France abandoned the sovereign cloud without discussion and without real opposition. French Thalès, who specializes in defense, has signed a partnership with Google to develop a cloud service intended not only for private companies but for public institutions. However, last year, amid the crisis at Covid, the discovery that public health data was entrusted to Microsoft raised an outcry. The State then announced its desire to create a sovereign cloud that guarantees the integrity of public data.
In fact, the government in May gave birth to a text that was significantly altered under the influence of lobbyists to make it “GAFAM compatible”. Exit the sovereign cloud, make way for the “cloud of trust”. Behind this clever name change lurks the abandonment of sovereignty in favor of GAFAM. A sovereign cloud, in other words, the fact of placing public or private data on servers that are safe from any foreign intrusion thanks to the use of French or European technology, has been replaced by another concept, the “cloud of trust “where the data is in theory protected by a contract of trust made with private companies that are free to communicate with whom they wish.
“We signed a contract in which France’s largest company became American technology resellers,” choked Luc d’Urso, vice-president of Hexatrust, an association that brings together France’s cybersecurity players. instead of building sovereignty, an ecosystem to promote European technology, we literally bow to American commands. After the submarine affair, this is the pompom! “
A new risk of hope in the industry
If Google and Thalès welcome the creation of this government’s “trusted cloud” label, not everyone has the same opinion. “Supposedly promoting the use of licensed software solutions seems like a difficult choice to understand in terms of industry policy, worried Yann Lechelle, CEO of Scaleway (cloud), last May.-European software technology … The State seems to be dismissing any ambition for the development of a French cloud sector. ” And add: “lFar from solving the sovereignty problem, this solution exposes the French digital environment to new types of dependencies. The label “cloud of trust” is not included in the scope of offers of a certain number of French players who however differ themselves by their sovereign credo on the value of large investments.
The contract signed between Thalès and Google provides for the creation of a joint venture in which Thalès will be the majority shareholder for the operation of the servers under Google’s technology. “It’s a shame, Luc d’Urso continues. French players in the sector have been forced to obtain ANSSI certification. [Agence nationale de la sécurité des systèmes d’information qui évalue et certifie les équipements, NDLR] while Google does not. Not likely. ”Google France confirms that it does not have ANSSI certification because the company does not yet have to operate the servers.
At this point, the government defends itself by asserting that the two groups need to show a high level of security to be stamped “cloud of confidence”. Bruno Le Maire and Cédric O welcomed the initiative that allows companies and public organizations to access America’s cloud technologies while maintaining control over the data, which will remain hosted in France. At least in theory. Because the Cloud Act, passed in 2018 in the United States, actually obliges American suppliers to notify when requested the data they store, even if this data is hosted outside the United States. But these suppliers have no right to disclose that they have been the subject of requests and much less to disclose what they have provided.
More seriously, this “cloud of trust” can reveal major strategic flaws. “Metadata that is intrinsic to foreign solutions will always allow the application of American law,” Yann Lechelle explains. The source code is unlikely to be audited and will therefore allow any of the back-doors. [programme informatique malveillant utilisé pour accéder à distance à un ordinateur infecté en exploitant les vulnérabilités du système, NDRL]or release sensitive information without it being easy to analyze outgoing flows, hence perfect opacity from a cyber point of view. ”The law may have evolved at the whim of American leaders, leading to a lack of predictability.
Soon a “trusted cloud” on Alibaba?
The first violation of technological sovereignty already occurred with the emergence of “Bleu”, the “trusted cloud” of Capgemini and Orange that introduced Microsoft to public data management, in May. AWS, a subsidiary of Amazon is also running: “What is likely to be developed, confessed Stephan Hadinger, technical director of AWS France, is a technology licensing model. We provide licensing that is operated by third parties. Announced we include Atos the deployment of servers using our technology in the military field, for example. ” Clearly, the three American behemoths have already succeeded in making their nest in the promising niche of the “cloud of trust”.
In the future, “we can well imagine that public data will be hosted in France, says one host, on a data farm developed by American Equinix, on Intel servers, using Microsoft cloud technologies, Google AI, Google algorithms, encryption. Software developed jointly by Thales and Google. The label “trusted cloud” will serve as a fake nose for Gafam and possibly the NSA. ” Finally, it’s hard to see why the conditions required for stamped “trusted cloud” don’t apply to Chinese Alibaba, which also has a full range of services. In other words, as the snake of jungle book: “Have confidence…”