ANALYSIS: Your military data is sitting with the enemy—and no one is talking about it

The Architecture That’s Changing the Game

There’s a concept that military strategists would do well to learn—and quickly: the data mesh. No, this isn’t Silicon Valley jargon. It’s an architectural doctrine that could redefine how the armed forces manage, protect, and leverage their information.

The principle is brutally elegant. The data doesn’t move. It stays where it’s sovereign—on national soil, within controlled infrastructure, at the appropriate classification level. But it becomes queryable from any authorized node on the network. No copies. No transfers. No replication on a foreign server.

Imagine a French intelligence analyst who, from Paris, can simultaneously query data stored on a secure cluster in Estonia, an onboard server on a ship in the Mediterranean, and a forward operating base in the Sahel—without that data ever leaving its sovereign environment. Each nation retains control. Each piece of data remains under its jurisdiction. But the coalition’s collective intelligence is amplified.

When the network goes down: the ultimate test

And in DDIL environments—Denied, Disrupted, Intermittent, Low-bandwidth—the logistical nightmare of any deployed force? The data mesh continues to function. Users query the available systems. Critical nodes are prioritized. Situational awareness survives even when the network is degraded.

This isn’t theory. It’s operational survival.

Access control based on role and attributes—RBAC and ABAC in the jargon—adds a layer of surgical precision. Access isn’t binary (yes/no). It depends on the user’s role, their clearance, their current mission, and the operational context. The same analyst might be able to view certain data on Tuesday but not on Wednesday, depending on the operation to which they’re assigned.

Every access event is logged. Every request is audited. Every anomaly is detectable. Transparency is not the enemy of security—it is its foundation.

Why Proprietary Code Is a Sovereign Risk

Here’s a truth the defense industry would rather not hear. Every time a military deploys a proprietary system whose source code it cannot audit, it introduces a component into its architecture that it is unable to verify.

It’s like installing a lock on a nuclear safe—and handing the only spare key to a private foreign company.

Open-source software, on the other hand, offers complete transparency. The code is readable. Auditable. Verifiable by national cybersecurity teams. No hidden backdoors. No reliance on a single vendor. No risk that a change in trade or geopolitical policy will turn your critical tool into an inaccessible black box.

Open standards: the common language of coalitions

Open standards like OpenTelemetry play a similar role for the data itself. When military systems from five different nations need to communicate during a NATO exercise, proprietary standards create invisible walls. Each system speaks its own language. Interoperability becomes a constant exercise in translation—slow, costly, and dangerous in a combat situation.

Open standards are the lingua franca of digital defense. They enable systems to communicate regardless of their origin or manufacturer. They reduce integration costs. They accelerate the adoption of new technologies. And above all, they eliminate vendor lock-in—that toxic dependency that turns a commercial contract into a strategic shackle.

Europe has understood this. The European Union’s defense funding now places strategic autonomy at the heart of its doctrine. Developing software engineering expertise is no longer a bonus—it is a prerequisite for sovereign survival.

Paranoia Elevated to a Doctrine

The Zero Trust model is based on a principle that every military professional should find familiar: never assume that the perimeter is secure. Never assume that an authenticated user is legitimate. Never assume that a connected device is safe. Verify. Always. Everywhere. With every transaction.

In a traditional defense environment, security relies on the perimeter: a wall around the network; a badge to gain entry. Once inside, you’re trusted. That model has been shattered. Modern attacks don’t breach the wall—they originate from within: a compromised account, an infected device, a malicious insider.

Zero Trust treats every request as potentially hostile. Every access is authenticated, authorized, encrypted, and logged—whether it comes from the Chief of Staff’s office or a field terminal deep in a conflict zone.

The Architecture of Productive Distrust

For defense organizations, Zero Trust isn’t a product to buy. It’s an architectural philosophy. It requires network microsegmentation—each zone isolated, each data flow controlled. It requires continuous verification—not a one-time authentication at login, but a constant reassessment of the legitimacy of every action.

Combined with the data mesh, Zero Trust creates an environment where sovereign data remains sovereign, where access is granular and contextual, and where every anomaly is detected before it becomes a breach.

This isn’t paranoia. It’s operational clarity.

The Dilemma of Sovereign AI

Artificial intelligence is exponentially increasing capabilities in processing, analysis, and detection. In the defense sector, it can transform mountains of raw data into actionable intelligence in a matter of seconds. Anomaly detection. Predictive analytics. Sensor fusion. A decisive advantage.

But—and this is a “but” the size of an aircraft carrier—AI needs data to function. And if that data is processed by a model hosted abroad, trained on unknown datasets, and operated by a company subject to foreign jurisdiction… then the tactical advantage turns into a strategic vulnerability.

The question is no longer “should we use AI in defense?”—that question has been settled; the answer is yes. The real question is: what kind of AI, trained on what data, hosted where, and controlled by whom?

When the Algorithm Becomes a Threat to Sovereignty

A proprietary AI model is a decision-making black box. You feed it your data. It returns a verdict. But in between—between input and output—you don’t know what’s happening. You don’t know what biases are built in. You don’t know if the model has been compromised. You don’t know if the results are reliable or subtly manipulated.

Sovereign AI—trained on national data, deployed on controlled infrastructure, and audited by authorized teams—is the only acceptable solution. And it requires, from the outset, that data sovereignty be absolute. Without sovereign data, there is no sovereign AI. Without sovereign AI, there is no strategic autonomy.

The circle is complete. It all starts with data.

Europe Is Waking Up—But Does It Have Time?

The European Union has placed digital sovereignty at the heart of its defense agenda. The rhetoric is ambitious. Funding is following—partially. The assessment is clear: dependence on American and Chinese technologies in the defense sector is not a technical weakness. It is a strategic subservience.

And yet. How many European defense ministries can today claim, with their hand on their heart, that 100% of their classified data resides on sovereign infrastructure? How many can guarantee that no foreign algorithm touches their intelligence flows? How many have audited—truly audited, not just superficially checked off—every software component in their digital chain of command?

The silence that follows these questions is deafening.

Skills Development: The War We Don’t See

It’s not enough to simply purchase sovereign solutions. We need sovereign engineers to operate them. National cryptographers to secure them. Local architects to design them. Data sovereignty without skills sovereignty is a mirage.

This is where the open-source approach takes on its full strategic significance. Proprietary software creates dependency. Open-source software builds skills. Every engineer working on Elasticsearch, OpenTelemetry, or open standards develops transferable, auditable, and sovereign expertise.

Training a generation of defense engineers capable of mastering their own technology stack—that is the invisible battle Europe must win over the next five years.

Sharing Without Revealing Too Much

NATO operates on a fundamental principle: the sharing of intelligence among allies. But this sharing creates constant tension. Every nation wants to contribute to the common situational awareness. None wants to expose its sources, methods, or true capabilities.

The international data mesh provides an architectural solution to this political dilemma. Each nation retains full control over its data. Access rules are defined independently. Requests are tracked. Data never physically moves. Only authorized responses cross digital borders.

It’s the difference between lending a book and letting someone photocopy it. In the first case, you retain control. In the second, you’ve lost it—for good.

Distributed Trust as an Operational Doctrine

Shared governance frameworks, combined with distributed computing capabilities, make it possible to create what might be called architectural trust. Trust no longer rests on political declarations or diplomatic handshakes. It is encoded in the architecture itself. Verifiable. Auditable. Immutable.

For multinational operations—from peacekeeping to joint exercises to collective defense—this architectural trust is the operational lubricant without which the machine seizes up, slows down, and eventually grinds to a halt at the worst possible moment.

And in the realm of defense, the worst possible moment is never just a theoretical possibility.

Thirty Years of Technological Debt

Every military in the world is saddled with a digital graveyard. Systems designed before the invention of the smartphone. Relational databases that communicate with nothing but themselves. Obsolete communication protocols so deeply embedded in operational processes that they cannot be removed without bringing the entire structure crashing down.

These legacy systems aren’t just a technical problem. They’re a national security risk. Every data silo they create is a blind spot. Every missing interface is an opportunity for an adversary. Every update that can’t be performed is a vulnerability that worsens over time.

Modernization That Can No Longer Wait

The classic temptation is a “big bang” migration—replacing everything at once. This is a budgetary and operational fantasy. Reality demands a gradual approach: wrapping legacy systems in a layer of modern interoperability. Connecting them to the data mesh without immediately replacing them. Extracting their data without disrupting their operation.

Open-source software excels in this role as a universal integrator. Its flexibility allows it to connect to almost anything—from systems dating back to the 1990s to the latest-generation cloud-native architectures. And every connection established means one less silo. One less blind spot. One less vulnerability.

Cyberattacks are not a future threat—they happen every day

As you read these lines, offensive cyber operations are targeting Western defense systems. Not tomorrow. Not in a theoretical scenario. Right now. State-sponsored groups from Russia, China, North Korea, and Iran are conducting ongoing campaigns of intrusion, reconnaissance, and pre-positioning within allied military networks.

Data sovereignty is not a peacetime luxury. It is a wartime shield. Every piece of data stored on non-sovereign infrastructure is a potential attack vector. Every dependency on a foreign provider is an exploitable pressure point. Every opaque algorithm is a potential backdoor.

Resilience as a Doctrine

Data sovereignty strengthens resilience at every level. At the tactical level, it ensures that field commanders retain access to their information even if the main network is compromised. At the operational level, it prevents an attack on a single node from bringing down the entire chain of command. At the strategic level, it ensures that no adversary can cut off a nation’s access to its own data by targeting a commercial provider.

The distributed data mesh, combined with Zero Trust and open-source technologies, creates a digital defense architecture with no single point of failure. No central server to destroy. No single provider to compromise. No master key to steal.

Resilience is not a feature of the system. It is the system itself.

When Sensors Talk to Sensors

Most of the data traffic in a modern theater of operations is not human-generated. It consists of machines communicating with other machines. Radar sensors, surveillance drones, satellites, navigation systems, electronic warfare platforms—every second, billions of data packets flow between automated systems.

The security of these machine-to-machine communications is a major blind spot. Every unencrypted data stream can be intercepted. Every unauthenticated protocol can be spoofed. Any non-sovereign data passing through foreign infrastructure is potentially compromised.

Zero Trust architectures applied to M2M communications treat every exchange between machines with the same rigor as human access. Mutual authentication. End-to-end encryption. Comprehensive logging. No exceptions—not even for a temperature sensor on an armored vehicle.

The Military Internet of Things: Proliferation and Peril

The number of connected devices in a modern military environment doubles every eighteen months. Every new sensor, every new drone, and every new connected weapon system increases the attack surface. And every non-sovereign attack surface is an open invitation.

M2M data sovereignty requires that every component in the chain—from the sensor’s firmware to the transmission protocol to the processing server—be auditable, controllable, and operable under sovereign control. Open source is non-negotiable here. Proprietary firmware whose code cannot be verified in a sensor deployed in a conflict zone is a leap of faith that no responsible commander should accept.

Total Traceability or Total Irresponsibility

In the civilian world, the audit trail ensures compliance. In the defense world, it ensures operational accountability. Who accessed what information, when, from where, and for what mission—these questions are not bureaucratic. They are vital.

When an operation goes wrong—and operations do go wrong—the ability to precisely reconstruct the information chain that led to a decision is the difference between learning from mistakes and repeating them. Between understanding and guessing. Between progress and death.

The data mesh, with its native traceability of every query and every access, transforms every operation into a searchable archive. Not a black hole where information enters and vanishes. A transparent crystal where every photon of data leaves a verifiable trace.

Continuous Improvement as a Tactical Advantage

The armed forces that learn the fastest from their operations are the ones that win. The OODA loop—Observe, Orient, Decide, Act—doesn’t stop at action. It starts over. And the fuel for this loop is sovereign, traceable, analyzable data.

Every after-action review (AAR) fueled by comprehensive audit data is a lesson learned. Every lesson learned is a marginal advantage. A thousand accumulated marginal advantages make the difference between an army that adapts and one that stagnates.

Every day lost is an advantage given up

Russia has built a sovereign internet—the Runet—capable of operating offline from the global network. China has erected its Great Firewall and developed an entirely domestic technological ecosystem. What we think of their motivations and methods is one thing. That they understood the strategic importance of data sovereignty before most Western democracies is a fact.

Every month that Western defense organizations spend without resolving their data sovereignty issues is a month during which the gap widens. Adversaries do not take budget breaks. They do not issue 24-month requests for proposals. They build, deploy, and iterate—at a pace that Western procurement processes struggle to keep up with.

The True Cost of Dependence

The cost of data sovereignty is not insignificant. Dedicated infrastructure, staff training, skills development, migration of legacy systems—the bill is substantial.

But what is the cost of a lack of sovereignty? Critical intelligence that is inaccessible at the decisive moment. An operation compromised by a vulnerability in a foreign component. An ally who loses trust because their shared data has been exposed. A strategic decision made blindly because the algorithm that was supposed to inform command has been manipulated.

The cost of inaction cannot be measured in euros. It is measured in lives, lost battles, and abandoned sovereignty.

And once sovereignty has been surrendered, it cannot be bought back. It must be reclaimed—always at a higher cost, always later, and always at the cost of blood.

The Inevitable Conclusion

Data sovereignty is not an IT project. It is a national defense imperative on par with nuclear deterrence, the projection of force, or control of airspace. A nation that does not control its data does not control its defense. Period.

The tools exist: the distributed data mesh; auditable open source; interoperable open standards; Zero Trust architecture; and sovereign AI trained on national data. None of these technologies is theoretical. They are deployable. They are proven. They are waiting for decision-makers to have the courage to adopt them.

The colonel in Estonia, the one searching for his classified intelligence on a server in Virginia—he shouldn’t have to wonder whether his query is sovereign. The architecture should guarantee that it is. Automatically. Natively. Without compromise.

What comes next depends on those reading these lines

The next war—whether kinetic, cyber, hybrid, or all of the above—will be won or lost in the data architectures built today. Not in the tanks ordered three years from now. Not in the aircraft delivered five years from now. In the decisions made right now about how data is stored, protected, shared, and leveraged.

Data sovereignty is the invisible foundation of everything else. Without it, nothing holds together. With it, everything becomes possible—collaboration among allies, operational agility, resilience against attacks, and decision-making superiority.

The question is no longer whether data sovereignty is important. The question is: How much longer will we continue to ignore it?

Signed, Jacques PJ Provost