Escaping the "Microsoft Trap": challenges and strategies for the technological autonomy of the French Ministry of Defence
2024-01-30
A report on the challenges of cyber defence was tabled on 17 January by the National Assembly's Committee on National Defence and the Armed Forces. Presented by MPs Anne Le Hénanff (Horizons, Edouard Philippe's party) and Frédéric Mathieu (LFI), the report looks in particular at the French Ministry of the Armed Forces' dependence on Microsoft technologies ("The Microsoft trap" in the text) and the possibility of a transition to Open Source software solutions.
- Dependence and sovereignty of the information system (IS): The Ministry's IS is complex, involving numerous hardware and software components. Complete IS sovereignty is immediately considered difficult and costly to achieve, requiring sovereign channels for hardware components, embedded software and software applications.
- A balancing act for DGA: The French Defence Procurement Agency (DGA) is striving to develop sovereign equipment for IS components deemed sensitive. DGA is seeking to strike a balance between cost, maintainability, security and efficiency, without being able to completely dispense with the use of foreign software, notably because of development costs and security uncertainties.
- Security policy and use of foreign products: The DGA acknowledges that the use of foreign products, such as those from Microsoft, can facilitate cyber attacks. However, it claims that architectural measures (such as perimeter security and encryption) are in place to protect sensitive data. The infrastructures running Microsoft software are owned by the State, and configuration and administration tasks are carried out internally or by trusted companies, which it considers to be a sufficient guarantee.
- "The Microsoft trap": Microsoft's transition to service-based models will limit the department's ability to manage its own networks based on these technologies. There are three options to choose from:
  - migration to other operating systems,
  - maintaining old software versions,
  - or accepting the risks associated with the SaaS model.
- Relevance of open source software: Given the dependence on Microsoft, the use of Linux and open source software is being considered. However, an overall analysis of costs, timescales and impacts is required. The report anticipates that reducing dependency on Microsoft could prove complex, costly and time-consuming. Among the challenges envisaged, the switch to open source software implies a particular HR effort in terms of training, retraining and recruitment of suitable profiles.
- Complexity of IS sovereignty: Changing only the operating system does not guarantee IS sovereignty. It would be necessary to master a large number of other software applications and to have locally built hardware, which seems difficult to achieve in the short or medium term. In addition, a change of operating system could have an impact on interoperability with allies and delay necessary security and architecture work.
Although dependence on Microsoft is recognised as a risk to the sovereignty and security of the Ministry of Defence's information systems, the report notes that the transition to a fully sovereign solution, in particular through the adoption of Open Source software, presents significant challenges in terms of cost, human resources and compatibility with existing systems and international allies. The report has certain weaknesses and lacks ambition in terms of long-term solutions:
- Short-term vision and lack of strategic ambition: The text highlights the immediate difficulties and costs associated with the transition to sovereign information systems, but lacks a long-term strategic vision. Overcoming dependence on foreign suppliers requires an ambitious strategy backed by strong political will. This implies significant investment in research and development of national and European technologies.
- Underestimation of national security risks: Although the text recognises the risks associated with the use of foreign technologies, it seems to underestimate the potential consequences for national security and strategic autonomy. Dependence on foreign technologies, particularly in an uncertain geopolitical context, could expose the country to major strategic vulnerabilities. In addition, the text explicitly chooses not to "express an opinion on the rule of extraterritoriality of US law", even though this is an essential issue.
- Reactive rather than proactive approach: The text describes a predominantly reactive approach, focused on managing current risks rather than future prevention. A proactive approach would require an action plan to develop a national IT industry, build research capacity and encourage partnerships between the public sector and local technology companies.
- Lack of exploration of alternatives and international collaboration: The text focuses mainly on the dilemma between using Microsoft and switching to Open Source software. It could benefit from further exploration of alternatives, including collaboration with other European countries to develop common solutions, thereby reducing costs and sharing technical expertise.
- Underestimation of the benefits of Open Source software: Although the challenges of adopting Open Source software are recognised (costs, training, etc.), the text does not sufficiently highlight the long-term benefits, such as flexibility, transparency, improved security, and vendor independence. In particular, the text does not mention the 2006 directive published by the Ministry of Defence's DGSIC "on software for the Ministry of Defence" (reference NOR DEFM0652897X), which stated as a principle: "In addition to the advantages linked to the availability of source code, Open Source software enables compliance with standards to be verified and promotes interoperability. The Ministry of Defence must endeavour, prior to any acquisition or any internal or subcontracted development, to identify available alternative Open Source software solutions with equivalent or similar functionality".
- Neglect of human and organisational factors: Digital transformation is not just about technology, but also about people. The text briefly addresses the challenges in terms of human resources, but does not propose a concrete strategy for attracting, training and retaining the talent needed to make the transition to sovereign information systems.
We therefore believe it is necessary to develop a long-term strategy that includes an ambitious vision for technological independence, an action plan for the development of national and European capabilities, an in-depth analysis of the alternatives available, and investment in human resources and innovation. This also means strengthening international collaboration, particularly at European level, to share costs, skills and best practice in the field of information and communication technologies.