● A former Orange Group CISO, Jean-Marie Mélé specialises in the protection of critical infrastructure and has a wealth of experience in crisis management and the organisation of cyber defences.
● A confirmed expert in the analysis and prevention of Advanced Persistent Threats, Jean-Marie Mélé warns of a new generation of informational risks linked to artificial intelligence and the manipulation of large language models.
Roles in the field of cybersecurity are evolving to counter internal and external threats, and to focus on the protection of critical infrastructure. At the head of the Orange cybercrisis unit for five years, former Orange Group CISO and the current Head of Audits & Risk Assessments Jean-Marie Mélé has spent much of his career structuring defences against advanced persistent threats (APTs). Often orchestrated by States or State-sponsored actors, APTs are distinguished by a patient strategy that aims to exploit vulnerabilities over the long term. “The dice are loaded,” explains Jean-Marie Mélé. “The attackers have plenty of time, and they only need to find a single error. The defenders, on the other hand, are required to achieve constant success… So, it is not a matter of ‘if’ there will be an attack but ‘when’ there will be an attack.”
Countering APTs
Jean-Marie Mélé developed an approach based on an organisation divided into specialist units (Legal, Technical, Threat Intelligence, Research), which was inspired by international best practice and adapted to the specific characteristics of APTs. “It was more than a race; it was a marathon. Some of the crises went on for six months, a year, and even longer.” He notably cites the case of Salt Typhoon, a group believed to be working for the Chinese government which compromised US telecoms operators by exploiting longstanding vulnerabilities in Cisco equipment. “These groups have a long-term vision. They wait for the right moment to exploit zero-day vulnerabilities and human errors. There is no way of knowing where they are hiding. You have to anticipate their moves, actively search for them, and make rapid decisions in real-time.” In Mélé’s expert view, APTs have largely fashioned our understanding of digital security, the legislation to protect it and the way we go about defending it: “They aren’t a new phenomenon, but a kind of enduring force that evolves with technology. Every attack leaves behind lessons that are societal as well as technical.”
And let’s not forget other threats…
Let’s not forget ransomware groups, hacktivists, and a host of other threats that are a constant menace. The alarming reality of these attacks, which are widely reported in the press, is an ever-present reminder of the extent to which our society relies on information systems that are made vulnerable by their very complexity. Although they are for the most part non-targeted, they should not be dismissed as indiscriminate trawling: they may still cause enormous damage, notably financial implications that may be nothing short of catastrophic.
Threats that persist in spite of an arsenal of reinforced European regulations — NIS2, REC, CRA — that aim to raise the level of cybersecurity
Over the last decade, the European Union, which is increasingly aware of these threats, has introduced the GDPR and the NIS2 directive, which have obliged companies to reinforce risk analysis and management measures. With regard to the latter, Mélé explains that “the directive took into account past cybersecurity failures as well as the first years of the GDPR with the introduction of penalties for companies whose security posture remained too passive.” Under his guidance, Orange maintained its lead in the field and secured its supply chain by imposing the new standards across all of its subsidiaries including those outside Europe.
“With the stipulation that it can impose penalties of up to two percent of global turnover, NIS2 provided governments with a powerful lever to improve the overall level of cybersecurity,” points out Jean-Marie Mélé. Orange Group had every reason to adapt its procedures to comply with the new rules. “Telecom operators are prime targets, not for themselves, but as a means to an end because of their strategic role in the functioning of countries. At Orange, we supported the move to the cloud by integrating cybersecurity from the outset.”
The drive to prepare for a new generation of threats
Attackers are often the first to benefit from technological advances, and artificial intelligence is a perfect example of this: “Certain threats take the form of informational attacks: for example, Russian entities that create fake news websites to poison LLMs. Then we also have the phenomenon of LLMs that adjust content to suit users’ political leanings.” These new threats affect companies as well as individuals. Once again, the attackers are unfortunately one step ahead, and the priority should be not to fall too far behind. In this context, the protection provided by risk analyses and audits assumes its full importance. Analyses, which are conducted at the outset of projects, are the first step in the Security by Design process, while audits are implemented during final testing to ensure that processes are adequately protected. In the course of development, security is indissociably linked to quality: ensuring that mistakes are avoided inevitably benefits both operators and their customers.
A co-sponsor of the Orange Expert Security community, Jean-Marie Mélé explains that “the goal is to foster exchanges and to encourage the 110 experts in the forum to step forward and share their knowledge. Cybersecurity is not just a technical challenge; it is also a cultural and economic imperative.” He further points out that it plays a role in training future talents and raising awareness of cyber-issues among decision-makers. “Executive committees are mainly preoccupied with financial matters, so it is crucial to present technical risks in terms of their potential business impact,” he concludes.
Jean-Marie Mélé



