For several years now, major American cloud providers have multiplied their announcements, initiatives, and offerings presented as sovereign. Oracle EU Sovereign Cloud has been operational since June 2023, and in October of the same year, the outlines of the Amazon Web Services (AWS) European Sovereign Cloud were delineated. In 2022, Microsoft introduced its Cloud for Sovereignty, while Google had revealed its plan “Cloud. On Europe’s Terms” the previous year. The four largest cloud providers globally, all American, aspire to host the most sensitive data of French and European public services and companies. However, the conquest of this market by external actors to the Old Continent is not without controversy.
“Trusted cloud or sovereign cloud? Marketing above all”
The emulation of sovereign offers has caused some commotion in France. The use of the term sovereignty by non-European companies, in this case, Americans, has been widely debated. “All the denominations of sovereign cloud from Microsoft, AWS… are purely marketing, as they have nothing to do with the notion of sovereignty,” says Henri d’Agrain, general delegate of Cigref, an association that aims to develop the digital field and its control in large companies and public services. He is not the only one to express this opinion. Naturally, the cloud providers in question, when contacted by various media, defend themselves.
A problem arises immediately when trying to untangle what is sovereign and what is not: the very definition of this notion. A problem that is complicated by the popularity of the variant “digital sovereignty.” “Digital sovereignty is a popular formula among the media because it is easy to use. However, a bit of everything and nothing is put into it,” points out Ophélie Coelho, an independent researcher in the geopolitics of the digital field. Journalists are not the only ones who appreciate it; politicians also do: the new Secretary of State for Digitalization, Marina Ferrari, has mentioned it several times in her inauguration speech.
Given the vagueness of the notion, it is recommended to return to the original definition of sovereignty. The National Center of Textual and Lexical Resources describes it as the “quality of the State possessing supreme power, which implies the exclusivity of competence in the national territory and, at the international level, independence from foreign powers.” A good foundation but one that does not manage to reach a consensus.
“Challenges and concerns”
Damien Rilliard, director at Oracle EMEA responsible for sovereignty issues, comments that “the word sovereignty is a very precise term, which has as many definitions as people asked” and adds that “this is even truer depending on the country in which it is used.” It is impossible to reach an agreement if no one is talking about the same thing. However, the challenge is crucial. In the annual barometer of the Information Security and Digitalization Experts Club (CESIN), of 450 cybersecurityCybersecurity solutions are essential in today’s era where… managers, 55% consider sovereignty a concern for their companies.
To clarify the situation, Economy Minister Bruno Le Maire presented the government’s cloud strategy in 2021. A seal, “trusted cloud,” was created to certify the sovereignty of a service. This is based on the SecNumCloud 3.2 reference from the National Agency for the Security of Information Systems (ANSSI). The latter, which contains around 270 criteria, aims to certify, among other things, that the cloud is out of reach of extraterritorial legislations. In the United States, laws that generate fear are the Clarifying Lawful Overseas Use of Data Act, better known as the CLOUD Act, and section 702 of the Foreign Intelligence Surveillance Act (FISA). According to Henri d’Agrain, this solution is adequate for the concerns of affected companies and administrations: “SecNumCloud is a sovereignty tool. In this respect, a cloud service qualified as SecNumCloud meets sovereignty criteria.”
“Perspectives of cloud providers”
Oracle and AWS dedicated services currently do not aim to obtain the SecNumCloud qualification. Although this perspective is not entirely excluded, it is not a priority. Both groups believe they provide better clouds while still meeting the sovereignty requirement.
For Oracle, Damien Rilliard highlights that two cloud regions already active in Europe were built from scratch with this goal in mind. “They are operated by Europeans, deployed by Europeans, supported by Europeans, secured by Europeans, and belong to legal authorities subject to Europeans,” he states. He advances that these regions are “completely, physically, logically, and organizationally separate, isolated from the rest of our clouds.”
On the other hand, Amazon, for its future offering, mainly emphasizes its Nitro encryption tool. “The idea behind Nitro is that if a judge, an administration, regardless of their country of origin, asks us for data, the only answer we always have is that we are unable to provide it in plaintext.” Only the AWS customer has access to their data, so it is up to them to decide whether to respond to US extraterritorial orders or not, says Stephan Hadinger, AWS France’s chief technology officer.
Both companies claim to have audited the robustness of their solutions with fully satisfactory results. However, some interlocutors express doubts. Nevertheless, SecNumCloud is mandatory for public services and highly recommended for companies handling sensitive or strategic data. For AWS and Oracle, this is not a problem; it would only be a matter of time, as both groups have the European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) in their sights. This European-scale cloud certification is under discussion and is intended to supplant the SecNumCloud.
“Strategies of Microsoft and Google”
In contrast to the European approach of AWS and Oracle, Microsoft and Google have opted for another path, specific to the French market. They have decided to form partnerships with French companies to enable the obtaining of the SecNumCloud qualification at the launch of services, scheduled for late 2024.
Microsoft is a technical partner of a company called Bleu, a result of an alliance between Orange and CapGemini. “We wanted to be radical regarding SecNumCloud by not including non-European actors in the capital,” explains Jean Coumaros, CEO of Bleu.
Google, on the other hand, created a joint venture with Thales to give rise to S3NS. “The demand of SecNumCloud sets at 24% the participation of a non-European actor, we are well below that,” informs Cyprien Falque, CEO of S3NS. He specifies that “Google has an observer position: without any voting rights, without the right to veto, and all employees are employees of Thales.” Interestingly, neither Bleu nor S3NS mention the notion of sovereignty in their recent communication. “Anyone can claim to be a sovereign cloud since there is no precise definition,” points out Jean Coumaros. Cyprien Falque agrees: “We avoid talking about a sovereign cloud, as it is a distorted term. We prefer to approach something objective, which does not generate debate like the trusted cloud.”
“Strategic autonomy: a French quest”
The path taken by Google and Microsoft is seen as a satisfactory compromise by some: “In theory, S3NS and Bleu should offer solutions conforming to the SecNumCloud version 3.2 reference. This gives a reasonable level of confidence against FISA or the CLOUD Act,” considers Henri d’Agrain of Cigref. This also responds to the expressed desire by Bruno Le Maire during the presentation of the trusted cloud in 2021. His strategy aimed to strike a balance to harness the “best technologies” while ensuring “maximum protection.”
The argument does not convince everyone. The prospect of a certification for S3NS and Bleu would be a “major discrediting of the standard,” judges Bertrand Leblanc-Barbedienne, from the media SouveraineTech. The latter, working for a company active in the cloud, Whaller, argues: “It’s not about saying that there is no great American technological power; it’s about saying that in the medium or long term, we have the ability to reach that level, provided we free ourselves from the soft power that has contaminated us and distorts our vision.”
This reasoning is also reflected in the analysis of Ophélie Coelho, author of a book on the geopolitics of the digital field. According to her, SecNumCloud does not address the problem correctly, although the intention is good. The idea of preventing the United States, China, or another state with technical capabilities from accessing European data for economic espionage is an illusion. An opinion widely shared by several interlocutors. Thus, “the real question is how to produce and control technology, rather than seeking strategies to control technologies that do not belong to us.”
This perspective aligns with the direction that the notion of digital sovereignty has taken in France since its first use in 2011, in an article signed by Pierre Bellanger, CEO of Skyrock Radio. Théodore Christakis, a digital law professor at the University of Grenoble, distinguishes “two meanings of the term”: a classic one, regulation, and another that is “sovereignty as strategic autonomy and the ability to act in the digital field without being limited by external dependencies.”
Strategic autonomy has been central in France for decades, and now it applies to the cloud. Even local offers, certified, use non-European software, hardware, or capital, remind American cloud providers. The issue does not seem to be about closing off services or technologies from the United States; no one contemplates or desires it. Rather, it is about the acceptable level of dependence for managing sensitive data.
It is a distinctly political issue. The current government has prescribed its response in France and now seeks to integrate it at the European level through the EUCS.
Source: Siecle Digital