The Assembly votes to broaden the prerogatives of Anssi

In a context of cyberattacks still at a high levelthe National Information Systems Security Agency (Anssi) saw its prerogatives reinforced by the adoption on Wednesday June 7 by the National Assembly of the military programming law (LPM) 2024-2030.

The LPM embeds its share of protection measures against the cyber threat. A law “renovation and transformation”defends Sébastien Lecornu, Minister of the Armed Forces, because currently Anssi can only obtain information on the network traffic of suspicious machines: judged data “very limited”. The bill was an opportunity to review the measures introduced in the previous LPM that Anssi had deemed insufficient. Among them, the provisions relating to probes and the search for technical markers.

The previous law allowed internet service providers (ISPs) who so wished to install threat detection tools on their network. In the event of a detected threat, they could inform Anssi, which, if it was a serious attack aimed at “a strategic actor”, could in turn install its detection tools at the ISP concerned. Article 35 of the new LPM speeds up the process, since it makes mandatory the installation of probes and markers on the networks of ISPs, allowing the agency to obtain the copy of the network data.

“The text authorizes access to data and metadata” by Anssi even without being seized beforehand by the ISPs, regret Tom Barthe, member of the Federation of Associative Internet Service Providers. THE government justifies this extension by “frequent use by attackers of compromised servers, rented by foreign hosts from data center operators based on the national territory”.

Towards a blocking of administrative domain names

Article 32 of the law ratifies the possibility for Anssi to prescribe domain name filtering measures (DNS) when it is found that a threat is “likely to harm national security”. In concrete terms, Anssi is asking a DNS provider to suspend, transfer the domain name to a secure server or block these sites – blocking which will be done administratively, that is say without going through a judge’s decision.

The question of this administrative blockage makes some people fear a questioning of the open Internet. Among them, M.^e Alexandre Archambault, lawyer at the Paris Bar and member of the Renaissance Numérique think tank. For the lawyer specializing in digital law, “even if we have a regulatory framework that takes new threats into account, the law comes to break the moral contract between the services of the State and the office of the judge”. These new injunction powers of Anssi make M fear^e Archambault the “human errors” of officials who “under the guise of efficiency, would dispense with the decision of a judge”.

Finally, the new LPM also introduces an obligation for software publishers who are victims of a computer incident or who have discovered a vulnerability in a product used in France: they must report this incident to Anssi and to the users of this software.

At the end of its easy adoption at first reading in the National Assembly, the text will be examined in the Senate, the government counting on a final adoption before July 14.