Government policy in the UK has recently woken up to the importance of a digitally equipped public sector, recognising the crucial role that digital transformation will play for public and private sector organisations. Policies from “levelling up” to the MOD Defence Digital and the National Data Strategy all indicate an ambition for the UK to harness its data and become a 21st Century world leader in the digital space. The adoption of sovereign multi-cloud offerings will be pivotal if this ambition is to be realised in the long-term.
Nowhere is this more important than in the defence and national security sector. While underwriting government efforts with a secure cloud computing strategy implemented across this sector is the logical next step, the transition to a robust digital future is still in its infancy.
Prior efforts to institute the Cloud First Policy were a step in the right direction but their application was flawed. It remains the case that the safest way to protect the UK’s most sensitive data and intellectual property is by shifting away from legacy hardware data centres to adopting sovereign cloud service providers.
Harnessing and protecting sensitive data
Sovereign cloud allows an organisation to aggregate its data – it therefore becomes more valuable and begins to expose new information (e.g., joining up datasets). Joining up locational or geographic data, with visas or names of service personnel in a country can become sensitive intelligence. Crucially, sovereign multi-domain cloud allows scalability of that data, so as its classification changes it can be re-allocated between different levels of security in real-time, from open source to the highest levels of classification.
There are key security benefits too. Jurisdictional concerns that other countries can make use of legislation such as the Cloud Act, Patriot Act or FISA to circumvent privacy laws can be dealt with by using a cloud provider that is sovereign; foreign companies cannot gain access or transfer sensitive data away from the UK.
Using a sovereign provider can also be an operational necessity. Military bases stationed abroad in Cyprus, the Falklands and until recently in Afghanistan benefit from establishing a “Sovereign Base Area”, which acts as an extension of UK territory and jurisdiction, protecting the transfer or storage of data on foreign soil could be treated similarly using sovereign cloud services.
Three core considerations
Alongside the scalability provided by multi-cloud – allocating sensitive data at different security classifications – a ‘defence in depth’ approach can be used to further secure data using firewalls, segregating networks, using identity access management and rules-based access control tools. Physical security guarding individuals or cloud hosting facilities can work in tandem alongside Security Operations Centres analysing the behaviour of those interacting with protected data sets. Defence policymakers need to be more agile and move beyond legacy hardware which can be physically secured but may not be secure from insider threats, malware, ransomware and viruses.
Retaining our digital skill base into the future is also a fundamental consideration for defence policymakers. Where investment diminishes, the national skill base quickly narrows until it is obsolete. Job opportunities in growth industries like cloud computing sustain the education and training of specialist professionals, fostering future resilience as well as benefiting the wider national economy. This is valuable IP – but it also allows for strategic trade deals with technologically savvy international partners. For UK security to be sustainable, we must retain a mutually enforcing ecosystem where degrees lead to jobs, and jobs lead to profitability and increased demand.
Passing a Data Sovereignty Act into law, following in the footsteps of 126 other countries would address a lacuna in legislation. The UK is behind the curve on taking a security-orientated view of protecting government data. Japan and India have developed world leading data sovereignty and localisation frameworks. Examples are there to be followed and we should act sooner rather than later.
The UK must become a 21st Century global power, taking a security-first approach to procurement – and it must learn lessons from recent leaks.
Ways of working in central government have not matched the pace of digital transformation. Cautionary tales abound, whether it was the high-profile leak of documents detailing naval movements, left by an MOD official at a bus stop, or the accidental MOD leak detailing the names of Afghan interpreters applying for asylum.
A sovereign cloud provider would be better placed to protect key information whether because of data classification, data sensitivity or both, providing greater security for that data which, were it to be exposed or compromised would lead to reputational damage for HMG, exposing military operations to greater risk, constraining freedom of movement in military operations, or putting personnel or their families at some form of risk.
Given the risks, embracing digital transformation in the defence and security sphere seems a no-brainer, with a secure and customisable cloud helping to avoid similar pitfalls in the future. Re-examining procurement practices is a must to recognise the importance of sovereignty and to realise the core benefits of UK offerings such as social value and national capability.
A step change towards sovereign cloud adoption
It is not controversial to suggest that public sector bodies have an imperative rather than a choice to embrace digital transformation – but in the UK’s defence sector, it is especially pressing, and a step-change is needed. There must be greater understanding amongst policymakers that a scalable sovereign multi-cloud provision can patch vulnerabilities exploited by foreign intervention or ransomware attacks, whilst offering a reem of benefits. Failure to invest in retaining UK skills in cloud computing and turning a blind eye to the necessity of fit-for-purpose national data sovereignty legislation is tantamount to sleepwalking into a crisis. A secure and sustainable approach to cloud computing is both possible and pivotal to the sustainability of our national security in the long run, and policymakers must make right decisions now to realise it.
If you would like to join our community and read more articles like this then please click here.