EU's digital sovereignty boo-boo may be the best thing to ever happen to the project

OPINION There's a spy in the court of Europe's digital sovereignty. Actually there are two, the half-siblings Intel and AMD, whose chips power the Old World bit barns on which the sovereign cloud is based. Both companies' chips have so-called Ring -3 management subsystems, complete computers with deep access to the host system, while remaining largely opaque to the people who own and administer it. All this isn't secret, even if it's not widely discussed. The story is more that the French specification derived from the EU's IPCEI-CIS specification and for sovereign clouds, while having thousands of technical details, doesn't mention this at all. The management subsystems are designed to be controlled over the same networks that servers use for servery stuff, which makes them in theory and in practice vectors for remote attackers. As Intel and AMD are governed by American laws that can force them to act in secret for the state, the billion-Euro effort to fly the European flag over an impenetrable cloud fortress seems badly flawed. A good old supply chain attack, not so much secret as too boring to think about. Fixing it will mean fixing that supply chain, and the others that live in the same blind spot. Sovereignty is supply chains. If you don't control the components that keep your state safe from malign influence or outright attack, you don't have sovereignty. This is most starkly on show during wartime, not just in military logistics in theatre but also the industrial base that keeps the machinery going. The effective strangulation of Japan's oil and other raw materials during World War II fatally constrained what its military could do. In technology, America controlled the supply of high-quality quartz needed to make radio crystals, which gave its battlefield communications a generational advantage. Britain's early warning radar system depended on tubes made only in Holland, necessitating a last-minute convoy of components and tooling that left the Dutch factory the day before the Germans overran it. Most ironically, during the Cold War, the titanium needed for the Mach 3 SR-71 spy plane came from the Soviet Union. Which obliviously sold it to a chain of shell companies set up by the CIA. That's the same CIA which surreptitiously took control of Swiss cryptography company Crypto AG to backdoor its products. Supply chain attacks can come in many forms. Sovereignty can never be guaranteed, only risk-managed. Managing the risk of Europe's autonomous cloud security is the primary lens of the specification, and in overlooking the risk inherent in CPU management engines, this task is incomplete. That risk can be extended to everywhere in the overall infrastructure that CPUs touch data and network. Routers and switches inside the datacenters, as well as in the connectivity between there and the users, all offer extensions of that threat surface. Mitigating that risk isn't as unthinkable as may appear. The first step is to characterize the traffic types and patterns that the management subsystems generate and evolve defences. Asking Intel and AMD how to do this, and how to disable them permanently, at the same time as developing these techniques independently, will create an initial patch. Then, armed with an updated specification which specifies no Ring-3 independent processing or ones that are properly transparent, ask the chip companies to comply and make variants of their processors that can go in the next refresh. The best opportunity, though, is for Europe to build its own datacenter chips. It is unduly pessimistic to say that the only way to do this is to wait for Risc-V to mature for a decade or so. There is plenty of Arm expertise and licensable IP out there for high-performance devices. It's not open source, but it is available under NDA to clients, and with the right Arm license you get to add what you like. Apple started developing the project that became the M1 Apple Silicon in 2018, and started selling the results two years later. If the EU wanted, it could ask a third party to build Arm designs to digital sovereignty specifications. It could start its own design bureau, hire the talent and keep everything in-house. Apple did it, Qualcomm and Broadcom did it, Samsung and MediaTek and Renesas did it. This is a well-trodden path. The size of the market for digital sovereignty-certified datacenter chips is unknown, but there's a good chance that any venture set up to create them will see a lot of interest from enterprises and other states who don't want their most intimate silicon to spy on them. Plus, Europe gets some very desirable capabilities in CPU design. There's good eating in that. You can only have true digital sovereignty when you either control or trust the supply chains that link data and network. That's the perspective that can deliver what's needed, and the only one that can. Open source is the obvious foundation for the software component, not necessarily for hardware. We can make Intel and AMD burn their codebooks, and we can evict them altogether from the fortress. The best control is the most control if you want to be king. (R)