President Ilves, you are the chair of the European Cloud Partnership (ECP), which unites key representatives of private industry and the public sector to establish a Digital Single Market for cloud computing in Europe. Why do you believe that this is important for Europe?
It has become clear over the past few years that cloud computing represents an enormous economic potential. Currently, much of that potential is realized mainly by companies outside of Europe, primarily those in the US. Since companies compete internationally, there is an urgent need for Europe to catch up.
The ECP is well positioned on that front, since it includes representatives from leading cloud vendors and from the public sector. The former are important as developers of innovative solutions, and the latter can stimulate and shape the market through their significant buying power.
The European Council also recently expressed its strong support for cloud computing, calling for EU action to provide the right framework conditions for a single market for Big Data and Cloud Computing. What actions could be taken at EU level?
There are of course many potential action points, some of which – such as reforming European data protection laws – are already ongoing. Those efforts are necessary to facilitate EU-wide commercial activities.
At the same time, there is a need for further initiatives that specifically improve the quality, security and trustworthiness of cloud services – that do not rely on legal changes. The creation of reference codes of conduct that cloud providers could adopt voluntarily is one such example: such codes would improve transparency for consumers, and provide a clear statement of their rights and privacy expectations. The identification of shared security standards is also important, to improve the reliability of cloud services.
A key barrier right now is the reluctance to host data outside one’s own national borders. This is detrimental to achieving the benefits of scale that the cloud offers. Currently there are laws in place that restrict governments’ use of cloud. Most importantly, this reluctance is entirely unjustified: with appropriate security measures, such as the use of advanced encryption tools, data can be just as secure on foreign servers as within your own borders. The EU needs to act to counter this trend toward the nationalization of the cloud.
Estonia is often seen as one of the frontrunners in the adoption of new ICT solutions. Are Estonian public services using cloud solutions? And what benefits have you seen in practice?
Estonia has indeed been an early adopter of ICT in a number of areas, and the cloud is no exception. We’ve already introduced the basic tools we need to drive innovative services, such as our electronic identity card and a service bus that allows Estonian administrations to securely exchange trusted data, and these are enabling a shift towards cloud services. We’ve implemented signing-in-the-cloud services that allow citizens to sign any electronic document using eID cards or mobile phones. These types of services enable new innovations and show Estonians how easy it is to use cloud services.
The key is secure, government-guaranteed authenticated ID, and legislation that promotes the effective development and use of e-services: first, we have a law that the government cannot ask for data that it already has, and second, the citizen is the owner of his or her own data; she has control over who has access to her data and for what purposes. In these times, the sense of security and trust is crucial for the governments to be able to go ahead with developing e-services; without trust, the political will to do so is hard to find. Legislation in the rest of Europe needs to be updated to create the trust and the political will to go ahead.
Is it possible for public sector services to use cloud computing on a large scale? Wouldn’t there be a risk of public services breaking down completely if technical problems occur?
On the contrary: one of the main advantages of the cloud is that it can improve resiliency. The case of Fukushima, with lots of data lost after the earthquake, indicates how important a backup outside your own borders can be. We are also vulnerable to external threats, as we in Estonia saw during the DDoS attacks against our public and private websites in 2007. However, even though several websites – banks, government sites, online media – were impaired for a while, our government-provided encrypted e-service system remained, and has remained ever since, uncompromised.
Much of the economic potential of cloud computing comes from the ease with which data can be exchanged internationally, and flow from data centres in one country to the next. Are cross-border clouds possible for the public sector as well, since this would mean potentially sensitive governmental data being moved outside of national borders? Are there any pilot cases in Estonia?
It’s a sensitive problem, to be sure: no one wants to move their crucial services or data to a location that they can’t fully control. The public sector plays a particularly important role on that point, since we manage large amounts of personal data relating to all of our citizens. That’s a trusted position that we must protect at all times.
But that does not mean that moving some services and data to service providers outside your own borders is entirely impossible. The key question is control: if you can be certain that your data is placed with a trustworthy host, who cannot access it without your permission, and if the necessary technical and legal conditions are implemented to ensure that this trust isn’t violated, then cross-border clouds in the public sector are entirely possible. The goal should be to ensure security, not to keep data within a border.
In fact, Estonia and Finland have been working on a project to interconnect our clouds, beginning with our VAT databases. Finland has decided to adopt the existing Estonian system, and we will develop the systems’ next phase together. This will be a genuine cross-border cloud, with all related benefits. All Member States should look into such an approach, since it’s the only way to make crucial services and data disaster-proof.
Much of the public debate today revolves around the public’s trust (or lack thereof) in cloud computing, against the backdrop of national security incidents unveiled by whistle-blowers like Edward Snowden. What can be done to ensure that confidential information in the cloud remains confidential?
This all comes back to the core question of trust. Part of this solution comes from appropriate technical and legal solutions to ensure that data in the cloud isn’t up for grabs. This is why European initiatives on this point are so important: we need to ensure that there are common standards and processes to secure cloud data.
Key to any secure digitally based system is a secure and trusted identity. In other words, one needs to be absolutely sure that whoever accesses the system is who they say they are. Without this, all systems are vulnerable.
A second point is transparency: it’s not only necessary for clouds to be secure; they must also be seen to be secure. In Estonia we have been able to create trust and goodwill with a large part of our population by being secure and transparent: in the Estonian system, all entries leave a trail, and any Estonian can use his or her eID card to find out who’s been accessing their data and why. And our system uses a high level of encryption – RSA 2048 – that would take some forty years for even the NSA to break, using current technology. That kind of security-and-transparency-through-technology is needed to show EU businesses and citizens that their trust in the cloud is justified.
But we also need to remember that confidentiality is not necessarily the most important security issue. We also need to ensure data integrity, the fact that no one changes the data in the process of transfer. While violating privacy may be uncomfortable, violating data integrity can be life-threatening, and seriously dangerous to people and whole societies. It is not only storage and access, but the whole process that must be adequately protected.
Advanced security often comes at a high cost. Isn’t there a risk that European cloud service providers will be priced out of the market if they have to meet high standards for secure, high-quality and reliable cloud services, as the European Council has recommended?
Not necessarily. While high quality security isn’t free, it also creates significant added value. When it comes to sensitive data and services, the cheapest cloud solutions can become very expensive when the cost of incidents is factored in. Furthermore, there’s also the flipside of the coin: strong security is a differentiator, something that you can sell on the market. If EU cloud providers can be shown to be more secure than their competitors, then this is an advantage that they can use to sell services internationally.
Finally, not everyone needs the highest level of security. Non-sensitive data can be stored without the highest level of security. Payroll or pension figures for a large company presumably would not require the same level of security as people’s health records.
What are your hopes and expectations for the outcomes of the ECP’s work?
The ECP is working with a real sense of urgency. Cloud computing is not a technology of the future; it’s the technology of today. The ECP needs to provide results that cloud vendors and cloud users can adopt right away, results that will help grow the market and drive new innovations. We need to become a leading cloud provider and cloud adopter in the global market. This is the only way to maintain a strong and competitive economy in a challenging environment. Ultimately, that is the target for the ECP’s work.
(Article from net-cloud future magazine (2013))