Open Source is a Key Contributor to the Issue of Digital Sovereignty

Digital sovereignty has become one of the most important goals in the European digitization strategy in recent months and years; ever since the repeal of the Cloud Act, Europe has shown that we mean business. Germany plays a leading role in these issues not only on a political level where initiatives such as Gaia-X, EUCLIDIA or the Sovereign Cloud Stack are significantly supported by the German government and companies based in Germany. But what is digital sovereignty? What is the current status? Where will, and must, the journey lead to? I discussed these topics with Dr Christian Knebel, founder and CEO of publicplan GmbH, and Karsten Samaschke, founder and CEO of Cloudical Deutschland GmbH.

Hello, thank you for your time. Both of your companies operate in the cloud and digital environment and support customers and also the state of Germany in becoming more digitally sovereign. But first, please tell us who you are and what publicplan and Cloudical do.

Christian: Yes, thank you very much. I’m Christian Knebel, Managing Director of publicplan in Düsseldorf. We are around 140 employees, and we digitize administration.

Karsten: I’m Karsten Samaschke, founder and one of the managing directors of Cloudical, we operate in the area of open source in the cloud-native environment, we offer our own Kubernetes distribution and managed services in and around Kubernetes for private and public sector clients.

A lot is happening digitally in Germany right now, what is the state of play, what is being debated?

Christian: There’s a lot of talk about digital sovereignty, for me that means the ability to independently generate and consume IT services without becoming dependent. When it comes to dependencies, people always like to talk about the multi-national cloud providers that are big in the US or China and are also used massively in Europe. But with dependencies, we are also talking about proprietary software that, once it has been purchased and introduced into a company or an authority, leads to a lock-in effect. If that path has been taken, there is hardly any chance of getting out of the software environment in question again. Because one has become accustomed to it, because the interfaces are all used, and because the effort to change once again would be huge. Digital sovereignty is the exact opposite: how do I manage to use modern and up-to-date IT solutions without creating such dependencies?

Karsten: I can only agree with Christian. For me, it’s essential we are able to understand, operate and write our own IT solutions, so it starts with the software and continues with the operative side of things. But the key issue is having the ability to do that. A big problem we often see is that people simply outsource to multi-national providers, for example, and thus knowledge is lost. The ability and the possibility to be able to offer, operate, and use IT independently and autonomously are absolutely essential. I see a great danger of this being lost.

Christian: Perhaps I should add that not only do you lose your own ability to master IT, but the issues of data protection and security are also often raised in this context. I‘m cautious about security, though, because it‘s easy to fall back into the old way of thinking, but ultimately, when you consider hacker attacks, it‘s the threat that if I move my IT to the US cloud, I‘m going to be more vulnerable to attack from hackers all over the world. That‘s a political point people often make. The issue of data protection is also an emotional topic, but there are legal foundations for it. In the context of the GDPR, depending on how strictly it’s interpreted, you definitely have a problem if you use multi-national clouds, because at the end of the day no one can guarantee there’ll be no data leakage to territories outside the EU. The benefits of the cloud, that data can be stored anywhere and failover can be avoided, also leaves the downside that your data may inadvertently leave the EU. This is still an unsolved challenge.

Karsten: For me, the key elements in this connection are software and open source. Open source is a key contributor to the issue of digital sovereignty. With open source software, you have the possibility to be vendor-independent and understand what is happening, to audit and adapt. Having this freedom and possibility is an essential aspect for me. That’s why I very much welcome the fact that there are major open source public sector initiatives happening, for example. This is about the basic ability of an organization, or a sovereign state, to really assert itself independently. All these points are relevant to digital sovereignty and for me it is important that the topic is thought through from end to end and actually lived.

What is the current status in Germany? What are politicians doing about it? Are there already solutions or offerings regarding digital sovereignty? Can we already be digitally sovereign in Germany?

Christian: I think you have to distinguish between the different levels. I‘ll start at the bottom with the networks and hardware. In the field of mobile communications, for example, there is a debate about whether we should be allowed to use Chinese chips. Even with networks, there is no getting around the infrastructure provided by CISCO and Co. Just as with processors and everything else, Europe simply has no suppliers. The political discussion is whether we can catch up and build networks – Open RAN is a catchword here. Because it has been recognized that if nothing is supplied from overseas, we will no longer be able to operate mobile phones or build servers.

The next level is the operating systems and server-oriented applications that are needed to even operate cloud technology at all. This makes open source an alternative to all proprietary solutions, because Linux and others have long been dominating this area.

The next level from there is applications. Here you need to zoom in again. On the one hand, there are the things we all use every day, such as operating systems and office applications, without which no computer can operate. There are now alternatives, but the two big players, Microsoft and Apple, dominate the market because these operating systems are usually pre-installed on commercially available PCs. If you want to use an alternative, you have to go the extra mile and, for example, download and install Linux and sort out the tool chain such as Libre-Office and Co. When it comes to government, in an environment where it is already so difficult to be digitally confident, we still face the challenge of special applications. And here it is actually much more difficult and very much a mixed picture.

Germany’s government sector is increasingly using open source special applications. There are administrations looking in this direction that have perhaps started their own digital projects in the field of specialized procedures or online portals, and they would like to equip themselves with open source solutions and thus become digitally sovereign. And their number is growing. And that is exactly where we come in. We believe that this is where the greatest dependencies exist, due to the multitude of applications and the multitude of users, it‘s a huge juggernaut, because many people still fall for the common operating systems or applications.

Karsten: I‘d like to add that, generally speaking, we have actually reached an almost welcome situation in the environment of IT operations and cloud operations, even with providers like Microsoft, where over half the virtual machines are now running on Linux. This has developed to the extent that even manufacturers like Microsoft have their own Linux distribution, which they don’t actively sell but use as a basis for very many things. That‘s nice to have, of course, but it‘s also just the tip of the iceberg.

When you look at the many open source offerings, you realize they are actually more open core. That means I have an insight into part of the source code, often even the relevant part, but I’m unable to modify and adapt the code. Even though this is not usually part of everyday business, having the ability to do so is an essential aspect because I’m unable to set myself up independently of a producer per se. Open Source is often used as a fig leaf: we have a Linux system here, it‘s all good, what more do you want? The essential trick that needs to be mastered is in fact what Christian has already indicated, which is to think the whole thing through to the very end and then live it, to go the extra mile.

And in this respect, unfortunately, it has to be said that open source projects don’t really make it easy for you, because you’re confronted with a self-focused mentality: I’m an open source project, I’m well integrated with myself and I’m capable of being rolled out, but together with others, not so much. This poses a great many challenges for users. But I firmly believe that the ability and the willpower to overcome these challenges basically exists and should exist, because it’s worth taking this path, making oneself independent of certain providers who do things purely out of commercial or politically driven interests. You can decide for yourself whether to go for updates, whether to go along with certain developments or not, so you position yourself quite differently. But that also means you have to be able to understand this complex area, to operate it, maybe even to develop it a little further; you at least have to know people who can do that for you to be able to achieve that level of independence.

In Europe, there is of course the political aspect, but there is also a strong economic aspect that speaks for open source and independence, i.e. that I don‘t have to go along with certain economic interests of others. And these are things that, at the end of the day, can even mean I can save money by using open source, even though I initially and seemingly have more work to do integrating things with each other. This is because I become more independent of what a big provider decides for me in his boundless wisdom. Unfortunately and all too often people think from one moment to the next and fail to implement a long-term strategy. That‘s where we come in, pushing these issues further and further, stirring the debate about them, helping make open source and digital sovereignty the gold standard.

Christian, you mentioned e-government and said that publicplan provides open source and digitally sovereign offerings for it. What exactly do you do and offer?

Christian: In the IT world today, also in the public sector, there is actually no problem that someone somewhere has not already solved. For example: let’s say I want to have a website or a portal and I want to offer online forms so that citizens or companies can enter their requests or data to be transferred to the administration department. Our first question is hence always: what solution already exists for this case? And is that an open source solution? That’s already one of the services we offer our clients, we check what solution already exists for a specific application and then we analyze and test it accordingly. Open source projects are not always well documented, they are often very different from one version to the next, and they develop very quickly. That’s why we test the projects in question to see if they can meet our customers’ requirements. For example, a large federal German state wants to change its entire content management system from a proprietary solution to open source and they ask us what possibilities there are for doing so. We then seek out the possible projects or open source products that might be a good fit and analyze them and test them with regard to meeting our clients’ requirements. And that’s how we find out what would be a good alternative.

The second step is when customers have decided that we are to specialize and individualize the chosen solutions and refine them to meet the customers’ requirements. For the federal state in question, for example, this means that we implement special requirements regarding security, guarantee accessibility, or install interfaces. This leads, for example, to us choosing Drupal as a content management system and supporting it as the state’s CMS in North Rhine-Westphalia. It possesses the state design, all the necessary interfaces for North Rhine-Westphalia, and state-specific functions are built into it, for example, a connection to the map service used in North Rhine-Westphalia. We have developed all of this, we provide the system support and bundle it and we call it maintainership. This is how a bundle of modules, configurations, designs, etc. is created. And maintainership means that we keep this bundle permanently running, import all updates from the open source community, and provide further specifications and individual adjustments for the customer. Our maintained software is then also used in other projects, naturally with all the specific adaptations.

We also make all our developments available as open source, so you don’t always have to go through us. By the way, we call our Drupal-maintained bundle deGov, which other companies can also use to build portals for the state of NRW. For the customer, this means independence from us; for example, if we don’t have the resources or the customer doesn’t like us, he can use other providers. For us, digital sovereignty and open source are so important that we provide this kind of support. That is our range of services, and this can be considered in all possible directions for the state and the public sector, our specialist area, such as in terms of form systems, portals, chatbots and chat systems, and messengers. But this also extends to the backend, where the renowned specialized procedures come into play, for which we also check what is open source, how we can map into open source what a specialized procedure would otherwise do in a proprietary solution? This public sector specialization is crucial for us because there are specific requirements in this field that are often not found in the industry at large, with accessibility being one of the key issues, and we often have special requirements for information security within the tools because the state is often the target of hacker attacks. That’s where you have to step it up a notch. Another important point is interfaces where there are many proprietary systems in the state that are only used by the state, such as registers, the register of residents, the German traffic penalty points register in Flensburg – all these systems have interfaces and connecting them to the tools in specific contexts is one of our special services. In this respect, we are something of an enterprise provider for the government sector in the open source area.

Karsten: Interestingly, this is not far from what we do at Cloudical. One also has to say that in that sense there is no difference between software and platform. Of course, there are different aspects that you look at, but what we also do is we take an open source product, in our case Kubernetes, and bring in other open source products. We integrate them, we create the interfaces between these products, we create a manageability or maintainability of the whole story, and maintain that. And that, I believe, is an essential aspect that also contributes greatly to the acceptance of such solutions. The fact that there is a business model and that there is a business case which is not based on me conjuring up proprietary things and excluding others, but rather going the other way and taking what others have done, refining it, and then making it available again. But not in the sense of setting a boundary; with publicplan it’s still Drupal with additional modules, with adaptations, but ultimately it’s Drupal. In the same way, for us it’s still Kubernetes with additional modules, with customizations and tools, but ultimately it’s Kubernetes. We are standards compliant in terms of what these platforms, this software, and these products provide. What we do is we provide all the service and maintenance and make sure people can work with it. And that‘s also something that prevents people from falling into the vendor lock-in I described above. In addition, it offers the real value added that you only get if you use real open source products and bring them together in a meaningful way. Not everyone can do that, because it takes a lot of experience, a lot of work, and a lot of knowledge to do so. But we make this knowledge available to our customers without locking them in. We hence embody the mindset that has an overarching effect and is both valid and necessary.

You mentioned earlier that Germany still relies a lot on non-European infrastructure. What is necessary for the German public sector to actually become digitally sovereign? What is already in place? And how do publicplan and Cloudical play into this?

Christian: I have to explain one thing first. Public administration has traditionally used its own local IT service providers and its own data centers. This means that, historically, the administration side has tended to detach itself from what we today call the cloud and do its own thing. But now we’re thinking 20 years ahead and realize that this approach with the servers located in the basement also has its weaknesses since such decoupled systems are vulnerable, as recent examples have shown, for example, the university hospitals in Düsseldorf were lately paralyzed for days on end. The increasingly complex IT infrastructures also frequently overtax the relatively small IT teams, which are not always able to fend off attacks or always keep security up to date. Other aspects also play a role when there’s a power cut, for example: that‘s why people use the cloud, to act as a fail-safe. At the same time, cloud systems are also generally assumed to be more secure than when I look after my own menagerie, because the large cloud providers in particular have a huge pool of employees who are exclusively focused on security and ensure that there are relatively fewer attack angles there than in their own data center. I believe that failover scenarios and security scenarios only lead to the public administration considering whether it would not be better to crossover to a cloud system and use the benefits offered there. That‘s where the scaling aspect comes in. On-site data centers are not able to grow easily and quickly to meet the demands of increasing data volumes and computing power.

It can easily take six months or more to be in a position to use new software because first of all new servers need to be purchased and installed. With cloud providers, however, it is usually relatively easy to add resources via a web interface. Many trends are driving cloud solutions and this is gradually also happening in public administration. Here, however, the requirements of digital sovereignty once again come into play. The use of non-European providers means that EU data protection cannot be guaranteed and one is bound to only one provider, remaining dependent on its pricing and offerings. This makes the trend of moving administrations to cloud solutions difficult, which explains why they haven‘t caught on yet.

My interpretation of what we are pushing and driving with Cloudical is that we want to harness the benefits of cloud, but at the same time go down the path of dependency. By implementing Kubernetes in the customer’s own, or geo-redundant, data center and building something that lies within the customer’s own sovereignty and which offers all the benefits of cloud, while remaining completely under the customer’s control, who is doing what where must always remain transparent. Subscription models and dependencies are to be avoided. I’m aware that the issue is not an easy one, but I believe Europe has also recognized that this is the path that must be taken, because otherwise we will actually be paying billions to non-European countries for services that will not benefit us in the end, only the companies operating out there.

Karsten: Basically, as Christian described, you can only really address the challenges by using modern, cloud-native platforms, even if it means using your own data center, even if this has to be in the basement, and, if there’s no other way, under your desk. This makes it possible to combine the best of both worlds. The big challenge is, firstly, to be aware of this and, secondly, to really ensure one is not once again, at the end of the day, dependent on a provider by using its software solutions. We turn the tables on this kind of situation by relying on standard open source projects, by relying on the vanilla framework (in the IT world the term "vanilla" is used to reference the standard product of a project or a community), and by making these projects available in as unchanged a form as possible we ensure that one can use the benefits of these new environments without being tied to a particular provider or particular environment. This means I can change the hardware at any time and use my applications in other environments, because what I rely on and what I work with is standards-compliant and is set up exactly as intended and desired by the underlying projects. This approach means I can remain independent.

This directly aids sovereignty control but often also brings cost savings and flexibility. That’s the fascinating thing about all this: once you’ve made the effort to think your way into this environment, building up the knowledge and skills for using it, then you can actually position yourself there and really work your way through the extremely troublesome issues that Christian already mentioned. Then, at the end of the day, it’s a question of sensitizing the people in charge, making sure they choose solutions oriented to their needs and requirements, and ensuring they don’t get caught out by marketing promises. We offer a flexible, secure, data-sovereign, end-to-end open source cloud solution that can also be operated in your own data center. One more point worth mentioning is that we now also have the interface between publicplan and Cloudical.

Christian: I’d just like to mention one more key aspect. The fact that data centers have realized that, sooner or later, they will be hung out to dry if they don‘t use cloud technology is already well known. I can divide data centers into three groups: firstly, those that use Microsoft and are trying to make their own operations more cloud-based by turning to Azure, those that rely on Red Hat and use its Enterprise Linux and OpenShift, and lastly those data centers that use SUSE products such as Rancher. These are Kubernetes distributions. This is relevant for us because it makes a difference for our applications whether they are to be installed, configured, and made to run in a Microsoft, Red Hat, or SUSE environment. And these are definitely individual projects that are not completed in two or three days’ time since they involve bringing our complex application constructs into the respective cloud stacks. So far this has not been our core competence and Cloudical will take care of it from now on. But, as software providers, it drives us crazy that when we have adapted our applications to one environment, we cannot use any of these adaptations for another environment and have to start from scratch all over again. The reason for this is that, even though all three vendors offer a Kubernetes platform, their Kubernetes solution is just not standards-compliant and vendor-specific customizations have been made. As a result, an application that runs in one environment, even though it is also based on Kubernetes, usually does not run in the other environment. 
Of course, we are happy to make the respective adaptations for our customers and there is nothing to say against this purely from a business perspective; but if we look at this through the glasses of the taxpayer and the public administration, then it is very annoying if you actually rely on a standard open source project, such as Kubernetes, but are lured back into the trap of a vendor lock-in by the vendor that you are using for the operating system.

From our point of view, you have to make sure that you use Kubernetes in such a way that you stay within the scope of the standard version and also make standard-compliant adjustments. Only then can you easily switch from data center A to data center B. This also makes work easier for us because we base our customizations on vanilla Kubernetes. Hence our applications also remain completely open source and can be used by anyone. That means the customer doesn‘t really need us to get the applications up and running. And in the end, of course, it‘s also tax-saving because we don‘t have to do the customizations every time. For me, that’s the advantage of adopting the vanilla approach and where we set ourselves apart from Red Hat, SUSE and Co.

Karsten: I can only agree with that. This phenomenon isn’t new: we also had it in the past with Java EE where, again, there were vendor specifics that ensured that you never got away from the respective platform again. That‘s why it‘s so important to stay within the scope of the standard. We’ve learned this lesson from many projects. It‘s also exactly why we, as Cloudical, are developing our own Kubernetes stack that combines the standard Kubernetes version with various integrated vanilla open source projects – precisely not rebuilding Kubernetes to only run in a specific, proprietary environment. That‘s a key point for us: once you stick with the standard, you‘re able to replace vendor A with vendor B, swap data center A for data center B, and cloud A for cloud B. It‘s not about being obliged to do it but having the freedom to do it. And the further and deeper you sink into the shallows that vendor lock-in brings, the more difficult and costly such a changeover becomes. By this stage, switching is no longer possible. And if at some point the vendor in question decides not to continue supporting a particular product, for example, or offers it in a different form, the customer faces a huge problem. The magic word for me at this point is sustainability. Dealing sustainably with tax money, with resources, and with knowledge only works properly if you stay close to the standard.

Politicians have meanwhile also understood these problems so that digital sovereignty, but also open source and technical know-how, are being called for in Germany. That means you basically have a lot of support from the very top, but I hear you saying that the road ahead will still be a long and rocky path to tread. What are the next few steps along this path?

Christian: For me, the obvious thing to do in the field of administrative digitization and the implementation of the OZG (Germany’s Act to Improve Online Access to Administrative Services) is to make sure, especially in those segments where players have not yet established themselves over the last 30 or 40 years, that we move forward aggressively and prove that it works using open source, that it works even better, and that the benefits mentioned really take effect. From this position, which is no longer so very small, we want to see if we can take on the established bastions step by step. This step-by-step approach will help us achieve the goal of running the administration based completely on open source solutions within the next ten years. I remain optimistic.

Karsten: Our basic goal is similar: it’s important for us to offer our Kubernetes distribution on the various public cloud platforms, but without leaving out the smaller or private platforms. And from that position, because we know it’s terribly difficult to get involved in that segment at all, we’ll make offers to our customers and give them the opportunity to outsource their workloads and applications as well as their infrastructures to us within the framework of managed services – not by locking them in but by convincing them through the quality of our services, thus making it quite clear that the vanilla solution, the standard, is good, that you can work wonderfully well with it. From there on, everything else will follow: the cloud environment is still in its infancy, even if the big cloud providers seem to cover a huge market, I don‘t believe it will stay that way. I believe in a very diverse ecosystem and that there are a lot of vendors and initiatives like Gaia-X, for example, that want to try to define standards and bring ideas together. These are things that we support, where we are involved, and where it is important for us to keep bringing together the benefits of a standard platform with a highly diverse and changing ecosystem. It’s also key to bring that into different areas, be it private, be it public, be it something in between. I believe that though we really have a long way to go, it’s really worth the effort – because we need alternatives to the big providers, we need independence, we need sovereignty, digital, technical, infrastructural, and knowledge-based sovereignty on a large and small scale. That’s what we stand up for again and again, every single day.

Thank you very much for these insights and outlooks.

The interview was conducted by Friederike Zelke