Originally published at: https://nextcloud.com/blog/why-aws-is-an-obstacle-to-true-digital-sovereignty/
Manifesting in the launch of a “sovereign” European cloud powered by AWS, the global expansion of Amazon risks locking the public sector out of the opportunity to create open, interoperable and internally controlled infrastructure.
Dependency on proprietary hyperscalers like Amazon will strangle local technology, end up controlling and rerouting public spending, and make the state and society vulnerable to blackmail.
Sovereignty is the absence of strong dependencies on third parties. The Sovereign Cloud from AWS is a misnomer here.
Frank Karlitschek, CEO and founder of Nextcloud, in his comment to FAZ.net.
A viable strategy to build a naturally sovereign European cloud already exists and should be put into action. It is entirely possible to build local, open-source ecosystems offering government and citizens direct control over data access and security, unmoderated by foreign big tech monopolists.
Issues with growing reliance on Amazon services
Due to Amazon’s monopoly-like role in the global cloud market, the employment of AWS cloud locks the government administrations and the European public sector in general within an externally controlled proprietary framework:
- When administrations commit to AWS cloud and the technology behind them, controlled exclusively by Amazon, it would limit the interoperability with the broader ecosystem and consequently lead to further expansion of the technological monopoly.
- A massive technological dependency would also mean continuous flow of substantial financial resources to Amazon and providers developing exclusively on its standards, making investments in European cloud offerings unattractive and permanently entrenching the monopoly positions.
- As the code isn’t available for public review, there is no guarantee against back doors present in the code or introduced anew via software updates and fixes.
- The withholding of security patches, late application of security improvements for known issues (or absence of such) or sharing information about known, unfixed problems with a third party could compromise the security of the platform. Recent incidents around the Pegasus spyware have shown the risks of unknown and know open security issues and how these can be and are abused at industrial scale by state and non-state actors.
- With Amazon being the single provider behind the ecosystem, the unilateral termination of the contractual relationships could jeopardize the provision of public services.
As a final result, the state actors critically dependent on Amazon products would be forced to:
- Pay almost any price called for.
- In the future, forego concessions originally made with regard to data security and independence from U.S. authorities.
- To accept non-open, proprietary standards set by Amazon, to which other (EU) states and large parts of the economy might have to realign themselves.
Strategic use of open source software as an alternative
The key alternative to the use of Amazon-controlled cloud infrastructure in public administration is the strategic use of open source software. This includes the adoption and further development of open source solutions that already exist and have been tried and tested by millions of users across all sectors of economy and government.
Open source technologies have become so successful because they were able to adapt very quickly to new requirements by a huge developer community. Only in this way could the high pace of innovation of digitization be realized at all. In fact, the large, market-dominating cloud providers such as Google, Facebook and Amazon, have relied almost exclusively on open source software, adapting them to their needs and building their own proprietary offerings on it. It is no exaggeration to say that the entire internet is built upon an infrastructure of open source technologies.
Benefits open source brings, like the excellent usability and functionality, ability to control data access and security provisions, interoperability and complete customization freedom can thus meet the key needs that exist in administrations and industry worldwide.
Open source software is continuously developed by international communities. These usually consist of employees of companies and other organizations that use this software industrially. Conceptually, the state can build up sufficient competence in institutions such as the planned Center for Digital Sovereignty to participate in corresponding communities so that it can competently manage corresponding service providers.
According to studies, investments in the development of OSS bring an impressive 4x return on investment for the European GDP. With targeted investments, a successful strategy to create an equal-opportunity supplier market for European IT and digital ecosystems and platforms is fully conceivable.
How to achieve the real digital sovereignty for the European public sector
As a part of a strategy against escalating dependence of public administration and the industry on the proprietary, foreign cloud technology, the government should implement the following:
- Deploy only fully open source-based offerings for implementing and handling key tasks of a sovereign state and enforce the same for in the private sector for mission-critical industrial applications.
- Invest in open source cloud application and infrastructure. These alternatives to the hyperscaler tech have a great potential to leapfrog even the hyperscalers in innovation. They should become the basis of a sustainable European digital economy.
- The open source ecosystem must be initially strengthened with targeted government mandates in order to activate private-sector investments and the involvement of the local providers. Every investment in open source is immediately available to the general public and thus also directly benefits the economy and civil society.
- Cooperation with Amazon (or any proprietary offering) to build a “sovereign” cloud runs counter to these goals. Unilateral dependency threatens to make the state and society highly susceptible to malicious foreign actors, and limit strategic autonomy.
- Do not wait. Digital dependency already starts with the IT infrastructure. A later change of the cloud platform entails high costs and efforts that are insurmountable for many organizations. The state must set the course for a sovereign and open cloud today.
It is positive to see the American Big Tech firms realizing they have to take the Digital Sovereignty of Europe more serious, and to see them look for ways around the US CLOUD ACT. That an EU datacenter does not block foreign entities from accessing EU citizen data is clear, and neither do company policies.
The effectiveness of Amazon’s approach, which to us just seems a slight variation on earlier, unsuccessful attempts, will end up having to be tested in US courts — likely in secrecy under a gag order, so we won’t even know if it made a difference. Even if it does work, it does little to resolve the dependency problem which is at the core of the Digital Sovereignty challenge.
As we now see with various sanctions, foreign companies can be forced to stop services or sales to Europe, limiting the EU’s ability to make its own, sovereign decisions. A real Digitally Sovereign solution would need a fully open source based platform which is fundamentally not under control of a foreign state. Without the ability for European countries to run, maintain and improve a platform, independence just can’t be guaranteed.
We outlined the direction the governments should take, and look forward to constrictive input and a chance to contribute to the implementation of a strong, European Digital Economy.