With growing geopolitical risk, a stricter regulatory environment, and new technologies such as Blockchain, how and where sovereign data is stored and accessed is an increasingly important issue for governments and companies. ThorGroup Chairman and President Dr. John B. Sheldon examines the security claims of new diplomatic and commercial concepts for storing sovereign data in data embassies and in Earth orbit.
Geopolitical risk these days is more than just the threat of great power conflict. It is also about ensuring and assuring the security, integrity, and accessibility of sovereign data through the use of data embassies on Earth, as well as data storage in Earth orbit.
Estonia is seeking to mitigate the geopolitical risk of possible invasion by Russia by establishing a data embassy in Luxembourg. Companies such as SpaceBelt and SpaceChain intend to establish satellite constellations utilising Blockchain technologies and the remoteness of the space domain to manage the geopolitical risk to vulnerable terrestrial data storage centres as well as the increasing regulatory demands for sovereign data use and storage.
With a number of diplomatic and commercial efforts underway to address the need to provide for the security and integrity of data, they are also far from invulnerable and infallible. This means that redundancy will be critical to sovereign data security, integrity, and accessibility, and this will inevitably be costly.
Why Data Embassies and In-Orbit Data Storage?
We are living in a vast ocean of data.
And this data is under constant threat from criminals, terrorists, trolls, and hostile state actors. Witness the crime spree believed to be perpetrated by North Korean cyber units in support of its state interests. In essence, there is a country that is a member of the United Nations that practically robs banks as a matter of undeclared policy. The fact that they carry out these crimes remotely from computers rather than physically with sawn-off shotguns and ski masks does not detract from the enormity of this phenomenon.
Yet while North Korea’s cyber crimes capture the headlines, data of all kinds is under constant, hostile threat and vulnerable to the effects of natural disasters. These threats and vulnerabilities are spurring a wave of technical and conceptual innovation that seeks to overcome these challenges.
Enter data embassies and space-based sovereign data storage and access.
Almost all data, whether its Personal Identifiable Information (PII) such as bank, medical, and social security information of citizens, or corporate accounts and government records, are subject to increasingly strict and demanding national laws in how and where it is used, stored, manipulated (if at all), and accessed.
One has to only look at the strict demands and inevitable costs made on governments and companies with the imminent introduction of the European Union’s General Data Protection Regulations (GDPR).
Further, this data is increasingly being targeted by criminal organisations, and more serious in possible consequences, by hostile states. Estonia learned this the hard way in 2007 when it found itself under cyber attack by what many believe came from Russia. That attack had a sever impact on Estonian banks, government services, and the actual functioning of the Estonian public and private sectors.
Data breaches, such as regular criminal theft of sensitive customer data from corporate databases, or the Chinese breach of the U.S. Office of Personnel Management (OPM) database that exposed the PII of millions of American civil servants and military personnel, demonstrate the need for such laws and regulations.
But they have also incentivized countries like Estonia, and companies such as SpaceBelt and SpaceChain, to innovate.
To ensure continuity of government operations in the event of attack or natural disaster, and to disincentivise attacks in the first place, as well as to protect its sovereign data, Estonia is about to open a data embassy in Luxembourg.
As the term implies, sovereign data is data that cannot be stored outside of the national territory where that data originates from, meaning that it cannot be stored in foreign data storage centres that in practice might be more physically secure. These laws and regulations require large data storage centres that can be vulnerable to natural disasters (storms, earthquakes, floods, and so on) as well as to physical and cyber attack by hostile entities, placing that data’s security and integrity at risk.
For a country like Estonia, bordered by what it considers to be a hostile Russia and with its comparative lack of strategic depth, it must find new ways to protect its sovereign data and ensure continuity of government and economic operations in the event of a national emergency or crisis.
As a result, building a data storage facility in a third country that is, in fact, an extension of its traditional embassy with all of the rights, privileges, and obligations that emanate from the Vienna Convention governing diplomatic relations, status, and immunities, provides a solution to the Estonian challenge to its national security.
By storing its sovereign data in a third country such as Luxembourg, Estonia not only creates for itself a virtual form of strategic depth that has beneficial geopolitical implications, but it also increases the diplomatic and geopolitical costs to any would-be attacker targeting that data since it would impact a third country in any hostile action.
This innovation does not render Estonian sovereign data completely secure under all circumstances, but it does exponentially increase costs to would-be attackers while at the same time securing and ensuring the integrity of its sovereign data.
Space-Based Data Storage
Another innovation is to store sovereign data on-board satellites in Earth’s orbits, a concept being pursued by companies such as SpaceBelt and SpaceChain.
Companies like SpaceBelt recognise the problems and challenges of storing and securing sovereign data while at the same time making sure that it is accessible and usable to the authorised individuals and entities that must use that data.
The SpaceBelt solution is to create a secure cloud on satellites in Geosynchronous and low-Earth orbits. Data is beamed via uplinks to a SpaceBelt satellite in GEO, which then uses encrypted laser communications to send that sovereign data to a data storage satellite, from which it is not only stored but can also be accessed by authorised users.
For Spacebelt, the attraction for would-be clients is that satellites in orbit are immune to many of the natural and manmade risks that plague data storage centres on Earth, simply by virtue that a data storage satellite is hundreds if not thousands of kilometers in altitude away from the Earth’s surface.
Of course, SpaceBelt are not only relying on the relative remoteness of space for securing sovereign data. They also intend to utilise laser communications (immune to most traditional electronic warfare techniques) and store and transmit the sovereign data using their own version of the Blockchain, namely the Hyperledger.
For SpaceChain, who rely on the Qtum Blockchain, the aim is to decentralise data storage and actually bypass stricter national laws and regulations for data storage, though their business model seems at odds with the overall trend of centralizing data storage and management for regulatory and security reasons.
Innovative for sure, and certainly the SpaceBelt and SpaceChain proposals could offer a measure of improved security to those seeking redundant means of storing and securing their sovereign data.
Further, space-based concepts such as that advocated by SpaceBelt and SpaceCahin rely upon the legal and sovereign status of satellites in orbit. Space itself cannot be appropriated by states for sovereign control, yet satellites and spacecraft in space are the sovereign property – much like embassies in foreign countries – of the states that own and operate them, or of the companies that are registered in those states.
For example, the U.S. Global Positioning System (GPS) satellite navigation system is thought to be composed of about 28 satellites in medium-Earth orbit (MEO), and each one of those satellites is the sovereign property of the U.S. government. Similarly, a commercial communications satellite owned and operated, for example, by Intelsat – a U.S. headquartered private company – is the physical property of Intelsat, but falls under the sovereign jurisdiction of the U.S. government because Intelsat is a U.S. owned and registered company.
As a result, Intelsat must ensure that its activities in space not only comport with U.S. laws and regulations, but also with U.S. obligations to international laws and treaties governing space activities to which the United States is party and signatory to.
This is not as strict as it sounds, since that comportment in reality is in large part dependent upon how the U.S. government interprets its obligations to those international laws and treaties, but the legal and diplomatic point is nevertheless an important one.
The United States, GPS, and Intelsat are used here merely as examples, since what I have just described applies also to government and privately owned satellites operated by Algeria, Bhutan, and Canada, as well as all other spacefaring countries.
Don’t Believe the Hype: Vulnerabilities and Threats
But, by themselves, are data embassies, whether in third countries on Terra Firma, or data storage satellites in Earth orbit, really as secure as advertised?
Estonia could enjoy a measure of continuity of sovereign data access and services via its data embassy in Luxembourg even if Russian tanks and troops were to breach its borders and occupy much, if not all, of the country. But in such a disastrous eventuality, a data embassy might well be beside the point since the political and military facts on the ground would have been radically altered.
Similarly, in a crisis between Estonia and Russia, Luxembourg might be placed under intolerable pressure by the weight of Russian diplomacy and other forms of pressure to close the Estonian data embassy, or at least deny Estonian access to its facility.
Worse still, there would be little that could be done to prevent the physical attack against such a data embassy in Luxembourg by deniable, yet Moscow-controlled, assets.
In the event of a sustained and damaging cyber attack, however, a data embassy is certainly a useful and redundant means of assuring sovereign data security, integrity, and access since an attacker would have to target exponentially more networks and nodes, costing them more scarce resources and running the risk of exposure.
A space-based solution, such as the SpaceBelt and SpaceChain proposals, is equally attractive yet may present certain risks to would-be clients.
Space is no longer that remote – access is more reliable and widespread and satellites are increasingly vulnerable to purposeful attack and environmental hazards.
The emergence of commercial on-orbit servicing capabilities along with the renewed development of antisatellite (ASAT) weapons increase the possibility that data storage satellites might be interfered with, even sabotaged or destroyed, in orbit. Furthermore, the lack of reliable and transparent Space Situational Awareness (SSA) means covert interference with such satellites would be possible.
Also, satellites are not immune to environmental hazards such as solar flares, meteorites, radiation, and, increasingly, the risk of catastrophic collision with manmade space debris.
Similarly, the ground-based infrastructure, networks, and datalinks for a space-based system such as SpaceBelt and SpaceChain are even more vulnerable to determined attackers, whether using physical or virtual means.
Over time, and given the increasing strategic and economic value of data, data storage satellites will likely become an attractive target for hostile actors using counterspace capabilities in a time of crisis or war.
Further, Blockchain technologies, while certainly demonstrating security potential better than previous technologies, are not invulnerable. One only has to look at the recent theft of hundreds of millions of dollars in cryptocurrencies from Japanese cryptocurrency exchanges to understand that Blockchain is far from completely secure.
Redundancy, Redundancy, Redundancy
The key word in securing and storing sovereign data is redundancy, and redundancy is costly. By themselves, data embassies and space-based data storage are only temporary solutions to an increasing economic and national security problem. Yet the financial costs, while inevitably high, will pale into comparison to the cost of lost and compromised sovereign data.
States, and companies, that seek to protect the security and integrity of sovereign data in a time of increasing operational and geopolitical risk may ultimately have to examine a combination of Earth- and space-based sovereign data storage and security solutions to ensure that risk is adequately addressed.
Dr. John B. Sheldon is the Chairman and President of ThorGroup GmbH, and publisher of SpaceWatch.Global.