I&T: You have objected in the press to Bpifrance using the services of Amazon Web Services (AWS) to administer loans guaranteed to companies by the government. What is it about?
Frans Imbert Vier: When the decree was published to announce the Covid-19 loans for companies, there was a stir of state combat to organize the guarantee and the management of these loans. Bpifrance was then asked by the Ministry of the Economy to set up a system which would make it possible to collect the bond for all the loans to prepare the audits provided for in the decree. Nothing disturbing until then.
Bpifrance technical services then had to find a cloud service available immediately to install a database to build, interconnected with banking consolidation systems and those of Bercy. In The IT world, the technical director of Bpifrance was pleased to have been able to rely on the AWS infrastructures to implement the solution in five days. However, they could have turned to Orange or OVHcloud, or even another European cloud provider, who have all the required skills.
No technical constraint forced them to choose AWS, at least to my knowledge – but anyway, there was no call for tenders or specifications so we cannot precisely assess the chosen solution. They could even have hosted this data themselves in my opinion. Choosing a Gafam while the President of the Republic invokes digital and health sovereignty for a month and a half, it is not acceptable!
What do you think explains this choice?
The Gafam offers are extremely well constructed and developed: they are technically ready and above all marketed in such a way that they are very simple to understand and enjoy very aggressive advertising. In two clicks, it works, so it’s normal to go, we all want to go!
But in France, in Germany and in the countries of the north of Europe, in particular, many nuggets exist – not always very well promoted, I grant you. If we do nothing, many will die while they offer good-quality technologies, others will be systematically bought by the big American and Chinese players, and the two-three who will remain may be painfully diluted in a Thales or a Dassault. All this because we tell ourselves that they are fragile, that they will not necessarily be able to ensure a certain sustainability of the service and that, generally, we automatically eliminate them after tenders.
What, specifically, are the risks?
The data entered in this database concerns the bank guarantee, that is to say that a list of all the companies which have requested a loan and all those who obtained it is sent to an American company. However, the United States is the country that sucks the most data in the context of economic intelligence and its 24 American intelligence agencies can access data hosted by an American company without asking the opinion of anyone. Without even using the Cloud Act, for which they would need to ask for an authorization, but by invoking the Patriot Act, a law passed just after the attacks of September 11, 2001, which does not require any request from the moment the American national interest is put forward.
It is therefore feared that American companies will have access to the competitive advantages and the financial situation of foreign companies. With these two elements, it would be easier for them to buy out competitors when the conditions are right. In a period like Covid-19, when everyone is having a slap, it may be a good idea to take an inexpensive technology, financed with research tax credits, and integrate it into one's offer.
What to do to make it change?
Today, we should no longer give in to ease by turning to Gafam offers. If we do not make French and European players work, we will never allow them to reach the levels of technical power and innovation of Gafam. Coming from a public actor who promotes the opposite is boring. When Cédric O publishes on Twitter that the AI offered by Microsoft within the framework of the Health Data Hub is fantastic, it greatly discredits the defense of France’s digital sovereignty. Especially when you know that a Franco-Swiss company, Global Data Excellence, has just received the 2020 prize for the best AI.
It would first be necessary to change the code of public procurement by forcing the public service to reserve 50% of its digital spending to European actors and by preserving in France all the systems supposed to preserve the sovereign data of the French State. Perhaps the different mayors from the recently elected Europe Ecology-The Greens (EELV) party will push in this direction.
Initiatives to highlight sovereign cloud offers are starting to emerge, such as the SecNumCloud label from the French Cybersecurity Agency (Anssi) or the European multi-cloud project GAIA-X. What do you think?
It’s better than nothing, but it’s just a start. Technically, SecNumCloud does not change much against economic espionage, especially since it uses ciphers generated by a member country of NATO, and therefore potentially decipherable by any other member. But the approach is virtuous: SecNumCloud creates a model of economic trust between French companies and customers, guaranteed by an actor, Anssi, who masters the technical levels of labeling in cybersecurity unequaled in Europe.
As for GAIA-X, it’s great! The only problem is that there is no obligation in this project for the intellectual property of the services offered to be carried by a legal person hosted in the territory of Schengen. Too bad…
At the same time, members of GAIA-X must not be authorized to transfer part of their financial participation to third parties outside the EU to avoid that companies financed in this framework are then bought by American giants. In short, the entry of non-European actors into GAIA-X must be prohibited. However, to date, Gafam are present in the working groups of GAIA-X… This approach is good politically, but very bad economically.
[Contacted by Industrie & Technologies for this article, Bpifrance did not respond. Editor's note]