thing with digital.
It is therefore necessary to protect the data collected and the systems that process them to allow the normal, healthy functioning of their activity.
The question is not to know “if” a cyberattack will take place, since it is certain that it will take place, but “how” to protect oneself from it… one of the specificities of cybercrime is that the attacks are more and more “all-round”. In Burgundy Franche-Comté, as elsewhere, many entities, of all sizes, public and private, are victims of computer attacks every year.
Communities, businesses and citizens themselves produce and/or collect data that is of interest to a multitude of malicious third parties. Cybercriminals may seek to exploit stolen data for their own interests (economic or technological espionage, etc.), to use it as “bargaining currency” (extortion, blackmail) or even as part of political destabilization operations ( influence electoral processes, etc.) and economic (macroeconomic destabilization).
If the majority of cyberattacks aim at extortion via ransomware (programs that make data unusable by its owner) or bank fraud (mainly requests to change bank details for payment of invoices) the money is not not everything… Beyond financial damage, we must protect ourselves from paralysis… it is therefore vital (sometimes literally) to guarantee the continued functioning of the entities attacked and particularly public services. So with regard to university hospitals, it is obviously necessary to guarantee the continuity of patient care, even with a degraded information system, and to protect health data.
What is the assessment of the first years of existence of the CSIRT-BFC?
The CSIRT-BFC, implemented by the Regional Digital and Artificial Intelligence Agency (ARNia) on behalf of the region, has been operational since 2022, thanks to funding from ANSSI (National Security Agency). information systems).
The number of requests is steadily increasing. Between 2023 and 2024, the change is +61%. The CSIRT-BFC is aimed at companies, public establishments, communities and associations.
Beyond incident response, the CSIRT-BFC plays several roles: awareness raising (nearly 40 interventions in 2024), vulnerability detection (2,200 sites were analyzed in 2024) and coordination of the sector.
-Our role is essential because without us, there is no structure serving mid-sized businesses and communities. In this regard, we are concerned about the future because ANSSI no longer plans to finance the CSIRTs… but there are only two solutions to avoid abandoning SMEs and communities: either ANSSI takes care of it directly, or it continues its support to regional CSIRTs. The president of the region is mobilized on this subject.
What are the challenges of this Forum dedicated to cybersecurity in BFC?
The Cybersecurity and Digital Forum is the result of the mobilization of the sector (French Tech BFC), ANSSI and ARNia. A regional event, it is a major meeting for players in the cybersecurity sector in Burgundy Franche-Comté.
Aimed at all decision-makers – in businesses, communities or associations – the Forum aims to increase awareness of this now crucial topic and to connect regional suppliers of cybersecurity offers with requesting entities. In Burgundy Franche Comté, the issue of cybersecurity is thus placed at the heart of strategic issues for both the public and private sectors.
What legal arsenal to protect companies from foreign regulations, particularly regarding data protection? Should administrations and local authorities be required to use French office suites and hosting?
Legislators, both French and European, are carrying out regulatory work around these subjects. The General Data Protection Regulation (GDPR) was one of the first building blocks. We will have to implement the European directive relating to network and information security (NIS 2) which will impact businesses and public administrations. The latter requires organizations to apply reinforced rules regarding cybersecurity.
For digital solution providers, the European Cyber Resilient Act regulation pursues the same objective in terms of software and hardware.
Finally, sovereignty is crucial. And it is not limited to the question of software but also concerns data hosting (which must be French or European) or even the problem of the hardware and components themselves. So that digital sovereignty is not just a slogan, we need both European champions and a “digital small business act”.
