Avoiding the Achilles Heel of Non-European Cybersecurity

Globally, the cybersecurity industry is concentrated in Israel, China and the US, each of which has considerable needs and expertise that have made it a world leader. But over time some of these countries' strengths have become weaknesses, especially for companies based in the EU.

Many of China's cybersecurity capabilities, for example, are intrinsically linked to military and governmental bodies, making it impossible to assess the independence and neutrality of many Chinese organizations accurately. European authorities have also viewed some of the tools developed in China as operating in a 'grey area': they could prove to be powerful offensive capabilities should they fall into the wrong hands.

What's more, legislation introduced since 9/11 raises several questions about the use of US cybersecurity companies, services and applications. US authorities can compel a US provider to hand over the data it holds, wherever in the world that data is stored, and frequently without the data's owner ever being told, particularly if the owner is foreign: a real Achilles heel. And when you consider that the three biggest cloud service providers fall under the jurisdiction of the US government, it's clear that the issue stretches beyond cybersecurity alone.

There’s an argument to be made, then, that European businesses should look toward European cybersecurity and infrastructure providers for greater peace of mind. 

Raising Concerns Over Data 

The global cybersecurity "superpowers" have far-reaching security legislation in place, much of which has profound implications for personal and corporate information privacy.

There are concerns about a draft bill from the Israeli Prime Minister's Office that would empower the government to gain direct access to the data and systems of private and public organizations where it judges this valuable for cyber-defense purposes.

China's Cybersecurity Law ('The Cybersecurity Law of the People's Republic of China'), which came into effect in June 2017, allows Chinese authorities to conduct spot-checks on an organization's network operations and requires network operators and service providers to give the authorities access to data, and technical assistance, on request. While Beijing insists that the law brings China in line with global cybersecurity best practice, it has raised concern over data controls and the potential for IP theft. Asked to provide the authorities with crucial information such as source code or encryption keys, companies worry that it may be passed on to local competitors or used by the Chinese government itself.

Compelled Access

US-based organizations are beholden to laws such as the CLOUD Act and the USA PATRIOT Act, which pose a risk to data belonging to any other region. Under the CLOUD Act, any provider subject to US jurisdiction, whether it sells cybersecurity, hosting or collaboration services, can be ordered to hand over data in its possession, custody or control regardless of where that data is stored, and such orders can be served without the data's owner ever knowing, particularly if the owner is foreign.

Moreover, on his last full day in office and in the wake of the large-scale SolarWinds attack, former President Trump signed an executive order directing the Commerce Department to draw up rules requiring US IaaS cloud providers to verify and keep records on their foreign customers, including names, physical and email addresses, national identification numbers, sources of payment, phone numbers and IP addresses, so that US authorities can track down cyber-criminals who abuse these services. As the providers concerned include AWS, Microsoft Azure and Google Cloud, the order affects many citizens and companies worldwide.

While there have been attempts to stem the flow of information to the US, such as the European Court of Justice's invalidation of the EU-US Privacy Shield in July 2020 (the Schrems II ruling), data subjects can still find themselves exposed.

Looking Closer to Home

There are alternatives, however. Rather than risk their data privacy with hosts on other continents, European businesses should consider looking closer to home and house their data with European-based providers instead. They should also check that the third-party software and service providers they use are based in the region and are neither owned by, nor dependent on infrastructure from, companies in the "big three" countries. The check matters because laws like the CLOUD Act turn on whether the provider is subject to US jurisdiction, not on where the data physically sits: a European data center operated by the subsidiary of a US company may not remove the exposure at all.

Operating hybrid solutions over European infrastructure makes it far less likely that an organization's data and infrastructure will be exposed to foreign entities, state or otherwise, or to the uncertainty of laws like the CLOUD Act and the USA PATRIOT Act, which offer no protection to businesses based in the EU. Relying on private cloud infrastructure in Europe can also deliver the low-latency data transfer that increasingly distributed organizations depend on.

What's more, an organization's cybersecurity challenges are best addressed by experts who understand the organization, its language and its culture. The same native understanding of their customers' regulatory environment, and the constraints it imposes, enables those experts to respond the moment an issue arises.

Most importantly, perhaps, with cybercrime continuing to rise, choosing a European provider gives organizations the assurance that their data, and that of their customers, is held by a provider that answers to the GDPR, one of the most stringent data protection regulations in existence, and not also to a foreign disclosure regime that conflicts with it.

Going global is undoubtedly good for business. But in the case of an organization’s data and its security, staying local may be best. 
