Digital Technology Minister Sebastian Burduja said on Tuesday that there would be no risk of abuse by the SRI over unauthorized access to personal data stored in a future private government cloud, as all data accesses would be logged and citizens would be notified in real time. the time when they will have access to the data.

CyberInt_SRIPhoto: Scientific Research Institute

The government made the relevant decision on Tuesday very important for the implementation of the government’s private cloud, the largest investment in digitization in PNRR, with funding of more than 560 million euros (excluding VAT), is the IT platform that will be managed by the Authority for Digitization of Romania (ADR). in cooperation with the DPS and the Research Institute.

  • Special Telecommunications Service (STS) will provide implementation, technical and operational administration, cybersecurity, maintenance, and continued development of the government’s private cloud, Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) core infrastructure.
  • Romanian Information Service (SRI) will ensure the cyber security of the government private cloud by knowing, preventing and countering cyber-attacks, threats, risks and vulnerabilities, including sophisticated type APTs, directed against the services of the government private cloud (software as a service – SaaS) and hosted objects.

Digitalization Minister Sebastien Bourduya explained on Tuesday at the end of the government meeting that the adopted act will regulate important areas:

  • principles of a government cloud platform and how the government cloud interacts with clouds provided by private companies;
  • data classification policy – ​​which data belongs to the public private cloud, which data can be stored in cloud systems provided by private companies;
  • the logging of access to this data, respectively, the way in which Romanians will be informed in real time when the Romanian state, public institutions access their data, the area of ​​interaction, etc.

Why MAi or MApN is not among the 87 institutions and authorities that will move to the cloud

Burduia noted the fact that Romania assumed in the PNRR that at least 30 public institutions will transfer their IT systems to the government cloud by 2026.

HotNews.ro reports that the act adopted by the government today presents a list of 87 institutions and public authorities that will move to the cloud, but missing important ministries with many electronic public services or sensitive data, such as the Ministry of the Interior (MAI). ) or MApN.

  • VIEW HERE THE RULES WITH 87 INSTITUTIONS

What is the explanation?

  • “MAI, the Ministry of Justice and other exempt agencies have their own cloud system that connects to the government’s private cloud. For all practical purposes, they reside in the government cloud, not in STS’s four data centers. They reside in their own data centers that are interconnected at the database level with their own clouds.” Minister Burduja said.

Burduzha noted that all these projects of other ministries regarding their own data processing centers are financed by European funds, including some of them from already approved programs.

  • “What’s really important is that there’s a relationship at the database level again,” said Burduya.

Attention HotNews.ro, the digitization minister corrected himself by saying that all these IT systems will be developed as none of these projects or data centers have been completed yet. Also regarding compatibility, the law has just been passed.

  • Contrary to what Minister Burduja saidThe Ministry of Justice is on the list of 87 institutions that will transfer their IT systems to the state cloud.

What is SRI looking for in the public cloud?

HotNews.ro then asked the minister to explain what the Romanian Intelligence Service (SRI) is looking for in the cyber security management of this platform, given that the Special Telecommunications Service (STS) can also manage Advanced Persistent Threat (APT) cyber attacks. .

In an environment where the law on SRI’s work imposes data collection obligations, there will be a risk of abuse by SRI, as the Association for Technology and the Internet (ApTI) warned last spring.

  • “There is no risk of abuse. That’s why I told you that technology is still giving us the answer. All access to data is logged, cannot be deleted, any access leaves traces, and citizens are notified in real time.”, said Burduya.

Why was the Research Institute included in this project when there would be other authorities?

  • “Because it has these powers, defined in the Constitution of Romania and, according to the law, to fight attacks from outside the country on the data of Romanians.
  • We are talking about national security, we are talking about new types of threats and we are talking about the institution of the Romanian state that is supposed to protect the citizens of Romania.
  • And, I repeat, it does so within the limits defined by the Constitution and these provisions.
  • Know that also in other European states, everything related to cyber intelligence is the domain of the intelligence services, I repeat, within the constitutional limits and within the limits of the law.” – noted the Minister of Digitalization.

​Citizens’ and companies’ data in the future government cloud, the IT infrastructure that will host all central public IT systems, will not be able to be viewed and accessed by the Romanian Information Service (SRI), which will only provide cyber security for the system, the Ministry of Digital technologies in a wider response to the controversy surrounding this project with more than €500 million in funding from the PNRR.

  • Read more: 85 state institutions move their IT systems to the cloud managed by ADR, STS and SRI: MAI, MApN, MAE and other bodies are not yet on the list