This September, the “Annales des Mines” published number 23 of their “Digital Issues” series, entitled “Digital sovereignty: ten years of debate, and after?”. Online (PDF of 145 pages), this issue has around twenty authors, whose contributions are divided into three parts: “The multiple observations of a deficient digital sovereignty”, “The strong links of digital sovereignty” and “Paths and levers of ‘action”. Dense readings to meditate on, in which I particularly point out a contribution directly linked to the themes of this blog: in the first part, Jean-Paul Smets, among other founders of the free software publisher Nexedi, wrote a text, “ Digital confidence or autonomy, you have to choose” (p. 30 to 38 of the PDF).
“Market conditions unfavorable for free software”
This article should be read in detail, but to give an idea, here is its summary and a few passages:
“Digital trust, the exorbitant role of the National Information Systems Security Agency and European regulatory inflation create unfavorable market conditions for many European digital technologies and free software. Together they are accelerating the adoption in France of American cloud technologies that are not immune to unauthorized access by a third state. They increase the risk of general outage by favoring centralized cloud offerings that are not very resilient. In terms of cyber risk management, the notion of “transparency” offers an alternative to “trust” to strengthen European industrial autonomy in digital technology on a resilient technological basis and immune to unauthorized access by a third state.”
Taking up the criticisms of the French cloud strategy that he already expressedJean-Paul Smets underlines that two years after its announcement by Bruno Le Maire in May 2021, “our data hosted on American clouds is not protected, whether at large health operators like Doctolib which suffers data leaks sensitive or with the Health Data Hub which continues its activity in violation of the General Data Protection Regulation (GDPR)”.
“The key mechanism for the exclusion of European technological offers from public markets is the “SecNumCloud” qualification issued by the National Information Systems Security Agency (ANSSI). (…) What this qualification favors is above all the centralization of infrastructures and the formalization of procedures: centralization of risk management, supplier approval procedures, procedure for checking the background of candidates for employment , procedure for controlling access to physical installations, etc. Large French digital companies excel in this area, as do their international counterparts.
This prejudice on the part of ANSSI can also be explained by the omission of the network of extremely competitive European SMEs in the software field and whose main customers are exports. The Grenoble-based company VATES, publisher of the XCP-NG infrastructure software, offers a French equivalent of VMWare, the American proprietary software used in almost all clouds qualified as “SecNumCloud” to date. VATES generates 95% of its turnover from exports. The scikit-learn project, hosted by the INRIA foundation, is the leader in learning tools, one of the most used branches of artificial intelligence. Its financiers include Microsoft, Fujitsu and the Boston Consulting Group.
Together, European SMEs are capable of offering competitive, pioneering and comprehensive cloud offerings, from IaaS to PaaS, including industrial edge computing and virtualized 5G.”
“Mainly SMEs and individual authors”
However, underlines Jean-Paul Smets, “Free software, by involving numerous developers in the creation of a shared work, is one of the most accomplished forms of industrial district. Free software is created and published in Europe mainly by SMEs and individual authors, more rarely by non-profit organizations. Their security is based on social mechanisms of shared trust based on mutual recognition between peers and not on bureaucratic audit procedures.”
“This is not the first recent attack against European free solutions”, notes the author, who quotes: “In 2021, the General Directorate of Enterprises launched a process of European rapprochement with a view to constituting important projects of interest Common European Union (IPIEC) with large subsidies. However, it favored large French integrators and omitted many European cloud infrastructure software providers. The ultimately validated projects, carried out by Google partner integrators, favored Google’s free software rather than that of equivalent European free software publishers. (…)
On January 24, 2023, the interministerial Digital Directorate (DINUM) organized a meeting to promote proprietary cloud solutions for development teams. However, there is a competitive European offer of free cloud, the promotion of which to administrations is explicitly part of the missions of the DINUM in accordance with the law of October 7, 2016 for a digital Republic.
“Transparency makes the market more fluid”
The article also presents the case of the Cyber Resilience Act (CRA) proposed in 2022 by the European Commission, currently being developed, of which many actors French and Europeans have pointed out the risks that it would impose on the rights holders of free software. “The only escape for the rights holder: transfer their software assets to a free software foundation, most often American. For others, the European Commission estimates in its impact study that this regulation will involve a minimum of €25,000 in administrative costs per software and a 30% increase in development costs, a level far too high to encourage the growth of the software. “ecosystem of free software publishers, the necessity of which the Commission recognizes to achieve digital independence.”
His conclusion: “While trust produces obscurity in the market, transparency makes the market more fluid by avoiding the phenomena of concentration, agreement or non-customs barriers. While trust favors American technologies, transparency accelerates the adoption of European suppliers of digital technologies whose export success remains the best demonstration of their competitive advantages and whose existence is essential to our autonomy.