THE CYBERSECURITY AGENCIES OF G7 COUNTRIES HAVE A COMMON ROADMAP
Vincent Strubel, Head of the French ANSSI, who was the chair of the meeting held on May 27 with the G7 cybersecurity Agencies, summarizes the directions:
Encourage and support the transition to post-quantum cryptography, this long-term urgency which requires large-scale coordination of very many stakeholders, and on which it is very valuable to align the recommendations of all G7 members. This is what our Canadian colleagues have done excellently following their G7 presidency.
Improve our collective understanding of AI-related risks, and establish recommendations to cover these risks. The strength of the collective represented by the G7 is also very valuable here to shed light on this complex subject and propose solutions. The proposal of a “SBOM for AI” developed by our German and Italian colleagues is remarkable in this regard, and could constitute a first building block for enhanced traceability for AI systems.
Improve the security of telecommunications networks, which are increasingly a super-critical infrastructure, exposed to systemic risks and by nature shared on a global scale.
Strengthen the security of SMEs, a problem whose importance we all recognize without yet having a universal solution. In any case, we have enough feedback from G7 members on what has been tried or not, and what has worked or not, to try to pool good practices.
NEW FRENCH ACTOR TARGETS SMES
A new player is emerging in the French cloud landscape. Named “Nubevia,” it comes from the merger of three companies already well established in their respective segments: ARD-Com in telecommunications and IT services; Hosteur in hosting and cloud infrastructure; and TAS Cloud Services in IT outsourcing and managed services. Nubevia positions itself as an integrated provider of digital services. Its offering combines cloud hosting, IT management, connectivity, and managed cybersecurity. The objective is to set up a ‘one-stop shop’ model aimed at simplifying the management of IT infrastructures for companies. The company’s policy is to prioritize French solutions, then European ones, before resorting to open source technologies when it is appropriate.
CRA: THE NEXT STEPS
As the Cyber Resilience Act will soon enter into force across the EU, the next two dates are approaching:
- On June 11, 2026, the audit boards will be nominated. Each country will have an “entry point”, such as ANSSI in France, and a number of test companies entitled to perform audits and verifications, under the supervision of the entry point.
- As of September 11, 2026, manufacturers (hardware) and designers (software) will be obliged to report incidents.
MICROSOFT DEVELOPMENT FACILITIES HIT BY A CYBER ATTACK
Security researchers said a fast-moving supply-chain attack linked to the “Miasma” worm hit Microsoft’s developer ecosystem on Friday June 5, spreading through code repositories tied to Azure cloud tools. The attack is reported to have spread to more than 70 repositories Friday in under two minutes, forcing the temporary disabling of Azure Functions-related repositories and development workflows. Researchers at StepSecurity said attackers used a previously compromised contributor account to push malicious code into Microsoft’s Azure ecosystem. The attack triggered an automated campaign designed to infect developers who interacted with affected repositories through artificial intelligence-assisted coding tools.
TCHAP, THE SOVEREIGN FRENCH ADMINISTRATION COMMUNICATION SYSTEM, HAS BEEN HACKED
An account takeover led to a security incident on Tchap, the messaging service of the French administration. A hacker claims to have access to more than 643,000 messages exchanged between agents. The affected account was quickly identified and then blocked to stop the attacker’s access. Through a targeted social engineering operation, the attacker managed to hijack a valid account on a Ministry of Education server. Investigations are ongoing to determine precisely which data was accessed or possibly exfiltrated. The Dinum (French State digital directorate) specifies that private conversations on Tchap remain protected by encryption. “Even in the case of account impersonation, the history of private and encrypted conversations is not accessible,” states the government service. If there is any exfiltration, the data would therefore be limited to the “public rooms”.
ORANGE, CREDIT AGRICOLE … THEY ALL WANT TO BE PART OF THE GLASSWING PROJECT, BUT WILL THE US GOVERNMENT AGREE?
GLASSWING is the project launched by ANTHROPIC to test the use of its MYTHOS system, designed to detect vulnerabilities in code. Having found that distributing MYTHOS without restriction could generate a tidal wave of cyber attacks, ANTHROPIC has decided, in a first stage, to partner with some big companies to evaluate the system’s impact. Among other impacts, however, is the possibility that cybersecurity vendors will be deeply disrupted, as the shield services they provide might be delivered directly through AI systems.
As we come to publication, news has surfaced that the US Government has decided to stop the provision of the most advanced ANTHROPIC models to foreign actors (and foreign persons living on US territory). This should be taken seriously by Europe…
In the ECA’s opinion, this should trigger a European approach. Is queuing at ANTHROPIC’s door the best solution? We strongly advocate for a European response. Europe has AI providers and expertise, and has good cybersecurity vendors and experience. The ECA is working to provide a common framework for these actors.
AGENTIC AI: THE FRENCH CERT RECOMMENDS BEING MORE CAUTIOUS
The French cyber watch board warns of five major risks: the compromise of the user workstation due to a vulnerability in these tools, most of which are still in beta; the leak of sensitive data to uncontrolled external resources; the excessive access rights given to the agent across all of the user’s office applications (email, calendar, file manager, business and HR applications); the sharing of authentication secrets with the agent, and their potential leak; and, finally, the loss of control over the actions performed by the agent on the workstation, with the possibility of destructive actions on data or business applications. These five risks all point to the same issue: the agent accumulates the user’s rights and secrets, and can act without any intermediate validation.
FRENCH CISOs’ REPORT
CESIN, the French CISOs organization, has published its yearly report. A first takeaway is that, while the registered attack rate tends to decrease, the impact of attacks is getting higher. Regarding the risk index, shadow AI comes first, a remarkable progression. Moreover, the number of actors that have built a control strategy is low (16%). Not surprisingly, supply chain is the second major risk in the list. Finally, another interesting finding is that digital sovereignty is making strong progress, mentioned as a priority by 63% of companies, up 11 points. It’s becoming a key factor when choosing critical infrastructures and managing strategic data, and cyber espionage is seen as a high risk by 40% of organizations.
THE US CISA SETS A NEW SYSTEM TO CLASSIFY VULNERABILITIES
Named Stakeholder-Specific Vulnerability Categorization (SSVC), this decision-support system relies on 4 criteria:
– Is the asset publicly exposed?
– Is the vulnerability in the KEV catalog?
– Can the exploitation be automated?
– Does it give full or partial control?
However, according to Fred Raynal of QUARKSLAB, even for covered vulnerabilities, CISA sticks to what’s objective: technical impact, automation, exploitation. Contextual questions (which assets are exposed on your end, which missions are affected on your end) are still up to users/CISOs. And he adds 3 questions to sort out priorities: What revenue, data, and obligations are affected by the asset? What controls can compensate (WAF, monitoring, segmentation)? Is the product on the radar of Advanced Persistent Threats (APT) targeting my sector?

