Stéphane Taillat: "In cybersecurity, the United States' main vulnerability is its own system".

A researcher at the Saint-Cyr Coëtquidan Military Academy Research Centre (CReC), the historian has published "De la cybersécurité en Amérique", a detailed review of the latest developments in this field. As far as electoral interference is concerned, "we are a long way from 2016", he says. Interview.
Interview with Stéphane Taillat for the IHEDN

Stéphane Taillat is a senior lecturer in contemporary history at the Institut Français de Géopolitique, Université Paris 8, on secondment to the Saint-Cyr Coëtquidan Military Academy, and a researcher at the Centre Géopolitique de la datasphère (GEODE). After co-editing "La Cyberdéfense. Politique de l'espace numérique" (Armand Colin, 2nd revised edition 2023), he has just published, with Presses universitaires de France, "De la cybersécurité en Amérique". The reference to Tocqueville is not anecdotal, as the protection of networks and data in the United States is subject to the complex rules of this democracy.

In this interview, he discusses some of the elements that enable him to "describe, explain and interpret all the policies adopted under the Biden administration in terms of cybersecurity or issues related to digital space". This analysis takes us beyond this sector, since, in his view, "policies relating to cyberspace, cybersecurity or the digitisation process are a privileged observation point for the logic, modalities and limits of US foreign policy and national security policy".

YOU HIGHLIGHT THE PARADOX OF US POWER IN CYBERSPACE: THE COUNTRY ENJOYS SUPERIORITY ON A GLOBAL SCALE, BUT SUFFERS FROM GLARING VULNERABILITIES ON A NATIONAL SCALE. HOW DO YOU EXPLAIN THIS? WHAT ARE THE MAIN VULNERABILITIES?

To understand this, we need to look at the way in which, historically, the various US players have appropriated cyberspace. The earliest to do so were the intelligence services, such as the National Security Agency (NSA), then the armed forces. These players saw the digital space primarily from an offensive point of view. 

At the same time, this emerging digital space has also been approached from the angle of vulnerabilities, particularly concerning critical infrastructures and essential services. But despite early warnings from the very top of government, this aspect has often been marginalised, from both a political and a budgetary point of view. The main explanation therefore lies in the tension between a preference for offensive solutions and structural difficulties in taking on the defensive aspect.

This tension can also be understood through factors internal to the United States: on the one hand, the weight of the national security sector, and on the other, the political, administrative and legal difficulty for the Federal State, particularly the executive, to organise, on its own initiative, a coherent defensive system: finding players capable of coordinating crisis management, imposing security regulations on private players, etc.

There are therefore two levels of vulnerability: firstly, the difficulty of organising this sector, linked to the Constitution and the political, legal and administrative culture. The executive has limited powers, the federal state is limited in what it can do compared to the federated states, and the private sector has a great deal of leeway compared to the regulators. Although I would qualify this observation, we can already see that there are holes in the system.

"CYBERSPACE IS THE DEPLOYMENT OF US INFRASTRUCTURE AND RULES ON A GLOBAL SCALE".

To understand this, let's draw a comparison with France: the ANSSI, which has been in existence since 2009, has the regulatory capacity, as well as the human and technical resources, to organise cybersecurity for a large number of sectors, both public and private. In the United States, the closest thing to this is Cisa (Cybersecurity and Infrastructure Security Agency), which was only created in 2018 within the Department of Homeland Security. In reality, it only has as much power and resources as it has been able to obtain through a complex political game of alliances with Congress or local authorities.

The second level of vulnerability is the US digital ecosystem, which is closely linked to the first. We mustn't forget that cyberspace is the global deployment of US infrastructures, rules and standards. But, as I was saying, issues of cybersecurity and regulation are not present at all. So there is a structural, fundamental vulnerability at the heart of the system: the basic building blocks of the digital space are not designed for security. Add to this the presence of numerous private players, who are entry points for adversaries. This lack of regulation results in a very open system and a very vast attack surface.

Two examples. Throughout 2023, one of the priorities of Congress and the federal agencies has been to draw attention to the fact that a large proportion of attacks on targets in the United States originate from infrastructures based in the United States, such as the cloud services of Google, Microsoft, Amazon and Oracle. The political authorities have little control over them: should they twist their arms, or make them understand that they must collaborate voluntarily? It will probably take a mix of both.

The second very recent example dates from the end of September: the three main telecommunications operators in the United States reported that they had been the victims of an intrusion by a group of hackers probably affiliated to certain Chinese ministries. To steal the data, these hackers installed themselves in the systems set up by these operators for legal wiretapping. These Chinese hackers were therefore spying on spies.

In a way, the United States' main vulnerability is its own system.

YOU SAY THAT THE PRIVATE SECTOR "IS THE BACKBONE OF SECURITY IN CYBERSPACE": HOW CAN IT BE REGULATED TO ENSURE CYBERSECURITY IN A COUNTRY WHERE ADMINISTRATIVE INTERVENTIONISM IS MUCH CRITICISED?

This is a key point in my book. Let's look at the solutions that are being put in place today, over the 2021-2023 period that I'm studying. We can divide the private sector into three parts: the cybersecurity market, the digital ecosystem in general (the one that everyone uses, such as the Microsoft Office suite), and the operators of critical infrastructures: water, energy, transport, etc.

With the cybersecurity sector, at the initiative of the NSA and Cisa, the aim is to create cooperation, which will increasingly tend towards a form of operational symbiosis. This involves collaborative threat analysis platforms and shared databases on hacker groups.

For the digital ecosystem, it's more complicated. Here, as the Biden administration puts it, we need to "recast the social contract of cybersecurity". From the outset, it has been based on the behaviour of the user (individual, industry, government, etc.), who must update their antivirus software. The idea behind the overhaul is to say that this burden should be placed back on the shoulders of those who can bear it: public authorities and the digital ecosystem, i.e. service and software providers, who are the key to the whole thing - the GAFAMs, but not only them.

"REGULATION IS MADE COMPLEX BY THIS VERY PARTICULAR POLITICAL CULTURE".

That's where it gets complicated, because you have to negotiate very hard with these players. There will be attempts by regulatory authorities to bring them to heel, or even arm wrestling. The Department of Justice is trying to get the GAFAMs to bend on a number of issues, in particular Google, Meta, Amazon and Microsoft. There are at least five cases in progress, to protect privacy, minors, or put an end to monopolies that are becoming dependencies. 

The problem with critical infrastructures is that they are currently classified into 16 sectors, each of which is the responsibility of one or more federal agencies for cybersecurity. To operate, these agencies depend on the laws of Congress. And while the Energy Commission gives a great deal of regulatory power to the agencies that report to it, the Environmental Protection Agency, which is responsible for monitoring water distribution and treatment, for example, has very little power, and this power is still being eroded by various legal proceedings. It has therefore had to put an end to certain regulations.

In finance, the powerful Securities and Exchange Commission (SEC) was able to impose rules in 2023 requiring companies listed on the stock exchange to notify it, within a fairly tight timeframe, if they have been the victim of an intrusion or a ransom demand.

With the CIRCIA Act passed by Congress in March 2022, the idea is to apply the same thing to all critical infrastructures. But more than two years on, the proposal just made by Cisa has yet to be examined by the various stakeholders.

As we can see, regulation in the field of cybersecurity is complicated by this very specific political culture.

PREVIOUS NATIONAL ELECTIONS HAVE SEEN FOREIGN CYBER INTERFERENCE. WHAT LESSONS HAVE THE UNITED STATES LEARNED FOR THE PRESIDENTIAL ELECTION IN A FORTNIGHT'S TIME?

In 2016, 2018, 2020, 2022 and 2024, both the presidential elections and the mid-term elections were affected by disinformation operations, as well as attempts at "hack and leak": hacking into campaign email accounts in order to divulge "juicy" information, possibly "disguised", to influence the vote.

Since 2016, the Russians have been the main players in this field, but they have since been joined by the Iranians and the Chinese.

Federal agencies, public authorities, politicians and the media have all learned a great deal in this area. What we are seeing this year is relatively unprecedented. First of all, at federal level, since 2018 we have seen the emergence of greater cooperation and synergy between players: Cisa, the FBI, the NSA and the armed forces' CyberCommand have built a system that seems to be working.

It also works because a relationship has been forged with the many players involved in elections at local level - since in the United States, voting is the responsibility of local authorities that are not necessarily independent of the two parties. The aim is both to secure the digital infrastructure used to hold the vote, and to combat false rumours that could distract Americans from voting.

"A FORM OF MATURITY IN THE MEDIA AND POLITICAL TREATMENT OF HACKING OPERATIONS".

However, since 2020, some officials, particularly Republicans, have tended to be less open to messages from the federal authorities. This is particularly the case with Cisa, which is seen by some elected officials as a kind of propaganda ministry in the hands of the Biden administration, aimed at censoring conservative voices.

As far as the NSA and CyberCommand are concerned, it works, and some of the interference operations have been nipped in the bud, either by cyber operations or by legal action to seize domain names or IP addresses.

We are also seeing a form of maturity in the media and political treatment of successful operations. This summer, Iranian actors attempted a hack and leak by apparently hacking into part of Donald Trump's campaign and trying to leak the information to major US media outlets. This time, the media did not exploit these elements, and instead collaborated with the FBI to compile investigative files.

This is a far cry from 2016, when the coverage by the New York Times and the Washington Post of leaks from Hillary Clinton's campaign may have had an impact on the outcome of the election.

YOU WRITE THAT FOR THE AMERICANS, "CYBERSECURITY IS SEEN AS A CENTRAL ISSUE IN THE LONG-TERM COMPETITION WITH CHINA": WHAT IS THEIR STRATEGY TOWARDS CHINA?

The first strategy is internal to the United States: it involves developing resilience in order to hold its own in this competition. The United States feels vulnerable to China's assertiveness in the digital space. We have seen this since the spring of 2023 with the presence or attempted intrusion into critical infrastructures of a whole series of players, which Microsoft has named with names that always end in "Typhoon": Volt Typhoon, Flax Typhoon... This feeling of vulnerability is echoed in the question of TikTok in the social layer.

In the United States, there are fears that structural vulnerabilities could create an asymmetrical relationship with China, which would take advantage of US global infrastructures, such as cloud services, to turn them against the United States by playing on the absence or weakness of regulation.

The second strategy is international, in the sense that the digital space is also an instrument of US leadership and power. From their point of view, there is a competition between two models of governance, norms and technical standards: the American model, a model "for democracy" according to the rhetoric of the Biden administration, which exists today and which needs to be rebuilt to enable it to withstand; and, on the other hand, an authoritarian model, which would be promoted in particular by China via the deployment of infrastructures as part of the digital "Silk Roads".

"GRADUALLY BUILDING THE LEVERS THAT WILL ENABLE US TO TAKE ACTION AGAINST CHINA".

In strategic terms, this opposition translates, as the Biden administration's National Security Adviser Jake Sullivan has theorised, into the idea that the United States must be "de-risked" vis-à-vis China: the interdependence between the two countries, made even stronger by digital technology, must no longer pose risks for them. We also need to control Chinese exports and investments in the United States, so that we can gradually build up levers that will enable us to take action against China.

This is obvious in the field of semiconductors, to which the Americans are trying to limit Chinese access: even though they are mainly manufactured in Taiwan, their patents are mainly American, as are those for the high-precision machines used to produce them.

The American strategy is therefore both to guard against this interdependence and to use it to contain China.