Agence nationale de la sécurité des systèmes d'information (English), feed updated Tue, 10 Oct 2023 15:19:45 +0000

Anticipating and managing your cyber crisis communication
/guide/anticipating-and-managing-your-cyber-crisis-communication/
Tue, 17 May 2022 15:13:33 +0000

In the face of an attack, the technical nature of a cyber crisis can destabilise even the most experienced communicators, who must deal with features, challenges and ecosystems that are sometimes very far removed from their core business activity.

Focussing on the particular characteristics of a cyber attack, this guide aims to show that good cyber crisis communication is primarily a reiteration of all the tools and reflexes we commonly apply to any crisis communication strategy.

“When a cyber crisis occurs, the actions of communicators all too often take a back seat. This is a mistake. For global crisis management, it is essential that the communication response works hand in hand with the technical response.” Guillaume Poupard, Director-General of ANSSI

WHAT IS THIS GUIDE FOR?

Based on situations encountered by ANSSI since its formation in 2009 to provide assistance to victims, this guide aims to provide highly operational advice and recommendations in order to develop and then trigger the crisis communication component during a computer attack.

Although there is no magic recipe in crisis management, there are a number of reflexes and key concepts that can be integrated without delay by your organisation, whether private or public, in preparedness for a cyber crisis.

The recommendations in this guide are therefore also suitable for managing situations described as “sensitive”, which often precede a potential media crisis.

WHO IS IT FOR?

This guide is intended for all people acting in the role of communicator during the management of a crisis. Depending on an entity’s size and organisation, this may be a communication professional (Head of communications, communication officer or communication agency), but can also be other profiles (firm of professionals, legal expert, decision-maker), for lack of dedicated communicators. Depending on the situation, even the operational team can sometimes play the role of communicator.

While this guide is primarily intended for communication professionals, who have a key role to play in crisis management, it also aims to provide tools and advice to other technical and decision-making professionals called on to support our communicators.

WHAT ARE THE PREREQUISITES?

This guide aims to provide insight into the particular characteristics of cyber crisis communication, as perceived by ANSSI. Its purpose is not to go into detail about how to develop a crisis communication strategy in general. Ideally, this task should be carried out and tested upstream in order to be able to adapt your organisation and tools to the specific nature of a cyber crisis.

This guide does, however, offer a few reminders of the basics of crisis communication to familiarise all readers with the concepts and key issues at stake for the communication function.

BY THE WAY, WHAT IS A CYBER CRISIS?

A crisis of “cyber origin” is defined as the immediate and major destabilisation of the day-to-day operation of an organisation (cessation of activity, inability to deliver services, heavy financial losses, major loss of integrity, etc.) due to one or more malicious actions against its digital tools and services[1] (cyber attacks like ransomware, denial of service – DoS, etc.). This is a high-impact event, which cannot be dealt with by the usual processes and within the framework of the organisation’s normal operations. By convention, we will use the term “cyber crisis” from here on.

This guide is part of the « Cyber Crisis Management » collection, designed to help organisations prepare for and manage a cyber crisis. This collection is composed of three volumes: Organising a cyber crisis management exercise (available in French and English), Crisis of cyber origin, the keys to operational and strategic management (available in French and English) and Anticipating and managing your cyber crisis communication (available in French and English). This collection aims to provide a cross-sectoral expertise on all aspects of cyber crisis management.

[1] To which are associated the organisation’s IT systems and those of its service providers.

Crisis of cyber origin, the keys to operational and strategic management
/guide/crisis-of-cyber-origin-the-keys-to-operational-and-strategic-management/
Tue, 17 May 2022 15:12:01 +0000

The disruption involved in a cyber crisis forces organisations to adapt and operate in unusual ways. These sudden and uncertain upheavals cause stress and complicate decision-making, while remediation actions must be decided and executed quickly to limit the impact.
« It is not possible to improvise a response in the middle of a disaster. The preparation, tools and training are essential to maintain activity in the event of a computer attack », says Guillaume Poupard, Director-General of ANSSI.
To meet this need, ANSSI has published the guide Crisis of cyber origin, the keys to operational and strategic management, in partnership with CDSE. Aimed at anyone involved in the response to a cyber crisis, this guide enables organisations to adapt their existing crisis management system to take into account the specific aspects of cyber crises.
Addressing both crisis preparation and response, this guide, made up of 18 practical sheets, proposes objectives to be reached for each phase of crisis preparation and response and is addressed to each of the actors at the strategic and operational levels.
The advice and best practices it presents are enhanced by feedback from several organisations that have been victims of cyber attacks. Their concrete examples and testimonies about the lessons they have learned complement the description of how a crisis unfolds.

This guide is part of the « Cyber Crisis Management » collection, designed to help organisations prepare for and manage a cyber crisis. This collection is composed of three volumes: Organising a cyber crisis management exercise (available in French and English), Crisis of cyber origin, the keys to operational and strategic management (available in French and English) and Anticipating and managing your cyber crisis communication (available in French and English). This collection aims to provide a cross-sectoral expertise on all aspects of cyber crisis management.

Rules for secure C language software development
/guide/rules-for-secure-c-language-software-development/
Fri, 15 Apr 2022 15:06:08 +0000

This guide defines a set of rules, recommendations and good practices dedicated to secure development with the C language.

This guide has several objectives:

  • increase the security, the quality and the reliability of written source code, by identifying bad or hazardous programming practices;
  • facilitate source code analysis during peer reviews or by static analysis tools;
  • instate a level of trust in the security, reliability and robustness of a development;
  • further software maintainability while also helping with adding features.

This guide does not pertain to a particular field of application and is not intended to replace development constraints imposed by any normative context (automotive or aeronautical industries, critical systems, etc.). It specifically addresses secure C developments that are not covered by such normative constraints.

This guide is also available in French: « Règles de programmation pour le développement sécurisé de logiciels en langage C »

Recommendations for the architecture of sensitive or Restricted Distribution information systems
/guide/recommendations-for-the-architecture-of-sensitive-or-restricted-distribution-information-systems/
Fri, 24 Sep 2021 03:00:23 +0000

The II 901 directive applies:

  • to State administrative services which implement sensitive information systems (1);
  • to public or private entities subject to the regulation pertaining to the protection of the Nation’s scientific and technological potential (PPST) and which implement sensitive information systems;
  • to all other public or private entities which implement Diffusion Restreinte information systems.

The recommendations described in this guide are intended first and foremost for entities that are fully subject to the II 901 directive. As the II 901 directive is also recommended for any other public or private entity that implements a sensitive IS, these recommendations can usefully be adapted to any other public or private entity dealing with a sensitive IS (e.g. an IS hosting ‘business secret’ information, an IS hosting ‘professional secrecy’ data…).

This guide has been conceived as a tool for entities that intend to implement an IT architecture compliant with the II 901 directive. The reader’s attention is drawn to the fact that some areas of the II 901 directive are not covered in this guide (2).

This version of the guide does not address the issues raised when sensitive or RD data are hosted in the cloud.

(1) The State administrative services as defined in this directive are the Central Administrative Services, the National Public Bodies, devolved State Services and Independent Administrative Authorities.
(2) Examples of fields not included are physical security and the software development lifecycle. As a result, compliance of an IS with the recommendations of this guide is not sufficient to attest compliance with the full set of II 901 requirements. A complementary effort is required to attain full compliance of the IS where an accreditation at sensitive or RD level is sought.

This guide is also available in French: « Recommandations pour les architectures des systèmes d’information sensibles ou Diffusion Restreinte »

Papiers Numériques – European cyber security: history of a cultural transformation
/guide/papiers-numeriques-european-cybersecurity/
Wed, 08 Sep 2021 03:10:08 +0000

“When, at the start of the 2010s, the bodies of the European Union (EU) suggested to the member states a draft European regulation for IT security, many were interested, yet also… cautious. Cautious because, at the time, cyber security and cyber defence were mainly perceived as sovereign affairs, the competence of the states. The idea that external bodies could have the right to be heard on these sovereign subjects therefore seemed counter-intuitive to those with an interest in the domain.

Although issues of national sovereignty remain relevant today, the way in which “cyber” subjects are handled at the EU level has changed considerably. In a decade, exchanges between states and bodies of the Union have been ramped up, resulting in regulations, cooperation groups, recommendations, benchmarks, common stances and large-scale projects. All blocks laid down in just a few years, and now testimony to the inestimable value of European cooperation. Because when it comes to cyber issues, things move at great speed.

To prevent the emergence of a two-speed Europe in terms of security, with varying levels of vulnerability among states, the implementation of protection mechanisms at the EU level was in fact inevitable. All the more so since in cyberspace, “borders” are porous: an attack affecting the information systems of an operator within one State can have a rebound effect and impact the services it provides in other countries. When we talk about IT protection, the interests of the various parties involved often overlap. [...]”

ANSSI’s Papiers numériques continue the story in nine points:

  • Developing national capacity
  • Focus on essential operators
  • Strengthening cooperation
  • From a technical to a strategic level
  • A unifying agency
  • Ensuring trust in the ecosystem
  • Scaling up
  • Preparing the next steps
  • Thinking with solidarity

The publication also includes:

  • An interview with Jean-Yves Le Drian, French Minister for Europe and Foreign Affairs;
  • An interview with Karel Řehka, director of NÚKIB in the Czech Republic;
  • Extracts from interviews with Guillaume Poupard and thirteen ANSSI agents.

“Solidarity can only be implemented if the capacity of states is increased through trusted private service providers”
Anne Tricaud, Head of the International coordination division

Discover the French version: Papiers numériques – Cybersécurité européenne : histoire d’une mue culturelle

Ransomware attacks, all concerned – How to prevent them and respond to an incident
/guide/ransomware-attacks-all-concerned/
Tue, 07 Sep 2021 03:00:23 +0000

Ransomware attacks are increasing in frequency and sophistication. They can have serious consequences on business continuity or even endanger the survival of the targeted organisation.

In order to address this unprecedented situation and within the framework of a governmental initiative, ANSSI, in partnership with the DACG, publishes the guide Ransomware attacks, all concerned – How to prevent them and respond to an incident. The guide is very practical and is aimed in particular at general and IT managers, in the private sector and in local authorities.

This guide to good preventive and reactive practices in the face of ransomware has benefited from the contributions and experience of several actors: the cybermalveillance.gouv.fr system, the Brigade de lutte contre la cybercriminalité (BL2C), the French Data Protection Authority (Commission nationale de l’informatique et des libertés, CNIL) and the Direction centrale de la Police judiciaire (DCPJ). It is enriched by the testimonies of three victim organisations that contribute significantly to the awareness of the risk: the M6 Group, the Rouen University Hospital Centre and Fleury Michon.

This guide is also available in French.

Organising a cyber crisis management exercise
/guide/organising-a-cyber-crisis-management-exercise/
Tue, 07 Sep 2021 03:00:21 +0000

In a context of a growing and ever-changing cyber threat, it is essential to be prepared to react. For this, the organisation of cyber crisis management exercises is fundamental. Carried out in partnership with the Club de la Continuité d’Activité (Business Continuity Club, CCA) and with the contribution of ENISA, this guide is the result of expertise developed at ANSSI over the years, combining experience in cyber security and crisis management.

“In the face of the threat, organising exercises is crucial. I have seen this with my own eyes! Through training, and with each exercise, the teams involved in crisis management develop their reflexes and better ways of working together. They are then ready to cope when faced with an attack.” Guillaume Poupard, Director-General of ANSSI

Who is this guide for?

Any private or public organisation, be it small or large, wishing to train in cyber crisis management can consult this guide. More specifically, this guide is for anyone who wishes to organise exercises at the decision-making level in order to train its organisation’s crisis unit: the risk managers, those responsible for business continuity, exercises or crisis management, those responsible for the security of information systems (SIS) or equivalent, etc. This guide is not intended to construct exercises that are purely technical, for instance, by providing a complete simulation of an information system using virtual machines (“cyber range”).

What does it contain?

  • Four steps accompanied by fact sheets which supplement and illustrate these steps.
  • Recommendations from the experience of ANSSI and the members of the CCA Crisis Management Work Group.
  • A complete exercise as the guide’s main theme called RANSOM20 that is gradually developed to illustrate each step.
  • Annexes, including a glossary defining all the terms used in this guide and that are specific to the exercises.

How can it be used?

The steps can be consulted independently depending on the organisation’s experience and needs in crisis management exercises. This format also makes it possible to consider outsourcing all or part of these steps so that each organisation, regardless of its size and budget, can carry out this type of exercise.

The guideline: RANSOM20
An example exercise (RANSOM20) is developed throughout the guide. It serves to illustrate recommendations made at each step.
To make something that can be used by and adapted for as many people as possible, the example is a ransomware cyber attack. This type of operation is a growing trend affecting organisations of all sizes.
This example is developed in various practical fact sheets which, once compiled, form a complete exercise that can be reused by any organisation. For more information on the RANSOM20 exercise, you can view the scenario (see fact sheet No. 4) or the timetable (see fact sheet No. 6).

This guide is also available in French.

Programming Rules to Develop Secure Applications With Rust
/guide/programming-rules-to-develop-secure-applications-with-rust/
Tue, 09 Jun 2020 03:00:05 +0000

The purpose of this guide is to compile rules, recommendations and good practices about program implementation with the Rust language, allowing one to benefit from the variety of possibilities this language can offer, while staying as much as possible in a safe zone for the development of secure applications. This guide aims to achieve several goals:

  • reinforce the security, the quality and the reliability of produced source code by identifying bad or dangerous programming practices, as well as good practices for the usage of the Rust ecosystem’s tools;
  • improve the readability of the code for source code analysis during peer review;
  • establish a level of trust in the security, reliability and robustness of a development;
  • help software maintainability, as well as the addition of features.
Controlling the digital risk – the trust advantage
/guide/controlling-the-digital-risk-the-trust-advantage/
Mon, 18 Nov 2019 04:00:58 +0000

Digital technologies have become daily partners at work and at home. They provide incredible opportunities as well as sophisticated and destructive threats. Cyberattacks can jeopardize the survival of the organization or seriously compromise its image and its reliability. This encourages organisations to rethink themselves and to adopt a continuous improvement approach.

It is now impossible to ignore these issues and we do our best to guide each actor through this process, whatever their size, activity, maturity or resources.

Controlling digital risk: an appropriate approach

This guide, proposed by ANSSI and AMRAE (a French association of risk and insurance specialists), provides managers and risk managers with a progressive approach to build, step by step, a digital risk management policy within their organization.

The proposed approach covers the following steps:

  • TAKING A READING OF THE DIGITAL RISK
  • UNDERSTANDING THE DIGITAL RISK AND GETTING ORGANISED
  • BUILDING YOUR SECURITY BASELINE
  • MANAGING ONE’S DIGITAL RISK AND ENHANCING ONE’S CYBERSECURITY
EBIOS Risk Manager – The method
/guide/ebios-risk-manager-the-method/
Mon, 18 Nov 2019 03:00:02 +0000

EBIOS RM makes it possible to assess digital risks and identify the security measures to be taken in order to control them. It also makes it possible to validate the acceptable level of risk and to carry on in the longer term in a continuous improvement approach. Finally, this method makes it possible to bring about resources and arguments that are useful for communication and decision-making within the organisation and with regard to its partners.

The EBIOS RM method can be used for several purposes:

  • setting up or reinforcing a management process for digital risk within an organisation;
  • assessing and treating the risks relating to a digital project, in particular with the aim of a security accreditation;
  • defining the level of security to be achieved for a product or service according to its use cases and the risks to be countered, for example in the perspective of a certification or accreditation.

It applies to public as well as private organizations, regardless of their size, their sector of activity and whether their information systems are being developed or already exist.

An iterative approach

Ebios Risk Manager - Digital risk management pyramid

The EBIOS Risk Manager method adopts an approach to the management of the digital risk starting from the highest level (major missions of the studied object) to progressively reach the business and technical functions, by studying possible risk scenarios.
It aims to obtain a synthesis between « conformity » and « scenarios », by positioning these two complementary approaches where they provide the highest value added.

Going Further – Methodological sheets

In addition to the EBIOS Risk Manager guide, « method sheets » have been created to help users conduct each workshop described in the guide.

Designed as pedagogical support tools, these method sheets are regularly updated.
