The Long Road to Sovereign Combat Cloud. But Which One?
(Source: Special to Defense-Aerospace.com; posted Nov. 15, 2021)

(By Collectif Lépante)
PARIS --- A cloud infrastructure is an information system distributed among one or several servers and data repositories that is not necessarily hosted by the data owner, and is accessed through the internet, possibly across various locations.

As defined in 2011 by the U.S. National Institute of Standards and Technology (NIST), Cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling with other users, rapid elasticity and measured service), three service models (IaaS (Infrastructure as a service), PaaS (Platform as a service) and SaaS (Software as a service)), and four deployment models.”

With the ubiquity of the web and the complexification of the digital economy (not to mention the forthcoming 5G), network-based operations are more and more common, and the underlying data is often stored by third parties.

The emergence of “the cloud” is one of the major features and contingencies of the digital economy. Indeed, digitalized data is estimated to have grown by 45 times in the last 10 years! Market forecasts vary, but they all agree on the massive growth of the cloud market, with growth rates in the 30% to 40% range! According to KPMG, the European cloud market was worth around €53bn in 2020, and could be as high as €500bn or even €800bn in ten years according to some estimates…

So, the cloud is massive and it is here to stay. It is meant to host, process and eventually share all sorts of data, from the most mundane to the most sensitive.

Can any cloud be sovereign?

The diversity of applications hosted in “the cloud” demonstrates the importance of the concept in today’s connected world. Most of the digitalized economy runs on the cloud: banks, insurance, communication, manufacturing, energy, logistics, health, education, agriculture, smart cities, transport and other critical infrastructures…

On a personal level, most of your private or semi-private data, such as healthcare, pension status and fiscal records, are on the cloud, one way or another – not to mention personal data voluntarily posted on social networks... Many governments have put in place specific policies and infrastructure to help “civil service 2.0” emerge and boost performance in terms of response time, cost control, and big data analysis.

Now, the idea is to rationalize, streamline and control, as much as possible, the government-related storage of data.

As of today, cloud service suppliers are predominantly US-based, with Microsoft (Azure), Amazon (AWS) and Google Cloud holding 40% to 50% of the global market according to Gartner figures. Then come Chinese players such as Tencent, Alibaba or Baidu with another 10% of the market. The rest is very much atomized. But many other players, such as Accenture, Oracle, IBM, Salesforce and VMware, are trying to grab a share of this huge market. As of today, 80% of the leading French companies in the CAC 40 are Amazon Web Services (AWS) customers, for example.

Many governments developed their cloud infrastructure using the products on offer.

So, for countries other than the USA, particularly in Europe, a major concern is a series of so-called extraterritorial laws set in place by the United States, such as the CLOUD Act, LAED or FISA. They stipulate that any data hosted in the US, or on a US-supplied system, or processed via US-made software, can be accessed without restrictions by US authorities.

This, and the adoption of the RGPD privacy shield set in place by the European Union, has led EU governments to limit the dependence of their cloud on US providers. They have been promoting, although with mixed results, the emergence of local providers such as OVH, Outscale, Atos, Dassault Systèmes, Deutsche Telekom, and others. Some alliances between players (such as Gaia-X at the European level) have also been encouraged in order to reach a “critical mass”, once again with mixed results.

Of course, not all data are critical or sensitive, but for those that are, governments have put in place certification processes to approve alternative solutions that are deemed secure and “as sovereign as possible”. One example is the French SecNumCloud label certified by the French national IT security agency, ANSSI.

But as frankly recognized by French President Emmanuel Macron recently, let’s face it: a sovereign cloud is economically unrealistic as of today, and most governments are left with mitigating solutions. One of them is ad-hoc partnerships between US suppliers and trusted national players, as recently seen with agreements between Thales or OVH with Google, or CapGemini/Atos with Microsoft and Orange (BLEU), or Amazon and Orange.

For its part, US supplier VMware is also open to partnership and claims that it is neutral, totally open-source and very safe due to significant investment in cybersecurity. "As we do not store data, we are not subject to the American cloud act," the company's CEO adds. In addition, VMware has even already provided French OVHcloud with components for its “certified SecNumCloud” offer…

What are the military implications?

So-called network-centric warfare is nothing new for the military, who have been dealing with more and more sophisticated information systems and ever-faster transmission and telecom systems over the past decades. But with advances in computing power and civilian IT developments, military use of AI started in dual-use areas such as communications, logistics, predictive maintenance, etc. For example, the US Army openly took inspiration from Amazon to manage its warehouses using new technologies.

The strictly military use of the cloud model itself started in the US around 10 years ago, through an ambitious (and sometimes controversial) cross-services architecture now known as the Joint Enterprise Defense Infrastructure (JEDI). The use of the cloud for military information and communication systems. Today, there is no platform or soldier that is not connected to the grid one way or another. To the point that the military was at some point drowning in data.

But the utilization of artificial intelligence and software to run big data analysis and make sense of these terabytes of data gathered every day around the world.

In 2016, under the authority of Gen Dave Deptula, the US Air Force defined a doctrine around the concept of a combat cloud, meant to allow platforms and units in combat to access a massive volume of stored data and make sense of it through advanced algorithms. The idea is to maintain the information advantage even at the edge of the battlespace, at a time when usual and proven tactical datalinks such as Link 16 are showing their limits.

Sophisticated platforms such as modern battleships or advanced fighters therefore count on the “combat cloud” to run operations, collect and interpret intelligence, guide effectors onto targets and transmit battle damage assessments and situational awareness to headquarters.

For the UK, this does not seem to be a problem: just last week a £500mn contract was signed with AWS to host a big chunk of nothing less than… MI6 data!

Indeed, in the military domain, sovereignty is paramount, but interoperability is also key. In the “combat cloud”, the cloud infrastructure should ideally be ultra-ring-fenced for national eyes only, while flexible enough to allow instant sharing, when needed, according to a complex web of tiered access rights. A tricky technical and political challenge.

New multinational (and possibly competing) systems are currently dealing with those issues and trying to anticipate future cooperation. This is the case between Tempest and FCAS, for example. There are discussions at state and industry levels to make their respective future combat clouds "as compatible as possible" without compromising data sovereignty.

Let's not forget that mission data files - including enemy radar signatures, and electronic countermeasures - are among the most sensitive military information out there. Leaking them would not only reveal the way they were collected, but would also seriously compromise mission success and pilots’ safety.

By the way, most ministries of defense are working with national providers - possibly startups - to make their military cloud as autonomous, secure and sovereign as possible. For example, the UK MoD Rapid Capability Office is working on its NEXUS combat cloud prototype with British startup securecloud+.

In France, the defense procurement agency (DGA) launched the Artemis cloud initiative in November 2017 with major AI and big data analysis partners such as Atos, Capgemini and the Thales - Sopra-Steria consortium – notwithstanding innovative start-ups.

Meanwhile, as revealed by French weekly Le Point, the first military AI should be operational shortly at the French Center for Planning and Conduct of Operations (CPCO). The AI will be supervised by the Defense Innovation Agency (AID), which already has a cell entirely dedicated to work on this disruptive technology, Le Point adds. And as far as the French Air Force is concerned, an initiative dubbed Connect@aero is meant to incrementally develop a genuine, cloud-based capability from future Rafale variants in 2025 up until the Franco-German-Spanish FCAS enters service by 2030 and onwards.

But this is still a work in progress.

And apart from interoperability, there is a big question mark over the whole combat cloud: cybersecurity. And, once again, there must be ways of mitigating the security risk associated with the cloud:

-- Work on common advanced standards with sophisticated, built-in integrity protocols, zero-trust architecture and multi-level security systems;

-- Find inter-governmental political agreements, possibly on an ad-hoc basis, to share data. Most militaries agree that having different, possibly sovereign combat clouds is not so much of a problem for operating in coalition, as long as you can tap into others' data with the appropriate technical gateways and clearance levels;

-- Invest in national “edge computing” solutions that aim to process data as close to the sensor and the decision as possible, and retrieve only the most meaningful portion of it in order to share it in a strictly controlled, more restricted manner.

However, due to the huge progress in cyber-attack as well as electronic warfare capabilities (possibly in combined mode), military planners cannot rule out that cloud data integrity might be compromised at some point, or that the cloud might simply be totally unavailable. Therefore, a stand-alone, fail-over "unplugged" mode must be retained for emergency situations.

Network, data and artificial intelligence are key, but one still has to be able to perform the mission without them and hopefully come back... As one British military official was recently pointing out: “the cloud is very much like ‘the Force’ in Star Wars: it’s both an asset and a vulnerability…”

-ends-
