Is the dependence of governments on digital giants a problem?
- The breakdown of Windows servers due to Crowdstrike’s Falcon EDR revealed the risks of State dependence on private software.
- Digital sovereignty requires the State to ensure its independence in terms of technological and digital resources.
- The use of non-state digital solutions, although cost-effective, can compromise the security and independence of the state.
- The outsourcing of digital services must be carefully managed to balance efficiency and sovereignty.
- A DevSecOps approach and other measures such as active monitoring of systems would protect the State’s digital sovereignty.
The recent critical failure of Windows servers, linked to Crowdstrike’s Falcon EDR1, has highlighted the risks associated with the State’s dependence on private software. Although the French Minister for the Armed Forces has sought to offer reassurance2, the fact remains that the use of commercial digital services within the State must be subject to a benefit-risk analysis designed to ensure that the gain in efficiency outweighs the concessions in terms of sovereignty.
What is digital sovereignty?
The sovereignty of a State is its ability to guarantee its independence from other States. It requires the ability to have at its disposal the human, material and technological resources and any other component needed to produce the nation’s vital goods and services. This capacity is judged either at a systemic level or at the level of each public policy. Sovereignty covers food, finance, military, and now digital issues, which are common to all these areas.
Digital sovereignty concerns many aspects, the main ones being3,4:
- Digital assets, since it is necessary to have basic equipment generated without security risk (fibres, antennas, servers, firewalls, routers, etc.) to build a trusted information system.
- Digital services, because it is essential to be able to collect, process and return information securely to carry out the State’s sovereign functions (digital identity, crisis management, collection of taxes and social security contributions, etc.).
Why use non-government digital solutions?
Using non-government solutions means that solutions already developed elsewhere can be made available more quickly, enabling the government to focus its digital efforts on its core business. This is often done for reasons of efficiency and economies of scale, since a proprietary or open-source solution is sometimes used by thousands or millions of other organisations. Examples include text or spreadsheet editors (various Office suites), payroll or leave management software (SAP, HR-Access, etc.)5 or e‑mail sending and receiving software (Outlook, Thunderbird, etc.). This cross-functional software is tried and tested and ready to use. Creating an internal solution for the administration would be very costly and probably unsuitable for managing a common digital requirement.
The acquisition of equipment via services also makes it possible to meet needs that would require very substantial investment by the government. And without being able to easily ensure economic opportunities. This is particularly true when it comes to purchasing computers, printers, storage bays or network equipment. These purchases offer a guarantee of expertise and know-how in relatively standard components, as well as the possibility of using dedicated digital assistance. This approach offers excellent efficiency, provided that the hardware used is sufficiently standardised to be integrated into the administration’s information system and can be supplemented by additional services: applications, supervision, intrusion detection, etc.
The use of open-source solutions can also offer a significant capacity for innovation and responsiveness, as it enables tools and applications to be integrated rapidly at a moderate investment cost. In addition, this approach makes it possible to attract digital profiles keen to contribute to the open-source community and to offer citizens real transparency about the tools used within the government6.
What are the risks of using non-government digital solutions?
The digital solutions offered by commercial companies comply with European and French regulations. But they may also comply with the regulations of other countries on matters relating to the protection of national interests. To illustrate this risk, we can cite the Patriot Act, created after the 2001 terrorist attacks, which enables the FBI to force companies to give it access to their personal databases, even for information stored in Europe. Similarly, the Cloud Act allows the American authorities to access data stored by American companies, even if this data is stored in Europe, contrary to the obligations of the RGPD7.
Furthermore, commercial or open-source solutions may have vulnerabilities; the correction of which may be delayed due to cost, lack of human resources or a variety of other reasons. These delays in maintaining security conditions are not necessarily known to the company or are not immediately communicated to customers. As a result, these solutions, which have not been developed by the State, can create security vulnerabilities without the State services necessarily being aware of them. The flaw linked to the use of Moveit transfer software had a major impact on Colorado’s Medicaid programme8.
In addition, the increasing use of digital solutions developed by private companies may increase the State’s dependence on private technologies. This can give private companies significant power over how the state operates and may limit its ability to control costs and services. The major change in pricing policy for VMWare solutions is an example of this9.
Finally, the process of integrating non-government solutions into government information systems requires particularly rigorous management of the interfaces between the various components, whether software and/or hardware. To this end, interoperability protocols must be precisely defined and comply with the latest regulations and security standards, to avoid potential exploitable vulnerabilities. A symptomatic example is the use of RESTful APIs for inter-service communications. This can enable seamless integration and offers a layer of security via authentication and encryption protocols. The adoption of container technologies such as Kubernetes or Docker should also be carefully considered. Containerisation enables more agile and secure management of application deployments10.
How can we achieve the best possible balance between sovereignty and efficiency?
For the State to function as effectively as possible, we believe it is important to strike a balance between sovereignty and efficiency. We therefore propose several non-exhaustive guidelines:
- Define the services that can be outsourced and those that absolutely must be provided in-house. This approach concerns business applications (tax calculations for the DGFiP (Direction générale des Finances publiques), internal security applications for law enforcement agencies, etc.), as well as the necessary technical services (office automation, internet browsing, operating system, network operation, etc.).
- Identify the risks associated with outsourcing and the measures to be taken to mitigate them. The aim is to define the actions to be taken to maintain control of each outsourced service within the State. To achieve this, it is advisable to define the organisational procedures for outsourcing: the players involved, contractual commitments, verification procedures, the ability to ensure reversibility, etc. These actions are part of the process of integrating security into projects and validating them during the security approval process11.
- Pay particular attention to MCO/MCS procedures. The aim of this task is to ensure that internal and external solutions are updated regularly, with a view to correcting malfunctions and security flaws. The quicker patches are released, the quicker applications are protected against known flaws and malfunctions. This approach ensures that the solutions used remain state-of-the-art.
- Use a DevSecOps approach. At the heart of a necessarily integrated process, adopting a DevSecOps approach is a means of reinforcing security in the early phases of software development. It is by integrating automated and robust security tests into the CI/CD (Continuous Integration/ContinuousDeployment) pipelines that the main vulnerabilities can be detected and corrected. This is particularly effective, as it means that a correction can be made before the code reaches the production environment. This approach can lead to substantial differences for government-critical applications. For these types of application, a security flaw can have direct consequences for digital sovereignty12.
- Raise awareness amongst all parties involved and set up a dedicated committee. The aim of this action is to ensure that every member of the organisation has the necessary knowledge of how the application works and how to take into account the patches reported by the CERTs13. In this way, the application’s protection will be better taken into account and it will be possible to prioritise the most significant developments for the State.
- Rely on a monitoring and intrusion detection system. SIEM (Security Information and Event Management) is another technical dimension that is essential when setting up robust systems. SIEM solutions such as ELK Stack or Splunk are essential for analysing logs in real time, so as to effectively detect abnormal behaviour and patterns, which may be the result of inaction or a security breach. This integration of tools with automated response systems can reduce the time taken to react to a threat. This is a decisive aspect in limiting the potential impact on the State’s critical infrastructures14.