The United States and China Dispute Global Technological Leadership. Technological competitiveness is measured by each country’s computing capacity, represented by cloud computing infrastructures and semiconductor manufacturing. These computing infrastructures are essential for modeling global cyberspace. The cyber power of a country currently represents one of the factors of national power.[1]Thus, each country with cyber power seeks to project its power to other countries, something that represents its soft power.

The United States has passed the so-called Cloud Act, a law that allows US authorities access to data stored on servers of companies located abroad but subject to US jurisdiction. Brazilian authorities have not yet perceived the geopolitical and economic risks arising from the US Cloud Act. Despite the name, international data traffic is predominantly done through undersea cable networks in the oceans. Computational capability is collecting, storing, processing, and transferring data. In the geopolitical and economic realms, the country with greater control over its data and digital infrastructure has greater political and economic control over its economy and even influence over other countries.

 Cloud computing produces billions of dollars in business, helping streamline businesses, financial capital, and logistics. Therefore, digital infrastructure capability can improve the business environment globally. The so-called Cloud Computation is a complex system integrated by a network of computers, software, data centers, and undersea cable networks, among other elements. There is now infrastructure as a service, software as a service, and platform as a service, among others. It is necessary to differentiate cloud computing services provided to governments from those offered to enterprises. There are also distinctions between private, public, and hybrid clouds.

In cloud computing for governments, especially in defense and national intelligence, there are usually stricter requirements for cybersecurity due to sensitive data on the networks. This geopolitical and economic dispute extends to international technical cyber security standards. In the layers of cybersecurity, you need to analyze data security, application security, data hosting security, and network security. Thus, one must assess the company’s reliability and check whether it follows international cybersecurity standards when selecting a cloud computing provider and whether it offers an infrastructure with resilience to cyber-attacks. As for standards, abusive policies in setting technical cybersecurity standards that exclude international competition must be avoided.

There are many business applications with cloud computing: industry, smart cities (smart operations centers for urban management), power grid management, public lighting grid management, digital government in the cloud, water supply system management, smart environmental protection, smart refrigeration systems, transport and logistics, audiovisual media (film production and broadcasting), smart ports, mining, oil and gas, and others. For example, several filmmakers and actors located in different countries will be able to make films and animations jointly. Recently, a technology company offered the experience of forming a virtual orchestra with the participation of musicians in several different countries. In the ports area, cloud computing applications make it possible to reduce costs by formatting routes and schedules for loading and unloading containers as well as ships.

There is a project in the financial sector to build the future generation of financial infrastructure called the “Bank of Things.” It is a partnership between Huawei and SPD Bank. The focus is on leveraging the internet of things for the financial sector, especially in credit risk analysis. There are BoT (bank of things) opportunities for the so-called fintechs. The goal is to create applications based on 5G technology and the Internet of Things to develop twins of things (duplicate objects). The goal is to monetize the assets, starting with connectivity. Thus, one takes advantage of digital payment systems and data resulting therefrom.[2] For example, car and driver data will be used for insurance risk analysis in smart cars. As for smart homes, residents’ data will be used for consumer potential, credit analysis, and commercial advertising. The entire digital economy depends on cloud computing systems, which is essential for digital transformation. 5G technology in mobile telecommunications networks and the Internet of Things will lead to an exponential demand for cloud computing services. Artificial intelligence and big data tools will contribute significantly to hyper-scale data processing (videos, text, images, etc.). Mathematical models are applied to cloud computing systems with the capacity to process billions of pieces of data in real-time.

In this context, scientific research for the development of new medications that used to take years will now have results in months. There will be more data traffic, hence the need for reinforced cybersecurity. The United States relies on Big Techs in cloud computing such as Amazon, Microsoft, Google, Oracle, IBM, SalesForce, Dropbox, and others. These companies offer cloud computing services in Brazil for private companies and governments. Courts of Justice in Brazil have been hiring foreign companies for cloud computing services, and[3] Brazilian business groups have procured cloud computing services from foreign companies.

The Central Bank of Brazil has a resolution authorizing procuring cloud computing services with data storage abroad.[4] China has Alibaba, Tencent, and Huawei. The European Union has no global competitor in cloud computing. Hence, its public policy encourages the development of cloud computing infrastructure by European companies. The European Union has programs to strengthen its cyber sovereignty, focusing on developing cloud computing infrastructures. The geopolitical dispute is extended to the power to access data on servers located abroad, which makes it possible to extend the extraterritorial application of US jurisdiction. 

In that line, the United States has passed the Cloud Act (Clarifying Lawful Overseas Use of Data), which is a law that allows US authorities to access data stored by service providers on servers located in other countries. The United States Congress has a bill on data access, transparency, and accountability called the “Setting an American Framework to Ensure Data Access, Transparency and Accountability Act” or the “Safe Data Act.” Regulation of the subject is incipient. The European Union is the most advanced on the subject, having passed the Cybersecurity Act and the proposal for data governance regulation. The European Union Agency for Cybersecurity (ENISA), for example, has cloud security recommendations for healthcare service providers.[5] It has another recommendation for cloud computing security and resiliency for governments.[6] There is a recommendation for cybersecurity standards for hospitals. In the United States, Executive Order no. 13984 from January 2021 deals with malicious cyber-attacks against cloud computing infrastructures. According to that act, the National Security Agency must assess the cybersecurity risks in providing cloud technologies and infrastructure to the government. After that, the Trade Department began requiring cloud computing infrastructure service providers to verify the foreign identity of service providers, as well as certification and compliance rules.

The United States has passed specific regulations for the procurement of cloud computing services by the government and federal agencies. China has passed the Data Security Law that ensures protections for critical information infrastructure (information services, energy, transportation, water conservation, finance, utilities, e-government), requirements for international data transfer, data export control rules, compliance for data providers, trading platforms, data consumers, and rules for data center location in Chinese territory. It should be noted that, although there are common rules for cybersecurity, depending on the industry’s uniqueness, there is a demand for more specific rules. Thus, there are peculiarities in the financial, energy, nuclear, defense, and health sectors, among others. As for cyber risks, there are some risk-sharing practices between the cloud computing and service provider and the customer. In cloud computing contracts, there should be maximum transparency about cyber risks and information about the clauses for updating cyber security services on devices, networks, and equipment.

Insurance contracts must have clear and precise clauses about contractual coverage regarding cyber risks. In addition, companies must develop geopolitical and geoeconomic risk matrices. In the near future, there may be discussions about competition in the cloud computing market, especially about economic concentration.[7] Data confidentiality, availability, and integrity are essential in cloud computing. There is also the concern with the environmental sustainability of data centers as they are large energy consumers. In this respect, cloud computing services should follow the principle of energy efficiency. In Brazil, there is no proper cybersecurity regulation in cloud computing services. Brazil lacks a general law for cybersecurity. Currently, the topic is only addressed as self-regulation by private companies. In short, cloud computing infrastructures and services will shape the digital economy. The country that best invests in cloud computing infrastructure will have greater international competitiveness and computing power. Brazil has an interesting geostrategic profile to attract investments in cloud computing and become a global and regional player in this sector.  

**All rights reserved. This article must not be reproduced or used without mentioning the source.

Ericson Scorsim. Lawyer and Consultant in Regulatory Communications Law. Ph.D. in Law from the University of São Paulo (USP). Author of the book “Jogo geopolítico entre Estados Unidos e China no 5G: impacto no Brasil.” (The Geopolitical Game between the United States and China regarding 5G: Impact on Brazil), Amazon, 2020 e 2021. Author of the book Geopolítica das Comunicações, 2nd edition, revised and updated, Amazon, 2022.

[1]As in Cyber capabilities and National Power: a net assessment. The International Institute for Strategic Studies – IISS.

[2] Huawei and SPDBANK, Bank of Things White paper. Next-Generation financial infrastructure, 2020.

[3] This is the case, for example, with the São Paulo Court of Justice, which has procured Microsoft’s cloud computing services.

[4]  Central Bank of Brazil, Ordinance n. 3,909, dated August 16, 2018, provides on the cybersecurity policy and on requirements for procuring data processing and storage and cloud computing services to be observed by payment institutions authorized to operate by BACEN.

[5]See: European Union Agency for Cybersecurity. Cloud Security for healthcare services, January, 2021.

[6]See: European Network and information security agency. Security & Resilience in governmental clouds, making an informed decision, January, 2011.

[7] Geer, Dan, Jardine, Erics and Leverett, Eireann. On Market Concentration and Cybersecurity Risk, Journal of Cyber Policy, 2020, vol. 5, n. 1, 9-29, Routledge – Taylor & Francis Group.

Crédito de Imagem: FIA