Cloud adoption obscures the digital independence of states
Retaining critical data in cloud services creates risks to data availability and information security. Finnish society is increasingly dependent on data centres located in other parts of the world.
Over the past decade, cloud services have revolutionised the data processing of private companies and the public sector. Businesses have long been working in the cloud, and governments around the world are also abandoning on-premise data systems. Cloud adoption is also increasingly affecting critical government information systems.
Cloud services are popular because of their perceived cost benefits and ease of maintenance. Especially for small businesses, cloud services offer a wide range of cyber security benefits, as updates and maintenance for the software used in the cloud have already been taken care of.
However, using cloud services inevitably means that the data stored in them is no longer as strongly under the organisation’s own control as before. From the perspective of national security, it is important to assess the extent to which we can accept dependence on external service providers. With regard to the most critical information, cloud adoption may undermine the sovereignty of states in the digital world.
WHAT CLOUD?
Cloud services refer to a model in which companies can purchase data processing capacity flexibly from international service providers. When, for example, maintaining a network service traditionally required a physical server computer and a lot of software installations, in cloud services all this is easily available in a ready-made package. In cloud services, resources can often be increased or reduced as the number of users changes.
The reliability of cloud services cannot be verified
With regard to the availability of data, cloud services create dependencies on the service provider and reduce the possibilities of ensuring that the data is processed securely.
There are numerous examples from recent years where faults in commercial cloud infrastructure have caused global disruptions in service delivery. Major international cloud service providers often have a large number of Finnish customers, which means that a fault in the service provider’s systems directly affects several Finnish organisations. Often, outages cause only minor harm, but in critical information systems, even a short malfunction can have significant consequences.
Using cloud services significantly weakens the understanding and capability to detect who can access data stored in the cloud. Cloud services are often provided via long supply chains, i.e. several subcontractors. Ensuring the cyber security of the services is primarily based on an agreement between the customer and the service provider, without the customer having any technical means to verify the matter. Servers under companies’ own control can be audited better.
Cloud services also make it more difficult for authorities to form an overall picture of espionage and influencing against Finland. Cyber security breaches targeting a cloud service or companies providing cloud services may never come to the attention of end users or Finnish authorities. State actors are making increasing efforts to break into large cloud services and steal customer data through them.
In Europe, data protection legislation defines the exact terms and conditions for storing data in Europe but does not exclude the possibility of accessing the data from outside Europe. Service providers are multinational companies and, for example, the security operations centres of many cloud services are located around the world, which also enables managing servers from outside of Europe. Foreign service providers also operate under the laws and regulations of their place of domicile. Legislation of major powers in particular grants authorities extensive powers, including access to the data of customers of private companies.
As far as critical central government information is concerned, one must be able to fully rely on the integrity of data, i.e. that it has not been manipulated. This is a small but very fundamental issue. The credibility of public administration may be at stake if central government data processing depends on foreign service providers, and any suspicions of whether the data is reliable arise, even if they are false.
Finland needs its own cloud solutions
Cloud adoption should be carefully examined as a whole. Especially with regard to the most critical central government data, it must be carefully assessed that no unnecessary risks to Finland’s national security are generated. Efforts should be made to reduce digital dependencies that pose a risk.
Organisations using cloud solutions should consider, for example, whether service outages would stop the company’s entire business and how long they can tolerate such failures. Often, data is also backed up to the cloud, even if local backups could be necessary in some cases. When using cloud services, dependence on a single service provider must also be taken into account.
Geographically, Finland is located on the periphery of the European network infrastructure. Therefore, it would be beneficial for Finland’s national security if our critical information systems were not dependent on other states or long telecommunications connections. However, the availability of competitive Finnish – or even European – alternatives to international cloud infrastructure is very limited.
Data centres can be a tool for soft power
In practice, the cloud consists of ordinary servers located in data centres around the world. Finland is an attractive location for data centres due to its cool climate, availability of cooling water, stable society, and affordable electricity. Finland currently has dozens of major data centres. During the past year, the risks associated with foreign-owned data centre projects in particular have been discussed in public.
Foreign investments are essential for Finland, but they may need to be weighed more carefully, especially if the investments are linked to authoritarian states. Authoritarian states may seek to increase their economic influence and gain a foothold in the business networks of different countries. Data centres can also be used as tools of soft influencing.
A data centre in Finland can enable access to Western export-controlled technology, such as computing chips and the purchase of computing power. These could be utilised by authoritarian states, for example, for computer simulation modelling and developing their artificial intelligence and new materials. Many foreign-owned data centres also produce district heating. This can make them a key part of the local critical infrastructure, thus creating economic dependence. If a data centre operator succeeds in covering up its connections to an authoritarian state, it may endanger Finnish data.