Achieving digital sovereignty goals with open collaborative technology
By Red Hat
Digital sovereignty is not simply a matter of where data is stored, but of whether agencies have full trust in the technology they are using, says Vincent Caldeira, Chief Technology Officer, APAC of enterprise open source software provider, Red Hat. He explains three ways agencies can achieve digital sovereignty goals with open source software.
Open source technology can support governments in retaining oversight over their digital infrastructure, data, and technology. Image: Canva
Today’s conversation around digital sovereignty began with the need for businesses to maintain control over their digital infrastructure, data and technology. The International Data Corporation predicts that by 2024, 65 per cent of major enterprises will mandate data sovereignty controls – or the storing of data within national boundaries – from their cloud service providers, so that businesses can adhere to the data protection requirements set out by host countries.
With the increasing interconnectedness of digital systems, government agencies are now asking if they can have full trust in the technology they are using. Without digital sovereignty, cyber attacks could disrupt critical infrastructure, undermine national security, or even put citizen safety at risk. This concern was at the heart of the TikTok congressional hearing in the United States in March 2023.
“After all, data poorly secured in your home country may still be at higher risk than data securely protected elsewhere,” says Vincent Caldeira, Chief Technology Officer, APAC of enterprise open source software provider, Red Hat.
“It’s really about trust in the underlying technology. Do you actually know the provenance of the software? If you have a third party provider operating your IT platform, can you ensure this provider follows your local rules and regulations with regards to data?” asks Caldeira.
He explains that an open source approach is the best way to ensure stable, neutral, and transparent processes.
“Open source is the right DNA for digital sovereignty as a whole. I don’t think there is any other process that would guarantee the same efficiency, openness, and trust,” says Caldeira. He shares three ways open source can help agencies achieve digital sovereignty goals.
1. Know your technology inside-out
As government agencies expand digital services to bridge digital divides and ensure citizens can access services anywhere and anytime, it is critical to maintain cyber resilience. Such services generally involve the collection of personal information and citizens need to be confident that their governments are able to respond to security threats decisively.
Central to having control over one’s digital destiny is knowing where your tech comes from and what your software is exposed to – in other words, having full visibility. Open source technologies allow agencies to examine the source code of the software they’re using and have full transparency on how these tools were built, says Caldeira.
For CTOs and CIOs looking to get a jumpstart on their digital sovereignty efforts, Caldeira stresses the importance of understanding their own software supply chains and being aware of the code baked into their software.
This also ensures IT professionals have full transparency on security matters and can examine the source code for security risks independently.
“As a practitioner, I know for sure I get notified of security alerts and fixes with open source software much faster than with proprietary software,” says Caldeira. There also tend to be communities of developers on the lookout for vulnerabilities they can resolve within open source software.
Open source software also helps teams retain knowledge of best practices even as personnel move on and teams turn over. Knowledge can be built into source code and shared transparently, he explains – an “everything-as-code” approach.
These best practices can be audited and shared transparently between development and operations teams and enable a leaner DevOps approach, leading to stronger accountability between functions and reducing security risks, explains Caldeira.
2. Prevent lock-in to external providers
Beyond supporting agencies in understanding their technology better, open source technologies also help agencies avoid lock-in to external technical providers, says Caldeira.
Open source technologies allow governments to build a single open architecture overseeing multi-cloud options. In turn, this gives agencies their choice of services by different providers, and allows agencies the opportunity to switch providers if there is a security lapse or performance issue.
Dependence on a single technical provider is a central barrier on the road to digital sovereignty. When all your eggs are in one basket, all it takes is for one external provider to fall prey to a cybersecurity attack for a country’s critical infrastructure to go down.
Countries like China and Russia have managed this by building their own operating systems for government agencies based on Linux, explains Caldeira. This allows them to have full control and oversight of their software supply chains.
However, this makes it costlier to innovate and keep pace with the technological advancements happening in the rest of the world. This also means the community of developers scrutinising the code is smaller, shrinking opportunities for innovation, he explains.
For most countries, there will always be some amount of outsourcing to build and operate infrastructure, he says.
In fact, the government cloud strategies of Southeast Asian countries like Malaysia and Singapore offer agencies the choice between multiple third party cloud providers. At a recent GovInsider conference, Tang Bing Wan, product owner for Singapore’s Government on Commercial Cloud (GCC), shared that the GCC is “cloud-agnostic” and allows agencies to tap on services by various providers.
It is critical that agencies understand their level of lock-in and ensure there is some reversibility when tapping on cloud-native services offered by third-party providers, highlights Caldeira.
3. Simplify your IT environment
Finally, open source can support countries by simplifying the complexity of their IT environments, helping them not just tap on multi-cloud options, but also tie together private and public cloud services.
Caldeira notes that when it comes to sovereignty, it’s not an “all or nothing approach”. Most government agencies pursue a range of different cloud strategies, with varying sets of controls.
For instance, defence agencies are more likely to have tighter data and information security controls and higher levels of data localisation regulations. In contrast, citizen-facing agencies may run their services within a relatively public zone, as the ability to access the Internet might be critical.
But this means an increasingly complex environment, and agencies may find it difficult to scale and operate efficiently when policy compliance requirements can vary drastically depending on the context.
A sound and simple architecture stitching together the various open source components of different projects can help reduce complexity and ensure that all components work well together, explains Caldeira. Red Hat’s engineers provide such support to agencies which are looking to build and simplify such an open source platform.