France abandoned the sovereign cloud without discussion and without real opposition. French defense firm Thalès has partnered with Google to develop a dedicated cloud service not only for private businesses but also for public organizations. However, last year, in the midst of the Covid crisis, the discovery that public health data had been entrusted to Microsoft sparked outrage. Then the country announced its desire to create a sovereign cloud that would ensure the safety of public data.
Indeed, last May the government produced a text that was significantly modified under the influence of lobbyists to make it “GAFAM compliant”. Exit the “Sovereign Cloud”, and make way for the “Cloud of Trust.” This clever change of name conceals a relinquishment of sovereignty in favor of GAFAM. The sovereign cloud, in other words the placing of public or private data on servers that are secure from any foreign interference thanks to the use of French or European technology, has been replaced by another concept, a “trust cloud” where the data is theoretically protected by a trust contract concluded with private companies that are free to associate with whomever they wish.
“We signed a contract under which the largest French companies would become sellers of American technology,” chokes Luc Dorseau, vice president of Hexatrust, an association of French players in cybersecurity. “Instead of developing sovereignty, there is an ecosystem to promote European technology, we literally bowed to American orders. After the submarine case, it’s boom boom!”
A new danger from industrial dependence
While Google and Thalès welcome the government’s “trusted cloud” label, not everyone is of the same opinion. “Promoting the use of ostensibly licensed software solutions appears to be a difficult choice in terms of industrial policy,” worried Yann Lechelle, CEO of Scaleway (cloud), as early as last May. “French players will find themselves confined to the role of distributors of European non-technology software. …the country appears to be giving up any ambition to develop a French cloud sector.” He adds: “Far from solving the problem of sovereignty, this solution exposes the French digital environment to new types of dependencies. The designation “cloud of trust” excludes from the scope of the offers a certain number of French players who nevertheless distinguish themselves by the doctrine of their sovereignty at the expense of large investments.”
The contract signed between Thalès and Google provides for the creation of a joint venture, in which Thalès will be the majority shareholder, to operate the servers using Google’s technology. “Shame,” Luc Dorseau continues. “French players in this sector have been forced to obtain ANSSI certification [Agence nationale de la sécurité des systèmes d’information, which evaluates and certifies equipment, editor’s note] while Google does not. This is not possible.”
On this point, the government defends itself by giving assurances that the two groups will have to provide a high level of security to be awarded the “cloud of trust” label. Bruno Le Maire and Cédric O welcomed this initiative, which allows companies and public organizations to access US cloud technologies while maintaining control over data, which will continue to be hosted in France. At least in theory. The Cloud Act, passed in 2018 in the US, already requires US suppliers to hand over on demand the data they store, even if that data is hosted outside the US. And these suppliers have no right to disclose that they have been the subject of requests, and even less to disclose what they have provided.
More seriously, this “cloud of trust” may contain major strategic flaws. Yann Lechelle explains that “the metadata that is intrinsic to foreign solutions will always allow US law enforcement. The source code will likely not be auditable and therefore will allow any backdoors [malicious computer program used to remotely access an infected computer by exploiting system vulnerabilities, editor’s note] or putting out sensitive information without it being easy to analyze outbound flows, thus completely obscuring from an Internet point of view.” to unpredictability.
Soon a ‘trusted cloud’ with Alibaba?
The first breach of technological sovereignty actually occurred in May with the advent of Bleu, the “trusted cloud” of Capgemini and Orange that brought Microsoft into public data management. AWS, a subsidiary of Amazon, is also in the works: “What can be developed,” confides Stefan Henger, Technical Director of AWS France, “is a technical licensing model. We grant a license to be operated by third parties. We have announced with Atos that we will deploy servers with our technology in the field. Military, for example.” It is clear that the three American giants have already succeeded in making their nest in the coveted position of the “Trust Cloud”.
In the future, “we can very well imagine that public data will be hosted in France, in a data farm built by American Equinix, on Intel servers, using Microsoft cloud technologies, Google AI, Google algorithms, and encryption software jointly developed between Thales and Google. The “Trusted Cloud” label would act as a fake nose for GAFAM and possibly the NSA.” Finally, it’s hard to see why the conditions for the “Trusted Cloud” seal wouldn’t apply to China’s Alibaba, which also has a full range of services. In short, like the snake in The Jungle Book: “Have confidence…”