Read this article in Romanian.
The Romanian cloud project is the centrepiece of the government’s digitalisation plan, set to attract €500 million from the EU and bring the country closer to Europe’s e-governance targets. However, the proposal has so far mostly succeeded in stirring up controversy.
The first steps taken by the Romanian authorities to legislate the government cloud have provoked negative reactions from representatives of the civil society and even from some state institutions that are supposed to join the said cloud.
In line with Europe’s e-governance targets, Bucharest committed to universal access to public services online. Moreover, there would be an online history of the citizen’s interactions with the state, and personal data and documents would be protected by high-performance cybersecurity systems.
“The government cloud facilitates the transition to a data-driven, secure and dynamic economy, a digital economy aligned with the European Union’s strategic directions for action on data governance,” said Dragoș Vlad, president of the Romanian Digitalisation Authority.
The NRRP as a roadmap for digital transformation
The government cloud is the central “deliverable” of Romania’s National Recovery and Resilience Plan (NRRP) in digitalisation.
The planned reforms aim to set up this cloud, “ensure interoperability, improve connectivity, strengthen the protection and cyber security of public and private entities and increase digital skills in the public sector”.
The NRRP provides – directly or indirectly – around €500 million in funding for the government cloud. It is to be an IT infrastructure accompanied by the necessary cybersecurity and will host public applications and databases in four data centres.
This legislative framework must be in place, according to Romania’s commitments, by 30 June. Moreover, the law on cyber defence and security must be finalised and in force by the end of 2022.
The Emergency Ordinance scandal
In the context of the urgency of these steps, the government has published a draft Emergency Ordinance – a frequently used legislative tool in Romania – which has sparked adverse reactions from the IT industry, the non-governmental sector and even some central institutions.
According to the draft, the implementation and maintenance of the public cloud would be delegated to the Special Telecommunications Service, a specialised intelligence service. The Romanian Intelligence Service (SRI) would be in charge of its cyber security.
“SRI cannot ensure the security of personal data, because its legal purpose is to collect information,” warned the Association for Technology and Internet (APTI), led by lawyer Bogdan Manolea.
The ministry of digitalisation rejected concerns over the privacy of the information stressing that the SRI would not be able to access the content of data in the cloud.
Anton Rog, head of the SRI’s National Cyberint Centre, told Digi24 TV station the government cloud is critical infrastructure and, in the seven years the centre has been providing cyber security for 61 public institutions, there has not been a single complaint about SRI accessing their data.
However, the concerns remain in particular around the SRI collecting traffic data, namely the data behind each communication, as it is impossible to provide cybersecurity services without it.
Radu Puchiu, IT entrepreneur and envoy of the Open Government Partnership action plan, described the choice of delegating the government cloud to STS (Special Telecommunications Service) as “more than strange” since the finance ministry has an IT department of hundreds of people and the interior ministry also manages a critical database.
For Puchiu, the emerging framework is very rigid from the outset, which will hinder its development.
The IT industry also criticised the draft legislation. The Software Industry Employers’ Association (ANIS) warned that if the provisions of the draft legislation were to be maintained, it would not be possible to use non-proprietary technologies or open-source technologies in the construction of the cloud.
The ministry of digitalisation also denied this, saying that the private sector would be able to develop solutions and services for government cloud applications.
State institutions are not happy either
Criticism of the SRI’s involvement in the government cloud project comes not only from civil society but also from state institutions.
SRI, STS, and the Romanian Digitalisation Authority (RDA) sent in February a technical questionnaire on cloud migration to 108 public authorities and institutions in Romania. Two weeks later, only 83 institutions had filled in the questionnaire.
Of those still outstanding, six refuse to migrate their applications and data to the government cloud. These include extremely important institutions such as the Permanent Electoral Authority, the Constitutional Court and the National Anticorruption Directorate (DNA).
“We do not consider it normal for the STS and SRI to have access to all the data and documents that the Permanent Electoral Authority (AEP) is preparing for the elections,” AEP chief Constantin Mitulețu-Buică told Libertatea, a newspaper.
Similarly, DNA officials have set up their own IT applications with state-of-the-art equipment to protect the flow and storage of sensitive information related to ongoing criminal cases.
In April, the minister for digitalisation tried to tone down the polemics: “There was never any question that the operationalisation and use of the databases would be done by anyone other than the Romanian Digitalisation Authority,” said Marcel Boloș, minister for research and digitalisation at the time of the declaration, minister for investments and European projects starting May 3rd.
Boloș stressed that control over the public databases would be kept ”in the civil area”.
[Edited by Zoran Radosavljevic]