EU's digital sovereignty boo-boo may be the best thing to ever happen to the project

Systems

DIY or die. Just don't let the CIA buy it

OPINION There's a spy in the court of Europe's digital sovereignty. Actually there are two, the half-siblings Intel and AMD, whose chips power the Old World bit barns on which the sovereign cloud is based. Both companies' chips have so-called Ring -3 management subsystems, complete computers with deep access to the host system, while remaining largely opaque to the people who own and administer it. All this isn't secret, even if it's not widely discussed. The story is more that the French specification derived from the EU's IPCEI-CIS specification and for sovereign clouds, while having thousands of technical details, doesn't mention this at all. The management subsystems are designed to be controlled over the same networks that servers use for servery stuff, which makes them in theory and in practice vectors for remote attackers. As Intel and AMD are governed by American laws that can force them to act in secret for the state, the billion-Euro effort to fly the European flag over an impenetrable cloud fortress seems badly flawed. A good old supply chain attack, not so much secret as too boring to think about. Fixing it will mean fixing that supply chain, and the others that live in the same blind spot.