Can The EU Create It’s Own Cloud Platform?

The EU is forming an alternative to US and Chinese cloud platforms called Gaia X. This effort will fail on so many fronts

By Richard Stiennon

It reminds me of Australia’s National Broadband Network (NBN) which still struggles for viability after spending an estimated $51 billion.

This CRN article reports: “According to Germany’s Federal Ministry for Economic Affairs and Energy, the Gaia-X cloud computing platform is expected to be ready to launch in early 2021.”

That would be a remarkable time frame although admittedly you can assemble a couple of racks of bare metal servers and run virtualized services on them in short order. But can you create the equivalent of AWS? Never.

Just look at the relative size of the major cloud providers. The combined market cap of the four largest cloud companies, Amazon, Microsoft, Google, and Alibaba is $4.8 trillion (1.569+1.578+1.001+.685).

For comparison the GDP of the largest member of the EU, Germany, is $3.9 trillion. (I know, false equivalence, but I don’t know how to calculate a market cap for a country.)

Admittedly, Airbus, a similar venture partnership between government and industry, has succeeded in creating and supporting an aerospace industry in Europe.

It has not been a commercial success of course. One can make the argument that having a viable aerospace industry is critical to national security and therefore creating and operating a money losing business is still worth it. Can the same argument be made on the grounds of data privacy? I would argue no, especially when the real purpose is actually the opposite.

The era of digital mercantilism—or, as the East West Institute calls it, Tech Nationalism—was ushered in after Edward Snowden revealed the extent of the NSA’s digital tentacles as it reached into as many data sources as it could to “collect everything.”

The blowback was predictable and is destined to harm the US’ dominance of the technology sector. Also revealed by Snowden was the vast partnerships between the NSA, the rest of the Five Eyes, and Sweden, Germany, and others. They too were beneficiaries of the NSA’s systematic Hoovering of the world’s data.

The EU General Data Protection Act (GDPR) was crafted and enacted in the wake of Snowden’s revelations. But note the carve out in GDPR for law enforcement data records and government agencies. Let’s face it. Every intelligence agency wants to emulate the US and not be beholden to the NSA for favors in exchange for being able to tap into its data stores in Utah.

The three tech giants that own most of the cloud platform business in the US are rabidly competitive. Yes, we don’t know the full extent of their relationship with the Intelligence Community.

There is even a mechanism which, in the hands of an overly aggressive regime, could be abused: that of ‘national security letters’ whereby the subject of a demand for data cannot even reveal the existence of the letter. But their business would be drastically harmed if they were discovered to be providing backdoors to the FBI or NSA and they resist such efforts with lobbying and teams of lawyers.

Organizations in the EU should be as leery of working with the US cloud providers as they would be with Chinese cloud providers. But there is an argument to be made against having a domestic cloud platform.

Your own government, which has much more interest in your data than a foreign government does, could have unfettered access to your data. From a privacy perspective the people with the power to abuse your private data are your own government, not China.

The answer is not to trust any cloud provider. This is what the term “zero-trust” meant originally. You encrypt all of your data before it goes to the cloud and you protect the encryption keys with multiple layers of defense.

Do the job right and you will know when a government agency wants your data. They will demand the keys or, if it is a foreign agency, they will attempt to steal your keys.

Source: Forbes

Industrial VPN Flaws Could Let Attackers Target Critical Infrastructures

Safe handling of digital identities: 5 key questions.

Privacy By Design: Responding To The EU-US Privacy Shield Ruling