Supplementary Analysis

This document consolidates: threat assessment methodology, comparison to other initiatives, exit strategy, skills market analysis, and regulatory compliance matrix.


1. Independent Threat Assessment Methodology

The Intelligence & Security Committee will ask: "Has NCSC reviewed this threat assessment? Has GCHQ validated the CLOUD Act exposure claims? Where's the JIC assessment?"

Required Intelligence Community Input

| Jurisdiction | Agency | Required Assessment | Timeline |
|---|---|---|---|
| UK | NCSC / GCHQ / JIC | CLOUD Act exposure analysis; US provider access risk assessment; Supply chain security review | 6-12 months |
| EU | ENISA / EU INTCEN | Cross-border data access risks; Member state coordination; FISA 702 implications | 6-12 months |
| Canada | CSE / CSIS | US-Canada data sharing agreements; Five Eyes implications; Canadian data sovereignty | 6-12 months |
| Australia | ASD / ASIO | Five Eyes / AUKUS considerations; Regional threat assessment; Defence implications | 6-12 months |

Threat Assessment Framework

Current threat claims in documentation are preliminary. A formal assessment must follow a structured methodology:

| Element | Methodology | Output |
|---|---|---|
| Threat Actor Analysis | Identify actors who could compel US providers to take action against allied governments | Actor profiles, capability assessment, intent analysis |
| Legal Mechanism Review | Analysis of CLOUD Act, FISA 702, IEEPA, executive orders | Legal pathway matrix, historical precedents |
| Probability Assessment | Structured analytic technique (e.g., Analysis of Competing Hypotheses) | Probability ranges with confidence intervals |
| Impact Quantification | Business impact analysis of service denial scenarios | Quantified impact per scenario |
| Mitigation Effectiveness | Assessment of sovereign cloud mitigation vs. alternatives | Cost-benefit comparison |

Current Assessment Status

Acknowledgement: The threat scenarios presented in this documentation are based on legal analysis and logical extrapolation, not intelligence assessment.

Condition for Proceeding: Formal NCSC/GCHQ/JIC assessment must be completed and validate threat scenarios before Gate 1 (Month 6) of the pilot programme. If intelligence assessment materially disagrees with preliminary analysis, programme scope and rationale must be revised accordingly.

2. Comparison to Failed/Stalled Initiatives

Critics will ask: "Multiple jurisdictions have tried this and failed. What's different here?" This section provides an honest comparison.

Gaia-X (European Union, 2019-present)

Status: Partially successful, but not achieving sovereignty goals

| Aspect | Gaia-X Experience | Lesson for SCI |
|---|---|---|
| Scope | Standards and federation framework, not infrastructure | SCI must build actual infrastructure, not just standards |
| US provider inclusion | AWS, Microsoft, Google joined; diluted sovereignty goal | SCI explicitly excludes US-controlled providers from core platform |
| Achievements | 180+ data spaces, 500+ certified services, Catena-X automotive success | Data space model useful for sector-specific applications |
| Timeline | 5+ years, still in "implementation phase" | SCI pilot designed for 24-36 months with clear deliverables |

Key difference: Gaia-X is a standards body; SCI is an infrastructure programme. Gaia-X's successes (data space standards) can be incorporated into the SCI platform.

IPCEI-CIS (EU, 2023-present)

Status: Active, €2.6B investment, building edge/cloud infrastructure

| Aspect | IPCEI-CIS | Relationship to SCI |
|---|---|---|
| Focus | Edge-cloud continuum, European providers | SCI can build on IPCEI-CIS technical outputs |
| Investment | €1.2B state + €1.4B private | SCI is larger scale (EU portion alone ~€100B) |
| Participants | 12 EU member states, 100+ companies | SCI adds UK, Canada, Australia coordination |

Lesson: IPCEI-CIS is a building block, not a substitute. The SCI EU component should coordinate with and build upon IPCEI-CIS.

India MeghRaj / Sovereign Cloud Efforts

Status: Fragmented; multiple private initiatives, no unified government cloud

MeghRaj (Government): Framework exists but implementation limited
Private sector: TCS, Airtel-Google, and others building sovereign offerings

Lesson: Fragmented approach leads to multiple incompatible solutions. SCI requires unified architecture and governance.

China: Domestic Cloud Ecosystem

Status: Successful in achieving independence, but not a replicable model

Why it worked: Single-party control, massive domestic market, willingness to accept capability gaps, heavy investment in domestic alternatives.
Why not applicable: Democratic governments cannot mandate use; must compete on merit; requires user acceptance.

What's Different About SCI

| Factor | Previous Initiatives | SCI Approach |
|---|---|---|
| Infrastructure vs Standards | Gaia-X focused on standards only | Building actual infrastructure with CloudStack |
| US provider participation | Gaia-X included them, diluting purpose | Explicitly excluded from core platform |
| Governance | Voluntary, consensus-based | Treaty-based with binding mechanisms |
| Timeline | Open-ended | 24-36 month pilot with go/no-go gates |
| Scope | EU-only | UK + EU + Canada + Australia |

3. Exit Strategy and Stranded Capital

NAO/Treasury will ask: "What's your exit strategy? How do you avoid another NPfIT where we spent billions and got nothing?"

Programme Failure Scenarios

Scenario A: Pilot Failure (Year 2-3)

Trigger: Pilot doesn't meet success criteria

Sunk cost: €200-500M (pilot budget)

Exit actions:

  • Orderly wind-down (12 months)
  • Return pilot services to original platforms
  • Document lessons learned
  • Retain reusable components (open source)

Residual value: Some infrastructure may be repurposed for other uses

Scenario B: Mid-Programme Failure (Year 4-5)

Trigger: Full programme started but encountering major issues

Sunk cost: £5-10B (UK share)

Exit actions:

  • Halt new migrations
  • Stabilise existing services on sovereign platform
  • Assess whether to continue reduced scope or full repatriation
  • 18-24 month transition period

Residual value: Infrastructure can host services already migrated; no full loss

Scenario C: Political/Coalition Failure

Trigger: One or more jurisdictions withdraw

Exit actions:

  • Remaining jurisdictions may continue independently
  • Withdrawing party pays exit costs per treaty
  • 24-month notice period for orderly separation

Residual value: National infrastructure remains; cooperation ends

Stranded Capital Estimates

| Failure Point | Total Spent | Recoverable Value | Net Loss (UK) |
|---|---|---|---|
| End of Pilot (Year 3) | €500M (all parties) | ~20% (reusable components) | ~£100M |
| Mid-Programme (Year 5) | £10B (UK) | ~40% (infrastructure repurposable) | ~£6B |
| Late failure (Year 8) | £15B (UK) | ~50% (services running, infrastructure useful) | ~£7.5B |

Maintenance Tail

Even a stopped programme requires ongoing maintenance for systems already deployed:

  • Years 1-5 post-stop: Full operational support for migrated services (~£200M/year)
  • Years 6-10: Reduced support as services are repatriated (~£100M/year)
  • Total maintenance tail: ~£1.5B over 10 years

4. Skills Market Analysis

HR/Workforce experts challenge: "You'll be competing with every tech company for talent. At government salaries, you won't get the A-team."

Market Salary Comparison (UK, 2025)

Cloud Architect (Private Sector): £85-120K
Cloud Architect (Civil Service): £55-75K
Government Salary Gap: 30-45%

Role-Specific Analysis

| Role | Private Sector | Civil Service | Gap | Availability |
|---|---|---|---|---|
| Cloud Platform Engineer | £70-100K | £45-60K | -35% | Moderate shortage |
| Security Architect | £90-130K | £60-80K | -40% | Severe shortage |
| DevOps/SRE | £65-95K | £45-55K | -35% | Shortage |
| Data Engineer | £60-90K | £40-55K | -35% | Moderate shortage |
| Technical Architect | £100-140K | £70-85K | -35% | Shortage |

Mitigation Strategies

| Strategy | Description | Trade-off |
|---|---|---|
| Contractor rates | Use contractors at market rates for surge capacity | Higher cost (£450-600/day); knowledge transfer challenge |
| Secondments | Borrow staff from private sector partners | Conflict of interest management; temporary |
| Digital Fast Stream enhancement | Accelerated graduate programme with competitive starting salaries | Takes 2-3 years to produce senior capability |
| Special pay spine | Create "Digital Specialist" grade with higher pay (like GCHQ model) | Political difficulty; internal equity issues |
| Mission appeal | Emphasise national security/public service aspect | Limited effect; can't close 40% gap |
| Remote work flexibility | Government now more flexible; compete on work-life balance | Partial mitigation only |

Realistic Workforce Plan

  • Core team (20%): Permanent civil servants on Digital Specialist spine
  • Extended team (50%): Contractors through existing frameworks (Crown Commercial, DOS)
  • Surge capacity (30%): Managed service provider partnerships

Budget implication: Blended rate ~30% higher than pure civil service staffing (already reflected in cost model staffing estimates).

PROPOSED INTERVENTION: Digital Sovereign Infrastructure Pay Spine

Recommended Action: Create a "Digital Sovereign Infrastructure" (DSI) pay spine for critical national security cloud roles, modelled on GCHQ technical specialist grades.

| DSI Grade | Current Civil Service Equivalent | Proposed Salary Range | Private Sector Benchmark |
|---|---|---|---|
| DSI-1 (Cloud Engineer) | HEO/SEO (£35-45K) | £55-70K | £65-85K |
| DSI-2 (Senior Engineer) | G7 (£45-55K) | £70-90K | £85-110K |
| DSI-3 (Principal/Architect) | G6 (£55-70K) | £90-120K | £100-140K |
| DSI-4 (Chief Specialist) | SCS1 (£75-95K) | £120-150K | £130-180K |

Precedent: GCHQ operates similar specialist pay arrangements. Security cleared roles in national security programmes routinely command premiums.

Cost impact: Additional £15-25M/year for UK core team of 500 permanent staff. Reduces contractor dependency and improves knowledge retention.

Governance: Requires Treasury sign-off as part of business case. Should be included as Gate 0 condition.

5. Regulatory Compliance Matrix

Security specialists challenge: "How do you certify a brand-new platform across four different regulatory regimes simultaneously? This alone takes 3-5 years."

Jurisdiction-Specific Requirements

| Requirement | UK | EU | Canada | Australia |
|---|---|---|---|---|
| Cloud Security Standard | NCSC Cloud Security Principles | EUCS (emerging) | CSE CCCS guidance | ASD ISM |
| Data Protection | UK GDPR / DPA 2018 | GDPR | PIPEDA / Provincial | Privacy Act 1988 |
| Certification Required | Cyber Essentials Plus; NCSC assessment | ISO 27001; EUCS (when available) | PBMM assessment | IRAP to PROTECTED |
| Data Residency | UK for OFFICIAL-SENSITIVE+ | EEA for personal data | Canada for Protected B+ | Australia for PROTECTED+ |
| Estimated Certification Time | 12-18 months | 18-24 months | 12-18 months | 12-18 months |

Common Baseline Approach

Rather than certifying separately in each jurisdiction, establish a common baseline that satisfies the highest common denominator:

| Control Domain | Common Standard | UK | EU | CA | AU |
|---|---|---|---|---|---|
| Information Security Management | ISO 27001:2022 | | | | |
| Cloud-Specific Controls | ISO 27017 / 27018 | | | | |
| Service Organisation Controls | SOC 2 Type II | | | | |
| Cryptographic Standards | FIPS 140-2/3 or equivalent | | | | |
| Penetration Testing | Annual by accredited assessor | | | | |

Mutual Recognition Strategy

Propose mutual recognition agreements to reduce duplication:

  • UK-Australia: Existing Five Eyes security cooperation provides basis
  • UK-Canada: Similar frameworks, potential for bilateral agreement
  • EU-UK: Requires negotiation under TCA digital provisions
  • EU-Canada: CETA provides starting point

Certification Timeline

| Phase | Activities | Duration |
|---|---|---|
| Pilot Phase | ISO 27001 base; NCSC/ASD advisory assessments | Months 1-24 |
| Pre-Production | Full ISO certification; national assessments begin | Months 18-30 |
| Production | All certifications complete; ongoing assessment | Months 30-36 |

6. OpenStack vs CloudStack Technical Comparison

Detailed technical analysis comparing OpenStack and Apache CloudStack as candidate substrate platforms for sovereign cloud infrastructure. Includes licensing analysis, US denial risk assessment, hyperscale capability comparison, and strategic recommendations.



Document Status

This supplementary analysis consolidates responses to medium-priority gaps identified in the CRITICAL-GAPS-FOR-REFINEMENT document.

Version: 1.0 | Last updated: January 2026
