Unless Sweden and the EU strengthen their digital autonomy, there is a risk of catastrophic consequences. That is the conclusion of Lund University researcher in computer science, Johan Linåker, who considers that we must begin to think about control and maintenance of digital infrastructure in the same way as critical physical infrastructure such as seaports, airports, roads, and water and power networks.
Non-European, principally American, IT companies and cloud services dominate our digital lives - from social media, payment services and digital meetings to the entire IT structures in healthcare and industry.
As a result of increased geopolitical tensions in recent times, a wider public has suddenly become aware of the disadvantages associated with these non-European dependencies.
However, experts have been flagging this up for a long while. One of them is Johan Linåker, adjunct senior lecturer in computer science at Lund University and senior researcher at RISE - Research Institutes of Sweden.
"There is now an increasingly explicit risk that the providers we are reliant on could be used as pawns and leverage in the geopolitical game, all to create advantage or to force a foreign power's own agenda on others."
He emphasises that if access to digital services or clouds is restricted, disrupted or intercepted, it could have catastrophic consequences.
"You can compare it with pulling out a power cable. We would lose access to a large part of the digital world and societal institutions that we are reliant on, consciously or unconsciously."
If we go back a little, can you give a concrete example of what this reliance entails?
"Take cloud services as an example. Many public sector organisations in Europe use American providers such as Microsoft Azure, Amazon Web Services or Google Cloud. These are needed to run and use many of the digital services we are reliant on in one way or another. This also means that data relating to citizens and societal functions are often stored and processed outside the EU's jurisdiction. This can create conflicts when American legislation gives public authorities there the right to request data, even though it is stored by the same provider within Europe."
"A while ago, the media covered a technical fault at an American cloud provider, Amazon Web Services, something that impacted several apps and messaging services globally. But that is just a ripple compared with what the consequences could be."
In other words, without our own server halls and service providers there is a risk that the whole of society could be paralysed.
"Yes, exactly, if we do not start to act preventively. Just like civil society in general, even the digital part of society must be able to function in the event of a crisis. We must begin to build up digital resilience and the ability to manage crises if they arise."
How are we to avoid the risk of this happening?
"A significant measure that perhaps seems surprising but which is extremely important is public procurement. It must be easy to make the right choices. We must start learning to set clear requirements for security, control and maintenance of digital infrastructure just as we do for critical physical infrastructure such as seaports, airports, roads, and water and power networks. Price cannot always be the guideline in the evaluation of different tenders."
"One example of guidance is how the French cybersecurity authority has developed a certification for services that meet the requirements of European data legislation. Even though it has flaws, it's an example of what concrete guidance can look like. Another example is the Cloud Sovereignty Framework - a set of guidelines recently introduced by the EU Commission that can be used to rate alternatives in a procurement."
Does the EU also need to try to build up its own companies to correspond to companies such as Microsoft and Meta?
"Swedish and European cloud and service providers need to grow larger, stronger and greater in number. We already have good, competent providers but they must be able to meet the enormous needs covered by the major, often American, giants. There is big potential if they can begin to cooperate and create joint offerings. If they are invited to join the dialogue, they would probably rise to the occasion."
In addition to clouds, you also talk about IT services - what is the situation there?
"There is a lot happening in this area right now and that is pleasing to see! For example, replacement options for the Office package are now emerging - until recently there have not been any direct alternatives. We are now seeing that countries such as France, Germany and the Netherlands are in full swing through an EU initiative to develop complete systems based on open products for video, chat, document management and so on, which can be combined like Lego according to your preferences."
"In Sweden, we have a corresponding light solution for digital collaboration tools that is being developed and provided by the Swedish National Insurance Agency under the name SAFOS and which is aimed at the public sector in general."
How could services be developed across borders?
"Open source code and open standards will be very important tools in this respect. It will make it possible to build digital solutions that are transparent, reusable and adaptable, and it will be easier to switch to other alternatives. Using this approach, public sector organisations can share solutions between themselves, choose their own mode of operation and ensure they have control over both function and data."
Is there any part of Europe that has come a particularly long way in strengthening its digital autonomy?
"Yes, the state of Schleswig-Holstein in northern Germany is currently the pacesetter, having reduced the number of Microsoft licences to 30 percent of the original figure and it expects a reduction to one percent by 2029."
"Here in Sweden it may be worth mentioning Helsingborg, where the municipal management is currently running a pilot project to prioritise parts of the municipality's operations and test how these function in the event of a digital blackout. Can school catering and teaching, healthcare and long-term care, the fire service and social services continue to function? If not, what needs to be done about it?"
Does the same reasoning apply to services from other parts of the world, such as China?
"Yes, the principles should be the same regardless of the country of origin. It's about ensuring control over critical infrastructure and that data processing is performed in accordance with European legislation, norms and values. TikTok is an example that has sparked a debate about how our data is collected and used, but there are also other Chinese actors in the cloud services and hardware used in Europe. Here, there is a need for risk assessments and creating clear frameworks for what is acceptable in terms of security and sovereignty."
What can Sweden do in practical terms to contribute to Europe's digital sovereignty?
"Sweden is well placed to take an active role. By setting requirements for ownership, control, openness and interoperability in public procurement, investing in domestic and European digital capacity, and participating in European collaborations, we can help to build a more resilient and autonomous digital ecosystem. We can also promote the use and development of open source code in the public sector - something that is already happening to some extent, but which could be scaled up."
And finally - can we really be completely digitally autonomous?
"No, we won't be able to be fully digitally autonomous. But we can and should strengthen our capacity so that we can continue our digital lives and use our digital infrastructure, just like the physical infrastructure, in the event of a crisis, regardless of the type of crisis."
