A Time for Tech Sovereignty Reckoning
After years of mounting concerns made worse by recent geopolitical tensions, European governments are starting to come to the same conclusion: they need better control of their technology infrastructure.
These musings are prompted by the dissonance in recent developments from Microsoft. In June, it was reported that Microsoft had helped suspend the email account of an International Criminal Court prosecutor in the Netherlands, Karim Khan, who was investigating Israel for war crimes to comply with an executive order from President Donald Trump. This action came just two months after Microsoft President Brad Smith had said in a speech in Brussels that the company would retain the option to sue the Trump administration if it was ordered to suspend its European cloud operations, in an attempt to allay European leaders’ concerns that using U.S. cloud services is a risk. The tension in these two actions seems … palpable.
While largely focused on Europe, the situation has highlighted a critical vulnerability that governments face globally: Institutions that are dependent on any one provider’s technology become subject to that provider’s decisions to put politics before proprietorship. Particularly amid rising geopolitical tensions, countries—including the United States—need to take steps to safeguard their digital infrastructure by diversifying vendors and reducing reliance on dominant providers.
The economic incentives for relying on a sole-source provider are real, but overreliance on any single technology provider leads in the long run to enhanced cybersecurity risk. More problematically, sole-source dependence runs the very real risk that countries will enact laws that enlist technology companies in efforts to punish their international political and diplomatic foes, like a remote “kill switch” that turns off access to a company’s technology.
Recently, some European countries—most notably Denmark and Germany—have demonstrated that they understand this risk. Both were already moving away from Microsoft products before the news broke of Microsoft’s role in suspending the ICC prosecutor’s email account. Earlier in June, the Danish government announced plans to pivot from Microsoft Office to open source alternatives such as Libre Office, and the municipal governments in Copenhagen and Aarhus had decided to phase out Microsoft due to concerns over their dependency on a “near-monopoly” and the geopolitical climate under Trump. At the same time, the German state of Schleswig-Holstein said it was turning from Microsoft to open-source software to “take back control” of its systems.
Both countries cite digital sovereignty—the ability to have control over their own data and digital destinies—as one of the key reasons for these changes, which come as countries across the EU increasingly seek to reduce their dependence on foreign technology providers, primarily those from the United States. Their decisions reflect rising concerns over too much power being concentrated in the hands of a small number of tech companies. These concerns have increased as U.S. technology companies demonstrate that they won’t stand up to Trump on behalf of European interests.
The ICC, an international legal institution based in the Netherlands, relies on Microsoft for critical digital services. To comply with a U.S. political decision, the company turned off Khan’s email and froze him out of communications with colleagues. This suspension was seen as a wake-up call for why digital sovereignty is critical in today’s world. It was a clear demonstration of how deplatforming, generally understood to mean removing or banning an individual from a particular social media platform, extends to other digital platforms, like email. The chairman of the Copenhagen Audit Committee said about the municipal government’s decision to phase out Microsoft: “If we suddenly can’t send emails or communicate internally because of a political fallout, that’s a huge problem.”
Europe understands its overreliance on a single technology provider is a risk to digital sovereignty, but this concern is not unique to Europe. The U.S. government has also put itself in a position where it is dependent on Microsoft, with the company holding an 85% share in the U.S. government office productivity market. The reality of this dependency risk became clearer when, in the past weeks, separate reports revealed that Microsoft had been using engineers in China to help maintain the Defense Department’s computer systems and that Chinese hacking groups had exploited a vulnerability in Microsoft’s SharePoint servers to breach U.S. federal agencies. The concentration of the public sector’s digital capabilities with one vendor creates a single point of failure in which a disruption can cripple U.S. government operations.
A key part of reducing concentrated risk is prioritizing vendor diversity by engaging multiple vendors so that if one vendor fails, others can maintain continuity. But in addition to diversifying their tech stacks away from a single vendor, governments should also seek out providers who offer infrastructure that is immune to political pressure.