Cyber sovereignty - Do we need to wrestle back control from the tech titans?

SIMON CHASSAR, Interim COO, e2e-assure

It's not just charity that begins at home, so too should data governance. As nations increasingly adopt protectionist policies, there's a renewed sense that businesses should keep their data safe by determining not just where it is but who has it - and the overwhelming answer is the Americans. Realisation is growing that our data either resides with or flows through the hands of US-based tech giants, revealing a worrying level of dependency.

Amazon and Microsoft now control 70-90% of the IaaS cloud market in the UK, with Google occupying third place. This duopoly saw the Competition and Markets Authority (CMA) launch an investigation which is expected to see the regulator intervene later this year, but it's not just the competitiveness of the market that's at stake. Legislation such as the US Cloud Act and the Foreign Intelligence Surveillance Act gives the US government the power to demand US companies hand over customer data irrespective of where those customers are based, meaning UK data could be surrendered upon request.

To allay these concerns, the hyperscalers have been busily promoting sovereign cloud solutions both here and on the continent. But while these do provide data residency and respect local regulations, these offerings cannot confer true sovereignty as they are based in and must comply with these US rulings. Ideally, the UK needs to fight fire with fire by introducing its own legislation that seeks to protect the infrastructure and assets of businesses deemed critical to the economy.

A lost opportunity

The forthcoming Cyber Security and Resilience Act (CSRA) currently wending its way through parliament could have fit the bill. It aims to protect essential services and businesses and applies not just to critical national infrastructure (CNI) but also digital service providers, managed service providers, cloud hosting providers, data centres and other associated entities.
Lobbyists such as the Open Rights Group campaigned for sovereignty to be included in the Bill and hopes were high following its second reading in January when three new clauses were proposed.

Debated by the Public Bill Committee at the end of February, the new clauses directly addressed the problem of foreign incursion. New Clause 2 proposed a register be created of foreign powers that present a risk to CNI and information systems. It would apply to foreign powers that have attempted to attack the UK or which GCHQ identified as posing a risk, whereas New Clause 13 would identify the risks posed to systems by foreign interference. That would include unauthorised access or surveillance of network and information systems, so would have been directly relevant to the US rulings. Similarly, Clause 15, which called for a review of the security risks posed by critical suppliers and essential service providers linked to foreign states, would have put businesses critical to the economy with foreign links under the microscope.

However, when put to the vote, all three clauses were negatived, so will not be taken forward and included in the Bill. These decisions are disheartening because they mean the Bill will not address our dependency on foreign technology providers and the potential weaknesses this creates. The debate about the Bill focused almost entirely on malicious nation state or organised criminal group activity, with no mention of the potential for technological involvement by our allies, which could pose a threat if relations continue to cool.

Strong demand for sovereignty

Across the pond, the US government is now in the process of pushing through the Cyber Strategy for America and has had no qualms in stating its intention to "move away from adversary vendors and products", that is, technology solutions or services from companies based in other countries that could be considered geopolitical rivals as well as a security risk.
Instead, the plan is to promote and employ US technologies. Interestingly, a similar point was made during the Committee debate by Liberal Democrat MP, Freddie Van Mierlo, who questioned the UK's reliance on foreign technologies. He suggested the government could pivot from high-risk foreign vendors to "trusted, home-grown alternatives" to deliver cybersecurity sovereignty.

Mierlo's not alone in calling for UK-based cybersecurity as we move forward, as there's evidence of strong demand in the market for sovereign Security Operations Centres (SOCs), for example, that aren't just based here but also utilise UK technologies to carry out threat detection and response. This could mean that it's the private sector that then picks up the cause and helps sovereignty climb up the corporate agenda.

It's right and proper we prioritise cyber sovereignty and avoid pushing it back under the carpet as we've seen done under the Bill. But it's also worth noting that international cooperation can and should still play an important part. The same Committee highlighted that retailer, M&S, learnt more about the cyber attack it was subjected to last year from the FBI than it did from the UK authorities, revealing that sharing information, intelligence and best practice continues to be in everybody's interests. But there's a difference between choosing to share that intelligence and it being there for the taking.