Destabilization of democracies, cyber-attacks on our companies, exploitation of sensitive personal data and, at the extreme end of the spectrum, war in cyberspace: the digital environment is undergoing a revolution.
At the same time, the digital transformation of organizations is gathering pace, against a backdrop of physical distancing amplified by the Covid health crisis. While examples show that the political will at national level is not yet there, concrete, hopeful European projects are just waiting to be encouraged.
European digital sovereignty can only be achieved through strong political will, which is the only possible response to the exponential growth in multi-faceted cyber threats.
Does France's and Europe's desire for digital sovereignty actually exist?
- The Health Data Hub (HDH), currently being deployed, is a sign of France's current lack of political will when it comes to digital sovereignty.
The HDH is a one-stop shop for access to all healthcare data, enabling the development of artificial intelligence applied to healthcare. These data are those of all French citizens and concern all computerized systems: hospitals, pharmacies, shared medical records and research data from various registries. The amount of data hosted is set to explode, particularly with the emergence of genomics, imaging and connected objects. All this data is stored on Microsoft Azure, the cloud platform of American giant Microsoft.
This "public interest" research project, a legally vague concept, opens up our health data, and the financial power it represents, to GAFAM, artificial intelligence start-ups and insurers.
This privatization of healthcare is perceived as dangerous by many players, including the director of Paris hospitals, the Conseil National des Barreaux, software publishers, the Conseil National de l'Ordre des Médecins, the Commission Nationale Informatique et Libertés (CNIL), and the director general of ANSSI (1).
Unlike the Ministry of the Interior in 2015, in its fight against terrorism, the Paris hospitals turned down the offer from Palantir, a company subject to the Cloud Act and working for the NSA, FBI and CIA, to participate in the development of "digital tools for monitoring the Covid-19 epidemic".
Despite all this, a decree published on April 21, 2020, which was the subject of a référé-Liberté before the Conseil d'État, obliges hospitals to intensify the sending of our data to HDH-Microsoft, testifying to a new fundamental contradiction, "between the logic of unconditional care specific to the public sector and the Hippocratic oath, and the demands for efficiency and profitability now being denounced by medical and hospital staff through their strike action and their reaction to the Covid-19 crisis".
The Cloud Act, adopted in 2018, allows American justice to access data stored in third countries. This text is contrary to the General Data Protection Regulation (GDPR), which is supposed to protect European citizens. Whether through political will or a computer attack, patients are exposed to the risk of a breach of medical confidentiality. What would be the impact of a massive health data leak?
- At the other end of the European spectrum, there are some encouraging European initiatives
GAIA-X, a Franco-German project presented at the Digital Summit in October 2019, sets out a European framework for the "sharing and circulation of data corresponding to Europe's values". Gaia-X (whose name is provisional) has three main objectives:
- Lay the technical and economic foundations for a sovereign infrastructure;
- Create a shared ecosystem of users and providers from public administration, healthcare, business and scientific institutions;
- Create an enabling environment and support structures.
It aims for a digital economy for all, widespread adoption by SMEs, added value for individuals, states, trade unions and the economy, control of data and services through technological independence, self-determination in sharing data in an open, fair, diverse and democratic way.
The Franco-German position was published on February 18, 2020 in a paper bringing together the common positions in the following terms:
"We, representatives of industries, cloud service providers (CSPs) and cloud service customers (CSCs), from France and Germany and their respective governments, support GAIA-X in its aim to facilitate the creation of European data and AI (artificial intelligence)-focused ecosystems, in order to guarantee data sovereignty and ensure that value creation remains with the individual participants. We agree that these ecosystems
- In line with the European Data Space promoted by the European Commission
- The initial focus will be on a number of sectors, including mobility, finance, health, housing, environment-climate-agriculture, public services, industry 4.0 and others. [...] Other European member states will be invited to join our efforts, paving the way for the establishment of best practices worldwide."
The European Community will invest €600 million from 2021. GAIA-X will be supported by European policies and regulations such as:
- the aforementioned April 2018 GDPR, applicable since May 25, 2018;
- the "Electronic IDentification Authentication and trust Services" (eIDAS) regulation of July 2014, which is an EU regulation on electronic identification and trust services for electronic transactions within the European Union already implemented in Estonia, based on open technologies,
- SWIPO, which facilitates the change of supplier and the transfer of data between computer systems,
- the free circulation of data,
- the European Cybersecurity Act, adopted by the European Parliament on March 12, 2019 and then by the Council of the European Union on June 7, which marks a major step forward for European strategic autonomy, with a dual objective: the adoption of a permanent mandate for ENISA (2), the European cybersecurity agency, and the definition of a European cybersecurity certification framework, essential for strengthening the security of Europe's digital single market.
Technically, GAIA-X is an open, standards-based architecture.
The German government describes Gaia-X as "a networked data infrastructure, the cradle of a vital European ecosystem". Legally, it will take the form of "a company incorporated under Belgian law, and will operate as a non-profit association".
Admittedly, some Cloud analysts and influencers, perhaps relaying GAFAM influence in France, believe that the Public Cloud war is behind us. Louis Naugès, for example, writes in a very pertinent article: "As the graph above clearly shows, these three industrial players in the Public Cloud are each investing between $10 and $20 billion a year in their infrastructures. The die is cast: all the other major incumbent suppliers - IBM, HP, Oracle, Dell, etc. - have lost this cloud infrastructure battle once and for all."
As an analyst, he remains strictly focused on economic, financial and industrial issues, leaving aside the question of sovereign policy, which should be central to this field.
On a more strategic level, ANSSI is currently working with ENISA to draw up the cyber priorities for the "Horizon Europe" program, which follows on from the "Horizon H2020" program. Within the "Security" program, cyber will be allocated €1.7 billion over the period 2021 - 2027. The main areas of focus are: the resilience of connected infrastructures; the security of hardware, software and the supply chain; disruptive technologies (post-quantum crypto transition and Artificial Intelligence); dynamic cybersecurity assessment for product certification; and, finally, the protection of privacy through ergonomic tools that enable us to scale up. The first calls for tender are scheduled for March 2021.
Last but not least, ENISA has already made good progress on the European "Common Criteria" certification schemes for cyber products, and is committed to cloud computing.
In September 2020, European Commissioner Thierry Breton set out the European Commission's ambitions: "Digital Decade", that's our label... a minimum of 20% of funds must be programmed for the digital transition and establish what Mrs Merkel, who has taken over the rotating presidency of the Union, described as "Europe's digital sovereignty".
The question of national and European political will
- Is the war for the public cloud and our sovereign, sensitive data really lost?
History sheds some light on the subject: why, if not out of a desire for sovereignty, did we, in the 1960s, engage in the kind of industrial cooperation in space and aeronautics that we know today, such as Airbus and Ariane, when commercial alternatives existed on the other side of the Atlantic? Why did we embark on a civil nuclear power program?
Why did Communist China, still in the throes of the "Cultural Revolution" in the 70s, embark on a reconquest program in the 90s that has made it a world economic power today, with digital technology at the forefront?
It's all a question of political will! When European countries, starting with France, believe that their citizens' sensitive data is a strategic asset with real political value, and not just a commodity, then they will have the means to control it, whatever the cost.
In addition to the issue of data industrial policy, it will then be necessary, in the spirit of the GDPR, to severely regulate and toughen penalties for the leakage of sensitive personal data to a non-European Cloud. Counterfeiting currency is a crime against the state and punishable by imprisonment. Similarly, the commercial exploitation of sovereign, sensitive and personal data must, in future, be considered a crime.
Beyond the speeches and martial professions of faith, what are France's quantifiable actions? Reproducing the errors of its management of the steel industry in the 1970s, France has found €10 billion to support the aeronautics industry and €4 billion for the automotive industry, both of which have no future because of the major environmental and climate crisis looming on the horizon. At the same time, it is pledging its allegiance to GAFAM for its citizens' personal and sensitive data. Does Europe have the political will to achieve sovereignty in practice? The GAIA-X project is a start, but too timid. Will Europe invest the €20 billion a year needed to build the trusted European Cloud that is strategic for our future?
(1) ANSSI: French National Agency for Information Systems Security www.ssi.gouv.fr
(2) ENISA (European Network and Information Security Agency): European Union agency responsible for network and information security www.enisa.europa.eu
Article published in Lettre Eurodéfense N°70-October 2020