A guide to digital sovereignty, autonomy, and business resilience

(First public draft)

Imagine that you are part of the government of an average nation, and you have just realized that IT has become a substantial factor in your operation. Or you have a similar position in a manufacturing industry, or in the financial sector. As IT increased in volume, you have tried to keep its costs down, it was just a facility. Outsourcing to more experienced partners was an option, and so was the use of cloud computing, for example for your Office applications.

Now you realize that IT is not just a cost, but that it is also existentially important to your business.

No IT means no business.

This is no longer about cost. It is about survival.

The geopolitical situation and the oligopolistic dominance of big tech are creating a massive challenge. In the west, we are talking about the US government and the three big hyperscalers. In the east, it is China and their big companies. All these actors have demonstrated that they can and will exert their influence in a way that can be counter to the interest of IT consumers.

Cloud computing has aggravated the situation. Where vendor lock-in was already an issue in the early days of computing, most companies could operate independently from their vendors for a while. In a cloud world, service can stop from one minute to another.

Hence the call for more sovereignty and autonomy.

Sovereignty and autonomy sound nice, and appeal to core human values. But they are problematic: they are ill-defined, and unattainable in the absolute sense. On a global level, there are very few countries, if any, that have no dependence on any other country. So no country is fully sovereign and autonomous. In my opinion, the most important objective is to reduce the negative effects of that dependence.

In this unit I want to develop a framework for structuring the conversation around business resilience, which I think is the umbrella concept here.

I propose to start with a risk based approach, focussing on the supply chain. We start by identifying the threats that the call for sovereignty and autonomy is supposed to address.

For example, a nation state order might force a cloud provider to cease operations for a specific customer in a different country. This leads to an availability risk for that customer. In this case, they cannot access their email anymore.

The next questions are: what is the bad consequence of that, what are the chances that it happens, and how quick can we reduce the impact of that?

All this is fairly standard risk management procedure. But for this conversation I suggest to specifically look at the following.

• What do people mean when they talk about the need for more sovereignty and autonomy?
• What are the risks that derive from having a geographically distributed IT supply chain?
• What are, in detail, the components of that supply chain? For example, there is a difference between the location of a datacenter, the software that runs in it, and control over the operations of that hardware and software.
• How can nation state actors and corporations exert power that is counter to sovereignty and autonomy?
• What are the mitigations that cloud providers propose? How tenable are they?
• What are mitigations, technical and political, that are applicable for cloud consumers and regulators?
• In particular, what alternative sources for IT assets and services exist?
• What residual risks do these have? For example, building a large single service provider company has the risk that it will be acquired by a multinational under foreign control. This has happened.

I suspect we will also find out that many of the risks and mitigations are not technical, not even legal, but (geo)political. To fully analyze those, we will need people with these skills. Understanding the essentials of this technology can be challenging for experts in politics or law. And, by the way, that is one of the reasons why I have taken up writing Digital Infrastructures at Scale.