On her blog, EU Commissioner Neelie Kroes sets out her stance on cloud computing. In short: this is a good development which the EU will embrace and advocate, but it may need regulation in order to ensure a safe environment for industry and individuals in the cloud. Here are some thoughts on that.
Risks in the cloud
The cloud is here, and here to stay. Organisations that outsource IT and data storage are already part of the cloud. They will, or at least should, be able to ensure their cyber safety and security in the negotiations with the operator providing his services in the cloud. But what if the server in the cloud turns out to physically be in China or another country in which the EU rule of law is not applicable, but which was the cheapest your cloud business partner was able to acquire to offer his services? What if this data is harvested or hacked there? What if cyber espionage is inflicted somewhere in the cloud? Doesn’t that bring to mind the question of what sort of data you want to store out in the cloud and what not? I remember visiting a Ministry in the Netherlands that was not able to work, as all data was inaccessible due to a cable torn somewhere. Nothing was stored locally any more. What are the implications where security and confidential data of an organisation are concerned? This is a question you should have an answer to before moving all out into the cloud. A few dollars’ savings on IT may prove to be very dear if not handled right.
At least these are business propositions. For consumers there may not be a choice. Their data disappears into the cloud: to where, how is it protected, and by which law?
Some problems on regulating the cloud
As with most other subjects concerning regulation of the Internet, a few problems spring to mind:
– it’s cross border, so different jurisdictions;
– it’s commercial, so in fierce competition;
– sometimes there are perverse incentives to not block cyber crime;
– regulators/enforcers are national;
– the EU stops at its last border, the cloud doesn’t.
Just to name a few.
Two challenges regulating the cloud
1. Cross-border issues
It comes down to daring to tackle the most challenging topic: cross-border jurisdiction. The Internet works at the speed of light, “one finger click”; enforcement and regulation proceed slower than a snail. This is in part correct. Investigations need to be thorough and just in order to fine or convict someone. On the other hand, investigations also need to be aided in a modern way and not be bogged down by cross-border red tape and hassles. LEAs asking industry to help them avoid MLATs should not be necessary, Mrs. Kroes, but is in fact what happens. A good study of why Microsoft was able to take down the #1 botnet Rustock and LEAs were not could also be quite revealing.
2. Putting your Good Ears on
The other topic that needs tackling is learning to listen to what is being said. Sometimes industry gives several reasons why it is hard or impossible to work with LEAs or governments. What is often implied is: we need your help here, governments! Instead of engaging in dialogue, it is often said that industry is just putting up this front in order not to act. Well, has this been tested? No, it’s usually ignored and things stand as they are. Valuable time is lost. Perhaps even potential partners are lost, after the verbal clashes that follow at public events. Listening to industry, I hear concerns raised which are not unrealistic or deceitful. With the right ears on they can probably be mitigated. And should they after all turn out to be bogus arguments, they are exposed for what they are.
So what I wish Mrs. Kroes and her people is Good Ears. Undoubtedly this will help change the course of events. After all, a public-private partnership i(mplie)s a partnership, not a one-way action on tasks directed at one partner, who takes the brunt, costs and risks involved all in one.
P.S. Here’s a link to an article on McAfee’s warning about cyber espionage, published after this article was written.
Wout de Natris, De Natris Consult
Leiderdorp, 28 March 2011