Cloud: no salvation for the public outside the private sector, says Nicolas Chaillan

A maverick in the upper echelons of the US Department of Defense (DoD). Marseille-born Nicolas Chaillan is only in his early forties, but has already led US cybersecurity operations within the Department of Homeland Security (DHS), a super ministry of the Department of the Interior, before becoming an advisor to the office of the Defense Secretary and then Chief Software Officer for the US Air Force, a post that was tailor-made for him.

This « serial entrepreneur », who wrote his first software program at the age of 12, takes cybersecurity very seriously. However, during an interview granted to inCyber prior to his visit to FIC Europe 2023, Nicolas Chaillan expanded upon some of his iconoclastic positions on the cloud.

The cloud is the central theme of this year’s FIC. We are embroiled in a strained context with Russia and China, geopolitically but also in terms of cybersecurity. Is it really a good idea to entrust your data to someone else’s computer?

It’s a little more complicated than that. There are notions of security, but also of speed and the capacity to innovate. When you examine the problem in more detail, you realise that here in the United States, we have spent tens of billions of dollars on establishing a sovereign cloud with Amazon and Azure. And despite these astronomical amounts – which Europe cannot spend because it lacks the means – the government version of clouds is, on average, lagging two to four years behind the commercial versions.

And now, with the advent of AI solutions such as OpenAI and ChatGPT, we can see that it costs $100 million to host OpenAI on a cloud. If we were to duplicate all this on the government networks, it would cost a fortune: it’s not 100 million spent once, but several times over.

Moreover, these solutions become obsolete incredibly quickly! If we want to maintain access to the best technologies at a speed that allows us to remain competitive, we soon realise that we have no choice but to use commercial versions.

Commercial clouds in such sensitive sectors as defence?

In other words, after spending so much money here, we are considering accepting the risk of hosting data or using services that are hosted on non-governmental clouds. This is because we need access to the best possible technologies and ultimately realise that not having access to them may actually create bigger security problems than if our data was hacked.

Without these new technologies, we are not competitive. And not being competitive is even more serious than data theft. So it’s about striking a balance between security and speed – the ability to innovate in order to be competitive. Security is a real problem, but there are no easy solutions. I still worry about the Department of Defense being hacked, but I’m even more afraid that it will become so obsolete that no one will try to hack us anymore.

You talk about competition with other powers

That’s it. China, Russia… everyone’s in competition; whether they are countries or companies, there is always a competitor lurking somewhere. And for us, it’s China, Russia, and North Korea.

In terms of geopolitical and cyber hazards, from the American perspective, you mention China. From a European perspective, isn’t Russia the main threat?

China is much more advanced than Russia, and worries me much more. It really has adopted a global domination model. China is engaged in a de facto war with the United States, and therefore NATO is necessarily involved.

From a European standpoint, isn’t the cloud issue even more sensitive insofar as we have little choice but to resort to US solutions, with all the problems of dependence that this may entail concerning data confidentiality, the Cloud Act, etc.?

In an ideal world, we would all like access to the best technologies and capabilities without having to pay billions for them. But the fact is, the cloud requires massive investments and we can see that European companies like OVH, which is in the Top 10 worldwide, is lagging behind Amazon and Azure. When they came to see me at the DoD, it was a joke. They were so far behind that it was almost laughable, or quite tragic.

The Americans are already integrating AI-based services, the Europeans are not, and we can see that ChatGPT is revolutionising the IT world. But these require huge investments – billions. And OVH/the Europeans don’t have the financial capacity for this kind of investment. It’s like saying that some people working in their basement are going to be able to send people to Mars, but in reality, SpaceX will be the only operator that can manage to do it.

And what scares me is that people will often use security and sovereignty as the dominant factor in their decision-making. What’s more, I have lots of interactions with governments – US of course, but also French, Australian, and UK – and I have passed on the message that the sovereign side is important, but if you are no longer competitive, it is even worse.

So at some point, you have to be realistic. A cloud today is not just about virtualising servers and storing data, it is also about thousands of services that we use on a daily basis. And rebuilding all of that is impossible; it’s a delusion. This is the conclusion you reach.

But the EU is making efforts to build a European cloud.

Efforts are being made, but they are laughable. If there is no Apple, Microsoft, Google or Amazon in the mix, it’s physically ridiculous. It’s a waste of money and a waste of time.

It also shows a very limited understanding of the cloud. What I mean is, there are people who still believe that the cloud is merely a question of infrastructure, whereas today it is about very complex services. It has been extremely complicated to innovate in the cloud; it is no longer straightforward like it was ten, fifteen years ago, when if you had servers, a virtual machine and storage then you could have a cloud. Now it’s much more advanced than that.

And so what worries me are those countries that are trying to build their sovereign clouds and completely overlooking the fact that they are spending an inordinate amount of time on this, when in the end there are already much better options out there.

Nevertheless, that still raises security and confidentiality issues.

We do this every day in the DoD. You can host data on a cloud that you consider to be potentially hacked; it’s called a «  dirty  » cloud that is not « trusted ». We have ways of managing all of this, which means that we are still able to use the cloud even if it is not sovereign, while making sure that no one can steal our data. This problem is solved by encryption technologies. Security today is about « zero trust  », and it works. In agencies like the NSA and the CIA, everything runs on foreign clouds that are not American at all.

In short, there is little choice but to use existing commercial cloud solutions, especially from the US.

At some point you have to be realistic. The worst thing is that you have a choice, but if you make the wrong choice, you lose the war. Is that really an option? The problem is that the results of the decisions taken today will be apparent in ten years’ time, when everyone who made them will be retired and won’t care about them any more. So it may well be that people are making the wrong decisions and in the short term they may get away with it, more or less, but in the longer term, you’ll lose the war.