my timesThe Korea Times
  1. Opinion

Wartime data evacuation: Data saved but at what cost?

Listen
By Lyse Langlois
  • Published KST
  • Updated KST
A security surveillance camera is seen near the Microsoft office building in Beijing, July 20, 2021. Microsoft says cyberattacks by state-backed Russian hackers have destroyed data across dozens of organizations in Ukraine and produced a “chaotic information environment.” The company said in a report that Russia-aligned threat groups were preparing the attacks long before the Feb. 24 invasion. AP-Yonhap

A security surveillance camera is seen near the Microsoft office building in Beijing, July 20, 2021. Microsoft says cyberattacks by state-backed Russian hackers have destroyed data across dozens of organizations in Ukraine and produced a “chaotic information environment.” The company said in a report that Russia-aligned threat groups were preparing the attacks long before the Feb. 24 invasion. AP-Yonhap

Lyse Langlois

Lyse Langlois

Modern wars, as illustrated by the U.S.-Israel strikes against Iran, and Russia’s invasion of Ukraine, have expanded the scope of national defense. In the past, this largely meant protecting a country’s territory from foreign invasion. Today, however, the notion of territory extends far beyond physical borders. Cyberspace has become a critical pillar of national security. Among emerging concerns, the protection of public data during wartime is increasingly becoming an issue that requires an urgent response from governments.

These concerns were highlighted during a cybersecurity event held on Feb. 27 at the Embassy of Canada to the Republic of Korea, titled “The Evolving Cybersecurity Threat Landscape: Global Context and the DPRK.” During the discussions, one striking example was raised: Ukraine’s decision to transfer more than 15 petabytes of government data to the cloud infrastructure of Microsoft just seven days before Russia’s invasion. The goal was to prevent strategic information from falling into Russian hands should national infrastructure be compromised.

Thanks to this measure, Ukraine was able to preserve critical government data from destruction during the prolonged war. This “digital evacuation” formed part of $500 million in wartime assistance. Ukrainian President Volodymyr Zelenskyy later expressed his gratitude to major technology companies for their technical support, awarding peace prizes to Microsoft Azure and Amazon Web Services for providing essential cloud and digital services.

However, the concept of digital evacuation did not originate in Ukraine. Estonia was the pioneer. After experiencing massive cyberattacks widely attributed to Russia, the Baltic nation became concerned about the potential destruction of its national data infrastructure. In 2017, Estonia established a “data embassy” in Luxembourg — a secure server facility granted the same diplomatic protections as a physical embassy.

Ukraine nevertheless became the first country to carry out such a large-scale data evacuation during wartime. This strategy of digital offshoring helped maintain the functioning of public services.

More than four years after Russia’s invasion of Ukraine, the Ukrainian government’s decision to move critical public data to secure cloud infrastructure continues to raise important concerns. Although the event in Seoul did not focus exclusively on the war in Ukraine, it led me to reflect on wartime data protection and the potential consequences if such data are not properly secured.

Ukraine’s decision to evacuate its public data — including civil registries, health records and administrative databases — also raised another question in my mind: What would happen if these transferred data were misused or turned into geopolitical bargaining chips? If such a scenario were to materialize, the evacuation of data itself could trigger new geopolitical tensions.

Ukraine’s decision was made under urgent circumstances. Authorities feared that cyberattacks or the destruction of national infrastructure could lead to the loss of critical information necessary for the functioning of the state and for citizens’ daily lives. Moving these data to the cloud was therefore seen as the best way to preserve them.

Yet this solution raises an important question: What happens when a country’s data are stored abroad on infrastructure owned by private companies? Do the data remain under the authority of the sovereign state that produced them, the private company hosting them, or the jurisdiction of the territory where the servers are located? At present, the rules governing such situations remain unclear, and it is often difficult to determine who ultimately bears responsibility for protecting the data.

Transferring data abroad may shield them from bombings or cyberattacks, but it can also create a new form of dependency. Once stored on global cloud infrastructure, these data may become subject to different legal systems and national regulations. In other words, a country may save its data while losing part of its control over them.

Yet these data are far from trivial. They contain citizens’ digital identities, medical records and access to public services or humanitarian aid. If such sensitive information were compromised or exploited for political purposes, the consequences could directly affect civilian populations.

Today, the rules governing these situations remain largely undefined. Technology companies play a crucial role in protecting wartime data, but their responsibilities are still poorly defined at the international level.

The war in Ukraine reminds us of a fundamental point: in the digital age, protecting a country no longer means defending its territory alone. It also means protecting its data — and the rights of the citizens attached to them. Ultimately, this is a matter of democracy.

Lyse Langlois, Ph. D., is professor and general director of the International observatory on the Societal Impacts of Artificial Intelligence and Digital Technology (Obvia), Quebec, Canada. Currently she is a visiting scholar at the School of Cybersecurity and Privacy of Korea University in Seoul.