States vulnerable to foreign aggression embrace the cloud: lessons from Taiwan

Taiwan is among nations pioneering the adoption of hyperscale cloud services to achieve national digital resilience.

The island faces two major digital threats: digital isolation, in which international connectivity is intentionally severed or significantly degraded (for instance, if all submarine cables are cut), and digital disruption, in which local infrastructure, such as data centres, is inoperable.

To counter this, Taipei is shifting critical public systems and government data to global cloud platforms, and turning global cloud providers Microsoft, Google, and Amazon into partners in national resilience. But this reliance on foreign tech giants raises questions about sustained sovereignty in times of crisis.

Taiwan has learned from Ukraine’s digital survival before and right after Russia’s full-scale invasion in 2022. When threats to Ukraine’s physical and digital critical infrastructure escalated, the government in Kyiv rushed through amendments to its data protection law, permitting government data to be stored on public cloud platforms. This amendment allowed Ukraine to shift critical data and services to cloud infrastructure across Europe. So essential government functions, public services and important private sector functions remained available even when its local physical infrastructure was under siege.

Building on these insights, Taiwan in 2023 launched a four-year, NT1.34 billion ($65.7 million) plan to transition 18 critical civilian government information systems to the cloud in 2023. This includes services such as national health insurance, vehicle management and border control systems. The effort is intended to ensure continuity of essential digital services during disasters and emergencies and to enable swift operational recovery in the case of outages.

According to a press release, this involves ‘cryptographic splitting and data backup mechanisms’. Although details are scarce, the Taiwanese government is presumably distributing encrypted backups of critical national data offshore stored across various cloud providers and retaining exclusive access to the decryption key. As part of this effort, former minister of the Ministry of Digital Affairs Audrey Tang suggested Taiwan would conduct contingency drills that would involve rerouting operations to alternative locations, such as Japan or Australia.

While hyperscale cloud services offer resilience against cyber and physical threats, they prompt questions around data sovereignty and personal data protection: how can a government keep control over data and services managed through foreign commercial infrastructure? How can privacy laws be enforced when data is outside of a nation’s physical jurisdiction?

Taiwan has taken a pragmatic approach, allowing data-holding entities to use foreign cloud infrastructure as long as they can strictly adhere to Taiwan’s privacy requirements. For instance, in 2023 the Financial Supervisory Commission amended its rules to allow the financial industry to use foreign cloud platforms for some operations, provided they met information security regulations, particularly regarding de-identification processes and personal data protection.

Cloud providers are acutely aware of contentions around digital sovereignty and have responded by offering ‘sovereign hyperscale cloud’ solutions. These involve security controls specifically implemented to meet local regulations and requirements, such as restricting data access and management to security-cleared local personnel operating from their national jurisdiction. The Australian Department of Defence is one enterprise that intends to implement sovereign hyperscale cloud, alongside sovereign cloud from domestic cloud providers as part of its cloud strategy. The willingness of global hyperscale cloud providers to adapt their offerings reflects their increasing role in national security.

In Taiwan, the Ministry of Digital Affairs is taking advantage of this adaptability. They have worked to bring the three major cloud providers (Google, AWS, Microsoft) into Taiwan and are actively encouraging them to build local partnerships with the satellite communication vendors to create locally resilient systems that can switch to satellite communications during emergencies and prioritise essential data transmission. These measures are particularly important for a country that imports 98 percent of its energy and faces regular challenges from natural disasters, such as earthquakes and typhoons, as well as military and hybrid threats. By establishing redundant systems through cloud and satellite infrastructure, Taiwan can maintain critical government functions even when local systems are compromised.

Cloud providers face operational risks when supporting nations vulnerable to aggression. When AWS and Azure took over the hosting of Ukraine’s critical systems and data, their cloud infrastructure became a target of state and non-state cyberattacks. Yet this exposure provides valuable cyber threat intelligence, which is then used to improve security products, benefitting other customers.

The deepening integration of technology in national security and digital resilience introduces new dynamics to the relationship between states and global technology providers. These companies are no longer just technology providers; they are custodians of critical national assets. This shift demands a mature framework of collaboration: one that considers tech companies as potentially essential partners in national resilience, including as part of the digital supply chain. This inherently comes with mutual commitments centred around trust, accountability, oversight and responsibility that are sustainable during times of crisis.

Taiwan’s integration of hyperscale cloud into their national resilience strategy shows how nations can leverage leading global technological capabilities while maintaining oversight over their critical systems and sensitive data. This model may well define strategic autonomy in an age where digital resilience depends on foreign-provider infrastructure.