A security surveillance camera is seen near the Microsoft office building in Beijing, July 20, 2021. Microsoft says cyberattacks by state-backed Russian hackers have destroyed data across dozens of organizations in Ukraine and produced a “chaotic information environment.” The company said in a report that Russia-aligned threat groups were preparing the attacks long before the Feb. 24 invasion. AP-Yonhap

Modern wars, as illustrated by the U.S.-Israel strikes against Iran, and Russia’s invasion of Ukraine, have expanded the scope of national defense. In the past, this largely meant protecting a country’s territory from foreign invasion. Today, however, the notion of territory extends far beyond physical borders. Cyberspace has become a critical pillar of national security. Among emerging concerns, the protection of public data during wartime is increasingly becoming an issue that requires an urgent response from governments.

These concerns were highlighted during a cybersecurity event held on Feb. 27 at the Embassy of Canada to the Republic of Korea, titled “The Evolving Cybersecurity Threat Landscape: Global Context and the DPRK.” During the discussions, one striking example was raised: Ukraine’s decision to transfer more than 15 petabytes of government data to the cloud infrastructure of Microsoft just seven days before Russia’s invasion. The goal was to prevent strategic information from falling into Russian hands should national infrastructure be compromised.

Thanks to this measure, Ukraine was able to preserve critical government data from destruction during the prolonged war. This “digital evacuation” formed part of $500 million in wartime assistance. Ukrainian President Volodymyr Zelenskyy later expressed his gratitude to major technology companies for their technical support, awarding peace prizes to Microsoft Azure and Amazon Web Services for providing essential cloud and digital services.

However, the concept of digital evacuation did not originate in Ukraine. Estonia was the pioneer. After experiencing massive cyberattacks widely attributed to Russia, the Baltic nation became concerned about the potential destruction of its national data infrastructure. In 2017, Estonia established a “data embassy” in Luxembourg — a secure server facility granted the same diplomatic protections as a physical embassy.

Ukraine nevertheless became the first country to carry out such a large-scale data evacuation during wartime. This strategy of digital offshoring helped maintain the functioning of public services.

More than four years after Russia’s invasion of Ukraine, the Ukrainian government’s decision to move critical public data to secure cloud infrastructure continues to raise important concerns. Although the event in Seoul did not focus exclusively on the war in Ukraine, it led me to reflect on wartime data protection and the potential consequences if such data are not properly secured.

Ukraine’s decision to evacuate its public data — including civil registries, health records and administrative databases — also raised another question in my mind: What would happen if these transferred data were misused or turned into geopolitical bargaining chips? If such a scenario were to materialize, the evacuation of data itself could trigger new geopolitical tensions.

Ukraine’s decision was made under urgent circumstances. Authorities feared that cyberattacks or the destruction of national infrastructure could lead to the loss of critical information necessary for the functioning of the state and for citizens’ daily lives. Moving these data to the cloud was therefore seen as the best way to preserve them.

Yet this solution raises an important question: What happens when a country’s data are stored abroad on infrastructure owned by private companies? Do the data remain under the authority of the sovereign state that produced them, the private company hosting them, or the jurisdiction of the territory where the servers are located? At present, the rules governing such situations remain unclear, and it is often difficult to determine who ultimately bears responsibility for protecting the data.

Source: Korea Times News