
Peder Johansson, Head of IT, SAAB Aeronautics: “Is Product Data Really Safe with AI and the Cloud in the Hands of American Hyperscalers?”

PLM Experience Day 2025: The KEYNOTE that CREATED DOOMSDAY ATMOSPHERE. In today's turbulent world order, the question in the headline has become fatefully topical for Europe. Over 90 percent of Europe's data is stored in American cloud services, where Amazon (AWS), Microsoft (Azure), and Google (Google Cloud) account for almost total dominance. With a USA characterized by the "old" political and security stability, the problem might have been smaller, even if there was still a security problem then too.
Today, however, the situation is different. Not least for companies in industries with extremely high security requirements, such as the defense group Saab: How do you view the problem picture, and how do you handle it?
PLM&ERP News has met with Peder Johansson, Head of IT in the Saab Aeronautics business area within Saab, for a discussion about the challenges surrounding product data security. The business area is best known for the development of world-class fighter aircraft systems, such as the JAS Gripen 39. However, the expertise covers a wide range of advanced aircraft and aircraft structures for both military and civil aviation. They are also deeply involved in the future of aviation technology, including research into both manned and unmanned systems and participation in major international programs.
We talked to Johansson in connection with this year's edition of PLM Experience Day, arranged by Altegra Consulting. The event had attracted a full house in the former torpedo workshop on Skeppsholmen in Stockholm. This year's theme was "PLM into the future", and doubtlessly the topic was dramatic, not least Peder Johansson's tangential angle on the matter. He spoke about the US Cloud Act, Data Protection Framework, Zero Trust, the EU's AI Act, and he noted, among other things, that American authorities can lift whatever data they want from the cloud giants' servers at any time and without telling them about it.
"They have a statutory backdoor in the Cloud Act. That raises questions: Should product data and IPR information (Intellectual Property Rights) be placed in external cloud services? Who can access it without our knowledge? What happens if there is a war - is the data secure then, and do we even have access in a critical situation?”
Johansson didn’t say so, but it all boils down to whether we can trust the American cloud services in a situation where the message can change from day to day. Saab Aeronautics’ IT manager was content to state that, “This is really difficult. Just two years ago, it was better. Today it’s shaky.”
When Johansson finished his presentation around the question, “Is product data secure with AI and the cloud”, something of a doomsday atmosphere arose in the auditorium at Skeppsholmen. It fell silent - why?

So, what was it that Peder Johansson discussed that created something that could be compared to a sickly paleness of thought in the auditorium that had come to the PLM Experience Day? Clearly, the issues he raised must be seen in a broad perspective where general global security development is a given aspect. Johansson stated that things are different today and that the situation has changed dramatically in just two years. It seems no coincidence that this coincides with Donald Trump’s return to the presidency after the last election. Not least, experienced political observers tend to point to a certain unpredictability as a heavy uncertainty factor; as well as the fact that the department he created for Elon Musk, DOGE (Department of Government Efficiency), which had as its objective to reduce staffing at US agencies, has had an impact, for example among those parts of the administration that were tasked with monitoring the way the agencies use the US Cloud Act.

Today, this often involves extremely sensitive matters, not least when it comes to defense organizations such as NATO, countries like Sweden, and the military-industrial activities of the Western sphere in general. What data can be stored in the cloud? What does it mean that the US authorities can extract data from the cloud without notifying anyone? And linked to this: How can AI affect the disposition of and the ability to access sensitive data? There are, of course, several questions, but the overall picture ends in complexity and uncertainty that is difficult to assess.

Saab Aeronautics develops the world-class fighter aircraft system JAS Gripen, specifically a multi-role combat aircraft. Within this framework, product data is created that, for obvious reasons, is extremely sensitive to exposure. How does this relate to cloud environments that are currently dominated by American tech giants such as Microsoft, Amazon, and Google? They operate under American law regardless of which country in the world we’re talking about. In and of themselves, the environments are secure, but American authorities can extract data from the systems at any time without notice. This raises questions such as: What data can be in the cloud? And what does AI’s ability to eventually be able to crack any encryption and read information in plain text mean? Saab Aeronautics’ Head of IT discusses this in today’s article.

What is Cloud Technology?
In an interesting keynote, Peder Johansson first discussed cloud security aspects and important regulations that are in place. Among them are the aforementioned US Cloud Act, Data Protection Framework, Zero Trust, Zscaler, and the EU’s AI Act. He generally described cloud technology as a software-defined, scalable IT infrastructure where the hardware, the servers, are basically empty shells, a kind of large online storage space where people and companies store files and applications, accessible from anywhere with an internet connection. The cloud offers services such as computing power, databases, networks, and software applications. Its main purpose is to provide access to computing resources and services on demand over the internet, including a wide range of services such as servers, storage, databases, networks, software, analytics, and information.
In this context, Johansson pointed out the types of clouds that appear in the discussions:

  • Public clouds, where you share the infrastructure with others
  • Private clouds, where you get a delimited part of the data center
  • Hybrid clouds, a mixed IT environment that integrates private clouds with public cloud services
  • On-premise clouds – you can have a cloud infrastructure in your own data center, with the same functionality as with the other variants.

“However, cloud does not necessarily mean that you have to go to a supplier and buy computing power,” summed up Saab Aeronautics’ IT chief.


Zero Trust – “never trust, always verify”
A core question is how a system can know who is allowed to access and use the information. This is where Zero Trust comes into play, noted Johansson. The main principles of the Zero Trust security model are to verify explicitly by always authenticating and authorizing all users and devices. Instead of believing that everything behind the company’s firewall is secure, the Zero Trust model assumes it is subject to an intrusion and verifies every request as if it came from an uncontrolled network. Regardless of where the request comes from or what resource it connects to, the Zero Trust model teaches us to “never trust, always verify.” The model is designed to adapt to the complexity of the modern IT environment, which also includes the mobile workforce. Zero Trust protects user accounts, devices, applications, and data wherever it is. A Zero Trust approach should encompass the entire organization and serve as an integrated security philosophy and end-to-end strategy.


US Authorities have a Statutory Backdoor Through the US Cloud Act
That said, Peder Johansson turned to essential pieces of existing legislation.
“One of the key pieces of legislation, and one that may be a bit problematic in Saab’s case, is the US Cloud Act,” he noted.
It is a 2018 piece of legislation that was enacted to give US authorities access to electronic data stored by US suppliers, regardless of where the information is located, and create a framework for bilateral agreements with trusted foreign partners for mutual access. The law is primarily aimed at streamlining the collection of electronic evidence for investigations of serious crimes, such as terrorism and cybercrime, by clarifying American legal authority and providing a mechanism for international cooperation. However, it also raises legal problems regarding privacy and cross-border legal issues. Not least, the latter part is of interest to the Saab Group.
“That’s right, but what does this mean for us,” Johansson asked rhetorically and continued: “It means that American suppliers, such as Microsoft, Amazon, and Google, are subject to American law, which also means that no matter where the data is in the world – even for these companies’ data centers in Sweden or Europe – American law applies. This can be valuable when it comes to, for example, export control, of course. On the other hand, it does not prevent American authorities from entering and retrieving data at their own discretion. Complicating the situation is also the fact that they have a duty of confidentiality; you never know if something has been retrieved, or when and what was retrieved, which is, of course, very troublesome when it comes to, for example, important military product data.”

President Donald Trump with super entrepreneur Elon Musk. Through the DOGE initiative, two forums organized by the US federal administration to handle issues related to the Data Protection Framework agreement between the US and the EU have been dismantled. A “data protection framework” is a systematic approach to policies, procedures, and techniques to protect personal data and ensure an organisation complies with relevant legislation, such as GDPR. IMAGE Shutterstock

Supervisory Authority Dismantled by DOGE
But there are several more contextually relevant regulatory frameworks, concerning, for example, GDPR legislation and personal information: Data Protection Frameworks. They help organisations navigate and comply with complex data protection laws such as the General Data Protection Regulation (GDPR) and other national or international standards.
“It means that we have protection regarding our personal information. It cannot be handled in any way. So, for example, can we take it in and use it in the purchased American cloud solutions we’re talking of?” asked Saab Aeronautics Head of IT. “Well, you couldn’t really do that, at least not until 2023, when an EU law was written where, after an agreement with the US on the qualification of the purchased cloud services, it became permissible to store this personal information. In parallel with this agreement, the Americans organized two independent forums, which partly had a reviewing function and partly also constituted a supervisory authority. However, President Trump has dismantled this, via DOGE (Department of Government Efficiency), the department that Elon Musk was responsible for for a while. But the agreement still applies.”

The world can be annoyingly inconsistent to deal with.

“Can We Trust American Tech Giants?”
Having said this, the fact remains that these cloud service providers, mainly Microsoft, AWS, and Google, produce very secure solutions.
“For example, there is no company in the world that invests as much money in security as Microsoft. In light of this, your own company can never come close to the same secure solutions that these players produce,” claimed Peder Johansson.

So, what is the problem? Before he got to the answer, he mentioned a few more products that are relevant in the context.
“When you buy this type of cloud services from suppliers like Microsoft, AWS, and Google, you might do it from more than one of them. It could be two or you might have your own IT solution that you still have “on prem” (locally installed) or with another supplier,” said Peder Johansson. “The question is, how do you make this fit together. And how do you make it fit together with Zero Trust?”
The answer is that there are many products, and one of the largest today is Zscaler. It is also an American company and cloud service. They have their own cloud service centers where their ‘product spins’. What does this product do? Peder Johansson again:
“It maintains and supports the authorization culture. It is this product that provides information about what information and applications a specific person, with their specific certificate, can gain access to. In short, it’s about a smart solution that you can use at home, for example, when you want to log in to the company network, or of course at work.”
This is a very secure solution, Johansson noted. But again, the matter has its complications. The world has become an increasingly insecure place, and while Zscaler is an American company, operating under the same conditions described above regarding the regulations they have to comply with, the question remains: Can we trust American tech giants?

Saab Aeronautics’ Head of IT exemplifies this:
“When the US is pushed to the edge – it has happened quite recently on two occasions – access to US cloud services has been cut off for at least two countries. It was not possible to access any cloud services. Could it happen to us? What happens if the Ukraine conflict escalates? Ukraine managed for a long time because it had information in American clouds. However, we also know that they accessed the information via Starlink, which at one point was shut down for a week or so. It became dark and quiet.”

Starlink is a satellite internet service provided by SpaceX, Elon Musk’s company, using a constellation of thousands of small satellites in low Earth orbit (LEO) to deliver high-speed broadband internet access with low latency to remote and underserved areas in the world. But what about availability? Is it always guaranteed? At some point, services over Starlink were shut down for Ukraine. “Then it became dark and quiet,” said Peder Johansson.

AI as a Latent Security Threat
In the next step, during his presentation at PLM Experience Day, Peder Johansson connected the security pieces to AI. In general, he noted, everything is encrypted.
“Great, of course,” he said, “but you can think about how long it will take before the codes in what is encrypted today are cracked?”
AI is a latent threat, not least because of the heavy processing power that has been added to computers via new generations of CPUs and GPUs. CPUs (Central Processing Units) are the “brains” of computers that execute instructions and handle tasks by processing data and controlling other hardware, while GPUs (Graphics Processing Units) are specialized electronic circuits designed to accelerate complex graphical and computational tasks, such as artificial intelligence and machine learning. The capacity of these processors has almost exploded over the past four years.
“Sure, it’s safe now, but is it safe tomorrow?” Johansson wondered and continued: “With the new CPUs and GPUs, a lot can change quickly. How long will it take before AI can read encrypted information in plain text?”
An exaggerated concern? Definitely not, it is very much part of his mission at Saab to think about and act on these pieces. Thinking before things happen is golden.
“Development is fast, the safety pieces are increasingly uncertain and the solutions increasingly complex,” commented Johansson, adding, “it is not surprising that one symbolically tends to put on a ‘tinfoil hat’ from time to time. Therefore, it may be interesting to think about what could happen if you combine some of the products and technologies that we have talked about above.”

Innovative design and advanced technology characterize the product development process for the Saab JAS 39 Gripen. This means, among other things, that product data is sensitive and raises the question of what can be exposed in cloud environments and AI contexts. In general, today’s environments are safe from intrusion. However, Peder Johansson points out that there are known legal backdoors that can be opened, and that data can be retrieved at any time by the US authorities. The image from Youtube/FRAME shows a production scene of the Swedish fighter aircraft.

Gripen Configurations in a Cloud Environment? Hardly!
An example: Let’s say that the company has Microsoft 365 E5 premium cloud subscription at the enterprise level, including core productivity apps in Microsoft 365, plus advanced features for security, compliance, analytics, and voice. It improves security with automated threat protection and advanced compliance features for data protection and governance, offers deep business insights through data analytics such as that from Power BI, and provides advanced voice features.
“This means that we have the entire advanced security mechanism available. We have moved our internal AD to Microsoft’s cloud service. That’s where our certificates, users, and clients are located, which are then stored internally on my PC. My script for Zscaler is also on my local PC. For this, we have implemented connectors in all infrastructure hubs that you want to access. This is where my Zero Trust is located, i.e. the entire recipe for what I can access as an individual, what information, what applications, etc., provided that I can upload with the right certificate.”
“In this context, remember what I discussed above: We now know that American authorities can retrieve data whenever they want. But what about what is on my PC then, which was the key to this – how does it work? We have the Microsoft 365 E5 product, which scans and manages our clients, and then stores data in the cloud. This also contains the key to accessing all our information: The recipe for what I am allowed to retrieve. Can we then claim that things are safe? In general, it is super secure against intrusion. But we are now aware that there are known legal backdoors to open, and data can be retrieved at any time by the American authorities, but does it matter?”
The answer is hardly surprising: “Yes, it does matter. I don’t want to put, for example, configurations for the Gripen multi-role combat aircraft in such an environment. That would hardly be good for Sweden, but it is not my decision as an IT manager, but a decision that must be made by the company’s management. In short: Yes, these are extremely smart solutions, each to their own, but if you start combining these solutions together, you can get effects that you hadn’t imagined. If you listen to the traffic that goes from my PC, which is actually on the regular internet, it is encrypted today. But if we connect AI engines to it, then we can read everything that goes between.”

In March 2024 the European Parliament adopted the EU AI Act, a first-of-its-kind legislation on artificial intelligence (AI).

Development Towards Sensitive Data Handled “On Prem”
A final question in Johansson’s keynote circled around how we are currently facing the issue of whether product data is safe with AI and in the cloud, in the hands of American hyperscalers.
The picture is complex, but Peder Johansson generally indicated that sensitive data will be located in places on prem where accessibility is limited. This may possibly be contrary to what is required for the AI to be able to provide maximum internal service; it must be trained on all conceivable aspects when it comes to, for example, product development as a whole.
“Yes, it is really a key area where and how it should be trained. It needs the right information and therefore needs to be trained in the right places.”

Will it happen in the cloud under the conditions stated above?
“Hardly. No company with a drive for self-preservation would want to risk being forced to share important IP (Intellectual Property) and data that they make money from. For parts that deal with sensitive data, we will instead see on-prem solutions,” he said, adding:
“Another thing that affects the AI side is the EU’s recently adopted AI Act regulation, but related to this are other problems that create unequal conditions for European companies, compared to non-European companies. The regulation basically aims to protect people, for example, by preventing AI from being used freely for medical purposes. However, it also contains areas that are intended to protect jobs, which could ultimately affect competitiveness. But the regulation is still new, so it is too early to say how it will affect companies and their ability to act.”

Notably, the EU’s AI Act, the first comprehensive legal framework for AI in the EU, excludes military and security applications from its scope. This means that the AI Act’s obligations and restrictions (targeted at civilian AI) do not apply to weapon systems designed solely for military purposes. This can be put into perspective as the use of AI in military applications and software becomes increasingly common, with technologies such as drones, ground robots, electric combat vehicles, and sensors being developed to assist soldiers in combat.

What effects can be expected for OEM-level players, such as Saab Defense and other similar players?
“Probably that they will become even more careful about where they expose their product information. Regarding information that is deemed to be of extra protection value, as I said, you will probably choose your own on-prem environments,” Johansson replied.

Where and how AI should be trained is a key question when it comes to SAAB’s military aircraft development around the JAS Gripen jetfighter. AI requires the right information and must therefore be trained in the right places.

Can Europe Create its Own Secure Clouds?
The question of what can be done to make Europe independent of the currently far-reaching powers of American authorities is even trickier.
“Yes, this question is challenging, but European solutions will nevertheless be needed. In the short term, however, it will be difficult to find solutions on par with, for example, Google,” notes Peder Johansson.

What all this could lead to is currently topping the agendas of many companies. Against this background, the waves of discussion are running high about what Europe can and should do to meet the situation. Among the proposals is the idea of “sovereign European clouds”. In the PLM area, for example, Dassault Systemes already has one, but the performance in the large format required to handle the gigantic European needs is questionable. As is the question of whether you want to connect your data to the French-owned DS platform if you work in other PLM environments. There is information that it is not only US intelligence sources that are working systematically to collect industrial information. The French intelligence service, for example, is said to have allocated 20 percent of its budget to help French companies with the collection of industrial secrets. True or not, risks are everywhere, and the “tinfoil hat” that Peder Johansson symbolically puts on when he feels concern about the strange paths the spread of information can take in the uncertain world we currently have around us is not at all unreasonable.

Others acting with huge investments in their plans include the German business systems giant SAP, which has announced investments of 20 billion euros, equivalent to 220 billion kronor, and an expansion of SAP Sovereign Cloud, to compete with AWS, Azure, and Google.

Lena Gunnarsson, Combitech.

The Complete Silence when Peder Johansson Finished His Keynote
Anyway, when Johansson finished his presentation on the question, “Is product data secure with AI and the cloud,” as noted in the introduction, there was something of a doomsday atmosphere in the auditorium at Skeppsholmen. There was complete silence – why?
“I think it dawned on everyone present that the companies that, probably after careful consideration, have chosen to store their product data in the cloud, at the same time have given American authorities an exclusive opportunity to retrieve the data they want without having to tell them that they had done so. I think we saw a mixture of concern and embarrassment. Concern about what could happen – and embarrassment that they had not realized this,” commented Lena Gunnarsson, a consultant at Combitech, from the organizing staff.

“It is clear that there are mechanisms to handle this, but right now the situation is a bit uncertain, where things that we took for granted have changed overnight,” concluded Peder Johansson.
