As an independent Swiss cloud operator and whistle-blower in the “Public Clouds Confederation” affair, we are often faced with concerns linked to the confidentiality, security and sovereignty of data. In order to provide objective answers, we met Solange Ghernaouti, Prof. Dr. and international expert in cybersecurity at the University of Lausanne, Director of the Swiss Cybersecurity Advisory & Research Group, Chairwoman of the SGH Foundation – cyberspace research institute and member of the Swiss Academy of Engineering Sciences, to ask her the questions we regularly receive via our support service and our social media.

Data sovereignty and the monopoly of the web giants are increasingly publicised. What is behind this growing interest in these relatively technical questions?

In Switzerland, I believe that this renewed interest has been stoked by the Confederation’s decision in spring 2021 to choose five non-European service providers for its “Public Clouds Confederation”. As indicated in the communiqué from the Federal Chancellery dated 10 November 2021 “The contract has been awarded to four American companies – Amazon Web Services EMEA Sàrl, IBM Suisse SA, Microsoft Suisse Sàrl and Oracle Software (Suisse) Sàrl – and to the Chinese company Alibaba.com (Europe) Limited” [1].

Furthermore, these same multinationals are regularly in the headlines following cybersecurity incidents that they have caused or of which they are sometimes also the victims. This leads to cyber attacks affecting all their customers, including public authorities. To cite only a few examples, there were the flaws in the Microsoft products [2] or the Log4Shell security issue [3]. Exploitation of this flaw primarily facilitates ransomware attacks. “Numerous companies have nevertheless reacted publicly, such as Amazon Web Services, Google Cloud or IBM, recognising that certain services they provide their users are concerned by this vulnerability, guaranteeing that they will make every effort to implement a corrective patch as quickly as possible.” [4]

It is also impossible to ignore the fines issued by the European Union or certain European countries against the tech giants (Google, Facebook, Amazon, etc.) [5], which should encourage us to question their practices in light of the need to protect our data.

It is true that the reality of incidents linked to design, management or usage faults and flaws in the security of digital environments means that it has become impossible for either the general public or our political and economic leaders to ignore the negative consequences that digital technology can cause if the risks are not firmly under control.

I also think that collectively speaking, we have acquired a certain digital maturity and now understand that the digital transformation of society is not only a technical matter, as we explored with the philosopher René Berger in our 2011 work “Technocivilisation, pour une philosophie du numérique”. [6]

The political, economic, social and legal dimensions of digital transition are important. We now know that digital technologies substantially modify our behaviour, our habits, our means of communicating, working, learning or entertaining ourselves. This affects our relationship with the world and with others at both a local and international level. All of our possibilities for “making society” are concerned by digital technology.

What are the issues of digital sovereignty?

For a country, using digital infrastructures based on foreign cloud platforms casts doubt over its ability to ensure its digital sovereignty and its independence vis-à-vis actors and the states they come from. Being controlled by operators from a superpower, the lack of control over digital infrastructures essential to the correct running of a country, to its stability and to its economy leads to dependence and, de facto, the loss of control of your own digital territories.

The power asymmetry between the actors providing cloud services and those using them is such that the weaker party is subject to the rules imposed by the stronger party. This could be deemed digital supervision. This situation facilitates not only economic intelligence actions but also digital espionage and surveillance. This weakens the actions of a country in the economic, political, diplomatic, military and cultural spheres, while simultaneously increasing the power of the dominant players. The latter “feed off” the digital activities of their customers. They know how to exploit data and metadata capture, authorised by the way digital technology works and the contractual framework whereby users must accept the general terms and conditions of use of their services. Their development, their power and their financial capacities demonstrate that the web giants have understood how to take advantage of their business models, based on the exploitation of data to obtain competitive advantages and assume a hegemonic position and enjoy constant growth with a view to expanding their offer of services (including those based on artificial intelligence).

It is therefore perhaps time to escape the spiral of “I continue to give power to the hegemonic operators because I have been persuaded that I couldn’t do without them. I entrust my data to them without any guarantee that they are not being hacked or used without my knowledge for other purposes. I consume more of their services and I am increasingly dependent on them.”

It is a vicious circle that we must break in order to develop the economy and local know-how, to develop new practices and adopt responsible digital habits.

Is it a problem to choose companies such as Microsoft, Google or Amazon AWS which are globally recognised?

It is not the fact that they are well-known worldwide that is the biggest problem, but the fact that they are hegemonic, non-European operators [7]. Digital multinationals boast a unique scale and a monopolistic position. They are in a position to exert pressure on prices on a market they control and to implement sponsoring or cut prices to win tenders, only to increase them again after creating customer loyalty, as is the case, for example, with the Microsoft Office 365 software used by the majority of the public sector and companies [8]. They are also capable of offering an extended range of services and offers integrated into closed ecosystems, representing yet another argument of persuasion.

All this leads you to think that cloud offers appear highly competitive. However, there are often hidden indirect costs. In particular, this concerns costs for migration or for additional security services which subsequently prove essential but are neither announced nor included in the initial offer, and which swell your bill considerably in the long term.

Once you are a captive of a cloud solution, the dependence can create continuity problems and generate costs, as the suppliers can change the conditions of use and increase their prices at will. How can you be sure of the stability of the environment and of the availability and treatment of data in the long term? Backtracking or migrating to other platforms is generally difficult or even impossible. The cloud choices are actually irreversible, as backtracking would be too costly or technically too difficult. De facto, this dissuades or prevents customers from switching to competitors. It is often impossible, or possible at an exorbitant additional cost, to know what happens to data and processing operations entrusted to a platform. When it is almost impossible to perform independent controls and audits, how can you trust the integrity and confidentiality of the data and processing operations?

The tech giants build data centers in Switzerland and Europe. Is this enough to guarantee that companies and public institutions maintain control of their data?

The critical problem is the legal dimension of the foreign countries in which these multinationals are based. This is particularly the case with the existence of extra-territorial laws authorising their authorities to access data captured anywhere in the world, including on servers located in Switzerland. The nationality of the service provider and software developer processing the data is even more important than the geographical location of the servers. The tempting argument of justifying security by the fact that the servers are located in Switzerland is often used for marketing and publicity purposes. It creates an unfounded feeling of security. Extra-territorial laws such as the American Foreign Intelligence Surveillance Act (FISA) (1978), PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) (2001) and Cloud Act (2018) apply to software providers (Microsoft, Amazon, Oracle, Google, etc.) which store and process data hosted in Switzerland. Being a Swiss or European partner or intermediary of American or Chinese platforms is thus not sufficient to ensure cyber-sovereignty.

In Europe, the Gaia-X project [9] brings together international actors from different companies in the field, research institutions, associations, public administrations and the political sphere to define and implement a global digital infrastructure (a cloud of interconnected clouds in accordance with the standards defined by the consortium (Gaia-X standard)) compatible with the notion of European sovereignty. This project raises numerous challenges; it is progressing but remains critical. The pressure exerted by the Chinese and American hyperscalers (Huawei, Alibaba, Amazon and Microsoft) on the decisions of the Board of Directors is a matter for concern. Scaleway, one of the 22 founding members of the project, therefore announced its withdrawal from the project in November 2021.

“A structural imbalance (…) has formed within the working groups of GAIA-X. The risk now is that certain orientations serve the interests of actors that are already dominant instead of reflecting the needs, expectations and challenges of the different European technology providers. We observe that the same causes reproduce the same effects in several similar organisations. The interests of the major players are regularly protected to the detriment of less important organisations whose innovative yet alternative orientations are often marginalised.” Yann Lechelle, CEO of Scaleway [10]

Let’s talk about “Cloud confidence” labels [11]. They do not provide such a strong guarantee of digital sovereignty if they apply to foreign providers. Complying with a label is not the same as enjoying complete control over the infrastructure. Even if data is encrypted, the label does not protect against the decryption capabilities of those who control the infrastructures and the state authorities under whose auspices they fall. The legal risk, like the technological risk, is therefore not under control.

References to labels or certifications do not guarantee either the quality of the digital responsibility of the entities promoting them or the real level of security and confidence of the products benefiting from them. In this respect, the Ethos study conducted in January 2022 on the digital responsibility of tech companies listed on the stock exchange in Switzerland [12] is interesting insofar as it highlights the low level of transparency of these companies in terms of digital responsibility, a field which also concerns data protection. The pseudo-transparency of the certification and label allocation processes is a curb on the trust to be placed in the labels. Who defines the security standards with which the products must comply? Who certifies the independence and reliability of the actors that award labels? Who controls the controller? How much confidence can we have in the certifier and the controller? The problem of confidence is merely shifted, not resolved.

At best, a label can reassure, rather like an insurance policy that it is good to have but which does not prevent an incident from occurring and does not guarantee that such an incident will be covered under the specific inherent conditions and clauses.

Self-regulation is a common practice. In this domain as in others, it is not uncommon for the same actors to define the rules that best defend their interests, to approve them (with the blessing of certain members of the scientific and political community) and to promote them.

How can you explain that the Confederation and numerous public authorities in Europe opt for non-European cloud infrastructures?

These well-known hegemonic actors benefit from highly effective lobbying [13] and marketing.

For some, choosing their solutions is also a means of “covering themselves” in the event of a malfunction (“we opted for the most important actors”). How can we avoid giving in to the sirens of facility (“everyone chooses them”) and to an integrated offer that is, a priori, less expensive in the short term? Others might incorrectly believe that outsourcing their IT to the tech giants’ platforms (who are experts in the field), is the same as outsourcing their responsibilities.

There is also the question of the price, often unbeatable when the call for tenders is issued. Justifying the choice of a Chinese or American cloud by the price is nonsense. In the long term, the price of being subject to these actors and the dependence on proprietary (closed) solutions is that of no longer having any choice and of having to pay the prices imposed. When you are dependent, there is little room for bargaining.

What are the consequences of this? How can it be possible?

It is surprising that insufficient attention is paid to the economic and political reality of these multinationals, whose aims are to generate income and exploit data. Is defending their interests compatible with defending the interests of Switzerland or Europe?

Do the policy-makers and public authorities really take account of the geopolitical, economic and social implications (present and future) before making restrictive, even irreversible, digital choices?

Perhaps certain decision-makers might not understand the strategic importance of digital sovereignty? Maybe they have not yet understood that digital technology destabilises the prerogatives of a state and competes with its public authority?

Perhaps they are not sufficiently aware of their responsibilities or have not sufficiently understood that their role is also to set an example for companies by choosing actors and solutions compatible with Swiss and European interests?

Fortunately, numerous parliamentary initiatives prove the contrary and illustrate a growing awareness. The Swiss Parliament, for example, would appear to be increasingly concerned by these questions of sovereignty and cybersecurity [14]. Let us hope that the solutions provided will deliver with regard to the issues and challenges facing Switzerland.

For a country, choosing foreign actors to ensure the availability of its digital infrastructure is the same as strengthening its own cyber-inferiority while consolidating the cyber-supremacy of the multinationals supplying the tech solutions, whose quality labour force is provided by our education system. Resorting to local infrastructures and software operated by Swiss or European service providers also means benefiting from training financed by public funds while developing, retaining and promoting know-how and competences in Switzerland and Europe. This contributes to protecting jobs and ensuring employability while avoiding the brain drain. Furthermore, these multinationals very often benefit both directly and indirectly from public financial support and advantageous taxation.

What action should be taken to benefit local firms and citizens?

If the decision is taken in Switzerland and Europe to call on local software and cloud services that are independent of the tech giants, it would be necessary to choose actors who work towards these goals. Those actors who have incorporated the desire to develop reliable alternatives into their business strategy. If we want to ensure they earn a living and continue to develop, we have to give them work and, if possible, opt for some or all of their solutions.

If a public tender is issued and it automatically excludes local actors, obviously the only options that remain are the turnkey solutions of the tech giants, which are attractive because they are available immediately, user-friendly and promoted by the international lobbying and marketing mechanism.

It is crucial that calls for tender, in particular those issued by governments and public institutions, are coherent from the standpoint of sovereignty and that the expression of needs is fair.

When the calls for tender are established, it is therefore important not to set conditions that only the American or Chinese multinationals are capable of meeting (or to limit this scope to specific, justified elements). It is necessary to guarantee a sense of proportion between the requirements set and the real needs to be covered, but this means clearly defining those needs. In the case of the “Public Clouds Confederation” in Switzerland and Gaia-X, was this what was done? Who approved it?

A clear, fully assumed political will to develop and support cyber-sovereignty is required. It is particularly important for the public sector to set the example by avoiding calling on the tech giants, in particular in the fields of health, education and defence for example.

Furthermore, the public sector can support initiatives intended for the private sector and private individuals with a view to making them aware of the importance of digital sovereignty and to promote local and European alternatives. Public-private partnerships (PPP) may prove beneficial, on condition that the positive impacts are distributed equitably between the private and public sectors. In this type of collaboration, it is indeed not uncommon for the public sector to take all the risks while the private sector enjoys all the benefits.

Public funding, in particular in the fields of education, research and local economic development (for example funding for start-ups) should also be primarily and explicitly reserved for those operators committed to developing the country’s digital sovereignty. There should be incentives and effective controls to ensure that public money is being put to good use. If this is not the case, quid pro quos could exist, for example the restitution of public money if a start-up is taken over by a non-European multinational or if their promotion and profitability is largely guaranteed.

A political effort is absolutely necessary as only a strong political decision will make it possible to work together with all the actors concerned to create a local, sovereign ecosystem with all the stakeholders in the economy.

With regard to the cloud, an approach based on security and sovereignty should guide investment, not economics. With good investments, the companies and talents available in Switzerland and Europe would be fully capable of developing competitive and reliable IT solutions in a short space of time. The desire to bring all the actors involved together around a common roadmap and to support the local digital ecosystem is a political and strategic decision.

Today, technological sovereignty conditions all other forms of sovereignty. If the government is not in a position to control its own digital sovereignty and that of its data, how can a regular citizen manage?

Finally, we should also address the question of human rights, which is at the heart of digital development and artificial intelligence concerns (right to privacy, to data protection, to digital integrity, to e-reputation, to digital access, to disconnection, not to be under computerised surveillance, etc.). Sovereignty is also the ability to ensure compliance with laws in a given space. Only digital sovereignty can contribute to defining laws and ensuring they are respected in the digital sphere.

References

[1] https://www.bk.admin.ch/bk/fr/home/documentation/communiques.msg-id-85828.html

[2] Information available, among other places, on the website of the National Cyber Security Centre (NCSC) on the “Vulnerability in Exchange servers” https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/exchange-server.html

[3] In December 2021, the publisher Apache reported a security flaw concerning the log file component Log4J (largely used by numerous applications written in Java/J2EE), which allows a hacker to take remote control of systems.

[4] https://www.lemonde.fr/pixels/article/2021/12/14/la-faille-log4shell-laisse-entrevoir-quelques-semaines-agitees-previennent-les-experts-en-securite-informatique_6106028_4408996.html

[5] Cf. website of the French Commission nationale de l’informatique et des libertés (CNIL).

[6] René Berger, Solange Ghernaouti “Technocivilisation, pour une philosophie du numérique”. Focus Science, Presses polytechniques et universitaires romandes (2011).

[7] In particular GAMAM (Google, Apple, Meta (Facebook), Amazon, Microsoft (USA)) and BATX (Baidu, Alibaba, Tencent, Xiaomi (China)).

[8] https://www.ictjournal.ch/news/2021-08-23/microsoft-va-augmenter-les-prix-doffice-365-pour-les-entreprises & https://www.lemondeinformatique.fr/actualites/lire-microsoft-prevoit-d-augmenter-discretement-le-prix-d-office-365-84269.html

[9] https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/home.html

[10] https://blog.scaleway.com/fr/une-veritable-offre-multi-cloud-en-reponse-aux-promesses-non-tenues/

[11] SecNumCloud referential of the ANSSI (national IT systems security agency) and ESCloud label, for example. https://www.ssi.gouv.fr/actualite/secnumcloud-evolue-et-passe-a-lheure-du-rgpd/ & https://www.ssi.gouv.fr/actualite/escloud-un-label-franco-allemand-pour-les-services-informatique-en-nuage-de-confiance/

[12] https://ethosfund.ch/en/news/ethos-publishes-its-first-study-on-the-digital-responsibility-of-swiss-companies

[13] Report entitled “The lobby network: big tech’s web of influence in the EU”, Corporate Europe Observatory and LobbyControl e.V., Brussels and Cologne (August 2021). https://corporateeurope.org/sites/default/files/2021-08/The%20lobby%20network%20-%20Big%20Tech%27s%20web%20of%20influence%20in%20the%20EU.pdf

How big tech spends millions on lobbying to influence Brussels, 31/08/2021. https://www.france24.com/fr/éco-tech/20210831-comment-les-gafam-dépensent-des-millions-en-lobbying-pour-influencer-bruxelles

Generally speaking, observing the logos of sponsors of events, meetings, conferences, publications, etc. gives an idea of the beneficiaries of the interests being defended. How can you not call yourself into question, as the review Usine Digitale did in an article on 2 December 2021, entitled “Alibaba, IOC sponsor for the 2024 Olympic Games, gives rise to concerns about data protection”? https://www.usine-digitale.fr/article/alibaba-sponsor-du-cio-pour-les-jo-2024-suscite-des-inquietudes-sur-la-protection-des-donnees.N1165642

[14] To cite just a few examples: