Your Infrastructure Isn't Really Yours
Who controls your digital operations - what happens when they decide you can't use them ?
This piece has been forming for a while. The ICC sanctions incident made visible something that has been structurally true for years: we do not fully control the infrastructure we depend on. This is what that means for how we think about security, resilience, and dependency. What happens if your technology is removed from underneath your feet?
In January 2025, the United States sanctioned the International Criminal Court and its staff. Within days, Karim Khan, the ICC’s chief prosecutor, found himself locked out of his Microsoft email. There was no hack, no breach, just a policy decision in Washington executed through infrastructure the ICC trusted implicitly.
After all, when you subscribe to Microsoft 365, you rarely reflect on the underlying delivery mechanism. We take these services for granted—largely because, until now, the weaponisation of sanctions was debated in multilateral forums like the UN General Assembly, not imposed as unilateral decisions by individual countries.
What happened to Khan was not an isolated incident; sanctions have been levelled against organisations and individuals before. But it was sobering for another reason: the target could have been anyone in Europe. An ally suddenly found itself at the receiving end of hostile sanctions by another ally, delivered through a process that can best be described as abusive.
For decades, organisations worldwide have built their digital operations on a foundation of US technology, presuming that if you can pay, it’s available. Microsoft for productivity, Google for collaboration, AWS and Azure for cloud infrastructure, Zoom and Teams for communication. Now, we are growing increasingly dependent on AI frontier models as well.
The hidden insight now emerging is that this foundation was never neutral, and that illusion has now been shattered in plain sight.
This Should Not Have Been Surprising, but it was
The sanctions against the ICC and its staff revealed what security professionals and geopolitical analysts have been warning about for years: that the extraterritorial reach of US jurisdiction, combined with the dominance of US technology firms, creates a dependency that can be weaponised unilaterally, without judicial process, and against parties the US itself previously treated as legitimate. This effectively creates a technology "kill-switch" that can be applied to anyone when the state wills it: turning this into an issue not only about dependence, but about sovereignty for both states and organisations.
What made this case particularly instructive was the target of the sanction. The ICC is, in the eyes of the world, not some adversarial entity. It is an institution that Western democracies helped establish, that many US allies actively support, and that was acting within its legal mandate. The sanctions were not levelled against a mutual enemy, but rather against an organisation pursuing accountability that the current US administration found inconvenient.
This case has broken the implicit assumption that the US would only exercise these capabilities against "shared" threats. Now that we hold the evidence that a "kill-switch" can be used at will, we need to form strategies that break the dependency; strategies that cover not only the technology and tools themselves, but also the data that could be severed, seized, or rendered inaccessible without warning.
We Allowed This Risk to Be Lopsided
The uncomfortable truth that the current scramble for digital sovereignty obscures is that we buried our heads in the sand and ignored the risks.
The Snowden revelations in 2013 demonstrated unambiguously that the NSA was conducting mass surveillance on allied leaders. The diplomatic friction played out briefly in the media, but we swiftly returned to the status quo. Snowden’s revelations showed that US technology companies were either cooperating or being compelled to cooperate with the US administration’s instructions through programmes like PRISM. They exposed that the “Five Eyes” arrangement meant all of this was coordinated behaviour among Anglophone intelligence services. And they laid bare that the legal frameworks ostensibly protecting non-US persons were essentially theatre.
The public response was telling but symbolic. European governments continued procuring US technology. Corporations continued migrating to US cloud platforms. The fundamental architecture of dependency not only persisted but deepened as cloud adoption accelerated through the 2010s. We saw some changes to how cloud data was geofenced and hosted through regional clusters. But most of that was driven by domestic data privacy obligations, not by concerns over resilience, dependence, or security.
Why? Because, I argue, there was a collective choice - not always conscious or articulated - to treat the Snowden revelations as an intelligence problem rather than an infrastructure problem. The framing became “the Americans spy on us” rather than “we have built systems that structurally enable foreign powers to surveil and potentially disrupt our operations.”
We allowed this risk to be lopsided, working under the flawed assumption that “friendly” governments would not weaponize it against us. Call it a remnant of a “gentlemen’s agreement”; that friends don’t do things like that. Or perhaps more accurately, we chose comfort over confrontation, convenience over sovereignty, the path of least resistance over strategic autonomy.
That remained so, until it started to hurt.
Surveillance Capability vs Control Capability
Snowden revealed surveillance capability; the recent sanctions cases reveal something different: control capability. That distinction matters.
Surveillance is passive in its immediate effect. Your operations continue. You may be compromised, but you are not disabled. You can even maintain the polite fiction that you do not know about it, or indulge in the diplomatic theatre that “we all spy on each other.”
Sanctions-driven service termination is different: it is active and tangible. You cannot log into your email. Your video conferences will not connect. Your cloud storage becomes inaccessible. Credit card transactions or payment services are denied. There is no ambiguity, no deniability, and no option to simply continue as before. For individuals, it is life changing. For corporations or organisations, this becomes mission critical: loss of access to cloud storage, emails, or payment facilities means complete operational paralysis.
This is what has finally broken through the wilful blindness. Not the abstract knowledge that the US could exercise control, but the concrete experience of it being exercised against actors that European and international institutions considered legitimate.
The Dependency Map Most Organisations Have Not Recognised
To understand the exposure, we need to consider where US control points exist in a typical organisation’s digital operations.
Identity and Access is perhaps the most critical layer. Microsoft Entra ID (formerly Azure AD), Okta, and similar US-based identity providers often control who can access what. If your identity provider is sanctioned, or directed to cut you off because of sanctions against you or your country, your staff may find themselves locked out of everything simultaneously.
Communication is perhaps the most visible layer. Email (Microsoft 365, Google Workspace), messaging (Slack, Teams, WhatsApp), and video conferencing all flow through US-controlled infrastructure. The Khan case demonstrated this directly.
Productivity and Collaboration encompasses documents created in US-controlled formats, stored on US-controlled cloud infrastructure, with US-controlled sharing mechanisms. Adobe Cloud, Zoom, Salesforce, Monday: the list extends well beyond the obvious names. Even self-hosted instances depend on licensing and update mechanisms that remain US-controlled. Add AI-enabled features, and sensitive data begins flowing to processing infrastructure you may never have assessed.
Artificial Intelligence adds a new dimension. Anthropic’s recent tangle with the US administration resulted in foreign individuals being banned from accessing their most advanced models, causing disruption to people and businesses that relied on them.
Development and Operations is often overlooked. GitHub (owned by Microsoft), AWS, Azure, Google Cloud, and the npm/PyPI ecosystems all have a US nexus. An organisation that builds on these platforms may find its deployment pipeline or code repositories inaccessible. The rise of AI-assisted development tools, most of which are tightly integrated with these same platforms, only deepens the dependency.
Financial Infrastructure extends beyond software. Payment processing, banking relationships, and SWIFT access have all demonstrated susceptibility to US secondary sanctions. Francesca Albanese, a UN Special Rapporteur, fell victim to US sanctions in ways that illustrate how deeply this reaches into daily life: inability to claim health insurance reimbursements, disrupted access to financial services in Europe through a globally integrated banking system, and denial or severe restriction from various US-based digital platforms and services. She has described herself as having been made a “non-person.”
Most organisations have not mapped these dependencies comprehensively to their operations or ecosystems. They know they use Microsoft or Google, but they have not traced the chain to understand where a single decision in Washington could sever multiple critical functions simultaneously.
Clearly, no one expects to be sanctioned - and I mention this explicitly because we mustn’t be distracted from the fact that sanctions only represent one way that tech and data denial can be exercised. Trade restrictions, tariffs, export controls, and taxation have all become instruments of US foreign policy, and the current administration has shown willingness to deploy them broadly and without constraint. The question of digital sovereignty can no longer be separated from the broader reality of economic coercion.
The implications extend beyond direct action: organisations may find themselves self-censoring, pre-emptively withdrawing from platforms, or constraining their own operations to avoid entanglement. Whether the restriction is externally imposed or self-inflicted, the outcome is the same: diminished autonomy.
The OneDrive Realisation: When “Local” Is Not Local
These dependencies are not abstract policy concerns. They manifest in the routine operations of every connected device.
A recent experience crystallised this for me. While converting PDF files on a laptop - a purely local operation with temporary files intended for immediate deletion - I noticed unusual network activity. Investigation revealed that OneDrive, configured by default, was syncing every temporary folder to the cloud as fast as the conversion process created them. It prompted a reflection on how opaque cloud storage actually is to the end user.
Files may be stored, deleted, and subsequently forgotten by the user, but in the backend, numerous things have happened. Those temporary files will have left their imprint on logs and repositories, and what actually happens on Microsoft’s infrastructure is not transparent to us. The principle that “deletion means deletion” does not hold in cloud environments. What you experience as deletion is better understood as a request to remove something from your view. What persists on the backend is outside your knowledge and control. That is a very important distinction from a security perspective.
I am of course well aware that my OneDrive files are stored in the cloud as well as locally. But the realisation of the breadth of the activity was more uncomfortable: in a cloud-centric operating model, even ephemeral and local activities are not spared. This is not a bug. It is the deliberate design of modern operating systems. Cloud synchronisation is the default. Local-only storage requires active configuration. The boundary between “my device” and “the cloud” is intentionally blurred. The user experience is optimised for seamlessness rather than transparency.
The implications extend further. All files on OneDrive are accessible to US law enforcement or security agencies presenting Microsoft with valid legal process. Photographs and images are scanned using facial recognition technology for grouping purposes, including CSAM detection through hash matching. Although seemingly innocent and justifiable, this necessarily involves processes for managing false positives and human review of flagged content.
For organisations handling sensitive personal, financial, or legal information, this represents uncontrolled data exposure. The review processes, the staff conducting them, and the criteria being applied are entirely outside your risk management framework.
And then there is BitLocker. Windows’ encryption feature, marketed as allowing the end user to protect their own data through client-side encryption, has a default configuration where recovery keys are escrowed to your Microsoft account - cared for by Microsoft unless users actively opt out. This means your encryption is only as strong as Microsoft’s willingness and legal ability to refuse demands for those keys.
Recent reports (January 2026) confirmed that Microsoft has already complied with US law enforcement warrants, providing the FBI with BitLocker recovery keys that allowed investigators to unlock encrypted laptops. Microsoft has stated it receives approximately 20 requests for BitLocker keys annually and, with valid warrants, provides agencies with keys to decrypt user data - note that this what they are legally permitted to disclose. The company stated it will continue to comply with court orders when it has access to those keys, meaning that this is no longer a theoretical risk. It has been made very real under a plethora of legal texts including the CLOUD Act, FISA, the USA PATRIOT Act, the USA FREEDOM Act, and the Stored Communications Act.
But lawful access is not the only concern. Johns Hopkins cryptography professor Matthew Green raised a more fundamental alarm: what happens when Microsoft’s cloud infrastructure gets breached? Microsoft has suffered multiple significant security incidents in recent years. If attackers compromise those servers and exfiltrate recovery keys, they gain decryption capability for every device whose keys were stored there. They would still need physical access to the drives, but that is cold comfort for organisations with laptops that travel, get lost, or get stolen. The “Microsoft is safe” assumption does double duty: we trust they will resist improper requests, and we trust their infrastructure is secure enough to protect the keys we have handed them. Both assumptions are increasingly difficult to defend.
For users whose threat model is “someone steals my laptop,” this is adequate. For users whose threat model includes “a foreign government with legal authority over my technology vendor,” this is not encryption in any meaningful sense.
The Cybersecurity Profession’s Blind Spot
This creates a threat model that most organisations have not adequately addressed. Traditional cybersecurity focuses on malicious actors attempting unauthorised access. What we are now confronting is the risk of authorised access being revoked by a trusted vendor acting under legal compulsion from a foreign government, which has significant implications for cybersecurity and operational resilience. The Karim Khan case also demonstrates that “foreign government” necessarily includes your allies. Lord Palmerston, in an 1848 speech to the House of Commons, famously remarked that in international geopolitics there are “no permanent enemies, and no permanent friends, only permanent interests.” We would do well to heed this advice.
Therefore, what we see here is not a vulnerability in the conventional sense. It is a feature of the architecture working as designed—just not in your favour, nor in that of your organisation or nation.
The cybersecurity profession developed increasingly sophisticated frameworks for thinking about threats, vulnerabilities, and controls. But these frameworks largely excluded the category of risk now materialising.
Vendor risk management became a discipline, but it focused on whether vendors had adequate security practices, not on whether vendors could be compelled by their governments to act against customer interests. Supply chain security emerged as a concern, but primarily regarding malicious code injection rather than jurisdictional control. Threat intelligence developed elaborate taxonomies of nation-state actors but treated them as external attackers rather than potential controllers of your own infrastructure.
The assumption embedded in these frameworks was that your vendors were on your side. That assumption was always questionable after Snowden. It is now demonstrably false.
This is not the first time the cybersecurity profession has faced such a reckoning. The old “castle and moat” security model presumed that anyone inside the network perimeter could be trusted. We eventually learned that trust was misplaced: that threats could come from within, that insider risk was real, and that perimeter defence alone was inadequate. The security profession had to fundamentally reorient its thinking.
We are now facing a similar dilemma. We have built sophisticated threat models for external attackers, malicious insiders, and even nation-state espionage. But we have largely failed to incorporate the risk that the very infrastructure we rely on - the walls we retreated behind - can be weaponised against us by geopolitical actors and everyday politics. We look for threats and malicious activities from adversarial actors, but we are missing the risks embedded in the geopolitical dependencies of our own technology stack. The threat is not only breaking in; the threat is the technology foundation being pulled out from under you.
A genuinely updated cybersecurity posture would need to:
Incorporate “vendor-state threat” as a first-class category alongside nation-state attackers, criminals, and insiders
Develop controls and mitigations specifically for jurisdictional risk
Recognise that compliance with foreign legal demands is a threat vector, not merely a vendor’s legal obligation
Build resilience against service termination as seriously as resilience against service compromise
This is a substantial reorientation that changes your risk posture. Failure to make this shift leaves organisations exposed to a risk they are not even measuring.
The “No Alternative” Thought Terminator
When I raise these issues with clients and colleagues, the most common response is: “There is no real alternative to Microsoft Office.” Consider any major vendor with a locked ecosystem - Adobe, Apple, IBM, Broadcom, and others - and you can easily follow the logic of why security professionals accept certain types of vendor risks.
This reasoning functions as a thought-terminating cliché that short-circuits strategic analysis. What people usually mean is one or more of the following:
I am familiar with Microsoft Office and do not want to learn something else
My organisation has built workflows or has technological lock-in that would require significant effort and costs to change
The people I exchange documents with use Microsoft Office and I worry about compatibility
I have not actually evaluated alternatives recently
The alternatives I tried years ago were inadequate and I assume nothing has changed
None of these are the same as “no alternative exists.” They are statements about switching costs, familiarity, inertia, comfort, and assumptions. These are real factors, but they are costs to be weighed against benefits, not immutable constraints.
The French government, after assessing the needs of its 2.5 million civil servants, concluded that the switching costs were worth bearing. They have mandated migration from US-based video conferencing tools to a homegrown alternative called Visio by 2027. The Austrian military concluded that LibreOffice was adequate for their needs and completed migration across 16,000 workstations by September 2025.
These are not small or unsophisticated organisations. They are not engaging in symbolic gestures. They are serious institutions that evaluated the trade-offs and reached different conclusions than the “no alternative” framing suggests. If they can do it, the question is no longer whether alternatives exist. It is whether we have the will to pursue them.
Control, Not Comfort
For years, most organisations treated their technology stack as a neutral utility layer. Cloud, identity, collaboration, and infrastructure were selected on functionality, cost, and convenience. The assumption beneath those choices was simple: the core providers we rely on are stable, aligned, and unlikely to act against our interests.
That assumption, as we have seen, is no longer defensible as a security premise.
The core issue is not surveillance alone. It is control. Modern organisations operate on infrastructure where access, identity, licensing, and availability can be altered by entities outside their jurisdiction and outside their governance. This is not a hypothetical vulnerability. It is a structural property of how contemporary digital services are delivered and regulated.
Encryption, vendor risk management, and compliance frameworks address parts of this exposure. But they do not remove it. Client-side encryption can reduce the risk of disclosure. It cannot ensure continued access. A well-secured tenant can still be locked. A compliant organisation can still lose service. The technical controls that protect confidentiality do not automatically protect continuity.
This does not mean wholesale disengagement from global technology providers is practical or desirable. It does mean that dependency must be understood as a security and resilience concern, not merely a procurement choice. The question is no longer whether organisations rely on external platforms. They do. The question is whether that reliance is mapped, deliberate, and governed with the same seriousness applied to other critical risks.
A robust posture begins with clarity. Know which functions cannot fail. Know which data cannot be exposed. Know which systems you cannot operate without for even a short period. Then examine where control over those functions and systems actually resides. In many cases it will sit with providers operating under legal and political authorities that may diverge from your own. That is not an accusation. It is a condition of the environment. And it will be uncomfortable.
From there, the task is architectural rather than rhetorical. Separate confidentiality from availability in your risk model. Retain independent control of critical keys and data where confidentiality is paramount. Ensure that essential operations can continue, at least temporarily, if a major provider becomes unavailable. Prefer formats and systems that allow migration under pressure rather than only under ideal conditions. Document where dependency is accepted and where it is being reduced.
None of this produces absolute sovereignty. Absolute sovereignty in a globally integrated digital ecosystem is unrealistic. What it produces is awareness and agency. It replaces inherited trust with explicit assessment. It reduces the likelihood that a single external decision can halt internal operations. It turns dependency from an invisible assumption into a managed variable, meaning territory you can defend to your board.
Security has long focused on preventing unauthorised access. The next phase requires equal attention to authorised control wielded by actors outside the organisation’s sphere of influence. Institutions that adapt their architecture and procurement accordingly will be more resilient. Those that continue to treat their infrastructure as politically and legally neutral will remain exposed to decisions made elsewhere.
The Decisions We Have Avoided
Once exposure is understood, the instinct is to reach for a remediation plan. Resist that instinct. The first task is not to fix but to understand and then decide.
Modern organisations do not operate on infrastructure they fully control. They operate on infrastructure made available to them under legal, commercial, and political conditions that can change. That reality cannot be engineered away. It can only be confronted.
The question is not whether you depend on external platforms. You do. The question is what happens to your operations if the entities controlling those platforms no longer share your assumptions, priorities, or constraints. Not in theory. In practice.
This forces a set of decisions that most organisations have never made explicitly. Which functions must continue under almost any circumstances? Which data must remain confidential regardless of jurisdictional pressure? Which systems can tolerate interruption, and for how long? Which dependencies are strategic, and which are merely convenient?
This sits outside traditional disaster recovery planning. RPO and RTO assume failure followed by recovery. They assume outages, not exclusion. They assume restoration is possible. They do not account for access being deliberately revoked.
Today, in most environments I have observed, these distinctions do not exist. Dependencies accumulate through integration and familiarity rather than intent. The result is an undifferentiated estate in which critical and non-critical functions share the same control points and the same vulnerabilities. Everything works, until something does not. At that point, the absence of prior decisions becomes visible.
The purpose of any response is not technological isolation. It is clarity about where control resides and whether that location aligns with your tolerance for disruption or disclosure. Different organisations will draw the lines differently. A government agency, a law firm, a multinational corporation, and a research institution will reach different conclusions. What matters is that the conclusions are deliberate rather than inherited.
What this moment demands is not a checklist but a classification. Not every dependency carries the same consequence. Not every function requires the same degree of independence. But without explicit decisions about which is which, architecture becomes a record of convenience rather than intent.
Final Note
Organisations that understand where control resides and plan for its potential loss will retain operational agency when conditions change. We should view the early actions from France and Austria as markers of a change in understanding of technology dependency and risk. Those that continue to treat their infrastructure as neutral may eventually discover it was never entirely theirs to control.
The central question is simple and rather uncomfortable from a resilience and business continuity perspective: if access to key systems were restricted tomorrow by forces outside your control, what would actually stop, and are you prepared for that answer?
Dependency in a globally integrated digital ecosystem is unavoidable. Unexamined dependency is not.



