Digital sovereignty first!

Current debates on the defence of Europe are already discussing the kill switch – an emergency switch built into the control software of weapons systems supplied by the USA that can be used to paralyse them in one fell swoop. But it is not only with regard to defence systems that there is growing concern about the dangers of the extensive use of US software. German and European companies and administrations are dependent on it throughout, which presents them with imponderable challenges in the current situation. “Since taking office, US President Donald Trump has united the CEOs of the major tech companies behind him and has been exerting pressure on them. The economic and political instrumentalisation of the quasi-digital monopolies, such as Microsoft, Alphabet and Amazon, has developed into a scenario that companies can no longer ignore,” warns Joachim Richter, Partner at AXXCON, a management consultancy specialising in energy companies.

There are numerous manipulation and blackmail options before the kill switch

Specifically, according to the energy and IT expert, companies need to ask themselves what happens if US software for European corporate customers is manipulated, its functional scope is restricted or necessary security updates are no longer available? Or if unauthorised persons gain unnoticed access to sensitive company data, making companies vulnerable to blackmail? Equally threatening: the US government could already legally access data stored by US cloud providers via the Patriot Act, even if the data is not stored in the USA. Dr Bernard Richter, Managing Director of the consulting firm RCON, which specialises in resilient strategies, explains: ‘The kill switch scenario, in which central services are completely shut down, is just the tip of a long list of manipulation possibilities that could severely affect German and European companies.’

These scenarios are particularly threatening for energy suppliers as operators of critical infrastructures. Although it can currently be assumed that the operation of their power plants and grids cannot be substantially disrupted, all other business areas of an energy supply company could be almost completely taken out of the running – for example, if bills can no longer be issued and user data and energy consumption can no longer be processed. This would also have an impact on the control of the energy grids and could damage the critical grid infrastructure in the medium term.

This makes it all the more important that energy supply companies think the scenarios through to the end and stop burying their heads in the sand – even if they are in a dilemma. As Joachim Richter explains: “European cloud and software providers are currently not fully competitive. US software is seen as having no alternative in many business areas.” German or European specialised applications are also increasingly being converted into cloud solutions – operated by US cloud providers. Progressive cloudification is also increasing the dependency on US hyperscalers here – through the back door, so to speak. Nevertheless, further digitalisation and the use of new AI technologies remain imperative for competing companies.

What can energy supply companies do specifically?

But what steps can be taken to achieve digital sovereignty and resilience on the arduous, expensive and yet unavoidable path to security? First of all, energy supply companies need to take a very close look at their dependency, which is significantly increased by a ‘cloud only’ or ‘cloud first’ strategy. According to AXXCON, companies choosing this path need to think very carefully: Which parts of IT should remain in their own data centre and which should be moved to the cloud? Or is a sovereign cloud the right solution? They should also think about multicloud solutions in which European providers are used in addition – for example, when it comes to the so-called ‘crown jewels’ – applications that are absolutely essential for company operations.

According to Joachim Richter, “Wherever things become critical, you need to be able to demonstrably control and monitor the entire components from start to finish. A holistic view is therefore necessary: of application software, operating systems, infrastructure, data networks, security and backup systems and possible dependencies on service providers and their subcontractors.”

Raise awareness and start with encryption and backups

The potential threat posed by Donald Trump’s political pressure on US hyperscalers requires a different approach than, for example, protection against hacker attacks. A fundamental change of perspective is necessary. All procedures that have been defined as part of a business continuity strategy need to be re-examined. IT departments need to be sensitised and, among other things, data that is already stored at US hyperscalers needs to be checked to see whether it is sufficiently encrypted – ‘and in such a way that Microsoft, Alphabet or Amazon don’t have the key to it,’ adds Joachim Richter. At the very least, nothing can be done with encrypted data. Gaining control over the encryption keys is therefore a key point that can be started immediately. The backup strategy should also be reviewed in the short term. Is it sufficient and working as planned? Can the backups also be used sensibly if a US hyperscaler suddenly becomes unavailable? What are the scenarios for emergency operation?

Last but not least, it is important for the energy supply companies to position themselves in the political arena. A large proportion of the 500 billion euros that Germany plans to spend on infrastructure in the future should also be invested in digitalisation – including in the management of energy grids and their security. ‘Energy supply companies should prepare themselves to demand these investments,’ warns Dr Bernard Richter, Managing Director of RCON.