The Russian-Ukrainian conflict has brought the issue of cybersecurity to the top of the European and national agendas. The issue was already much debated, at least at policy level, in contexts regarding 5G, the cloud sector and in general the resilience of essential telematic infrastructures. But the war unleashed by Russia in Ukraine has brought to attention a new subject, that of the Russian anti-virus Kaspersky, used by many European governments and especially in Italy, where it is installed in thousands of public offices, including ministries and police forces. Kaspersky is no stranger to this controversy, so much so that it was banned by US administrations in 2017.
In fact, in order to work properly, an antivirus must be able to filter, that is, read and even manipulate, the system and the data it intends to protect: if for some reason the antivirus is produced by, or linked to, a country with which there are geopolitical problems, it is like handing over the house keys to the worst enemy. This may not be the worst of worries for a private individual, but it could be a vital problem for a national critical infrastructure.
Understandably, Kaspersky has taken steps to reassure customers, as the CEO of its Italian branch did, for example, in the Italian media. These reassurances are comprehensible, but unfortunately they cannot reassure us completely, because they run into limits already familiar from the debate on Chinese 5G vendors as well as on American cloud providers, which can be summarized as follows.
The foreign jurisdiction of the parent company is unavoidable
When the headquarters of a technology company are located outside the EU (in the USA, China, Russia or elsewhere), the entire company is subject to the jurisdiction (understood as judicial power but also governmental power) of that country, including with regard to its branches within the EU or elsewhere (Switzerland, for example, in the case of Kaspersky). Therefore, despite the best reassurances, as well as the adoption of ad hoc contractual schemes and guarantees, the jurisdiction of the parent company's country is always destined to prevail, even in violation of the laws of the countries where the branches are located: this applies to the American CLOUD Act and FISA Section 702, as well as to Russian and Chinese security regulations, which will always prevail over European regulations.
This is not a problem of unfairness or double-dealing on the part of non-European companies, which are certainly in good faith when declaring to European customers that their data and services are safe. The problem is that such promises, or even contractual obligations, are inevitably destined to lapse if one day someone in Moscow or Beijing decides that it is time to use local technology companies (operating abroad) to safeguard national interests towards Taiwan or Moldova.
Therefore, moving branches, data centers and source code to the EU or Switzerland is neither sufficient nor necessary if the parent company of the technology provider continues to be subject to the jurisdiction of the Kremlin, the White House or Beijing. And no European contract will ever be able to provide legal security when the parent company is required to act in compliance with the national security laws of its non-European country of establishment. A contract subject to European law does not constitute any obstacle for a foreign ministry, be it American, Chinese or Russian.
The extraterritoriality of foreign jurisdictions: software counts more than hardware
If moving data centers, servers and offices within the EU does not eliminate their subjection to non-European jurisdictions, the same applies to the practical possibility of technically defending data and services from intrusions. The location and physical separation of the equipment are not an obstacle when a non-European technology provider may very well have access to the data and services hosted there, even within the EU: a simple software update is enough to gain that access. If this access is technically possible, then the non-European operator could be forced to carry out actions contrary to the customer's interest but required by the jurisdiction of the parent company. Where the servers and other boxes are located, and what physical separations exist, does not matter; what matters is who holds control and the keys of the software that makes them work. Software matters much more than hardware. In such cases, however, whether the software is proprietary or open source is of some importance, because at least in the latter case a certain degree of oversight by the customer over what happens to their data and services is possible.
Encryption and other unfinished remedies
Certain defense mechanisms such as data encryption should not be overestimated because, while effective against external threats, they are less effective against the chosen technology provider. Against the latter, encryption is effective when the data is “at rest”, that is, stored on the servers' disks, but not when it is “in use”, that is, when it must be processed to run the applications. In the second case, the encryption keys will have to be shared with the technology provider in order to process the data, and the data, finally “in the clear”, will be accessible, and with that security is gone, for the reasons already mentioned.
Even the “key management” systems are at risk, insofar as these systems are managed by a non-European technology supplier (moreover, these are solutions contemplated in the call for tenders for the National Strategic Pole in Italy).
Interdependence is the only realistic choice
That said, there are no completely self-sufficient solutions or scenarios that would allow a single country to use only national technology (even if Russia and China are trying). Europeans must get used to depending technologically on non-European suppliers and, given the current times, it will be necessary to accept an accentuated dependence on the USA or, in any case, on countries with which we generally share the same geopolitical alignment, whereas the same would not be tolerable with countries openly or potentially hostile to the EU.
This means that foreign policy choices must be consistent with technological and security ones. Moreover, even with respect to the USA it is desirable that Europeans at least arrive at an interdependence, rather than the situation of chronic dependence that seems to exist today. To achieve this interdependence, which is currently the only realistically achievable goal for the EU, it would be necessary to do everything possible to support the development of European technology companies. Development, mind you, and not mere survival; it is therefore vital that the funds of Next Generation EU are also used for this purpose.