Neelie Kroes, the EU, cloud computing, regulation and Good Ears

In her blog, EU Commissioner Neelie Kroes sets out her stance on cloud computing. In short: this is a good development which the EU will embrace and advocate, but it may need regulation in order to ensure a safe environment for industry and individuals in the cloud. Here are some thoughts on that.

Risks in the cloud
The cloud is here, and here to stay. Organisations that outsource IT and data storage are already part of the cloud. They will, or at least should, be able to ensure their cyber safety and security in the negotiations with the operator providing his services in the cloud. But what if the server in the cloud turns out to be physically in China or another country in which the EU rule of law is not applicable, but was the cheapest your cloud business partner was able to acquire to offer his services? What if this data is harvested or hacked there? What if cyber espionage is inflicted somewhere in the cloud? Doesn’t that bring to mind the question of what sort of data you want to store out in the cloud and what not? I remember visiting a Ministry in the Netherlands that was not able to work, as all data was inaccessible due to a cable torn somewhere. Nothing was stored locally any more. What are the implications where security and confidential data of an organisation are concerned? This is a question you should have an answer to before moving all out into the cloud. A few dollars’ savings on IT may prove to be very dear if not handled right.

At least these are business propositions. For consumers there may not be a choice. Their data disappears into the cloud: to where, how is it protected, and by which law?

Some problems on regulating the cloud
As with most other subjects concerning regulation of the Internet, a few problems spring to mind:
– it’s cross border, so different jurisdictions;
– it’s commercial, so in fierce competition;
– sometimes there are perverse incentives to not block cyber crime;
– regulators/enforcers are national;
– the EU stops at its last border, the cloud doesn’t.
Just to name a few.

Two challenges regulating the cloud
1. Cross-border issues
It comes down to daring to tackle the most challenging topic: cross-border jurisdiction. The Internet works at the speed of light, “one finger click”, while enforcement and regulation proceed slower than a snail. This is in part correct. Investigations need to be thorough and just in order to fine or convict someone. On the other hand, investigations also need to be aided in a modern way and not be bogged down by cross-border red tape and hassles. LEAs asking industry to help them avoid MLATs should not be necessary, Mrs. Kroes, but is in fact what happens. A good study of why Microsoft was able to take down the #1 botnet Rustock and LEAs were not could also be quite revealing.

2. Putting your Good Ears on
The other topic that needs tackling is learning to listen to what is being said. Sometimes industry gives several reasons why it is hard or impossible to work with LEAs or governments. What is often implied is: we need your help here, governments! Instead of engaging in dialogue, it is often said that industry is just putting up this front in order not to act. Well, has this been tested? No, it’s usually ignored and things stand as they are. Valuable time is lost. Perhaps even potential partners are lost, following the verbal clashes that ensue at public events. Listening to industry, I hear concerns raised which are not unrealistic or deceitful. With the right ears on they can probably be mitigated. And, should they after all be bogus arguments, they are exposed for what they are.

So what I wish Mrs. Kroes and her people is Good Ears. Undoubtedly this will help change the course of events. After all, a public – private partnership i(mplie)s a partnership, not a one-way action on tasks directed at one partner, who takes the brunt, costs and risks involved all in one.

P.S. Here’s a link to an article on McAfee’s warning about cyber espionage, published after this article was written.

Wout de Natris, De Natris Consult

Leiderdorp, 28 March 2011

About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.